xworm | 6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

max time kernel
364s
max time network
365s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

писька чит.exe
Size

71KB
MD5

ed3794861ddc34b4748ff8081e80cb2b
SHA1

e63cf084552f0c2803de0109e3d2fcd3102c4738
SHA256

6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f
SHA512

df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03
SSDEEP

1536:EYB+O1NIBlJ4wlA0B4GI0b0xEPdB8QlOrIXt6fT+S1va+OuPyGV54:EOgQwlRB4wb0xEFBdMIk+S19OuaGV54

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

main-although.gl.at.ply.gg:30970

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4896-1-0x0000000000B70000-0x0000000000B88000-memory.dmp	family_xworm
behavioral2/files/0x000300000001e5e3-452.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5016	powershell.exe
2212	powershell.exe
1952	powershell.exe
3696	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	писька чит.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	писька чит.exe

Executes dropped EXE 4 IoCs

pid	Process
4828	sknjsu.exe
3696	fzuuds.exe
1008	jlfmra.exe
1608	udxxlv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe

Drops file in Windows directory 57 IoCs

description	ioc	Process
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 23 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{772A90EA-6D90-429E-B40D-01C4854BBC55}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2212	powershell.exe
2212	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe
3696	powershell.exe
3696	powershell.exe
3696	powershell.exe
5016	powershell.exe
5016	powershell.exe
5016	powershell.exe
1108	msedge.exe
1108	msedge.exe
4108	msedge.exe
4108	msedge.exe
5648	identity_helper.exe
5648	identity_helper.exe
5928	msedge.exe
5928	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3680	mmc.exe
4240	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	писька чит.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	3696	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	4896	писька чит.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: SeSecurityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: 33	3680	mmc.exe
Token: SeIncBasePriorityPrivilege	3680	mmc.exe
Token: SeDebugPrivilege	4240	taskmgr.exe
Token: SeSystemProfilePrivilege	4240	taskmgr.exe
Token: SeCreateGlobalPrivilege	4240	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe
4896	писька чит.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe
4240	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3680	mmc.exe
3680	mmc.exe
3680	mmc.exe
3680	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2212	4896	писька чит.exe	93
PID 4896 wrote to memory of 2212	4896	писька чит.exe	93
PID 4896 wrote to memory of 1952	4896	писька чит.exe	96
PID 4896 wrote to memory of 1952	4896	писька чит.exe	96
PID 4896 wrote to memory of 3696	4896	писька чит.exe	101
PID 4896 wrote to memory of 3696	4896	писька чит.exe	101
PID 4896 wrote to memory of 5016	4896	писька чит.exe	104
PID 4896 wrote to memory of 5016	4896	писька чит.exe	104
PID 4108 wrote to memory of 5100	4108	msedge.exe	116
PID 4108 wrote to memory of 5100	4108	msedge.exe	116
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 4280	4108	msedge.exe	117
PID 4108 wrote to memory of 1108	4108	msedge.exe	118
PID 4108 wrote to memory of 1108	4108	msedge.exe	118
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119
PID 4108 wrote to memory of 4496	4108	msedge.exe	119

C:\Users\Admin\AppData\Local\Temp\писька чит.exe
"C:\Users\Admin\AppData\Local\Temp\писька чит.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'писька чит.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Users\Admin\AppData\Local\Temp\sknjsu.exe
  "C:\Users\Admin\AppData\Local\Temp\sknjsu.exe"
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\fzuuds.exe
  "C:\Users\Admin\AppData\Local\Temp\fzuuds.exe"
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\jlfmra.exe
  "C:\Users\Admin\AppData\Local\Temp\jlfmra.exe"
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\udxxlv.exe
  "C:\Users\Admin\AppData\Local\Temp\udxxlv.exe"
  2⤵
  - Executes dropped EXE
  PID:1608

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa7b1546f8,0x7ffa7b154708,0x7ffa7b154718
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1752 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1928 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4944 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11686143634561869201,873509815093876401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2052 /prefetch:1
  2⤵
  PID:1676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=smss.exe Windows Session Manager"
1⤵
PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7b1546f8,0x7ffa7b154708,0x7ffa7b154718
  2⤵
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a499254d6b5d91f97eb7a86e5f8ca573

SHA1
03dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1

SHA256
fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499

SHA512
d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bafce9e4c53a0cb85310891b6b21791b

SHA1
5d70027cc137a7cbb38f5801b15fd97b05e89ee2

SHA256
71fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00

SHA512
c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
91be4e2bf6957e5b01200b15f83b9af1

SHA1
cb9b994eb27a6e41885e4b3dedc78fa1ea9324a9

SHA256
9951e1f58567cad50199fa9e5a1b380e3f0784da276fb2d5f859110d5832dd93

SHA512
c633e932eae25c5858ac035be15f99d273183306bdc1e296e9f0154219ec2da76126158c4a2e5f2af2d27473f6077f03f518d2edd0f1981f321079953f876c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ef28e5481f8b8fbf7e77985bbd73cd16

SHA1
bce42d217c558504eaebaa6b897ec5eabea18b7d

SHA256
436d234d7ca945e3c42e603db4920df8bea3fa303f80caa8034dc6c419c1021b

SHA512
10b6a88efe1b7cddf6d7ffc65d82c2add7f4188c623639e649e40208404ce0911992de5bcd6f2f875f2f5cf99d5bb9a93a686624dcfd111cf44c882131eeee6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2f38c619110c5374bd25d27891b5bab3

SHA1
d99ba04bb53601c0b2daf5b2e7d8ce8277cfab1b

SHA256
83bc152e90d38ee25d577e0f8d8878f91206d1cd3591ff30a5d25838381a3930

SHA512
ac1146c38fdedd81711bd3c1d64daeb39980e2dad64f61b18202a5c65b7612319f376c85186741b879d6d10ee46dbd7a6ca9eea9f98ac016156b8ee6801b3e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
327B

MD5
3eed05f4a75513ca7a782424edffca98

SHA1
04bb3a6e62176801ef3244b17e4fbc43a2ce7dd6

SHA256
f6a6f6776e8e9da571fd4185225f14f6467be4f0b29b237b3a685954e563abcb

SHA512
46a8f8eaa27160591bc4516db0c15198c8dd860b21bc01d03a8a252b0d30a63d2e7d7166172f8833b2e1b349dd2a081442e41d648769159ee46dbc610091b5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f752c70518e1ed6a74626cb5e378af1

SHA1
aa270a4a4d627527e9716f4555d219ccae0ec636

SHA256
21023ba455163436515d107cac71531d600f92572876ab64b06d023fa3f459e6

SHA512
06165347ea96b1f365b4905626e66ea5f997aff93cfeff744756e8d6826f130b0918a07f0fe69527300b9ef0dc8c67871b72690d33453c2181e2b93f8301428c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
132d16f9c659b50d81fdb1dbcde55d39

SHA1
af7c1f34571c6e6b0a6e3a4840d76f7a2db67fc9

SHA256
1f42f045fef9028a7b694d7f2be67d97f11090e72986722fcf53ad20490ba7d8

SHA512
29b10c68fd65fbe106019dd43ef229fbb3933b58e2d06b40505a20ee8637e9b16b8da84ca3a7600a0494c2dfe219f682ca5a20d2ffda94a2579c1432ebea838e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2591f3b8c542479c31ca944ba7fdc42f

SHA1
3ca64b29872a46622803e2437184cdb0203a7c96

SHA256
b6e14f11ca7be3ac2b7b538b669b931a203b6c713a8a069177f14605143dfa80

SHA512
6942b964fba70b2a255da84c5ba1896b4eaf6aaca2e2677f4bffbfd3a5f55757b2725cb260aa1c95027ec6c3df87c06bfafc2aa516296aa55196e8ad501d6012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a71c720fc3dda8f3a33cc76425a6a01

SHA1
e26ae21e534ce0617abd43cd98f7efb8ce1a6f36

SHA256
caf310762fdcc277a22f41f62588119a271004f10ea259f1d406e5ccdd5a7431

SHA512
54266826806bb30d94af1b1ccbf413a8605cf4ffe9697cd7c7ce021ebabdfd7a1771d151b5bd31a15faa5843700edbff3b52ee895af7927d66b7c41314c6ead2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e9606ba56c0147d1527494d6202133d0

SHA1
c41642650f66b8b9634bbe4ff8c1882d0e2add08

SHA256
9f5761f659c85ce68ae2178955170c1755fe3c9e5db6c8d1fc40f655f17d9663

SHA512
6e7571a44c45c288951971e2ad693e0a3d5311939165cc8196f9ab9c254671392fd9488db2c5df69d79b0213f2308f11fdf18f093471b65c5025894696e68ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
534B

MD5
3b4dd333aed8ab3b754230996dc954da

SHA1
412caaac6786d0a09952a67b18e43609ef07f23e

SHA256
406603aa1a2001161c48bac50ab1508d73f54616d06044298137f15ebccf7bbb

SHA512
a14f22f8ad3fe87217f510a8cb74c95008d521d9cb386ab04da8082e9e917299d5994e7a07da2193599ac328737331855b4bfc4aebab669857c191fb04c6f8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ca02f.TMP

Filesize
536B

MD5
2e77074546a849801b4dcfd66724a597

SHA1
466536c184acaab5016a7f93c8256795499c4412

SHA256
1ac8f84cd9674713a31c2290752c3f0841124a4ba2647bec65db1d2018196c44

SHA512
ad14ad30a2c85b6f55501fad3f586b5ed9386f0aaea7e0a5e32a8af6691a2ab6a53430e80d9cc65f0ad1b2c597d0fe12116f201041465dffd5f107bee3d9f324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10c08254cf177459c67097a4da679911

SHA1
61eb63573f2f2f49b54a1f96cc741e64ad081cee

SHA256
df9fe8e1db10d72824e4eb79788679337ec79a381adcfd03b3bd14fecfbd73c1

SHA512
f28c797bfd466a98927398c126aa46bb9bb23c3357dff6c2a360465bda0b4cf60c31c8a2434a03a96c1b606ab52277c5c3f170d69ecc32ddb61a0810e6f1aa5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a4e6ae9c8b56967e97660d2e35909bc9

SHA1
7b6c3f48c560547e0f98c25f9fb313576b773cbe

SHA256
52695d572426387f692d1e3909c2e7246487d3568c6a50d107616fc8669493a4

SHA512
9273eaa8aac1f51f9e90886f69f9cbeca5e221f432836c4f099442ea8761829b5c8e5c1e422b2e381be3f97708db1629738a7033f6cbf231e962f25e18389e89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f758bd882ef02b64b538d5f64ecbf24

SHA1
35015053ab41b74af81ed1323d260c751bebd3c7

SHA256
7e5ff7a92f4a13713e119471c5d819d7ffae17be96929707e2c8c80e6bf8d3dc

SHA512
ea83d57e392b1005e526f3c2a4139f81b4719bbf58ee0d90433b80ec6eab78a5c75b00fe54e71d342493b5a95da9e8c1c69275a939a8b3686761f22f9f5661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3d0500c8d6b7191126893ec9c545da7

SHA1
0558f95abd7cf3091281cd1fe6da18e293b29332

SHA256
6482b61eb195249bf741a496d62b83d894a015f854b6454e4191314ee5f6be0d

SHA512
615840f95d818fdb5e6592f0ae2875045997633d69eeb75eeb69d0453ad9c1bcc3bf403466907bf6d8bd37b95955d9f73c9a2144f428afaccb16c70a1be3fa06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4d826526adefcd3816ca4fb9fafdd89a

SHA1
018fe93bf1e6ec8f31dc9ab1ec0ded65451839da

SHA256
33e107084a6af5b146f865ef1d4e9a8f6e45df31b95956777d2608b67e5ea368

SHA512
c7fc83629ecdfceae0759dda2f33464113090187fa4c1ec3dcfc77150c759ac955d06b56164868042cb906022610d66bec1a78c1d0fbfb6dfe1eecead8a8febf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e4k4vjax.4rr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jlfmra.exe

Filesize
2.3MB

MD5
a44458813e819777013eb3e644d74362

SHA1
2dd0616ca78e22464cf0cf68ef7915358a16f9ee

SHA256
47f0e9a90d45b193e81d3e60b7a43e5a4550a07a3dd1f7c98110fde12265d999

SHA512
1a4723a36f55cf696f33a7927571bda403e81ced32fda85c7cf25c8458897fb187e46bf5f80c26542725a9a7e5aa0e961fd3f3b110ae8f54b3b96b3e5dfc8215

Download Submit
C:\Users\Admin\AppData\Local\Temp\sknjsu.exe

Filesize
316KB

MD5
7f31508d95be3fe50e4e9aa646e86a12

SHA1
c61b439d6e17d630728f48c09b36af2647940748

SHA256
994efdb644ca1acb029dfd8d8eeba440e1cb74d93841b17f21165b9900730b15

SHA512
2e2b01e84a3476b47a9c703b71ce31887e4a4fa9340780f0cbbd20601be621bf00b9619df8bec0e81b2825550150c477c5071d921104a4c6265ef2d5a9e77eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\udxxlv.exe

Filesize
317KB

MD5
a84257e64cfbd9f6c0a574af416bc0d1

SHA1
245649583806d63abb1b2dc1947feccc8ce4a4bc

SHA256
fe7ff85b95ec06ce0f3cb49fdfa4d36de1f08669d36d381794aaf597510afad7

SHA512
6fc85ee0f8c75a25193fc4883a734704a8190253348c158b9cef4b918cffee5c8997c5248ec2bc793f66978e8cb4c5233d300d112f1d7750bc660698414865c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

Filesize
771B

MD5
ba4702f2a3e5c2930624dd8346a3bf7c

SHA1
9f0370fcc6e5bb8c88973295c0a064df57d6eccf

SHA256
0311aea75b0502d60e0f5463e5c30313bbdd2ac319822c800ed1e3644ccfa6c6

SHA512
9d74a6d1b0c024bd0968c80e293f14e45894b8f0f2ab6f9a67523b02064b98bcfca70acd7c9724d59d86d140285721e455f4df83f2169b475475684ccdcab654

Download Submit
C:\Users\Admin\AppData\Roaming\XClient.exe

Filesize
71KB

MD5
ed3794861ddc34b4748ff8081e80cb2b

SHA1
e63cf084552f0c2803de0109e3d2fcd3102c4738

SHA256
6af19a694c8c3e6860d2555ce16be115c599c3424ec1e01c0bf67acd3298ae0f

SHA512
df771b8eecb7e065628c06b8cca9aa7df6dd05bbdba0f85ed34010e264a286a17129289d6ac3e9f87c56152ed7a35302e88ae6643a1bb06c45745cf3d5ea0b03

Download Submit
memory/1008-499-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1608-501-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2212-18-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/2212-3-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/2212-4-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/2212-5-0x000002CDFF610000-0x000002CDFF632000-memory.dmp

Filesize
136KB

Download
memory/2212-15-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/3696-496-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4240-439-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-445-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-446-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-447-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-448-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-449-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-450-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-440-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-444-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4240-438-0x00000267E5EE0000-0x00000267E5EE1000-memory.dmp

Filesize
4KB

Download
memory/4828-434-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/4896-0-0x00007FFA7E663000-0x00007FFA7E665000-memory.dmp

Filesize
8KB

Download
memory/4896-117-0x0000000001460000-0x000000000146C000-memory.dmp

Filesize
48KB

Download
memory/4896-116-0x000000001D8A0000-0x000000001D8AC000-memory.dmp

Filesize
48KB

Download
memory/4896-115-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/4896-114-0x00007FFA7E663000-0x00007FFA7E665000-memory.dmp

Filesize
8KB

Download
memory/4896-2-0x00007FFA7E660000-0x00007FFA7F121000-memory.dmp

Filesize
10.8MB

Download
memory/4896-1-0x0000000000B70000-0x0000000000B88000-memory.dmp

Filesize
96KB

Download