xworm | hxxps://drive[.]google[.]com/file/d/17HK-EZtmp9Jo3L4tgadFEfmAP_LNQyR5/view

Resubmissions

21-08-2024 15:43

240821-s6b3vszgrl 10

21-08-2024 15:40

240821-s36s3azfpp 10

21-08-2024 15:31

240821-sx7heazdlm 10

Analysis

max time kernel
88s
max time network
92s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/17HK-EZtmp9Jo3L4tgadFEfmAP_LNQyR5/view

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

https://pastebin.com/raw/NEdmeQqG:1487

Mutex

DwhfverRJEI78ymc

Attributes

Install_directory
%AppData%
install_file
svchost.exe
pastebin_url
https://pastebin.com/raw/NEdmeQqG

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000025bac-205.dat	family_xworm
behavioral1/memory/3696-212-0x0000000000380000-0x0000000000390000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2236	powershell.exe
3776	powershell.exe
900	powershell.exe
3388	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	52.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	52.exe

Executes dropped EXE 3 IoCs

pid	Process
2468	DeadCodeLauncher.exe
3696	52.exe
3084	DeadCodeLauncher.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	52.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
5	drive.google.com
32	pastebin.com
69	pastebin.com
70	pastebin.com
71	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\123123 пароль.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3044	msedge.exe
3044	msedge.exe
2452	msedge.exe
2452	msedge.exe
2848	msedge.exe
2848	msedge.exe
3860	identity_helper.exe
3860	identity_helper.exe
1352	msedge.exe
1352	msedge.exe
3084	DeadCodeLauncher.exe
3084	DeadCodeLauncher.exe
3776	powershell.exe
3776	powershell.exe
3776	powershell.exe
900	powershell.exe
900	powershell.exe
900	powershell.exe
3388	powershell.exe
3388	powershell.exe
3388	powershell.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4040	7zFM.exe
3084	DeadCodeLauncher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4040	7zFM.exe
Token: 35	4040	7zFM.exe
Token: SeSecurityPrivilege	4040	7zFM.exe
Token: SeSecurityPrivilege	4040	7zFM.exe
Token: SeDebugPrivilege	3696	52.exe
Token: SeDebugPrivilege	3776	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
4040	7zFM.exe
4040	7zFM.exe
4040	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe
2452	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe
3856	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 3392	2452	msedge.exe	81
PID 2452 wrote to memory of 3392	2452	msedge.exe	81
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 2556	2452	msedge.exe	82
PID 2452 wrote to memory of 3044	2452	msedge.exe	83
PID 2452 wrote to memory of 3044	2452	msedge.exe	83
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84
PID 2452 wrote to memory of 416	2452	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/17HK-EZtmp9Jo3L4tgadFEfmAP_LNQyR5/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffba33cb8,0x7ffffba33cc8,0x7ffffba33cd8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,15971102631936088410,8565415761287029700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:1364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4232

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\123123 пароль.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4040

C:\Users\Admin\Desktop\DeadCodeLauncher.exe
"C:\Users\Admin\Desktop\DeadCodeLauncher.exe"
1⤵
- Executes dropped EXE
PID:2468
- C:\Users\Admin\AppData\Local\Temp\52.exe
  "C:\Users\Admin\AppData\Local\Temp\52.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\52.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '52.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Users\Admin\AppData\Local\Temp\DeadCodeLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\DeadCodeLauncher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
4a100390fcab956d2b94466dab90b697

SHA1
88b02318e885441627dc39c3691e44e7cc5fd46f

SHA256
86ca2e7e625a73804a502511ddc2527479faa672e4cc7a4d224ba765511e61c8

SHA512
3561d1cb7b4d9b7d80c145d6658c4f89c15f0b9454ccd96cd0e6d1c87302f709c8841bb716dfe500e2c82510985dd70b2d18a2d54e70f62cd833efa8d45a016f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a9851963b53cc840b1563ae87454bb8f

SHA1
077b1478f6f0f744819b345c84035617a0a4450b

SHA256
dd53af77d4470235cfae67af815685f069e7f52c53a6e27dc8d3948d27f0ef2e

SHA512
091b19770e90492e7c0f98cfd0ff20e7f7544f78b9fa503d79c28e9d27b4922e79b8c1fb6d69d618250639114b7e4ea2f191fbfe07f405f68e1dfa341abd8638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e6c70c508176629617d1098571cdc2e1

SHA1
346a84bf36400bcb2e622739f8d37f2ce631564f

SHA256
e0a36b549967a1a1e94fc7d1d390cc8c7dceaca42113d05164a94ffc7d132218

SHA512
16fbe6bae5ef7a74d34cf3f5fbb52c3c38cb05969ec7b9429e95783f41bda2af562820b1f444799c6b1d836dc7f8925b21d0bb63d062484a4532d731b37c7ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3bd712907871d13c7c42b403ffeb2acf

SHA1
547c48714213965c7fb0ef5260f3fd7b8d0fc71c

SHA256
06096c71d7b74958cc00e7420dbb59b01db401a992ab3b302d61952045699382

SHA512
42a5275bddb9003d8b9d92822f71f3b0ea4c7f1dade32a12df8264d68399defeedf998813fc2a5c8cbef326a62ed571fd27d0e6cb29e0cbf5fd95500e2af3278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e02a4a00ea8cfff84c52da8caac5dfe

SHA1
2e22db646ebd6e47cbf5d4059039573fd65dcbe4

SHA256
fcc2f2795a43286e98ecaea2a2be7c25520d62c6469e61f56538040f63feb098

SHA512
0079c0e6df7c63e7048f8199f1bf6af34b281c3b9c7b34e063a187a5f807ed165e9912bf2961bab2dcc93a81fa805ac595195870f07425b6a203e0c13e20ca45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e9a4b8bad8ef915580da077da3b84efd

SHA1
0c57718b76d5e423a36fe25807f979afcd096138

SHA256
edd59c1388fb1ac164d08144692a2617d6b29510f96cc8ad4d4b7304b8220c2b

SHA512
c6253f3ce21b054675e90f07c6fc0385eefcb3cc0be7e66ffbdfcfaf1210fdbb7b08eb2823d3ffc4e82628e45e5251cb0dfcdf72ac19c429b4cfb78c728efd32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7dc83c47dea4c3b59dae970a0c9d8cec

SHA1
116eb8b29dfa718f959b0161cf3c20b2fbcba354

SHA256
9b295b28ca7980ebac30f201a82b8738cc72b544266f48db60c0d4a7a1aca85f

SHA512
2fd8a18e49d1358cdc4feb075d40bf5512dbe715644ef667af09920822d6afee297211fad6467203a30982aa2c1209cc419e3dab3196372c22e06f3ed500edaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c4afeec29a111c68b40298130f1d00b5

SHA1
f2c6d08ef66716d15d9f387f496be2693c40a56f

SHA256
bf611e85095bb9ecd5a930cced9fa57c20485181406d0c4441acf1d7b450c4e5

SHA512
609a275daeb81ed6fa17809d13d20ef048b4abc647fc4a90986bee0b456cd1b69a65a5318936dda79e7eaec37006d8593a603341beeaecf792a8002d4a0d60cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
050567a067ffea4eb40fe2eefebdc1ee

SHA1
6e1fb2c7a7976e0724c532449e97722787a00fec

SHA256
3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

SHA512
341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
53baceafe29eabe8b3af161873ec4af4

SHA1
0aa7a23375ea68302e8cdc0ca8fa020a56b4e74c

SHA256
cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8

SHA512
4166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296

Download Submit
C:\Users\Admin\AppData\Local\Temp\52.exe

Filesize
41KB

MD5
ea9a810f7368f48111f29b0ce79d875b

SHA1
c0ae2b564115a0487e2ea39046777a9013c52b98

SHA256
4e21ba88e33d63d676c0e447670d20ee4121d7153f2e13f1664fd863115a6bdc

SHA512
1e59ff6ec3f35f9329336ba3711e13d6fef22761803c2f217f48f25132083ba37c99f38b0418d6220c8bac2edd0dc988068bbd28882c17e9b60affe5a543cbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\DeadCodeLauncher.exe

Filesize
21.7MB

MD5
83c53c505565b7b55eaf09babbc6b539

SHA1
b2bd6132e9e8aff4e04fb46f6acebf93ff48e41f

SHA256
244fbb26b47effaadab2bdcd6907827ffd0b294a8a5f9473f88170bc03904354

SHA512
31188502dc7bc0234a7f7eb91f8ba2069dbe964a90a6328acfbe0c4c50f53b56651938487acf300d83129bf8aed873f93ee73d503caa9ff30e6d781f184beb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2kqs135h.tey.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\DeadCodeLauncher.exe

Filesize
21.4MB

MD5
4a10260e0877a388c779740a050cf77d

SHA1
a06077b7870d659d929e9d8773925bf11ee7fea6

SHA256
1d709aaeceacba216e1111fe9d63b3ce64d68db3b83254c6ab4e7914d0d889ff

SHA512
00c9506e56580f8c02b392ad9b812ec02a7122b7e890ee5b8a38a778086167fcbb51e965a1714e06f5e524044ebcc1bc47d21994ec15bfc096fa66582c58d9d1

Download Submit
C:\Users\Admin\Downloads\123123 пароль.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 169592.crdownload

Filesize
21.4MB

MD5
277f765d1fdd77a34e2f038e2a636892

SHA1
614c81533ec9b3eea3f3d736a9e118585d33ac75

SHA256
f7a878e766abcd2fc993c6df249663de3688dc6f9ea32fb55b81a3840c318f3b

SHA512
cfc280818f350d1d9fb5b516d24d109c1c3f38c631e09ebbbd7ee2982f2465e2f7803224f29c72974db8f06e2286db91596b8c7093fe7b37b587deae4e1c1e9c

Download Submit
memory/2468-177-0x0000000000830000-0x0000000001D96000-memory.dmp

Filesize
21.4MB

Download
memory/3084-230-0x00007FF81C410000-0x00007FF81C412000-memory.dmp

Filesize
8KB

Download
memory/3084-245-0x000001BD93080000-0x000001BD932E3000-memory.dmp

Filesize
2.4MB

Download
memory/3084-228-0x00007FF81C3F0000-0x00007FF81C3F2000-memory.dmp

Filesize
8KB

Download
memory/3084-229-0x00007FF81C400000-0x00007FF81C402000-memory.dmp

Filesize
8KB

Download
memory/3084-226-0x00007FF81C3D0000-0x00007FF81C3D2000-memory.dmp

Filesize
8KB

Download
memory/3084-231-0x00007FF81C420000-0x00007FF81C422000-memory.dmp

Filesize
8KB

Download
memory/3084-232-0x00007FF81C430000-0x00007FF81C432000-memory.dmp

Filesize
8KB

Download
memory/3084-233-0x00007FF81C440000-0x00007FF81C442000-memory.dmp

Filesize
8KB

Download
memory/3084-234-0x00007FF81C450000-0x00007FF81C452000-memory.dmp

Filesize
8KB

Download
memory/3084-236-0x00007FF81C470000-0x00007FF81C472000-memory.dmp

Filesize
8KB

Download
memory/3084-235-0x00007FF81C460000-0x00007FF81C462000-memory.dmp

Filesize
8KB

Download
memory/3084-237-0x00007FF81C480000-0x00007FF81C482000-memory.dmp

Filesize
8KB

Download
memory/3084-240-0x000001BD93080000-0x000001BD932E3000-memory.dmp

Filesize
2.4MB

Download
memory/3084-239-0x00007FF81C4A0000-0x00007FF81C4A2000-memory.dmp

Filesize
8KB

Download
memory/3084-238-0x00007FF81C490000-0x00007FF81C492000-memory.dmp

Filesize
8KB

Download
memory/3084-227-0x00007FF81C3E0000-0x00007FF81C3E2000-memory.dmp

Filesize
8KB

Download
memory/3084-274-0x000001BD91760000-0x000001BD9177A000-memory.dmp

Filesize
104KB

Download
memory/3084-254-0x000001BD92F50000-0x000001BD92FDF000-memory.dmp

Filesize
572KB

Download
memory/3084-253-0x000001BD932F0000-0x000001BD9373E000-memory.dmp

Filesize
4.3MB

Download
memory/3084-276-0x00007FF6DCE00000-0x00007FF6DFA37000-memory.dmp

Filesize
44.2MB

Download
memory/3084-273-0x000001BD92F50000-0x000001BD92FDF000-memory.dmp

Filesize
572KB

Download
memory/3084-272-0x000001BD92FE0000-0x000001BD9306A000-memory.dmp

Filesize
552KB

Download
memory/3084-266-0x000001BD91760000-0x000001BD9177A000-memory.dmp

Filesize
104KB

Download
memory/3084-260-0x000001BD92FE0000-0x000001BD9306A000-memory.dmp

Filesize
552KB

Download
memory/3084-252-0x000001BD932F0000-0x000001BD9373E000-memory.dmp

Filesize
4.3MB

Download
memory/3084-246-0x000001BD932F0000-0x000001BD9373E000-memory.dmp

Filesize
4.3MB

Download
memory/3084-222-0x00007FF81C390000-0x00007FF81C392000-memory.dmp

Filesize
8KB

Download
memory/3084-225-0x00007FF81C3C0000-0x00007FF81C3C2000-memory.dmp

Filesize
8KB

Download
memory/3084-224-0x00007FF81C3B0000-0x00007FF81C3B2000-memory.dmp

Filesize
8KB

Download
memory/3084-223-0x00007FF81C3A0000-0x00007FF81C3A2000-memory.dmp

Filesize
8KB

Download
memory/3696-212-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3776-284-0x0000024579A50000-0x0000024579A72000-memory.dmp

Filesize
136KB

Download