xworm | a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478

Analysis

max time kernel
18s
max time network
21s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
21-05-2024 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B1OdUv8CBH.exe
Size

18.8MB
MD5

c5df5afb4679cbea28de24ff9ed306a2
SHA1

fe968a913c1377f0e85cc4c95afa3129a2f9ae22
SHA256

a12756e652171e06da8133a7abe625316b3d352fc82ed8cf199f349b7de0c478
SHA512

a4ddb32c744da55829823feb140c2c48612d442459ec76daf7ec0459327e8422222a380c53802c15b298cf122f1f86fe2891b2bf04732ef764d62fb182cd7e70
SSDEEP

196608:EXi2sOT7HnJ+7CBgHcyCkaIH2kkoyhr5QXNDe6JaCPU8rblcRHrdcKZ5CRO2HACB:ci07we4+TB6zxJcRBdCrHxwwR

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%ProgramData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/a1kmrNub

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\clientlol.exe	family_xworm
behavioral1/memory/1084-13-0x0000000000F10000-0x0000000000F28000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1168 powershell.exe
3596 powershell.exe
1808 powershell.exe
740 powershell.exe

pid	process
1168	powershell.exe
3596	powershell.exe
1808	powershell.exe
740	powershell.exe

Drops startup file 2 IoCs

Processes:

clientlol.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	clientlol.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	clientlol.exe

Executes dropped EXE 2 IoCs

Processes:

clientlol.exeKrampUI.exe

pid process

1084 clientlol.exe
4272 KrampUI.exe

pid	process
1084	clientlol.exe
4272	KrampUI.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

clientlol.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\ProgramData\\svchost"	clientlol.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 pastebin.com
5 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1388 schtasks.exe

flow	ioc
3	pastebin.com
5	pastebin.com

flow	ioc
3	ip-api.com

pid	process
1388	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

clientlol.exe

pid process

1084 clientlol.exe

pid	process
1084	clientlol.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

msedgewebview2.exepowershell.exepowershell.exepowershell.exepowershell.execlientlol.exe

pid	process
5028	msedgewebview2.exe
5028	msedgewebview2.exe
1168	powershell.exe
1168	powershell.exe
3596	powershell.exe
3596	powershell.exe
1808	powershell.exe
1808	powershell.exe
740	powershell.exe
740	powershell.exe
1084	clientlol.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

4604 msedgewebview2.exe

pid	process
4604	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

clientlol.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1084	clientlol.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	1084	clientlol.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

KrampUI.exemsedgewebview2.exe

pid process

4272 KrampUI.exe
4272 KrampUI.exe
4604 msedgewebview2.exe
4604 msedgewebview2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

KrampUI.exe

pid process

4272 KrampUI.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

clientlol.exe

pid process

1084 clientlol.exe

pid	process
4272	KrampUI.exe
4272	KrampUI.exe
4604	msedgewebview2.exe
4604	msedgewebview2.exe

pid	process
4272	KrampUI.exe

pid	process
1084	clientlol.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B1OdUv8CBH.exeKrampUI.exemsedgewebview2.exe

description	pid	process	target process
PID 2176 wrote to memory of 1084	2176	B1OdUv8CBH.exe	clientlol.exe
PID 2176 wrote to memory of 1084	2176	B1OdUv8CBH.exe	clientlol.exe
PID 2176 wrote to memory of 4272	2176	B1OdUv8CBH.exe	KrampUI.exe
PID 2176 wrote to memory of 4272	2176	B1OdUv8CBH.exe	KrampUI.exe
PID 4272 wrote to memory of 4604	4272	KrampUI.exe	msedgewebview2.exe
PID 4272 wrote to memory of 4604	4272	KrampUI.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2264	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2264	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 1456	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 5028	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 5028	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe
PID 4604 wrote to memory of 2896	4604	msedgewebview2.exe	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe
"C:\Users\Admin\AppData\Local\Temp\B1OdUv8CBH.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\ProgramData\clientlol.exe
  "C:\ProgramData\clientlol.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'clientlol.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\ProgramData\svchost"
    3⤵
    - Creates scheduled task(s)
    PID:1388
- C:\ProgramData\KrampUI.exe
  "C:\ProgramData\KrampUI.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=4272.4968.12825861739874104992
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\KrampUI\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\KrampUI\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffe56bd3cb8,0x7ffe56bd3cc8,0x7ffe56bd3cd8
      4⤵
      PID:2264
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1768,13390499027052175859,3869562969506414771,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
      4⤵
      PID:1456
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1768,13390499027052175859,3869562969506414771,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2040 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5028
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1768,13390499027052175859,3869562969506414771,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2348 /prefetch:8
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1768,13390499027052175859,3869562969506414771,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\KrampUI\EBWebView" --webview-exe-name=KrampUI.exe --webview-exe-version=1.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
      4⤵
      PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\KrampUI.exe

Filesize
17.3MB

MD5
ec02c6962ff0994f0dbc06133cb32f28

SHA1
1084bbf4c67fea18b2dd0232ad196f97ea17438c

SHA256
9663260edf06c3b9116a649af4c9fffa22f1bb3811f3e73e0f8fd6e3ba997565

SHA512
8d00d5f21209bb7ffa24ee7717db4e9294c720a62d50ee416ab6e6e6520afde1d9cacc3c364c2c4d81d3eb565efba29f9e815d384774ba0de0671496952418f6

Download Submit
C:\ProgramData\clientlol.exe

Filesize
1.5MB

MD5
da4f713eda91ee257714127d761852a3

SHA1
5901870facef99c9c850b141e8f8339721e932e4

SHA256
9d27a2b70745480a42b83777ea3aa0399c63a55c6d9b699d67f1e95f7605ebe1

SHA512
9964eca29700aefa97febdbca4e829a64ec6fd050d49c720f04963fab831b528319c9b3b054f36093ef9dc7236a681fba02f1f988ec19194f124d7a75abcddf7

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\949b0b46-27a4-410e-8f79-7ac00a693325.tmp

Filesize
2KB

MD5
77fcd85af97883f5db94c10fc70fe331

SHA1
bb73c5867388d7bbbe8dd94bb87adb0ed172c788

SHA256
7a8ca098c28cde5076e4bd05a09fef3e567836e3d781881802896f157eacc16e

SHA512
417bd028d3597890c8bedd9cd2bdced1fecdaf969d3b122d3c004fa95e8d5833ca7781aac2e60aba9a5ac55db6a1ce06284294b3c9e8760168e5ab3e032c9359

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
2d584c22f96fabe49d6376132556547b

SHA1
cdb7fe0cf3ed2aeedfa9bc405a044c636203695a

SHA256
09fcc54f2ad3626b2e04edb13360ebe030c22c564a087ecef9222e4cee0e23db

SHA512
28152d74f3d3cda194ce16d566d3e6b7f77344f99c3a6e8e08525ea853fb1979bd58ff9f72283093a7152aa35e9b045c04c30b81ca7be966f9663643f24acd48

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
e866a1c208f2d90141cf9af42d4acd04

SHA1
c45c246136eba798da0a938b82b45dce85f8e0b2

SHA256
f007434d706be74a95d3a8e47018f0c78e07dcf948f4f7373fa6f310fefbcfb9

SHA512
3241058a63842f510f039028be141c2ad552b9a938eb9f7156628f1d5b9ea2dc75386fe0574d115c9fb352bb941662afee0a685dcc96bb93471cfc4f71ef4143

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\KrampUI\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5swyqenb.0h0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_4604_QVDCYCXONXJSEVQK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1084-14-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/1084-13-0x0000000000F10000-0x0000000000F28000-memory.dmp

Filesize
96KB

Download
memory/1084-84-0x00007FFE59E70000-0x00007FFE5A932000-memory.dmp

Filesize
10.8MB

Download
memory/1168-202-0x000001B4DDCF0000-0x000001B4DDD12000-memory.dmp

Filesize
136KB

Download
memory/1456-191-0x0000027EF3D00000-0x0000027EF3D31000-memory.dmp

Filesize
196KB

Download
memory/1456-42-0x00007FFE79D70000-0x00007FFE79D71000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x00000000005C0000-0x000000000188E000-memory.dmp

Filesize
18.8MB

Download
memory/2176-0-0x00007FFE59E73000-0x00007FFE59E75000-memory.dmp

Filesize
8KB

Download
memory/2896-190-0x000001A2C1480000-0x000001A2C14B1000-memory.dmp

Filesize
196KB

Download