xworm | ffaa5eea301ca6578ee0b3403513d77264246a77c18c8d529021045c15452940

Analysis

max time kernel
63s
max time network
71s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
Size

229KB
MD5

a0397395824c0069a98cbe5702f013a1
SHA1

730af9f2e0b3458788cca74c595d91fe165dbd49
SHA256

57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f
SHA512

8ab7f110b9989f24de8a264084c1e933c0b373f3619222c10a56b0ff10df29069d58e9cd847c0f196a6d71f54fbbca2221328d9a7901f4151dc60f887cc3afa1
SSDEEP

3072:it4FE9RQOqFdLD8KbgVtn8Mo8G1gVziHzZbIK1YKB/pCAcNqXhwBV3yxSQig8xNV:i8E9U/5bTgVziHzZnSKrCbYMwgba8Vq

Score

10^/10

xworm defense_evasion rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

medicine-sports.gl.at.ply.gg:28097

Attributes

install_file
Mason.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral30/memory/4412-1-0x00000252A6B20000-0x00000252A6B5E000-memory.dmp	family_xworm
behavioral30/memory/4412-13-0x00000252C12E0000-0x00000252C12EE000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe

Executes dropped EXE 1 IoCs

pid	Process
5432	czh3ngwa.yy1.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx	svchost.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "00188012A0BFB5F0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5208	WerFault.exe
5208	WerFault.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
3760	svchost.exe
3760	svchost.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5328	wlrmdr.exe
5328	wlrmdr.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe
5432	czh3ngwa.yy1.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
Token: SeDebugPrivilege	5432	czh3ngwa.yy1.exe
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2172	svchost.exe
Token: SeIncreaseQuotaPrivilege	2172	svchost.exe
Token: SeSecurityPrivilege	2172	svchost.exe
Token: SeTakeOwnershipPrivilege	2172	svchost.exe
Token: SeLoadDriverPrivilege	2172	svchost.exe
Token: SeSystemtimePrivilege	2172	svchost.exe
Token: SeBackupPrivilege	2172	svchost.exe
Token: SeRestorePrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	2172	svchost.exe
Token: SeSystemEnvironmentPrivilege	2172	svchost.exe
Token: SeUndockPrivilege	2172	svchost.exe
Token: SeManageVolumePrivilege	2172	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2172	svchost.exe
Token: SeIncreaseQuotaPrivilege	2172	svchost.exe
Token: SeSecurityPrivilege	2172	svchost.exe
Token: SeTakeOwnershipPrivilege	2172	svchost.exe
Token: SeLoadDriverPrivilege	2172	svchost.exe
Token: SeSystemtimePrivilege	2172	svchost.exe
Token: SeBackupPrivilege	2172	svchost.exe
Token: SeRestorePrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	2172	svchost.exe
Token: SeSystemEnvironmentPrivilege	2172	svchost.exe
Token: SeUndockPrivilege	2172	svchost.exe
Token: SeManageVolumePrivilege	2172	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2172	svchost.exe
Token: SeIncreaseQuotaPrivilege	2172	svchost.exe
Token: SeSecurityPrivilege	2172	svchost.exe
Token: SeTakeOwnershipPrivilege	2172	svchost.exe
Token: SeLoadDriverPrivilege	2172	svchost.exe
Token: SeSystemtimePrivilege	2172	svchost.exe
Token: SeBackupPrivilege	2172	svchost.exe
Token: SeRestorePrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	2172	svchost.exe
Token: SeSystemEnvironmentPrivilege	2172	svchost.exe
Token: SeUndockPrivilege	2172	svchost.exe
Token: SeManageVolumePrivilege	2172	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2172	svchost.exe
Token: SeIncreaseQuotaPrivilege	2172	svchost.exe
Token: SeSecurityPrivilege	2172	svchost.exe
Token: SeTakeOwnershipPrivilege	2172	svchost.exe
Token: SeLoadDriverPrivilege	2172	svchost.exe
Token: SeSystemtimePrivilege	2172	svchost.exe
Token: SeBackupPrivilege	2172	svchost.exe
Token: SeRestorePrivilege	2172	svchost.exe
Token: SeShutdownPrivilege	2172	svchost.exe
Token: SeSystemEnvironmentPrivilege	2172	svchost.exe
Token: SeUndockPrivilege	2172	svchost.exe
Token: SeManageVolumePrivilege	2172	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2172	svchost.exe
Token: SeIncreaseQuotaPrivilege	2172	svchost.exe
Token: SeSecurityPrivilege	2172	svchost.exe
Token: SeTakeOwnershipPrivilege	2172	svchost.exe
Token: SeLoadDriverPrivilege	2172	svchost.exe
Token: SeSystemtimePrivilege	2172	svchost.exe
Token: SeBackupPrivilege	2172	svchost.exe
Token: SeRestorePrivilege	2172	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5328	wlrmdr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 5432	4412	57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe	88
PID 4412 wrote to memory of 5432	4412	57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe	88
PID 5432 wrote to memory of 612	5432	czh3ngwa.yy1.exe	5
PID 5432 wrote to memory of 676	5432	czh3ngwa.yy1.exe	7
PID 5432 wrote to memory of 968	5432	czh3ngwa.yy1.exe	12
PID 5432 wrote to memory of 316	5432	czh3ngwa.yy1.exe	13
PID 676 wrote to memory of 2656	676	lsass.exe	46
PID 5432 wrote to memory of 428	5432	czh3ngwa.yy1.exe	14
PID 5432 wrote to memory of 964	5432	czh3ngwa.yy1.exe	15
PID 5432 wrote to memory of 1100	5432	czh3ngwa.yy1.exe	17
PID 5432 wrote to memory of 1116	5432	czh3ngwa.yy1.exe	18
PID 5432 wrote to memory of 1136	5432	czh3ngwa.yy1.exe	19
PID 5432 wrote to memory of 1180	5432	czh3ngwa.yy1.exe	20
PID 5432 wrote to memory of 1304	5432	czh3ngwa.yy1.exe	21
PID 5432 wrote to memory of 1316	5432	czh3ngwa.yy1.exe	22
PID 5432 wrote to memory of 1352	5432	czh3ngwa.yy1.exe	23
PID 5432 wrote to memory of 1448	5432	czh3ngwa.yy1.exe	24
PID 5432 wrote to memory of 1472	5432	czh3ngwa.yy1.exe	25
PID 5432 wrote to memory of 1528	5432	czh3ngwa.yy1.exe	26
PID 5432 wrote to memory of 1540	5432	czh3ngwa.yy1.exe	27
PID 5432 wrote to memory of 1660	5432	czh3ngwa.yy1.exe	28
PID 5432 wrote to memory of 1692	5432	czh3ngwa.yy1.exe	29
PID 5432 wrote to memory of 1732	5432	czh3ngwa.yy1.exe	30
PID 5432 wrote to memory of 1776	5432	czh3ngwa.yy1.exe	31
PID 5432 wrote to memory of 1812	5432	czh3ngwa.yy1.exe	32
PID 5432 wrote to memory of 1892	5432	czh3ngwa.yy1.exe	33
PID 5432 wrote to memory of 1900	5432	czh3ngwa.yy1.exe	34
PID 5432 wrote to memory of 1968	5432	czh3ngwa.yy1.exe	35
PID 5432 wrote to memory of 1988	5432	czh3ngwa.yy1.exe	36
PID 5432 wrote to memory of 1688	5432	czh3ngwa.yy1.exe	37
PID 5432 wrote to memory of 2108	5432	czh3ngwa.yy1.exe	39
PID 5432 wrote to memory of 2172	5432	czh3ngwa.yy1.exe	40
PID 5432 wrote to memory of 2248	5432	czh3ngwa.yy1.exe	41
PID 676 wrote to memory of 2656	676	lsass.exe	46
PID 5432 wrote to memory of 2408	5432	czh3ngwa.yy1.exe	42
PID 5432 wrote to memory of 2416	5432	czh3ngwa.yy1.exe	43
PID 5432 wrote to memory of 2560	5432	czh3ngwa.yy1.exe	44
PID 5432 wrote to memory of 2620	5432	czh3ngwa.yy1.exe	45
PID 5432 wrote to memory of 2656	5432	czh3ngwa.yy1.exe	46
PID 5432 wrote to memory of 2684	5432	czh3ngwa.yy1.exe	47
PID 5432 wrote to memory of 2700	5432	czh3ngwa.yy1.exe	48
PID 5432 wrote to memory of 2848	5432	czh3ngwa.yy1.exe	49
PID 5432 wrote to memory of 2944	5432	czh3ngwa.yy1.exe	50
PID 5432 wrote to memory of 3036	5432	czh3ngwa.yy1.exe	51
PID 5432 wrote to memory of 3048	5432	czh3ngwa.yy1.exe	52
PID 5432 wrote to memory of 3016	5432	czh3ngwa.yy1.exe	54
PID 5432 wrote to memory of 3320	5432	czh3ngwa.yy1.exe	55
PID 5432 wrote to memory of 3404	5432	czh3ngwa.yy1.exe	56
PID 5432 wrote to memory of 3532	5432	czh3ngwa.yy1.exe	57
PID 5432 wrote to memory of 3736	5432	czh3ngwa.yy1.exe	58
PID 5432 wrote to memory of 3892	5432	czh3ngwa.yy1.exe	60
PID 5432 wrote to memory of 3592	5432	czh3ngwa.yy1.exe	62
PID 5432 wrote to memory of 4300	5432	czh3ngwa.yy1.exe	64
PID 5432 wrote to memory of 5680	5432	czh3ngwa.yy1.exe	65
PID 5432 wrote to memory of 3392	5432	czh3ngwa.yy1.exe	67
PID 5432 wrote to memory of 452	5432	czh3ngwa.yy1.exe	68
PID 5432 wrote to memory of 5872	5432	czh3ngwa.yy1.exe	69
PID 5432 wrote to memory of 5944	5432	czh3ngwa.yy1.exe	70
PID 5432 wrote to memory of 1720	5432	czh3ngwa.yy1.exe	72
PID 5432 wrote to memory of 1444	5432	czh3ngwa.yy1.exe	73
PID 5432 wrote to memory of 5044	5432	czh3ngwa.yy1.exe	74
PID 5432 wrote to memory of 6096	5432	czh3ngwa.yy1.exe	75
PID 5432 wrote to memory of 5996	5432	czh3ngwa.yy1.exe	76
PID 5432 wrote to memory of 5932	5432	czh3ngwa.yy1.exe	77

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:316
- C:\Windows\system32\wlrmdr.exe
  -s -1 -f 2 -t Your PC will automatically restart in one minute -m Windows ran into a problem and needs to restart. You should close this message now and save your work. -a 3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5328

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 676 -s 4200
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1136
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1304

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1472
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1988

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2620

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2656

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2684

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2944

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3320

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3404
- C:\Users\Admin\AppData\Local\Temp\57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe
  "C:\Users\Admin\AppData\Local\Temp\57d8199712f6f26f823f126d36745bb96fdec8d3ea2cb92b42b655a8adbba21f.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\czh3ngwa.yy1.exe
    "C:\Users\Admin\AppData\Local\Temp\czh3ngwa.yy1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:4300

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:3392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:5872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1444

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:5044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:6096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:5996

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:5932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:5864

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3612

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2352

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA410.tmp.csv

Filesize
38KB

MD5
f40e9e6f2afc5370d4262bb8287ce4fe

SHA1
340db7c8fa196a11a17d16e63101e15b0a976a08

SHA256
bc3dc2d3492632b40c701f227ba8b819f69eb907aa0636615854d53162a72c90

SHA512
bbc6df02c6e910da00f456ff99916257bc4cb04c8b51a7260af6f9600b76750a21efdcfca4e9dfdb234457aeb123e5eb344472eb32e4c2678d0b6e28ca3ee737

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERA4CC.tmp.txt

Filesize
13KB

MD5
6fa4af8dd5784fed1f60f28fa92f161e

SHA1
7d74ecca1922f3a26f192492fcaba3ba8cc9bced

SHA256
848ebbd56029bc5cf81cf0b8b61c6f6040f34895ee50ad19943bc09299f348f5

SHA512
d828f2c1695289c9d6903aa5ef2c53a0d732c3b0320b511cbd4f489ca3314b20247b7b248c28dffe2b9d1b76757bbedae5425c7df8cbcfe7328cd9d52079c7c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
7ad2d0fa450455bf3fe198a21dbc195c

SHA1
bda92c67d64627f08336f0477489e1eddb4b7d95

SHA256
00399cc0be035a8dee30474a81129028590ca6642c004d133e45000e4d7d20b9

SHA512
180dc62f6ce18578a9f0b9ec228cdacebcc23b3c6c8df746dcc2a48eb3ac5354297885fd2514487fd3391ef8b74471e232a4a17bad9063b3b37dfc3a92abe5cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\czh3ngwa.yy1.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
memory/316-25-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/316-24-0x0000015EA4730000-0x0000015EA475B000-memory.dmp

Filesize
172KB

Download
memory/316-32-0x0000015EA4730000-0x0000015EA475B000-memory.dmp

Filesize
172KB

Download
memory/428-41-0x000002A73A580000-0x000002A73A5AB000-memory.dmp

Filesize
172KB

Download
memory/428-39-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/428-38-0x000002A73A580000-0x000002A73A5AB000-memory.dmp

Filesize
172KB

Download
memory/428-345-0x000002A73A580000-0x000002A73A5AB000-memory.dmp

Filesize
172KB

Download
memory/612-16-0x000001F732D60000-0x000001F732D8B000-memory.dmp

Filesize
172KB

Download
memory/612-17-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/612-28-0x00007FFE0E22D000-0x00007FFE0E22E000-memory.dmp

Filesize
4KB

Download
memory/612-27-0x000001F732D60000-0x000001F732D8B000-memory.dmp

Filesize
172KB

Download
memory/612-14-0x000001F732D30000-0x000001F732D55000-memory.dmp

Filesize
148KB

Download
memory/676-20-0x0000020C87BB0000-0x0000020C87BDB000-memory.dmp

Filesize
172KB

Download
memory/676-22-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/676-29-0x0000020C87BB0000-0x0000020C87BDB000-memory.dmp

Filesize
172KB

Download
memory/676-30-0x00007FFE0E22F000-0x00007FFE0E230000-memory.dmp

Filesize
4KB

Download
memory/676-31-0x00007FFE0E22C000-0x00007FFE0E22D000-memory.dmp

Filesize
4KB

Download
memory/964-48-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/964-349-0x000001DF8A560000-0x000001DF8A58B000-memory.dmp

Filesize
172KB

Download
memory/964-47-0x000001DF8A560000-0x000001DF8A58B000-memory.dmp

Filesize
172KB

Download
memory/964-53-0x000001DF8A560000-0x000001DF8A58B000-memory.dmp

Filesize
172KB

Download
memory/968-34-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/968-33-0x000001E0CBBE0000-0x000001E0CBC0B000-memory.dmp

Filesize
172KB

Download
memory/968-36-0x000001E0CBBE0000-0x000001E0CBC0B000-memory.dmp

Filesize
172KB

Download
memory/968-344-0x000001E0CBBE0000-0x000001E0CBC0B000-memory.dmp

Filesize
172KB

Download
memory/1100-351-0x000001F8B0F60000-0x000001F8B0F8B000-memory.dmp

Filesize
172KB

Download
memory/1100-58-0x000001F8B0F60000-0x000001F8B0F8B000-memory.dmp

Filesize
172KB

Download
memory/1100-59-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1100-64-0x000001F8B0F60000-0x000001F8B0F8B000-memory.dmp

Filesize
172KB

Download
memory/1116-50-0x000002DF798C0000-0x000002DF798EB000-memory.dmp

Filesize
172KB

Download
memory/1116-350-0x000002DF798C0000-0x000002DF798EB000-memory.dmp

Filesize
172KB

Download
memory/1116-57-0x000002DF798C0000-0x000002DF798EB000-memory.dmp

Filesize
172KB

Download
memory/1116-51-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1136-61-0x000001B32CBC0000-0x000001B32CBEB000-memory.dmp

Filesize
172KB

Download
memory/1136-62-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1180-54-0x000001DE000C0000-0x000001DE000EB000-memory.dmp

Filesize
172KB

Download
memory/1180-55-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1304-68-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1304-67-0x0000013F31F60000-0x0000013F31F8B000-memory.dmp

Filesize
172KB

Download
memory/1316-71-0x00007FFDCE210000-0x00007FFDCE220000-memory.dmp

Filesize
64KB

Download
memory/1316-70-0x000001621A3C0000-0x000001621A3EB000-memory.dmp

Filesize
172KB

Download
memory/4412-343-0x00000252C13C0000-0x00000252C13D0000-memory.dmp

Filesize
64KB

Download
memory/4412-13-0x00000252C12E0000-0x00000252C12EE000-memory.dmp

Filesize
56KB

Download
memory/4412-2-0x00000252A6EF0000-0x00000252A6F1C000-memory.dmp

Filesize
176KB

Download
memory/4412-1-0x00000252A6B20000-0x00000252A6B5E000-memory.dmp

Filesize
248KB

Download
memory/4412-352-0x00000252C13C0000-0x00000252C13D0000-memory.dmp

Filesize
64KB

Download
memory/4412-0-0x00007FFDEFFE3000-0x00007FFDEFFE5000-memory.dmp

Filesize
8KB

Download
memory/5432-12-0x00007FFE0D360000-0x00007FFE0D41E000-memory.dmp

Filesize
760KB

Download
memory/5432-11-0x00007FFE0E190000-0x00007FFE0E385000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads