Overview

overview

10

Static

static

10

XClient.exe

windows10-1703-x64

XClient.exe

windows7-x64

XClient.exe

windows10-1703-x64

XClient.exe

windows10-2004-x64

XClient.exe

windows11-21h2-x64

Analysis

  • max time kernel
    253s
  • max time network
    256s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-08-2024 10:22

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    XClient.exe

  • Size

    283KB

  • MD5

    94d7570a4d6becf9ccccac918fc7a525

  • SHA1

    8e9fa909a7f38b1f4481ee880340c96aa03a9a84

  • SHA256

    6639082eb40e90f37ad92b3616c2040937355c5196ba241340cb1e8719d098df

  • SHA512

    d97b0b2c758e3288ffbacf1111b621f0530ad152830b17795a8734e4d30cd85c5578d94983f6668222028e45095582a05a41033df0bf1061fb18124fe7fa8e7f

  • SSDEEP

    3072:c43Cklb4wOyopUd87kREhYyZxbHrR6Y7zjokEtNaaayMakxiJ+UZeQnjm9sjSwkm:bpbVoA8oKhsrx8iJZeQiWsVCA2aAN0F

Score
10/10
xwormdiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

hard-tyler.gl.at.ply.gg:27490

Attributes
  • Install_directory

    %Temp%

  • install_file

    systemprocess.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1568
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemprocess.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4440
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemprocess.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4696
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://guns.lol/serc
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadfaa46f8,0x7ffadfaa4708,0x7ffadfaa4718
        3⤵
          PID:2592
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
          3⤵
            PID:3480
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:1604
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
            3⤵
              PID:4352
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
              3⤵
                PID:1016
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
                3⤵
                  PID:4176
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                  3⤵
                    PID:1600
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
                    3⤵
                      PID:5032
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                      3⤵
                        PID:964
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
                        3⤵
                          PID:316
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
                          3⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3056
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
                          3⤵
                            PID:4084
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
                            3⤵
                              PID:656
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
                              3⤵
                                PID:3596
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
                                3⤵
                                  PID:3220
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3580 /prefetch:8
                                  3⤵
                                    PID:4024
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2496 /prefetch:2
                                    3⤵
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:4744
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
                                    3⤵
                                      PID:1168
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
                                      3⤵
                                        PID:4964
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1072 /prefetch:1
                                        3⤵
                                          PID:1928
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
                                          3⤵
                                            PID:3580
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
                                            3⤵
                                              PID:1084
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
                                              3⤵
                                                PID:1508
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
                                                3⤵
                                                  PID:3108
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
                                                  3⤵
                                                    PID:4396
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
                                                    3⤵
                                                      PID:3080
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
                                                      3⤵
                                                        PID:4020
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
                                                        3⤵
                                                          PID:3428
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,13805554800085138123,5322101180394165811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
                                                          3⤵
                                                            PID:3676
                                                        • C:\Windows\SYSTEM32\shutdown.exe
                                                          shutdown.exe /f /s /t 0
                                                          2⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1324
                                                      • C:\Windows\System32\CompPkgSrv.exe
                                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                        1⤵
                                                          PID:540
                                                        • C:\Windows\System32\CompPkgSrv.exe
                                                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                          1⤵
                                                            PID:3688
                                                          • C:\Windows\system32\AUDIODG.EXE
                                                            C:\Windows\system32\AUDIODG.EXE 0x464 0x320
                                                            1⤵
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2564
                                                          • C:\Windows\system32\LogonUI.exe
                                                            "LogonUI.exe" /flags:0x4 /state0:0xa3973855 /state1:0x41c64e6d
                                                            1⤵
                                                            • Modifies data under HKEY_USERS
                                                            PID:2232

                                                          Network

                                                          MITRE ATT&CK Enterprise v15

                                                          Replay Monitor

                                                          Loading Replay Monitor...

                                                          Downloads

                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                            Filesize

                                                            2KB

                                                            MD5

                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                            SHA1

                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                            SHA256

                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                            SHA512

                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            4dd2754d1bea40445984d65abee82b21

                                                            SHA1

                                                            4b6a5658bae9a784a370a115fbb4a12e92bd3390

                                                            SHA256

                                                            183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

                                                            SHA512

                                                            92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                            Filesize

                                                            152B

                                                            MD5

                                                            ecf7ca53c80b5245e35839009d12f866

                                                            SHA1

                                                            a7af77cf31d410708ebd35a232a80bddfb0615bb

                                                            SHA256

                                                            882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

                                                            SHA512

                                                            706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
                                                            Filesize

                                                            1024KB

                                                            MD5

                                                            428ff1ac3ce2c4453eda8d22c4260b27

                                                            SHA1

                                                            7ac34f3fa075459aae5f00579adb0f8af66bcfda

                                                            SHA256

                                                            5e21b684d1423fd501eccabed11d155887cd6a8a485161127cf2fa2d55406ba1

                                                            SHA512

                                                            134d37f4509fa565d1d27fdfa3d2d1e86df5484aaffb2380df9453cf39807ef94a92f41d1bd6d50a63a3ea872b1d21dfc65cd088cbcb4416afcbfa1ab7eff77f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
                                                            Filesize

                                                            1024KB

                                                            MD5

                                                            19756d5e06ee30af80bf8470522adc98

                                                            SHA1

                                                            45801241647406251978f133990b0e553fa2b26d

                                                            SHA256

                                                            e61bf27dc4f42d5e7183def20da8ec1cf29e7900a6c6b0ba42d12094b717e5f0

                                                            SHA512

                                                            5860d6417cf2b2d8ec726a1c71662d3ce578cdc5f45ea4e9fe3640c9c6b91c2f80bf7f2df69dc992491425925103dc4d7cea60448aadb4fbe7df4b20ba8e2043

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
                                                            Filesize

                                                            94KB

                                                            MD5

                                                            772cdf1fb49b38268a3c033c8866db65

                                                            SHA1

                                                            2cb40d996df5a7e4d8a16e7e8ca6d290671d8105

                                                            SHA256

                                                            532553010e41b064b4fe45fcf9809166e11166e10827f422b239f1d0187f694d

                                                            SHA512

                                                            98aa1da3398490bb81a0fd34798cb291cfbd8c93925af6aef0dc82695aea6dd3e8d97937324c856372277f62ee24eff66544cb7fe1c1eb36ec78565e28dec17f

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                            Filesize

                                                            504B

                                                            MD5

                                                            4f9d189699ac7bc8974a6d0acb93dd9a

                                                            SHA1

                                                            cae32ec4fb4d75171e1500dde284aa37a0130d88

                                                            SHA256

                                                            faf44e7b4fbcd41f8e2be11901d88b12a0cd9a34fcc6dea22c1be2ee0b40eaa0

                                                            SHA512

                                                            33d2d1397931fb172d4219e9826d99ac993ace32d64d1417656910753ff0d273d9c69675086a30365686faee177cca252321fe3150815a6a4ef3c3496bf48005

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                            Filesize

                                                            192B

                                                            MD5

                                                            92651385498e626d1ac97e1196cb3f7a

                                                            SHA1

                                                            b95b490418095c0bfa74cbb56832828761b252e0

                                                            SHA256

                                                            b1828a718eadec58ef896d3109a5044d8d99b5267b39b3993d020717e08853e6

                                                            SHA512

                                                            aa1d164c9c4ad7f59ccdb45728377bc27958973d6074aa4f3004e852478b91c36df9e3af500a286641c137302be2310e348158dc6e85e1c37f15adeee2e835d8

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                            Filesize

                                                            1KB

                                                            MD5

                                                            cfc20c24ed0192a5d6ac6f75d937c71b

                                                            SHA1

                                                            775c28b04a61188458a4bf2486fea30a468a7d0e

                                                            SHA256

                                                            10055a457b57e7cf8dd26d6ab4049672ad42c89afc3cdb70bcc866f0e8388faa

                                                            SHA512

                                                            7a6670ad8827ebf4a093e2f3467136104810b81e6ba1a19bf887eb69995710597901ba81f83cfcf7c8eb4e21db72a716e2af171e617c01be4a9e928850bc29da

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            8059aeea53f848ae3fa8d469cedc6143

                                                            SHA1

                                                            2626310a27f4642f81197172dc839c1224ebddbe

                                                            SHA256

                                                            6421594a5002e6535891ea425a384efbdf9187a0f389c51b69a325405881ec9e

                                                            SHA512

                                                            0746c7e5259ed8b6822789e9da2f162bb7b68b519e3245aac7f6ce30fc59ee1d3f55c737e5a945cbb999736b732b720786fa5799e2429e519a608c82fe55b2fd

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            9e8d76906b99e85c9c7360f1b8bb4bfb

                                                            SHA1

                                                            312095d385c6dc7b177c7168d259a439302fbc83

                                                            SHA256

                                                            da81efa93f38aaa92308263d4cc5ee2ef88af5b55bfde3c743b5ce162c05c3bb

                                                            SHA512

                                                            4afed77fcdcef80dd5b8b4a270f92d77b097046adbc3051d0abcaad8740eda43f4dfaf87164ce8619a8a5c41e4e00922d69f96b2277e2eb2d0676f4fc26291bc

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                            Filesize

                                                            6KB

                                                            MD5

                                                            cd396447a751b60b9aed1ea27737b18f

                                                            SHA1

                                                            185a6fe47be8b219310010385b56950fe5f26335

                                                            SHA256

                                                            dc6b0d4faf3d2fcadc2b660e6877f24d926930e87016dae167e293a23ae426d3

                                                            SHA512

                                                            ed12b3b7bb80282284ca529eb650d4c843fdc00513037a11e892126fb223cff5dc40cbac941fb75f2840fcaad3d582b69029d32dd18d939b9bb6e817186f1008

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                            Filesize

                                                            371B

                                                            MD5

                                                            1afed9d4f46749095263ff44b04bf861

                                                            SHA1

                                                            f5f19cfb48fe61b484dbd4dacae9d50b637efca3

                                                            SHA256

                                                            4a2add6a5142b8e3addac9943e04f2c78667973fb727e2b245071a506cf28b8a

                                                            SHA512

                                                            b576d200a704cce9b8cbe8434a20f76699e5428eb18c24531f5e62481c34b238906957386531acb58127f6b95d5ff28471e6b0cf14d56dd88c14955651fbc876

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a0e0b.TMP
                                                            Filesize

                                                            204B

                                                            MD5

                                                            aad2cd7584349d3d6b74c70d361005e2

                                                            SHA1

                                                            1aea55f78e53d0944bc1ea869a930ae63ef142ea

                                                            SHA256

                                                            f61651c7d0a83f9ec2719fe65703653e167eddd1d49669414da4777b52bba138

                                                            SHA512

                                                            0c1daf4846aca7b681454b4c8816b1c7551fb208b4d841d307a76e2224efc070c7b5dd0bbdb006bf0bf5ca0f1a322a4e45c25493de428de3b3cebe4cc36bce67

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                            Filesize

                                                            16B

                                                            MD5

                                                            6752a1d65b201c13b62ea44016eb221f

                                                            SHA1

                                                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                            SHA256

                                                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                            SHA512

                                                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                            Filesize

                                                            11KB

                                                            MD5

                                                            57aaa1fc75c3aafe405cb4a3202d2342

                                                            SHA1

                                                            3a4ff432cca2d139930397d7cb8bdaf11c0c85f7

                                                            SHA256

                                                            1d6f238e2b8c0134841dbee351d1d118e7b522dde9f5f65784e478dc8cb38dcf

                                                            SHA512

                                                            a17a3d437750687db8ec3e04a8c1039c2ace8c1ec5423d3811a463ca9171c0bf18cd042039e04edd7f292c82c0ca669ac5ec7ddbef7f57c7ec9865c53c11f3bf

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            6d3e9c29fe44e90aae6ed30ccf799ca8

                                                            SHA1

                                                            c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                                            SHA256

                                                            2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                                            SHA512

                                                            60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            e91a049452029afa6defd4fa34646957

                                                            SHA1

                                                            d1ba5c6d30e79706a2f0e66caf405dd49d5d887a

                                                            SHA256

                                                            1a747cb87d49175fb29efbc8162ff99235769897873db2242a8194af72b77a95

                                                            SHA512

                                                            01901cb6e9a385e54a0759a54a6dffd98e152d5052cf371bc514c73b52c3a075edf2af1851a24ee1bb8a637c441895946df7aca4ac11cb36ca1237a69f972c66

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                            Filesize

                                                            944B

                                                            MD5

                                                            993af531f0b57e8128ec273731c3a8e2

                                                            SHA1

                                                            a42ea55876f4f390837dd2c95fb7ff2344b6e9e1

                                                            SHA256

                                                            fff934d70d813381536d272c5b8ac6ad70acd054267b13592da767c9bd1dda62

                                                            SHA512

                                                            bdf5970ff2ee314dc297fce5c0f44765e77acbf269cd9ad9e7448a391d5f80d66a0c5426f99bc3480851e8763413aa180b3b3b6b22ef0e86a365450cb8c334e4

                                                            Download Submit

                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmked0w4.5cq.ps1
                                                            Filesize

                                                            60B

                                                            MD5

                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                            SHA1

                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                            SHA256

                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                            SHA512

                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            Download Submit

                                                          • memory/632-56-0x00007FFAE2A13000-0x00007FFAE2A15000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/632-2-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/632-0-0x00007FFAE2A13000-0x00007FFAE2A15000-memory.dmp

                                                            Filesize

                                                            8KB

                                                            Download

                                                          • memory/632-1-0x0000000000DB0000-0x0000000000DFC000-memory.dmp

                                                            Filesize

                                                            304KB

                                                            Download

                                                          • memory/632-58-0x0000000002E70000-0x0000000002E7C000-memory.dmp

                                                            Filesize

                                                            48KB

                                                            Download

                                                          • memory/632-57-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/632-355-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/1568-3-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/1568-4-0x00000236FE7E0000-0x00000236FE802000-memory.dmp

                                                            Filesize

                                                            136KB

                                                            Download

                                                          • memory/1568-5-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download

                                                          • memory/1568-17-0x00007FFAE2A10000-0x00007FFAE34D1000-memory.dmp

                                                            Filesize

                                                            10.8MB

                                                            Download