Analysis
  max time kernel: 1048s
  max time network: 992s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 11-05-2024 10:28
Behavioral task: behavioral1
  Sample: kiddions.exe
  Resource: win10v2004-20240508-en
General
  Target: kiddions.exe
  Size: 77KB
  MD5: 66457c38d36822b43c72333837268fce
  SHA1: 45279743be3613147f741715e620fe9ee9136eb6
  SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
  SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca
  SSDEEP: 1536:eYFcsoTxxsSq9H0RsqhLJxfRjj+wiGbgZqBQGaYu6nObbHh/GT:er9+URNhbRjy3GbgIpOXHhuT
Malware Config
Extracted
  xworm
    127.0.0.1:45129
    Install_directory: %AppData%
    install_file: XClient.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
- resource behavioral1/memory/4596-1-0x00000000008A0000-0x00000000008BA000-memory.dmp, yara_rule family_xworm
- resource C:\Users\Admin\AppData\Roaming\XClient.exe, yara_rule family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- pid 3268 powershell.exe
- pid 532 powershell.exe
- pid 4536 powershell.exe
- pid 5000 powershell.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (process: kiddions.exe)
Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: kiddions.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk (process: kiddions.exe)
Executes dropped EXE (18 IoCs)
Processes (pid, process):
- 5092 XClient.exe
- 3456 XClient.exe
- 1652 XClient.exe
- 2964 XClient.exe
- 2332 XClient.exe
- 4332 XClient.exe
- 3268 XClient.exe
- 900 XClient.exe
- 4344 XClient.exe
- 2784 XClient.exe
- 3952 XClient.exe
- 3552 XClient.exe
- 3272 XClient.exe
- 840 XClient.exe
- 2032 XClient.exe
- 3128 XClient.exe
- 3096 XClient.exe
- 2528 XClient.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" (process: kiddions.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 19, ioc ip-api.com
Drops file in Windows directory (1 IoCs)
Processes:
- File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (process: mspaint.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes (pid, process):
- 4596 kiddions.exe
- 1660 vlc.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process; repeated rows collapsed with a count, 64 rows in total):
- 3268 powershell.exe (x2)
- 532 powershell.exe (x2)
- 4536 powershell.exe (x2)
- 5000 powershell.exe (x2)
- 4596 kiddions.exe
- 4600 msedge.exe (x2)
- 684 msedge.exe (x2)
- 2888 msedge.exe (x4)
- 1568 identity_helper.exe (x2)
- 4196 mspaint.exe (x2)
- 4596 kiddions.exe (x43)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 1660 vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process):
- 684 msedge.exe (x7)
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 4596 kiddions.exe
- Token: SeDebugPrivilege, 3268 powershell.exe
- Token: SeDebugPrivilege, 532 powershell.exe
- Token: SeDebugPrivilege, 4536 powershell.exe
- Token: SeDebugPrivilege, 5000 powershell.exe
- Token: SeDebugPrivilege, 4596 kiddions.exe
- Token: SeDebugPrivilege, 5092 XClient.exe
- Token: SeDebugPrivilege, 3456 XClient.exe
- Token: SeDebugPrivilege, 1652 XClient.exe
- Token: SeDebugPrivilege, 2964 XClient.exe
- Token: SeDebugPrivilege, 2332 XClient.exe
- Token: SeDebugPrivilege, 4332 XClient.exe
- Token: SeDebugPrivilege, 3268 XClient.exe
- Token: SeDebugPrivilege, 900 XClient.exe
- Token: SeDebugPrivilege, 4344 XClient.exe
- Token: SeDebugPrivilege, 2784 XClient.exe
- Token: SeDebugPrivilege, 3952 XClient.exe
- Token: SeDebugPrivilege, 3552 XClient.exe
- Token: SeDebugPrivilege, 3272 XClient.exe
- Token: SeDebugPrivilege, 840 XClient.exe
- Token: SeDebugPrivilege, 2032 XClient.exe
- Token: SeDebugPrivilege, 3128 XClient.exe
- Token: SeDebugPrivilege, 3096 XClient.exe
- Token: SeDebugPrivilege, 2528 XClient.exe
Suspicious use of FindShellTrayWindow (34 IoCs)
Processes (pid, process; repeated rows collapsed with a count, 34 rows in total):
- 1660 vlc.exe (x9)
- 684 msedge.exe (x25)
Suspicious use of SendNotifyMessage (32 IoCs)
Processes (pid, process; repeated rows collapsed with a count, 32 rows in total):
- 1660 vlc.exe (x8)
- 684 msedge.exe (x24)
Suspicious use of SetWindowsHookEx (6 IoCs)
Processes (pid, process):
- 4596 kiddions.exe
- 1660 vlc.exe
- 4196 mspaint.exe (x4)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description; pid, process; target process; repeated rows collapsed with a count, 64 rows in total):
- PID 4596 wrote to memory of 3268; 4596 kiddions.exe; powershell.exe (x2)
- PID 4596 wrote to memory of 532; 4596 kiddions.exe; powershell.exe (x2)
- PID 4596 wrote to memory of 4536; 4596 kiddions.exe; powershell.exe (x2)
- PID 4596 wrote to memory of 5000; 4596 kiddions.exe; powershell.exe (x2)
- PID 4596 wrote to memory of 1852; 4596 kiddions.exe; schtasks.exe (x2)
- PID 684 wrote to memory of 2696; 684 msedge.exe; msedge.exe (x2)
- PID 684 wrote to memory of 1904; 684 msedge.exe; msedge.exe (x40)
- PID 684 wrote to memory of 4600; 684 msedge.exe; msedge.exe (x2)
- PID 684 wrote to memory of 2004; 684 msedge.exe; msedge.exe (x10)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented beneath their parent)

C:\Users\Admin\AppData\Local\Temp\kiddions.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\kiddions.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'kiddions.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
      - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files\VideoLAN\VLC\vlc.exe
  Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DenyComplete.m4v"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfa3746f8,0x7ffcfa374708,0x7ffcfa374718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3076 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1926016854565967121,16391483557457453731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Pictures\TestUnregister.emf"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Roaming\XClient.exe
  Command line: C:\Users\Admin\AppData\Roaming\XClient.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 87f7abeb82600e1e640b843ad50fe0a1
  SHA1: 045bbada3f23fc59941bf7d0210fb160cb78ae87
  SHA256: b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
  SHA512: ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 180B
  MD5: 00a455d9d155394bfb4b52258c97c5e5
  SHA1: 2761d0c955353e1982a588a3df78f2744cfaa9df
  SHA256: 45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed
  SHA512: 9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6ef2b386ddfe8ec9455ca47c16b0eaef
  SHA1: c656537021542e9d81de12f30905492e331c47f9
  SHA256: c6fa616d466204bb3d236b09f284ef630d39e461bd047b9cb6e6e1e32b08f5da
  SHA512: 53248e8811cf873c8d66c1217506733bbf164df2eebfd45efe6685bdf0c9bf645be4d21938f915ec0192c68c0e56221e5d58f7a692b82edb1990cc2549f0f663

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d262423eb898a442f3a0f6e983ff421e
  SHA1: 27b537069e9d1f60ade46ec36ca4e46422330ea3
  SHA256: 07b9b4f48f354321d767dbabce58e3379e930fbb7a6999a20a943bff3e14a870
  SHA512: a2b76250d4e30cababab98877cf5f6362a6532df3035da84e887b8d0fa6f1973b158f5b4ffebef611df89faa63068204fe4ee7815405aff4f38322c6fe127c28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 59dc3bc132a9ca7882f239033b6e9003
  SHA1: fe880cfb2741db6eb84402261fa143b7ed49de49
  SHA256: 1f08fd50d0ac42c4e0ebaadd202cf8dd190886740606bf41846047395680342b
  SHA512: e1ceb7de950b944c8d4c22dd056d2d99305b74cfa2e578853ffd4963015e7a27906a2c3ce5a4367f1d4829a553cd07aeaf0c19d9f52bd70758c32b2a6a63c763

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 3a6bad9528f8e23fb5c77fbd81fa28e8
  SHA1: f127317c3bc6407f536c0f0600dcbcf1aabfba36
  SHA256: 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
  SHA512: 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: ef72c47dbfaae0b9b0d09f22ad4afe20
  SHA1: 5357f66ba69b89440b99d4273b74221670129338
  SHA256: 692ec20c7039170fb199510f0436181fd155e6b4516d4d1c9e1675adf99aaa7f
  SHA512: 7514b6bc8dc39fa618223300be27cd535dc35b18c66b4a089e2302e72b3e0cac06d88a989fa1296feb386b3cbe2084019df6430c7f895071b76e04ce559a30b4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: da5c82b0e070047f7377042d08093ff4
  SHA1: 89d05987cd60828cca516c5c40c18935c35e8bd3
  SHA256: 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
  SHA512: 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ptoxlyqq.3lo.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\XClient.exe
  Filesize: 77KB
  MD5: 66457c38d36822b43c72333837268fce
  SHA1: 45279743be3613147f741715e620fe9ee9136eb6
  SHA256: 3b280af17ea33850c3652f64436f4f02760afe4f0ba9bb9d63596dc942cac882
  SHA512: bcc68460de0100d48806b5092dfcca1b69137f976c727f38e23f375b9c9d2c64f7e641c7e15005957bc975219cbba4fbb695617a3dbe8ea1e5da95f3dd2351ca

memory/1660-78-0x00007FF725A50000-0x00007FF725B48000-memory.dmp
  Filesize: 992KB

memory/1660-79-0x00007FFD0E1C0000-0x00007FFD0E1F4000-memory.dmp
  Filesize: 208KB

memory/1660-80-0x00007FFCFA0D0000-0x00007FFCFA386000-memory.dmp
  Filesize: 2.7MB

memory/1660-81-0x00007FFCF6330000-0x00007FFCF73E0000-memory.dmp
  Filesize: 16.7MB

memory/3268-18-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/3268-15-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/3268-14-0x0000024E78290000-0x0000024E782B2000-memory.dmp
  Filesize: 136KB

memory/3268-4-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/3268-3-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/4596-65-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp
  Filesize: 8KB

memory/4596-106-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/4596-0-0x00007FFCFFA23000-0x00007FFCFFA25000-memory.dmp
  Filesize: 8KB

memory/4596-2-0x00007FFCFFA20000-0x00007FFD004E1000-memory.dmp
  Filesize: 10.8MB

memory/4596-1-0x00000000008A0000-0x00000000008BA000-memory.dmp
  Filesize: 104KB