xworm | hxxps://cdn[.]discordapp[.]com/attachments/1242148692295684136/1243270923709321226/Planet_x_loader_[.]exe?ex=6650ddc7&is=664f8c47&hm=690b0b711604fd604df670014dcac01f69a6945635377232e8a41ea06c73c6d9&

Analysis

max time kernel
145s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
23/05/2024, 18:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1242148692295684136/1243270923709321226/Planet_x_loader_.exe?ex=6650ddc7&is=664f8c47&hm=690b0b711604fd604df670014dcac01f69a6945635377232e8a41ea06c73c6d9&

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

19.ip.gl.ply.gg:38173

Attributes

Install_directory
%Userprofile%
install_file
Runtime Broker.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000300000002aa5f-91.dat	family_xworm
behavioral1/memory/3912-117-0x00000000002E0000-0x00000000002FA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2916	powershell.exe
1556	powershell.exe
3776	powershell.exe
4072	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk	XClient.exe

Executes dropped EXE 5 IoCs

pid	Process
4500	Planet_x_loader_.exe
1404	Genesis_Loader.exe
3912	XClient.exe
4936	Runtime Broker.exe
1556	Runtime Broker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe"	XClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3204	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 803680.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Planet_x_loader_.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2208	msedge.exe
2208	msedge.exe
1928	msedge.exe
1928	msedge.exe
3768	msedge.exe
3768	msedge.exe
4516	identity_helper.exe
4516	identity_helper.exe
4828	msedge.exe
4828	msedge.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
2916	powershell.exe
2916	powershell.exe
2916	powershell.exe
1556	powershell.exe
1556	powershell.exe
1556	powershell.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe
1404	Genesis_Loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	XClient.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3912	XClient.exe
Token: SeDebugPrivilege	4936	Runtime Broker.exe
Token: SeDebugPrivilege	1556	Runtime Broker.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3912	XClient.exe
1548	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2400	1928	msedge.exe	80
PID 1928 wrote to memory of 2400	1928	msedge.exe	80
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 3000	1928	msedge.exe	82
PID 1928 wrote to memory of 2208	1928	msedge.exe	83
PID 1928 wrote to memory of 2208	1928	msedge.exe	83
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84
PID 1928 wrote to memory of 2812	1928	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1242148692295684136/1243270923709321226/Planet_x_loader_.exe?ex=6650ddc7&is=664f8c47&hm=690b0b711604fd604df670014dcac01f69a6945635377232e8a41ea06c73c6d9&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd82603cb8,0x7ffd82603cc8,0x7ffd82603cd8
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Users\Admin\Downloads\Planet_x_loader_.exe
  "C:\Users\Admin\Downloads\Planet_x_loader_.exe"
  2⤵
  - Executes dropped EXE
  PID:4500
- - C:\Users\Admin\Genesis_Loader.exe
    "C:\Users\Admin\Genesis_Loader.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c color 3
      4⤵
      PID:3120
- - C:\Users\Admin\XClient.exe
    "C:\Users\Admin\XClient.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of AdjustPrivilegeToken
      PID:4072
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"
      4⤵
      Creates scheduled task(s)
      PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,8901002991573746336,12828136565494063968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6112 /prefetch:2
  2⤵
  PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2900

C:\Users\Admin\Runtime Broker.exe
"C:\Users\Admin\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Users\Admin\Runtime Broker.exe
"C:\Users\Admin\Runtime Broker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
22621eeee88fa48537406a9dfc955de9

SHA1
5a16d94b28922721b90eac27d0eef463a303d242

SHA256
d5c3aef6c48c91338ef80ce9b6c9ed27bdf4cd35ade3fa5a4614245f5c862cdd

SHA512
a34c50a8f892d83782a7aabfcf889e4229f3bea9cfaf8365599b9104d3135eead1d7ab28e63521e57f49b4846e4e6868cc41e33df5997d7dd2168dc18b64b1e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70d2e2eafe4f5a763704c108ac9c4ba9

SHA1
1fb7e75dc36481807265087d0d661e7230ba4c28

SHA256
6abc8f29314403618f5e15d7e583bc4053199e4806fd6c4cb0b6d0c0f7014b5b

SHA512
9d4c8aa4147f610fc77d5644d03ebfd45249872b799281c754f28f3610a391406ffb4dbfd5dc38369419c01356919260edb89d6ec8df7319700f23e768365af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8488e0fcfd8e72963705b58b3343a032

SHA1
bd173a4427dd5bbea0537693a7626c9a7ff76f56

SHA256
27f262210b1303eadb1747d2cc2ac41b13f6122fb25657d23ee7881353f3a330

SHA512
81f66ab109e573ed2daa26ff3478061c76266ad1462abbe36fb2145b8ca8c0a4dc8e74d7d566d6a524316a1a8230082b0c4db0dca797d90da1496a8f74c0cd5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2350c42a6d4e71a412e869612b059709

SHA1
d410c4a09f801c52590a7c0f92170cfa77f5cc76

SHA256
c603556dab3268ca5a3c305bd7c6778567a90ea69de3f277d10abfa86b322324

SHA512
4faffc589f510544cf92a86a7004f339ac3099f2e37baf1e6bdb6e67ecd66c6ad76cadf8d46dfe2c81436b25874baaff83f1d7de94535404cd85e704809f24ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cef328ddb1ee8916e7a658919323edd8

SHA1
a676234d426917535e174f85eabe4ef8b88256a5

SHA256
a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

SHA512
747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9580842b6e4c444ef252e0b068302615

SHA1
9f62bee22be6516435d7b83cd2488fc08ca56c5d

SHA256
d067c3aa15cf5974e0d9ae4eb66eeb7883dc45868391efa5e3fa272399cbb922

SHA512
56202550b1f24dc3bf4f2f03c89937438ffbc1cfdcce516c50c4821ee8b48c467da507bb5ab0124302e6c4c50a10d22bdc23016601972e1c23516da1d3b9d095

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
394f971f95da279c2ebf1a4113ce8426

SHA1
74f73a16920c5919ccb7788e3c2429c291da34d3

SHA256
5555d03ce11acdeae26b199b7bdf7220be2f8a4668800c29644740857576659f

SHA512
1ea93d43096e70a182b4a5011b20b2a0c3558b907039c8ead7c3f89cc360b8ee635789b15398ef42f6a0c74a98d9f070290d5e98f786017e4d6bc3e25a042f33

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
643bd05d5a2a61cea15ca384ef728d9b

SHA1
d263a46373da09b1d7c20e3c607016b7b221311e

SHA256
f0d07235fe5aeb9fe463bf0e1fa7b50c53768763ea61840aead602fb076a9525

SHA512
fc004b28c3eaa9cbda9b7eb94179148aa97279e18112b737dd049eb5d21015e140a321c0000f7d97307bf45193ac68109f411249a849c46ed060c362fbc773ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2wmyjebb.dpv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Planet_x_loader_.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 803680.crdownload

Filesize
13.9MB

MD5
4c80d5da7915e8de7f47e6e76ceb697f

SHA1
cb7fe9232bae3ecff588a7cbaa9eeb7504e9f1d2

SHA256
1e7f73a2dd0c15927ebf9fff85fcf0e9d2a7b470f23d6c9c759434f5336a7c06

SHA512
dd2bd4cafa5078b4b8a91dcb49f865610e50d0b374bc2a4e5d35432042a93c28e47d6a3be129a76749faba0e43282c256192b757215dea43772a90f41929356e

Download Submit
C:\Users\Admin\Genesis_Loader.exe

Filesize
13.8MB

MD5
88cfc89069c32feaf1f9176abda5821b

SHA1
e072f07cb1c33037bb9f1c6dfa86a12b6176f063

SHA256
59ae19e7177c43511fbe5a992d2b183432a0846fa0ee4f06f88a8c7a45b1e9de

SHA512
1f5b1f4bcd8981b82125e0684ae8f15e6ad7eb01f1e0cc8cb43e9018aa09e4de3036a0f2355d132d077a428987bb4d2ad71040d7cf6946c2149fafb4caa62625

Download Submit
C:\Users\Admin\XClient.exe

Filesize
77KB

MD5
44e49f60df19ffaa4c3c6adf58045e02

SHA1
2c08922b166c8052a65f3e628ee61b4554c1d440

SHA256
5c05973cf6fdbb1d5c96cf46e84a27ad06e5317e3c09da5d80aaf631fdc64597

SHA512
0d67c7f86456f08c19664169d25a687dc2529edadced31708b17f6719db2ba0824378a0319d2ead5cf8a80bdcdef4b73c079f190f14eb68c48d4acf03b526dca

Download Submit
memory/1404-120-0x00007FFD91600000-0x00007FFD91602000-memory.dmp

Filesize
8KB

Download
memory/1404-121-0x0000000140000000-0x000000014161F000-memory.dmp

Filesize
22.1MB

Download
memory/1404-119-0x00007FFD915F0000-0x00007FFD915F2000-memory.dmp

Filesize
8KB

Download
memory/2916-131-0x0000023CB1A80000-0x0000023CB1AA2000-memory.dmp

Filesize
136KB

Download
memory/3912-217-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/3912-117-0x00000000002E0000-0x00000000002FA000-memory.dmp

Filesize
104KB

Download
memory/4500-70-0x0000000000830000-0x0000000001620000-memory.dmp

Filesize
13.9MB

Download