xworm | d7694169a73999cbd1d8ea033b6a164321082b582eacbbbe6d3f607b563a3599

Analysis

max time kernel
332s
max time network
334s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
01/03/2025, 18:46

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Bloxstrap (1).exe
Size

4.3MB
MD5

56d66e4df02b04ed21a45cc29e583679
SHA1

0537dc87acb3ce7b7a9b539e18e74a495f71673c
SHA256

d7694169a73999cbd1d8ea033b6a164321082b582eacbbbe6d3f607b563a3599
SHA512

b0040d61eccbe9c9cb34863379ffafec534b36357e1d5b56fa14ad9418ff1cf919f1d0f95b5b886942c16810775386ed76323d29aecd116e0b276b73e0576a98
SSDEEP

98304:3iLGdqIgOoD9sXV4GiXTSQdg3thqK2Oz1q70/xDTISpspijCk:XYrHGiXLdg9jz1xjplCk

Score

10^/10

xworm bootkit defense_evasion discovery execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

cause-indexes.gl.at.ply.gg:17210

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002ae7c-17.dat	family_xworm
behavioral1/memory/2320-28-0x0000000000530000-0x000000000054A000-memory.dmp	family_xworm

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dajvys.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
3548	powershell.exe
1764	powershell.exe
3812	powershell.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	dajvys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dajvys.exe"	dajvys.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	dajvys.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dajvys.exe"	dajvys.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
3368	Bloxstrap.exe
2320	XClient.exe
6568	RobloxPlayerBeta.exe
2364	dajvys.exe
3924	dajvys.exe

Loads dropped DLL 1 IoCs

pid	Process
6568	RobloxPlayerBeta.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Java = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dajvys.exe"	dajvys.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dajvys.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	dajvys.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
6568	RobloxPlayerBeta.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 24 IoCs

pid	Process
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe
6568	RobloxPlayerBeta.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c00000002be75-3799.dat	upx
behavioral1/memory/2364-3802-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/3924-3807-0x0000000000400000-0x00000000006D8000-memory.dmp	upx
behavioral1/memory/2364-3821-0x0000000000400000-0x00000000006D8000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dajvys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dajvys.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "80"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\shell\open\command	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\ = "URL: Roblox Protocol"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\shell\open\command	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\shell\open	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe\" -player \"%1\""	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\DefaultIcon	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\shell	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Bloxstrap\\Bloxstrap.exe"	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\shell\open	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\shell	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox\URL Protocol	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\DefaultIcon	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\ = "URL: Roblox Protocol"	Bloxstrap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox-player\URL Protocol	Bloxstrap.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\roblox	Bloxstrap.exe

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	RobloxPlayerBeta.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	RobloxPlayerBeta.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	powershell.exe
1764	powershell.exe
3812	powershell.exe
3812	powershell.exe
1704	powershell.exe
1704	powershell.exe
3548	powershell.exe
3548	powershell.exe
2320	XClient.exe
3368	Bloxstrap.exe
3368	Bloxstrap.exe
3368	Bloxstrap.exe
6568	RobloxPlayerBeta.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe
2364	dajvys.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	XClient.exe
Token: SeDebugPrivilege	3368	Bloxstrap.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	3548	powershell.exe
Token: SeDebugPrivilege	2320	XClient.exe
Token: SeBackupPrivilege	2364	dajvys.exe
Token: SeRestorePrivilege	2364	dajvys.exe
Token: SeShutdownPrivilege	2364	dajvys.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3368	Bloxstrap.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2320	XClient.exe
2364	dajvys.exe
3924	dajvys.exe
8012	LogonUI.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
6568	RobloxPlayerBeta.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 3368	3380	Bloxstrap (1).exe	78
PID 3380 wrote to memory of 3368	3380	Bloxstrap (1).exe	78
PID 3380 wrote to memory of 2320	3380	Bloxstrap (1).exe	79
PID 3380 wrote to memory of 2320	3380	Bloxstrap (1).exe	79
PID 2320 wrote to memory of 1764	2320	XClient.exe	80
PID 2320 wrote to memory of 1764	2320	XClient.exe	80
PID 2320 wrote to memory of 3812	2320	XClient.exe	82
PID 2320 wrote to memory of 3812	2320	XClient.exe	82
PID 2320 wrote to memory of 1704	2320	XClient.exe	84
PID 2320 wrote to memory of 1704	2320	XClient.exe	84
PID 2320 wrote to memory of 3548	2320	XClient.exe	86
PID 2320 wrote to memory of 3548	2320	XClient.exe	86
PID 3368 wrote to memory of 6568	3368	Bloxstrap.exe	90
PID 3368 wrote to memory of 6568	3368	Bloxstrap.exe	90
PID 2320 wrote to memory of 2364	2320	XClient.exe	91
PID 2320 wrote to memory of 2364	2320	XClient.exe	91
PID 2320 wrote to memory of 2364	2320	XClient.exe	91

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	dajvys.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	dajvys.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1"	dajvys.exe

C:\Users\Admin\AppData\Local\Temp\Bloxstrap (1).exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-67acd0f240534e7b\RobloxPlayerBeta.exe
    "C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-67acd0f240534e7b\RobloxPlayerBeta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    PID:6568
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- - C:\Users\Admin\AppData\Local\Temp\dajvys.exe
    "C:\Users\Admin\AppData\Local\Temp\dajvys.exe"
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2364

C:\Users\Admin\AppData\Local\Temp\dajvys.exe
C:\Users\Admin\AppData\Local\Temp\dajvys.exe explorer.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a13055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-67acd0f240534e7b\RobloxPlayerBeta.dll

Filesize
14.5MB

MD5
5547db0332d5ea03f99a6d86a242c8c8

SHA1
eb539ffdeb898d3732873110b0411498750f68d8

SHA256
ae71840949603aca6719a460135d139aed345c5cfe0c9e45675de447b25312a6

SHA512
49b22fd8e9dd1340e31c8f6d67f437ddbe1800c4db46200a0285c73bd1a65dd6deb5ae1aa66fe494651094c99f1c4656ed8f3762f4bbcf34cc35096ac3cde402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6f0e62045515b66d0a0105abc22dbf19

SHA1
894d685122f3f3c9a3457df2f0b12b0e851b394c

SHA256
529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319

SHA512
f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

Filesize
10.8MB

MD5
05fe4ab617fb8a0e6df903e14b3312c9

SHA1
04500479b9e6cdfbaf431634cfbfd496214c80ca

SHA256
b4e27af0caf72026adc98fa65d34d5fe22882b2c3b36291f39fb2c69b3183efc

SHA512
acff0e95ba628ed724ad331b1e5701f5cef343cb8ee5aa44aff0c5907453abaca68b874c7275a61d835d982ac18e0a1ffafa9289c7e72b9cc8b79c564b46c3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1fdd77cb12693ba80efbe8a5463b34b0

SHA1
a28daa287556525ef8d54f4244fac761b9be9dc3

SHA256
03075f33cfb3ba600a7312a2c6ed5a26dd2e2d210913f70a471f1a120e501891

SHA512
e635f719d5e4a3a394ef348e5324c4e407427f00354e0ba9bc7cd25a3e966ecbd045211141a2c3156d1caf4459fd813b772595e74df06426bc9fd884e7e0f7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osik2atb.o12.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dajvys.exe

Filesize
1.7MB

MD5
6e628c5531010f1053fff090a7699659

SHA1
237e5b8870092dd0e9a3b0fb76da93fcfce56516

SHA256
52d65a486dd027d9d6e3ca10ea808815ff0fda4e5032695333b7c2d5a5f95e41

SHA512
53eb023d70038b2820a6c0ed0a453307f90b22279e521fa8af3b6ef240ce022300a1d05794bf02d52f472c5adeb87c814373c5e29b3f13102c0128af06d5f0e7

Download Submit
memory/1764-30-0x0000011AB2630000-0x0000011AB2652000-memory.dmp

Filesize
136KB

Download
memory/2320-28-0x0000000000530000-0x000000000054A000-memory.dmp

Filesize
104KB

Download
memory/2320-76-0x00007FF9F4830000-0x00007FF9F52F2000-memory.dmp

Filesize
10.8MB

Download
memory/2320-85-0x000000001B2C0000-0x000000001B2CC000-memory.dmp

Filesize
48KB

Download
memory/2320-26-0x00007FF9F4830000-0x00007FF9F52F2000-memory.dmp

Filesize
10.8MB

Download
memory/2320-3822-0x00007FF9F4830000-0x00007FF9F52F2000-memory.dmp

Filesize
10.8MB

Download
memory/2364-3821-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/2364-3802-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/3368-27-0x00007FF9F178B000-0x00007FF9F178C000-memory.dmp

Filesize
4KB

Download
memory/3368-77-0x00007FF9F178B000-0x00007FF9F178C000-memory.dmp

Filesize
4KB

Download
memory/3380-1-0x0000000000100000-0x000000000054A000-memory.dmp

Filesize
4.3MB

Download
memory/3380-29-0x00007FF9F4830000-0x00007FF9F52F2000-memory.dmp

Filesize
10.8MB

Download
memory/3380-2-0x00007FF9F4830000-0x00007FF9F52F2000-memory.dmp

Filesize
10.8MB

Download
memory/3380-0-0x00007FF9F4833000-0x00007FF9F4835000-memory.dmp

Filesize
8KB

Download
memory/3924-3807-0x0000000000400000-0x00000000006D8000-memory.dmp

Filesize
2.8MB

Download
memory/6568-3748-0x00007FFA145A0000-0x00007FFA145A9000-memory.dmp

Filesize
36KB

Download
memory/6568-3736-0x00007FFA14380000-0x00007FFA14390000-memory.dmp

Filesize
64KB

Download
memory/6568-3749-0x00007FFA145A0000-0x00007FFA145A9000-memory.dmp

Filesize
36KB

Download
memory/6568-3766-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3765-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3764-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3763-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3762-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3761-0x00007FFA131F0000-0x00007FFA13217000-memory.dmp

Filesize
156KB

Download
memory/6568-3760-0x00007FFA131B0000-0x00007FFA131C0000-memory.dmp

Filesize
64KB

Download
memory/6568-3759-0x00007FFA131B0000-0x00007FFA131C0000-memory.dmp

Filesize
64KB

Download
memory/6568-3758-0x00007FFA13180000-0x00007FFA131A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3757-0x00007FFA13180000-0x00007FFA131A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3756-0x00007FFA13180000-0x00007FFA131A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3755-0x00007FFA13180000-0x00007FFA131A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3754-0x00007FFA13180000-0x00007FFA131A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3753-0x00007FFA13150000-0x00007FFA13160000-memory.dmp

Filesize
64KB

Download
memory/6568-3752-0x00007FFA13150000-0x00007FFA13160000-memory.dmp

Filesize
64KB

Download
memory/6568-3751-0x00007FFA13040000-0x00007FFA13050000-memory.dmp

Filesize
64KB

Download
memory/6568-3750-0x00007FFA13040000-0x00007FFA13050000-memory.dmp

Filesize
64KB

Download
memory/6568-3730-0x00007FFA12F80000-0x00007FFA12F90000-memory.dmp

Filesize
64KB

Download
memory/6568-3747-0x00007FFA145A0000-0x00007FFA145A9000-memory.dmp

Filesize
36KB

Download
memory/6568-3746-0x00007FFA145A0000-0x00007FFA145A9000-memory.dmp

Filesize
36KB

Download
memory/6568-3745-0x00007FFA145A0000-0x00007FFA145A9000-memory.dmp

Filesize
36KB

Download
memory/6568-3744-0x00007FFA14580000-0x00007FFA14590000-memory.dmp

Filesize
64KB

Download
memory/6568-3743-0x00007FFA14580000-0x00007FFA14590000-memory.dmp

Filesize
64KB

Download
memory/6568-3742-0x00007FFA14580000-0x00007FFA14590000-memory.dmp

Filesize
64KB

Download
memory/6568-3740-0x00007FFA143C0000-0x00007FFA143CD000-memory.dmp

Filesize
52KB

Download
memory/6568-3739-0x00007FFA143C0000-0x00007FFA143CD000-memory.dmp

Filesize
52KB

Download
memory/6568-3738-0x00007FFA143C0000-0x00007FFA143CD000-memory.dmp

Filesize
52KB

Download
memory/6568-3737-0x00007FFA143C0000-0x00007FFA143CD000-memory.dmp

Filesize
52KB

Download
memory/6568-3741-0x00007FFA143C0000-0x00007FFA143CD000-memory.dmp

Filesize
52KB

Download
memory/6568-3735-0x00007FFA14380000-0x00007FFA14390000-memory.dmp

Filesize
64KB

Download
memory/6568-3734-0x00007FFA14310000-0x00007FFA14320000-memory.dmp

Filesize
64KB

Download
memory/6568-3733-0x00007FFA14310000-0x00007FFA14320000-memory.dmp

Filesize
64KB

Download
memory/6568-3732-0x00007FFA12F80000-0x00007FFA12F90000-memory.dmp

Filesize
64KB

Download
memory/6568-3731-0x00007FFA12F80000-0x00007FFA12F90000-memory.dmp

Filesize
64KB

Download
memory/6568-3729-0x00007FFA12F60000-0x00007FFA12F70000-memory.dmp

Filesize
64KB

Download
memory/6568-3713-0x00007FFA143D0000-0x00007FFA143E0000-memory.dmp

Filesize
64KB

Download
memory/6568-3728-0x00007FFA12F60000-0x00007FFA12F70000-memory.dmp

Filesize
64KB

Download
memory/6568-3727-0x00007FFA12F60000-0x00007FFA12F70000-memory.dmp

Filesize
64KB

Download
memory/6568-3726-0x00007FFA12DB0000-0x00007FFA12DC0000-memory.dmp

Filesize
64KB

Download
memory/6568-3725-0x00007FFA12DB0000-0x00007FFA12DC0000-memory.dmp

Filesize
64KB

Download
memory/6568-3724-0x00007FFA12C40000-0x00007FFA12C50000-memory.dmp

Filesize
64KB

Download
memory/6568-3723-0x00007FFA12C40000-0x00007FFA12C50000-memory.dmp

Filesize
64KB

Download
memory/6568-3721-0x00007FFA14480000-0x00007FFA144A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3720-0x00007FFA14480000-0x00007FFA144A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3719-0x00007FFA14480000-0x00007FFA144A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3718-0x00007FFA14480000-0x00007FFA144A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3717-0x00007FFA14480000-0x00007FFA144A0000-memory.dmp

Filesize
128KB

Download
memory/6568-3716-0x00007FFA14460000-0x00007FFA14470000-memory.dmp

Filesize
64KB

Download
memory/6568-3715-0x00007FFA14460000-0x00007FFA14470000-memory.dmp

Filesize
64KB

Download
memory/6568-3714-0x00007FFA143D0000-0x00007FFA143E0000-memory.dmp

Filesize
64KB

Download
memory/6568-3708-0x00007FFA157F0000-0x00007FFA15820000-memory.dmp

Filesize
192KB

Download
memory/6568-3706-0x00007FFA157A0000-0x00007FFA157B0000-memory.dmp

Filesize
64KB

Download
memory/6568-3705-0x00007FFA157A0000-0x00007FFA157B0000-memory.dmp

Filesize
64KB

Download
memory/6568-3704-0x00007FFA15680000-0x00007FFA15690000-memory.dmp

Filesize
64KB

Download
memory/6568-3710-0x00007FFA157F0000-0x00007FFA15820000-memory.dmp

Filesize
192KB

Download
memory/6568-3703-0x00007FFA15680000-0x00007FFA15690000-memory.dmp

Filesize
64KB

Download
memory/6568-3722-0x00007FFA14570000-0x00007FFA1457C000-memory.dmp

Filesize
48KB

Download
memory/6568-3709-0x00007FFA157F0000-0x00007FFA15820000-memory.dmp

Filesize
192KB

Download
memory/6568-3711-0x00007FFA157F0000-0x00007FFA15820000-memory.dmp

Filesize
192KB

Download
memory/6568-3712-0x00007FFA15880000-0x00007FFA15889000-memory.dmp

Filesize
36KB

Download
memory/6568-3707-0x00007FFA157F0000-0x00007FFA15820000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads