xworm | ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

Analysis

max time kernel
272s
max time network
274s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 09:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

40KB
MD5

a2abffd7525046355e99e8673c3701fe
SHA1

6e1aaff66b5aac7a1c3df969b36da6141a95a4f9
SHA256

ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e
SHA512

96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22
SSDEEP

768:olc+DXf6pUAbfsW09Uf929NiTnFPw9in6rOphHuUF8M:oW+upUADfnuNYFY9in6rOpxf8M

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

amount-acceptance.gl.at.ply.gg:7420

Mutex

k2N8rf6LqCqdtF6c

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

behavioral1/memory/1832-1-0x00000000006E0000-0x00000000006F0000-memory.dmp family_xworm
C:\ProgramData\svhost.exe family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1420 powershell.exe
3420 powershell.exe
2060 powershell.exe
2840 powershell.exe

resource	yara_rule
behavioral1/memory/1832-1-0x00000000006E0000-0x00000000006F0000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm

Drops startup file 2 IoCs

Processes:

XClient.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	XClient.exe

Executes dropped EXE 4 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exe

pid process

4520 svhost.exe
5908 svhost.exe
5776 svhost.exe
5112 svhost.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

XClient.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" XClient.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

Telegram.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini Telegram.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4520	svhost.exe
5908	svhost.exe
5776	svhost.exe
5112	svhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	XClient.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Telegram.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	XClient.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeTelegram.exeXClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	Telegram.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	XClient.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "111"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 18 IoCs

Processes:

Telegram.exemsedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe\" -- \"%1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\ = "URL:Telegram Link"	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-952492217-3293592999-1071733403-1000\{5F27D797-D571-4704-B161-B7A7F1B26398}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open\command	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\URL Protocol	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell\open	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\DefaultIcon	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe\" -- \"%1\""	Telegram.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\Downloads\\Telegram\\Telegram.exe,1\""	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tg\shell	Telegram.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\tdesktop.tg	Telegram.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier msedge.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2004 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

Telegram.exe

pid process

6124 Telegram.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier	msedge.exe

pid	process
2004	schtasks.exe

pid	process
6124	Telegram.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
1420	powershell.exe
1420	powershell.exe
3420	powershell.exe
3420	powershell.exe
2060	powershell.exe
2060	powershell.exe
2840	powershell.exe
2840	powershell.exe
2760	msedge.exe
2760	msedge.exe
4668	msedge.exe
4668	msedge.exe
5052	msedge.exe
5052	msedge.exe
4564	identity_helper.exe
4564	identity_helper.exe
4824	msedge.exe
4824	msedge.exe
2548	msedge.exe
2548	msedge.exe
5244	msedge.exe
5244	msedge.exe
5244	msedge.exe
5244	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

XClient.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	1832	XClient.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1832	XClient.exe
Token: SeDebugPrivilege	4520	svhost.exe
Token: SeDebugPrivilege	5908	svhost.exe
Token: SeDebugPrivilege	5776	svhost.exe
Token: SeDebugPrivilege	5112	svhost.exe
Token: SeShutdownPrivilege	1648	shutdown.exe
Token: SeRemoteShutdownPrivilege	1648	shutdown.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

msedge.exeTelegram.exe

pid	process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
6124	Telegram.exe
6124	Telegram.exe
6124	Telegram.exe
6124	Telegram.exe

Suspicious use of SendNotifyMessage 18 IoCs

Processes:

msedge.exeTelegram.exe

pid	process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
6124	Telegram.exe
6124	Telegram.exe
6124	Telegram.exe
6124	Telegram.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Telegram.exeLogonUI.exe

pid process

6124 Telegram.exe
6124 Telegram.exe
4924 LogonUI.exe

pid	process
6124	Telegram.exe
6124	Telegram.exe
4924	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

XClient.exemsedge.exe

description	pid	process	target process
PID 1832 wrote to memory of 1420	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 1420	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 3420	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 3420	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 2060	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 2060	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 2840	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 2840	1832	XClient.exe	powershell.exe
PID 1832 wrote to memory of 2004	1832	XClient.exe	schtasks.exe
PID 1832 wrote to memory of 2004	1832	XClient.exe	schtasks.exe
PID 2760 wrote to memory of 2840	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 2840	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3832	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 4668	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 4668	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe
PID 2760 wrote to memory of 3568	2760	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\SYSTEM32\shutdown.exe
shutdown.exe /f /s /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe4,0x10c,0x7ffa08353cb8,0x7ffa08353cc8,0x7ffa08353cd8
2⤵
PID:2840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:2988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
2⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
2⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:3736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5696 /prefetch:8
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5700 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
2⤵
PID:428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
2⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:5148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
2⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
2⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
2⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6800 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
2⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,10384525257846707723,3915216413332200412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5664

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5908

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Users\Admin\Downloads\Telegram\Telegram.exe
"C:\Users\Admin\Downloads\Telegram\Telegram.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6124

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa389c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4924

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
40KB

MD5
a2abffd7525046355e99e8673c3701fe

SHA1
6e1aaff66b5aac7a1c3df969b36da6141a95a4f9

SHA256
ac457a57600ba7fd011d94e6574b935a9589dd60b63d6ee6b5db67342ce5710e

SHA512
96b3b3750d9abaa627780eccb74dd870bb84ad1fb928233844054b2d24306f6f937f0762619d0b0209a8744aabbe278c773539fb8791987606427d8bfa767d22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
98792f2d1b3d638630fa601df6823aed

SHA1
ee50e507b28f67314752754cce5b2fd3fe739241

SHA256
3f63c900813de99733f162952bb27d374ba2e07d7751965b4de4a557cb4478ce

SHA512
b06c3057f15b00d4d04ac35943e9c2fd44031a72043b79131b0c6a7617ad9c4f2480633bd78ba8d3be61899b5182d2cab6889c0a82e17e9b8a363efed4b69f4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.log
Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
46bfadfc09e91238fe82de0fe30d91d2

SHA1
5da9d92d08803a52c63c1b96c6027e603e5fc3ef

SHA256
99733b0f1fec41252c1cf23c4a77b60aa371815f1c4c6fca5b0f81e81edf0f1d

SHA512
594994c4261e410c895b7f9b83562cd35eff449acb8fe1c124939a9e6c6fb8153516aff2445719fb73e8ba9df98c425ab30f247aa30571fc4d9cf2979f7582ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6c9e5afa53a396c5663f22632a417d09

SHA1
d0ab4eae378aafc7dfbf87e22a3113a642f0633a

SHA256
50ded1ff4676a285d97aca12244287f807e5c9dc5d258a63fb22a248557fb9b1

SHA512
543d694c98ef09020792e911313b31da77233a39d7de4d7ebe320bbd82b6c830f86983bbd5642b6c546b50de90e1644b80e2fb8400dd95800ec7c44bc17947e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
41KB

MD5
b15016a51bd29539b8dcbb0ce3c70a1b

SHA1
4eab6d31dea4a783aae6cabe29babe070bd6f6f0

SHA256
e72c68736ce86ec9e3785a89f0d547b4993d5a2522a33104eeb7954eff7f488a

SHA512
1c74e4d2895651b9ab86158396bcce27a04acfb5655a32a28c37ee0ebd66cd044c3c895db7e14acc41a93db55463310425c188a7c503f0308ce894cf93df219f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
67KB

MD5
9e3f75f0eac6a6d237054f7b98301754

SHA1
80a6cb454163c3c11449e3988ad04d6ad6d2b432

SHA256
33a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf

SHA512
5cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
1.2MB

MD5
620dd00003f691e6bda9ff44e1fc313f

SHA1
aaf106bb2767308c1056dee17ab2e92b9374fb00

SHA256
eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586

SHA512
3e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
b984f65da7fe37c3215b7c61071d3d1a

SHA1
3cb407bd7b59845ec7104656ba36b61452d771a6

SHA256
dd898d0b98db7c43e49d2093bd50bc56b13b615ad97f8774a11ebadf7b2769e6

SHA512
e449d94547dc45686e86491ef9001447c41d643158e01e99dae9ac1bb881a4bd62eb4ddcfe11feb8bc83e5751e6454e74b37e214d1d4d3a6c3edd067e83f89d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
a6de053ff6d458b21cb700cfce2188a4

SHA1
78f33342b4528c38b3f30bf86a5c35402dbd7e6b

SHA256
ebafbe2367d781495d71a65f4be31528e46cccd17f80ef3bc41a0e52fc036b10

SHA512
c96320534532500ef50584cdb2dde6580112e32e530ed1842d25f01c55e7814d8f8373612406e397c71eb7e9aed805dfc9bf5b68b76abc624d2cbe71632a09c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
fa3c24cb899c74bdcdf1417e373840b5

SHA1
391464240e3e3e3a6e00ab5f367c67fd75cabb06

SHA256
4451bdceb91292368b10f2a4ce403c3fcf9b523778e47adfac69b988eadff87f

SHA512
c1701d6911643c9d0fdb5d1d15bdc514176ab4ebb5fe5495fbc49b364e975c7134be52449cb7d8afbda6253de53296e91934a33e51bc9dc6942cdab9010fdfd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e2dc8e649e4daed002fe293e708aa6a8

SHA1
7e30aa39003b669fbb538030ad437a6106db4cc6

SHA256
147cf5b1400108de4884e9cec0ccd68bc8ae7bc633d1ce619ab7d000ffb0b891

SHA512
ee7961c7812ca0fa656ec5ef44b85384a69b33117d105f722febe165e9ac26378981a752ef98bed11457d88cfd0b947aaa3df7b1c882abd3afef862874afccc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
fc3351a3816a28c8eebb9a6a6d3f3d09

SHA1
ce5d19a61bd7a8fe387a14d7cd58c250a47cfdd7

SHA256
aa5a12ec18b84273aada25efd39e1752bd7db4155a0059f42a924ea8047e2e35

SHA512
65b02bb2ec95cf41ce9532f1006f9954b62956e4800cf58779204de30fe77a8ba4309d7e7aa2eb1ce19d67592be7cf609c431b2a46060b1e0b91275515ed3a3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f117d06cb4aab99f8b681a6ccc17d2c6

SHA1
09e4b61f28d9ca95a8ad6a0c5a7e334630b02695

SHA256
5111140425311aded0efe4658e7061aff08a0c0f793577e948340d46213671e6

SHA512
b348e428839652f6b35f61e0bc4de41630c3b04b3265301c5a281ed6b8e40f8c2001a1f58d13085b99d1b7e5f20fd3bf3f350ce56b3750ca0ca4a82e261909b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
41a7a29e0335cd8781ea125f1509ea24

SHA1
82ff48ed5e4ad037ffd3a3b0237574c23db85a3e

SHA256
885c0be1bf9c76caf2f5e73bb51ec3caeda35b18f9469cad764a52a51ccc6c55

SHA512
9ba1bd9d1a3855a465b84da2c81d1c53034f96f7a27fe4bfb9a1605422eace1b17d67a722960bc726c61929e36e7d2bae33b71dcd54dd534a1dabca9f32df686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
cd6050d3a6e28fcc0a9df3e9f978f892

SHA1
7895b95d23de6bd2576f4a429ab578ce73f5cf6d

SHA256
89c9102fa54294c738a0a4ea65cb93f59033074669fcda7e59d09cdb552f9b0c

SHA512
02f866882c952386719a340be79817e79d22e1c040d8b7e13d52e511b4c1ac721731e0e039623027c0938d28dad36ecf6d6a7f969667bfd29884d24204a014cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
78d1122f61459c8468beb793082db77a

SHA1
aca1d1d21113b6a179182cc5a8c04ef84aec64c8

SHA256
ef6b23de87c4a90e4b702ea90cb27ccfb67c2f666560f0d95937c1e03f73bf56

SHA512
dc28d20027aa9a007fbe4b860ec3f38951b2a23527417923adf92197a67df789de1b94a2fbff7f16aed1dc3e8037d1bd82c05863afbc77e376b5d8a30dcd427c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
315c49cc1678b2a8cacbb04d57bcdcc6

SHA1
461c4ec8eca02350d163940a2e0178f9d14b305f

SHA256
11f03f4fde08509b6c518e25009c330cadec544fb645aee1c328eeb6a3854a5e

SHA512
1e23d8681ec21d2e00e3bd7fcd9d8b633f28cd3cf6ebdb6b6583e25450e1d4d13da75534013a80eb16966f9f32edf0949a579c89cb9a9542abee84b608eb5f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5890b2.TMP
Filesize
1KB

MD5
00a0a8e5dc275c02825c52ee16536013

SHA1
739151dbd4cb2632ba90100bc94ce8346b8d794b

SHA256
9408a5d58ed015845aefc927a3a0dc2a6741f884b4773d99d248933f35b4b011

SHA512
f87a7311a5395168ee2d649ce3a7568e513f2c87a0d2d3c69646c477c7eeb1bb130c5a3193a560e0b639186ccbc203b6ec62c3926e2fbf6660d1895f889bc61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
d5f3606fed855e0ddaa907333d52f978

SHA1
1a90bad6b08e81fd96f3ed38beb40b3113b1a7d5

SHA256
c55ceddc69faa7f4b26a0ace06c54cbfa418090f689150188b9a41d7ed2435e2

SHA512
50ea78bec288da1ea9e8e92e14ac4a07616620fde755b9b1966ebb5a9c7a5337f1d9082fb0c7f70d6453d44f87793640c2b96a6d111d9e0cd8aec634ef819136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
aa187aa4e965e85421bb72f7883f6630

SHA1
ff05216c766d61f39833e1d1b53f8738f01379a7

SHA256
d9b53b8c7b9545190dc06e735fa2b40b9397787a6503c1adf72fda3131413079

SHA512
60716147c8fbfafeba1c3f1336ea31ffcf55f61520299f0b01be04793973fd7392c34764aac3e90db7d5f86841b73fcedc3c07f79f110e334278a55539976e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e32254d2b1dd8b4a4f75b90944cfdb78

SHA1
257aa296e80fff5787cdbe43d7b33f9c91fb8832

SHA256
76f2227c2d1c799e39b5017826d83a2bfc300489f7eb2b265fa04a0234f0037a

SHA512
f2b73d43db93085dcab6b365413c150cb979dc00d76866ebcc69ea9fcf82bb126da82ccc1ca4a2d164239f1c01aea37b18306f916c9db4c48b8b65bd14ddd9ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
051a74485331f9d9f5014e58ec71566c

SHA1
4ed0256a84f2e95609a0b4d5c249bca624db8fe4

SHA256
3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888

SHA512
1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
856900844f6f1c326c89d0bcfb2f0c28

SHA1
1caad440d46fa8c0cbed4822b4be2bbdddba97c2

SHA256
ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32

SHA512
ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nlhb4135.4ku.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\tportable-x64.5.2.0.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_2760_RVOAAUZMZXPSISNF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1420-11-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1420-10-0x000001B6DF400000-0x000001B6DF422000-memory.dmp

Filesize
136KB

Download
memory/1420-19-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1420-18-0x000001B6DF470000-0x000001B6DF5BF000-memory.dmp

Filesize
1.3MB

Download
memory/1420-15-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1420-14-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1420-13-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1420-12-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1832-62-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1832-58-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/1832-61-0x000000001B410000-0x000000001B41C000-memory.dmp

Filesize
48KB

Download
memory/1832-60-0x000000001CE60000-0x000000001D388000-memory.dmp

Filesize
5.2MB

Download
memory/1832-59-0x000000001BD60000-0x000000001BD6C000-memory.dmp

Filesize
48KB

Download
memory/1832-637-0x000000001C7A0000-0x000000001C850000-memory.dmp

Filesize
704KB

Download
memory/1832-0-0x00007FFA0D273000-0x00007FFA0D275000-memory.dmp

Filesize
8KB

Download
memory/1832-1-0x00000000006E0000-0x00000000006F0000-memory.dmp

Filesize
64KB

Download
memory/1832-773-0x00007FFA0D270000-0x00007FFA0DD32000-memory.dmp

Filesize
10.8MB

Download
memory/2060-42-0x000001D35B140000-0x000001D35B28F000-memory.dmp

Filesize
1.3MB

Download
memory/2840-53-0x000001C35A190000-0x000001C35A2DF000-memory.dmp

Filesize
1.3MB

Download
memory/3420-31-0x0000021DFAFC0000-0x0000021DFB10F000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads