xworm | dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774

Analysis

max time kernel
133s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2025, 14:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

35KB
MD5

f5353c9e72508e5ee45fdd009e6b43db
SHA1

2fe825365aa07e610c1ba85d54c5f0d171750c04
SHA256

dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774
SHA512

7bae76390749284f2ec904d5818786bd45bb382be2cd2782af7d6fd4b0aeeac71db14946a6d486da0956e0b29a391d614a39bc23f88ad2713e926c964a2be560
SSDEEP

768:SHs7Dzumj2frksy1TxVP+sVFyw9b2O/hDy8j:SM7DzumnpSKFr9b2O/Bxj

Score

10^/10

xworm bootkit discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

client-presence.gl.at.ply.gg:50976

Mutex

ZVJ9lOsEvNQZTKC6

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1052-1-0x0000000000250000-0x0000000000260000-memory.dmp	family_xworm
behavioral2/files/0x001e00000002adbe-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 8 IoCs

pid	Process
2572	XClient.exe
2972	XClient.exe
4080	qijwcb.exe
2384	MasonMBR-S.exe
3712	MasonGDI.exe
444	MasonRootkit.exe
3520	cxsveb.exe
1012	MasonMBR-L.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MasonMBR-L.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\MasonMBR	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonGDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonMBR-L.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4bfbfdf_0\ = "{2}.\\\\?\\hdaudio#func_01&ven_8086&dev_0022&subsys_80860022&rev_1001#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\\elineouttopo/00010001\|\\Device\\HarddiskVolume2\\Users\\Admin\\AppData\\Local\\Temp\\MasonGDI.exe%b{00000000-0000-0000-0000-000000000000}"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1408376509-1621642251-2666462513-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\e4bfbfdf_0	svchost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4380	schtasks.exe
5116	schtasks.exe
1876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe
444	MasonRootkit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3316	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1052	XClient.exe
Token: SeDebugPrivilege	1052	XClient.exe
Token: SeDebugPrivilege	2572	XClient.exe
Token: SeDebugPrivilege	2972	XClient.exe
Token: SeDebugPrivilege	444	MasonRootkit.exe
Token: 33	2208	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2208	AUDIODG.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	3316	Explorer.EXE
Token: SeCreatePagefilePrivilege	3316	Explorer.EXE
Token: SeShutdownPrivilege	1012	MasonMBR-L.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 5116	1052	XClient.exe	83
PID 1052 wrote to memory of 5116	1052	XClient.exe	83
PID 1052 wrote to memory of 4080	1052	XClient.exe	88
PID 1052 wrote to memory of 4080	1052	XClient.exe	88
PID 4080 wrote to memory of 1876	4080	qijwcb.exe	89
PID 4080 wrote to memory of 1876	4080	qijwcb.exe	89
PID 4080 wrote to memory of 2384	4080	qijwcb.exe	91
PID 4080 wrote to memory of 2384	4080	qijwcb.exe	91
PID 4080 wrote to memory of 3712	4080	qijwcb.exe	92
PID 4080 wrote to memory of 3712	4080	qijwcb.exe	92
PID 4080 wrote to memory of 3712	4080	qijwcb.exe	92
PID 4080 wrote to memory of 444	4080	qijwcb.exe	93
PID 4080 wrote to memory of 444	4080	qijwcb.exe	93
PID 444 wrote to memory of 652	444	MasonRootkit.exe	5
PID 444 wrote to memory of 712	444	MasonRootkit.exe	7
PID 444 wrote to memory of 1004	444	MasonRootkit.exe	12
PID 444 wrote to memory of 772	444	MasonRootkit.exe	13
PID 444 wrote to memory of 740	444	MasonRootkit.exe	14
PID 444 wrote to memory of 660	444	MasonRootkit.exe	15
PID 444 wrote to memory of 1088	444	MasonRootkit.exe	16
PID 444 wrote to memory of 1100	444	MasonRootkit.exe	17
PID 444 wrote to memory of 1188	444	MasonRootkit.exe	18
PID 444 wrote to memory of 1228	444	MasonRootkit.exe	20
PID 444 wrote to memory of 1268	444	MasonRootkit.exe	21
PID 444 wrote to memory of 1324	444	MasonRootkit.exe	22
PID 444 wrote to memory of 1452	444	MasonRootkit.exe	23
PID 444 wrote to memory of 1488	444	MasonRootkit.exe	24
PID 444 wrote to memory of 1496	444	MasonRootkit.exe	25
PID 444 wrote to memory of 1600	444	MasonRootkit.exe	26
PID 444 wrote to memory of 1608	444	MasonRootkit.exe	27
PID 444 wrote to memory of 1740	444	MasonRootkit.exe	28
PID 444 wrote to memory of 1756	444	MasonRootkit.exe	29
PID 444 wrote to memory of 1796	444	MasonRootkit.exe	30
PID 444 wrote to memory of 1868	444	MasonRootkit.exe	31
PID 444 wrote to memory of 1892	444	MasonRootkit.exe	32
PID 444 wrote to memory of 1204	444	MasonRootkit.exe	33
PID 444 wrote to memory of 1256	444	MasonRootkit.exe	34
PID 444 wrote to memory of 1844	444	MasonRootkit.exe	35
PID 444 wrote to memory of 2052	444	MasonRootkit.exe	36
PID 444 wrote to memory of 2164	444	MasonRootkit.exe	37
PID 444 wrote to memory of 2292	444	MasonRootkit.exe	39
PID 444 wrote to memory of 2396	444	MasonRootkit.exe	40
PID 444 wrote to memory of 2404	444	MasonRootkit.exe	41
PID 444 wrote to memory of 2428	444	MasonRootkit.exe	42
PID 444 wrote to memory of 2524	444	MasonRootkit.exe	43
PID 444 wrote to memory of 2544	444	MasonRootkit.exe	44
PID 444 wrote to memory of 2576	444	MasonRootkit.exe	45
PID 444 wrote to memory of 2588	444	MasonRootkit.exe	46
PID 444 wrote to memory of 2596	444	MasonRootkit.exe	47
PID 1892 wrote to memory of 2208	1892	svchost.exe	94
PID 1892 wrote to memory of 2208	1892	svchost.exe	94
PID 444 wrote to memory of 2208	444	MasonRootkit.exe	94
PID 444 wrote to memory of 2608	444	MasonRootkit.exe	48
PID 712 wrote to memory of 2544	712	lsass.exe	44
PID 444 wrote to memory of 476	444	MasonRootkit.exe	49
PID 444 wrote to memory of 704	444	MasonRootkit.exe	50
PID 444 wrote to memory of 3076	444	MasonRootkit.exe	51
PID 444 wrote to memory of 3316	444	MasonRootkit.exe	52
PID 444 wrote to memory of 3452	444	MasonRootkit.exe	53
PID 444 wrote to memory of 3484	444	MasonRootkit.exe	54
PID 444 wrote to memory of 3868	444	MasonRootkit.exe	57
PID 444 wrote to memory of 3952	444	MasonRootkit.exe	58
PID 444 wrote to memory of 3996	444	MasonRootkit.exe	59
PID 444 wrote to memory of 4016	444	MasonRootkit.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:652
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:772

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1228
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Users\Admin\AppData\Roaming\XClient.exe
  C:\Users\Admin\AppData\Roaming\XClient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1488
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:476

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004CC
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2208

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2052

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2524

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:704

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3076

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3316
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\qijwcb.exe
    "C:\Users\Admin\AppData\Local\Temp\qijwcb.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe"
      4⤵
      Executes dropped EXE
      PID:2384
    - - C:\Users\Admin\AppData\Local\Temp\MasonMBR-L.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MasonMBR-L.exe"
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
  - - C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe
      "C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:444
- - C:\Users\Admin\AppData\Local\Temp\cxsveb.exe
    "C:\Users\Admin\AppData\Local\Temp\cxsveb.exe"
    3⤵
    - Executes dropped EXE
    PID:3520
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\\MasonMBR.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4380
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3484

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3952

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4016

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3940

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3340

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:828

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2116

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonGDI.exe

Filesize
147KB

MD5
fd138f51961f3071e135dae4e279ca7d

SHA1
63a107425ab4b3515b4c6545076ac6721a459717

SHA256
24f189af6d0c0af7dbdbf230183423d34d9cc3c06f55fa911145dcc19e3a6eb6

SHA512
f0d596ebe25c89907018f4d5ca4635df28c7f7095c81bd4d6f6b0819301bd113fb2469d643c02b5d41f2ce523e8539c1a97a817160ee0074d6e1f0a7951e7804

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR-S.exe

Filesize
58KB

MD5
1b120dcde4b7be948179d53257c71423

SHA1
efd894e18d8d9eb8b0af9e8eeaa0d44be04a7b62

SHA256
34c657218a5d7702de283691e868f61c1f50ffcd9e6c6bd3f0336bda904975aa

SHA512
fb5ac3cdc836926919710edb15f0e4cb54a72f74122566ac2a965efb1b36daa94cdf01b4b984203d0d4c0deb0791f65d20d675029b40fa7e1baafd3194e4dbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonMBR.exe

Filesize
93KB

MD5
b92a9c7baa9414d17e93112f621734b8

SHA1
f8f74b452bf78fd0dda4601d219d99d000d57606

SHA256
b9177dd0173b676408b79085e0a18a4bf35356b76acf79aa6039a36911796e3c

SHA512
0ab4781877b788acdf0c8ac9fd18e71fcf8a42f960e4b12ae0b81dbbe8abc25092ff4119c877863814e97180a6ade73ec567809e21ca5e8f543f7e7690c7d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MasonRootkit.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qijwcb.exe

Filesize
482KB

MD5
85e11c1d67aec0150757e3255d8231b7

SHA1
9167c5ea4a23d59f38e82f128f2b1a2dbbd88cea

SHA256
b6dac480e4c7f15e8de6633ee9b52b3bda0b6b2f1897a76ddb4ab0ffb76b2588

SHA512
a25fcf6c359a00e5671b08dbf91fde79fe14e9720d8d8b4980584fbb32f9bba78a8cc8760e5c504fad894e34df1d2693bd1d161539ad4597df3c50c84c1c5e51

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
35KB

MD5
f5353c9e72508e5ee45fdd009e6b43db

SHA1
2fe825365aa07e610c1ba85d54c5f0d171750c04

SHA256
dd234898a4e49168729350bc7442acd77f35d53eede8edbb268cdec2a48bf774

SHA512
7bae76390749284f2ec904d5818786bd45bb382be2cd2782af7d6fd4b0aeeac71db14946a6d486da0956e0b29a391d614a39bc23f88ad2713e926c964a2be560

Download Submit
memory/444-68-0x00007FFCE4120000-0x00007FFCE41DD000-memory.dmp

Filesize
756KB

Download
memory/444-67-0x00007FFCE4520000-0x00007FFCE4729000-memory.dmp

Filesize
2.0MB

Download
memory/652-69-0x0000018B46C90000-0x0000018B46CB5000-memory.dmp

Filesize
148KB

Download
memory/652-70-0x0000018B46CC0000-0x0000018B46CEB000-memory.dmp

Filesize
172KB

Download
memory/652-71-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/660-96-0x000001B3ED380000-0x000001B3ED3AB000-memory.dmp

Filesize
172KB

Download
memory/660-97-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/712-75-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/712-74-0x000001E2EF880000-0x000001E2EF8AB000-memory.dmp

Filesize
172KB

Download
memory/740-87-0x0000018986C60000-0x0000018986C8B000-memory.dmp

Filesize
172KB

Download
memory/740-88-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/772-79-0x00000206B9B50000-0x00000206B9B7B000-memory.dmp

Filesize
172KB

Download
memory/772-80-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1004-82-0x00000280FA4B0000-0x00000280FA4DB000-memory.dmp

Filesize
172KB

Download
memory/1004-83-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1052-6-0x00007FFCC36D0000-0x00007FFCC4192000-memory.dmp

Filesize
10.8MB

Download
memory/1052-1-0x0000000000250000-0x0000000000260000-memory.dmp

Filesize
64KB

Download
memory/1052-0-0x00007FFCC36D3000-0x00007FFCC36D5000-memory.dmp

Filesize
8KB

Download
memory/1052-7-0x00007FFCC36D3000-0x00007FFCC36D5000-memory.dmp

Filesize
8KB

Download
memory/1052-8-0x00007FFCC36D0000-0x00007FFCC4192000-memory.dmp

Filesize
10.8MB

Download
memory/1088-99-0x000001E005910000-0x000001E00593B000-memory.dmp

Filesize
172KB

Download
memory/1088-100-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1100-102-0x0000023335ED0000-0x0000023335EFB000-memory.dmp

Filesize
172KB

Download
memory/1100-103-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1188-105-0x0000022CEA160000-0x0000022CEA18B000-memory.dmp

Filesize
172KB

Download
memory/1188-106-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1228-109-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1228-108-0x0000016D31090000-0x0000016D310BB000-memory.dmp

Filesize
172KB

Download
memory/1268-112-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1268-111-0x000002A964F80000-0x000002A964FAB000-memory.dmp

Filesize
172KB

Download
memory/1324-116-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1324-115-0x000002CD9E8E0000-0x000002CD9E90B000-memory.dmp

Filesize
172KB

Download
memory/1452-125-0x0000016FD16E0000-0x0000016FD170B000-memory.dmp

Filesize
172KB

Download
memory/1452-126-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1488-128-0x0000022BA1660000-0x0000022BA168B000-memory.dmp

Filesize
172KB

Download
memory/1488-129-0x00007FFCA45B0000-0x00007FFCA45C0000-memory.dmp

Filesize
64KB

Download
memory/1496-131-0x000001664CF50000-0x000001664CF7B000-memory.dmp

Filesize
172KB

Download
memory/2384-53-0x00000000007E0000-0x00000000007F4000-memory.dmp

Filesize
80KB

Download
memory/2572-13-0x00007FFCC36D0000-0x00007FFCC4192000-memory.dmp

Filesize
10.8MB

Download
memory/2572-11-0x00007FFCC36D0000-0x00007FFCC4192000-memory.dmp

Filesize
10.8MB

Download
memory/3712-195-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/3712-85-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/4080-28-0x0000000000C50000-0x0000000000CCE000-memory.dmp

Filesize
504KB

Download
memory/4080-29-0x0000000002F30000-0x0000000002F86000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads