umbral | hxxps://cdn[.]discordapp[.]com/attachments/1005408678033236088/1278055488000364575/xanyx-loader[.]rar?ex=66cf696d&is=66ce17ed&hm=bff75af846020fc0279078064ec0a9de26e8de2bcb53124ceab6106049de7439&

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27-08-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1005408678033236088/1278055488000364575/xanyx-loader.rar?ex=66cf696d&is=66ce17ed&hm=bff75af846020fc0279078064ec0a9de26e8de2bcb53124ceab6106049de7439&

Score

10^/10

umbral credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1277968811785457707/QMEDo085SOqrKDO33OA_H6n9bDNLlzAEH4AxLM7VchZIKI1isnDJLGpfI126Kl0lK_ic

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a95d-532.dat	family_umbral
behavioral1/memory/2260-534-0x0000019291A70000-0x0000019291ACE000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4280	powershell.exe
4976	powershell.exe
1876	powershell.exe
4904	powershell.exe
3148	powershell.exe
2208	powershell.exe
4940	powershell.exe
864	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	xanyx-loader.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	xanyx-loader.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 9 IoCs

pid	Process
1304	7z2408-x64.exe
1912	7zFM.exe
2260	xanyx-loader.exe
3940	xanyx-loader.exe
1924	xanyx-loader.exe
4888	xanyx-loader.exe
4924	xanyx-loader.exe
3156	xanyx-loader.exe
2528	xanyx-loader.exe

Loads dropped DLL 2 IoCs

pid	Process
1912	7zFM.exe
3168	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	discord.com
35	discord.com
38	discord.com
42	discord.com
43	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
35	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2664	wmic.exe
2872	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\Registry\User\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\NotificationData	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "5"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 98003100000000000259807d110050524f4752417e320000800009000400efbec55259611b5968932e0000001804000000000100000000000000000056000000000009923200500072006f006700720061006d002000460069006c0065007300200028007800380036002900000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003700000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000002591c81110050524f4752417e310000740009000400efbec55259611b5966932e0000003f0000000000010000000000000000004a0000000000ed909600500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\xanyx-loader.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 99530.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4204	msedge.exe
4204	msedge.exe
5108	msedge.exe
5108	msedge.exe
828	msedge.exe
828	msedge.exe
3820	msedge.exe
3820	msedge.exe
4700	identity_helper.exe
4700	identity_helper.exe
3112	msedge.exe
3112	msedge.exe
2260	xanyx-loader.exe
864	powershell.exe
864	powershell.exe
2208	powershell.exe
2208	powershell.exe
4280	powershell.exe
4280	powershell.exe
3524	powershell.exe
3524	powershell.exe
4976	powershell.exe
4976	powershell.exe
3156	xanyx-loader.exe
4940	powershell.exe
4940	powershell.exe
1876	powershell.exe
1876	powershell.exe
4904	powershell.exe
4904	powershell.exe
2340	powershell.exe
2340	powershell.exe
3148	powershell.exe
3148	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3988	OpenWith.exe
1912	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1912	7zFM.exe
Token: 35	1912	7zFM.exe
Token: SeSecurityPrivilege	1912	7zFM.exe
Token: SeDebugPrivilege	2260	xanyx-loader.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeIncreaseQuotaPrivilege	1092	wmic.exe
Token: SeSecurityPrivilege	1092	wmic.exe
Token: SeTakeOwnershipPrivilege	1092	wmic.exe
Token: SeLoadDriverPrivilege	1092	wmic.exe
Token: SeSystemProfilePrivilege	1092	wmic.exe
Token: SeSystemtimePrivilege	1092	wmic.exe
Token: SeProfSingleProcessPrivilege	1092	wmic.exe
Token: SeIncBasePriorityPrivilege	1092	wmic.exe
Token: SeCreatePagefilePrivilege	1092	wmic.exe
Token: SeBackupPrivilege	1092	wmic.exe
Token: SeRestorePrivilege	1092	wmic.exe
Token: SeShutdownPrivilege	1092	wmic.exe
Token: SeDebugPrivilege	1092	wmic.exe
Token: SeSystemEnvironmentPrivilege	1092	wmic.exe
Token: SeRemoteShutdownPrivilege	1092	wmic.exe
Token: SeUndockPrivilege	1092	wmic.exe
Token: SeManageVolumePrivilege	1092	wmic.exe
Token: 33	1092	wmic.exe
Token: 34	1092	wmic.exe
Token: 35	1092	wmic.exe
Token: 36	1092	wmic.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4280	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeIncreaseQuotaPrivilege	4980	wmic.exe
Token: SeSecurityPrivilege	4980	wmic.exe
Token: SeTakeOwnershipPrivilege	4980	wmic.exe
Token: SeLoadDriverPrivilege	4980	wmic.exe
Token: SeSystemProfilePrivilege	4980	wmic.exe
Token: SeSystemtimePrivilege	4980	wmic.exe
Token: SeProfSingleProcessPrivilege	4980	wmic.exe
Token: SeIncBasePriorityPrivilege	4980	wmic.exe
Token: SeCreatePagefilePrivilege	4980	wmic.exe
Token: SeBackupPrivilege	4980	wmic.exe
Token: SeRestorePrivilege	4980	wmic.exe
Token: SeShutdownPrivilege	4980	wmic.exe
Token: SeDebugPrivilege	4980	wmic.exe
Token: SeSystemEnvironmentPrivilege	4980	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
1912	7zFM.exe
5108	msedge.exe
1912	7zFM.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe
2424	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
4500	OpenWith.exe
1304	7z2408-x64.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
3988	OpenWith.exe
2424	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 1448	5108	msedge.exe	81
PID 5108 wrote to memory of 1448	5108	msedge.exe	81
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 2344	5108	msedge.exe	82
PID 5108 wrote to memory of 4204	5108	msedge.exe	83
PID 5108 wrote to memory of 4204	5108	msedge.exe	83
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84
PID 5108 wrote to memory of 2540	5108	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1005408678033236088/1278055488000364575/xanyx-loader.rar?ex=66cf696d&is=66ce17ed&hm=bff75af846020fc0279078064ec0a9de26e8de2bcb53124ceab6106049de7439&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff997143cb8,0x7ff997143cc8,0x7ff997143cd8
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,14131519148362787337,13818570262156893562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2976 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3988
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\xanyx-loader.rar"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1912

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2836

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\xanyx-loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2064
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4976
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2664

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Executes dropped EXE
PID:3940

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3156
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\xanyx-loader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2904
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3424
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2872

C:\Users\Admin\Desktop\xanyx-loader.exe
"C:\Users\Admin\Desktop\xanyx-loader.exe"
1⤵
- Executes dropped EXE
PID:2528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4888
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1472 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {020d6362-f94a-4c17-820b-9b9e19fdaa29} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" gpu
    3⤵
    PID:2636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {729c83c5-0cad-4a24-932b-861eef3ddce6} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" socket
    3⤵
    PID:4724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2816 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 2536 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5429c3c3-abe9-4c38-bffb-0b1a8776adf3} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:1876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3540 -childID 2 -isForBrowser -prefsHandle 3532 -prefMapHandle 3528 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1559aa96-563a-4a0a-8d16-aaa80f5c4dc6} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4660 -prefMapHandle 4656 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca6c6a19-2c3e-4e22-ac24-1fd452978a0c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" utility
    3⤵
    - Checks processor information in registry
    PID:2176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 4200 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bbed8d1c-e598-4e9e-9d3d-0279e0584164} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5580 -prefMapHandle 5576 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07ce96a-e920-4951-94ee-cd2cfb4eed9a} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5696 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5768 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7e08041-e5f8-4ee4-b535-63e55a34ae7c} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3500 -childID 6 -isForBrowser -prefsHandle 3492 -prefMapHandle 2740 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0833579-e801-45dc-b4e5-f5e6c8442729} 2424 "\\.\pipe\gecko-crash-server-pipe.2424" tab
    3⤵
    PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
549KB

MD5
0b24892597dcb0257cdb78b5ed165218

SHA1
5fe5d446406ff1e34d2fe3ee347769941636e323

SHA256
707f415d7d581edd9bce99a0429ad4629d3be0316c329e8b9ebd576f7ab50b71

SHA512
24ea9e0f10a283e67850070976c81ae4b2d4d9bb92c6eb41b2557ad3ae02990287531a619cf57cd257011c6770d4c25dd19c3c0e46447eb4d0984d50d869e56f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
14KB

MD5
5dfdda860ba69df0ae0ab193cf22a4ad

SHA1
631c3b573b87688a9c5c5f9268fa826b315acb22

SHA256
2ffa1c010889dc2c03dfef2271343ac6032c3966530c383b92d3dfd99a3aadc5

SHA512
ba844e4157d1da80879d89d52155e10f02682f34d92a5a7a57fb1d723cac66b01ff3aace379072780c01720419fd21f1f25279f6587950e9ed4c43688c284a95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xanyx-loader.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c3889d3f0d2246f800c495aec7c3f7c

SHA1
dd38e6bf74617bfcf9d6cceff2f746a094114220

SHA256
0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

SHA512
2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c4a10f6df4922438ca68ada540730100

SHA1
4c7bfbe3e2358a28bf5b024c4be485fa6773629e

SHA256
f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

SHA512
b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6b4b1762-05e4-4570-9379-bf1eff6c44e9.tmp

Filesize
5KB

MD5
ef7faca002c6aee9d135d6438ebe37f0

SHA1
9460c65221953c845b5f576f729a68b49f818394

SHA256
eb981ba2a145ce6b123b96dc21f19774ac3502e26efaacc515cb1beed97bf8de

SHA512
e5708881e1520bc7ce2616b547f3f57324bb185d80a4339243f6a3cc68b9eb0f8a032c1f2676fcd648881265fac6eeeaa15e3cfa5c6f477cd716ffc98486f859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
16a6972efc9d8931fb3109bb0f6f3466

SHA1
d68e0fad5b701cab08035205ac170b6091cf4166

SHA256
837368e9361c6799e3ffb49f3a16ab21fb3111d1bf39a929737999a71f36c887

SHA512
105b286e23bc6e2d2e050741ecf13cd4a5ee318b96bdda19bf06b4a2e9ed899cc66cdbf49e9b14b4db18f3d6bb452f535f8f439ca44f6e15c090994e3bde2b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
411B

MD5
e9b2bab14a870c18bb1c9a8057de14a2

SHA1
6768642edc4a3ef62830f33d7fac9364bd763e63

SHA256
7d45eb9b155d81a62f8eac86985c5a479c8c60fc606c07046f52b251444fa2da

SHA512
15f64aa193e4b7d9ab786a174dbed2b59585df5c0529b49321d9d9af849667ab8070289a3222318199d266efec37d246b299e1c6c5d4e105969e3cd487bb79e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41471f04688c4e328abedf208690ed1c

SHA1
6519dbceb1e1e60389e61e1b0924cf1bfe73bae3

SHA256
82dd4a207c61f640ad8d042d3f9ba3cfd958c40a1fc5ff1b3ffd9c98d38c3cac

SHA512
97d7b09183494f03d72e04ccbbe71950c7eb8886a8ad2c4dcfc7bdd6d18f7316ef734c5e96e956d92bcd5c08c94fd1432310c70efab7bb7fdc3487a7dd4b4edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c5a2f27a6c5b72e73d06e37020a4bf33

SHA1
7cd30d63b150d155e10fff2dc8704b2d39191b01

SHA256
42ba96daef1c2ef567f7e55fa01490fe8458603a3f45de5f3770ea3613c61010

SHA512
bc67624db82aac7a099a2bee39f921679407d7cee066869335a009d38649f8d1a5f5afccd307075900b55a827b985422518b21cdbfdc9452c58e1f1408d13452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d78f22eaf4a44148e657d9dc46600a42

SHA1
954aaeb2147d4068060a00a452c8fca85256bc85

SHA256
5e2f77fd798badda96c2aa02e02503e1bc5006fa25a58514346b7c27994f5281

SHA512
3da9788df7866f1dfadc113c34362929acdd3b45f1cdb794307f5cbf3f1ab812596b0e1336a3fb64c62d8970af49a240553af8174d34d1b4ded63e90a7a2f476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cd12d545192a06741b676e7b6ff42cc0

SHA1
a60cde52ad46d8fd5e7ce4874a4be1668363a8dd

SHA256
807dd63608d911246c4c40e29157886df62cbf176ddc75c7c4651435b8f9852d

SHA512
51282710df965b767ca1bca258050f7d5c3c254f1f53495b4e7bfc02755707c33c05f50af5b9b9d25d14928cd42e3e0fded7adbcce58b8ead0049cee8cc08232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
769603958ab36eca935f947e4ea7e1c1

SHA1
a326113ff54e289471bd66598e918bbefd5d4c0f

SHA256
aabbce0246ce94cd718f26eeb4a0b541288f5a1af05f03f1b866499dbc45d1ec

SHA512
3cd11a8500e9fe89622bd3e28070bb3413c4d1f61d35d28a1c9c03d3384c7cccfaeb3a64ac040e0dcbdc420b69ee661ee09346c7d89049210a642e969bc927dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98c5cbd700adcaffd1d1718024054701

SHA1
df4a6a7c54f5e6a5f79df01fdbab725c3e6cfbb9

SHA256
bd10e7415a87b434fd46c87c89218e5e3f5ab9797b8303ddcbeb4e5dffb80f0b

SHA512
f9051e8b90937962992852aa519ba56dec235d70d1e1d1e33ffd38d6a19905301901c784ade786f9db37fa4b6ec78048c4f642ebdb46a878fc28aafa146683ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5c65e0fddc0fb988943c265488ff3b76

SHA1
f0de6cb9efc55e63b2e311555a9be73e82a91ab1

SHA256
79718c2b30d601279243e3e5bd0cb578baf821620fbf7f9940a9495df8f29464

SHA512
d79f0ac60269f9be0b11f17ff2d31db4a888044405bb1140bfa65cb197dcca5396db91dfe607b65476ebfd0a8f66f51544fcacae088eec93ae111b647a1f6449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
87ebe221d639e66210ef10c93e5f83c3

SHA1
483a666b82f7b59e2d569f6f331fa3989fe0f526

SHA256
9a41c90023823aa68dc48f5d8592910dc2ad1116bf54870a0832aba787990380

SHA512
2a1e22894388a79526f39db4fa7c65db92626719337f865eaac39d0bb28dc95726fba62c1f0d659864843a2804bd803fe3dfbc0840421c80ff735192928efcce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4273f170169bb353809542b107cbd85

SHA1
1dc690ec9521c5aded719c7925d428271eeb2706

SHA256
b3efd6f2403ed3b19c8e7488b272bd2d024fe64d1ada4e5e22a2041fa66157f4

SHA512
9a23e0d07db1f8ca882ffe6b669bb2814a3f19b148d7a27b9c1f4e139be76bf81ceae73714d0e43e397c463265b58bbe411be662f50f1f96a081229ca378d6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b68ab4ca7e39baffff644d4820c98f0c

SHA1
25aee3c71f29c4520c9a89a13ce47864b75ced4e

SHA256
974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676

SHA512
5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
45741c307af2576c6437c5fdb24ef9ce

SHA1
a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf

SHA256
7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2

SHA512
39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de1cbc191bee1d162d00561785ff3e3f

SHA1
e65c6208aaeb730c3242fec9afbfe797fb464f66

SHA256
7eda0e7287adda6d5511bb314988c270a1ec05a6bd7fcbfab698ed7b4b195434

SHA512
af507d8a805f43842e87414b43c1a0f8973f3d663d2efeb0556b9d212741d159e2f0d0e0528588d9dba1278cca1efd37ab4d28c118c4424345191d0b016d2013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8473c0720d50f160d2a0aa6f2c469195

SHA1
12178cc31b143c8e205c974340c73f34aeadb1c2

SHA256
575c9adfd431e013e5bfb5e133b805ed9e7aa77da05be167f3f8b92211e643b0

SHA512
61fe1040a5fbc1c0bf7290bc63b336152831647cafda9d491ae65f927b49fad9d8feb867115eddc8aeab6a8d5c3fd398edde0d177b11180b33982deefd52ceaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_haz5k4r5.bti.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\AlternateServices.bin

Filesize
7KB

MD5
19b04d7b78cc15f94d1047f0e3d26c3c

SHA1
39e3ec1e1b2e4a1c99129baf7f42f14d6b7bd577

SHA256
2f0fe906d6376c7f8f4ba5a7eee3376eabd5a1430917826b85867dc8bc381df2

SHA512
331a590d0cb82750b97acf5b8823f2a410ac786d9f15abe774c888b98c03b663fbea9a1d6237cb45fe6ca2ae86fce8bf62987b3af95019651c4728676df38b45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
063ae5ff94abb0b67571e8d71c9360fc

SHA1
ee7fc4d5a54524fa2df309d3b5b8c17bed37a17e

SHA256
61cfcee15a4dd80f4ada364a76f249e250aa2bba5923b4bcfeaefd405f7e162c

SHA512
c4a37d7550ff39c195363e9cab57e90bafe9cf86357463dcdc546c6e5378b6f86051b0372d36b52d60954dc2b95c39e3c8b4265881f6b960aceca1b63d3a3ef4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\763fbdb1-46fa-42c0-bbdc-65feb446d2f0

Filesize
671B

MD5
0a1d4c61992f9d466f74493af6d93234

SHA1
d3972ed0c9843433c29bd9c09d4582a081af9932

SHA256
959e78f81557aabd287542d2074c55d2591211e5a41504b26f0180b2921d08af

SHA512
d58707923a057f1d0d5746c9125bfe5d29a111e5e5cf6fa5cb2a98d47228df653e44241c77e381aff85dd45772cd5d2282f7d83c1baf5971e9336ee9691e8403

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\81a6f0d8-da36-4a2c-9114-112605e76dc7

Filesize
25KB

MD5
dc02df1a930ca9bab473000c55dd02be

SHA1
7c5faf4d6e0c37906a85eb47fc25bb3f053c4b39

SHA256
b59c62961a17c95fe07b2a5c603ade2a3514cba491419486871be2608ab2ea5c

SHA512
869d3443f08aaca36067d3b0a8a9ef983d437116b4119f5ed1dee7df6bfd30faabfd72b17e2e408196f1c97869e34016caca527fcde755fb679c41453557d3fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5vinb3pw.default-release\datareporting\glean\pending_pings\ae1ff134-6771-4bbd-89be-72e3d8b722d6

Filesize
982B

MD5
2f7ef5376ac8c97f64054070a8ef10e8

SHA1
9b3c2537e146e27384cf298557584a87aadd01fd

SHA256
3c5ae4d73fae307c4b8ce21de06f9932fd8ff5acff03253124aff4c42f14521f

SHA512
5cdd4481b5b6c549eb1c020611567534aa4395787d208c1a7478d470f38fdbd9d36a4616771a84a49363ba53a64d0034a20f58a1fdeb73d296c737b5d5dcb98e

Download Submit
C:\Users\Admin\Desktop\xanyx-loader.exe

Filesize
349KB

MD5
ed847ded3be4f10c7ac9e83d9d1d2e83

SHA1
e871c6bfb85998c26b1dac25f477c401af71b6da

SHA256
be714037f784e78ea5e6698029d60d692be324de6530a02a8efd65c1a8a5fccc

SHA512
a6a3640fed6a3f4241ab2d365ef8fa08af9a5c40f95031cc350a21fbcf1385354c3b8d128e91d0c5cc349856ea7b7ff17a01615da218de9f4b836bccd48fbbf6

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
58B

MD5
37da88b521d433509b41a4f658730dbe

SHA1
2ea39c5e0b87a0717eac738f9ae92be8771fd576

SHA256
62ba564e8b8b6fba4ae004166cddac5e232f0b2d06dd97c0e4656571adfe7d84

SHA512
98a00650022e0e36e748714b92b6beaebc3afa3c7a5baab8cecd155091d7acac94dbec0fb9c7c2c24c07e0ac7068058926de85bf10ed4e7a3b634d47119ea832

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 99530.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\xanyx-loader.rar

Filesize
111KB

MD5
102cbc98414aede69cdf6c09d5b6e569

SHA1
fe76e1619e0b1148485877327456d239ee7c1020

SHA256
2f42648d7921f8cbd227352fbb4ec5c7851cb238e537db7413dea030b1d4fc05

SHA512
2dd754a7ed68fb517d603b5d8de05fb5fe7c85546f30278003d42003940a706b378ff47848620dcc4063cc362ad09a8d85188fb0c7d484f056f44a3142d3d695

Download Submit
C:\Users\Admin\Downloads\xanyx-loader.rar:Zone.Identifier

Filesize
224B

MD5
25cefa892b421e75b454167eabd9794e

SHA1
e4cb1412d23ba9423a8cc7ad17926b0c35ddd9a5

SHA256
489149f2e780a088010e5086ffca6966542c1306d8c0d48416d5853cb77aefe0

SHA512
103d5096f38e88a2c76e065f1be9583a206e4b8da1d8d388ae62978560c86388dbc5ccac28d809d39829e53e0e554657dd785955905eae12c6b81a95e0e66b30

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/864-540-0x0000021FF7AF0000-0x0000021FF7B12000-memory.dmp

Filesize
136KB

Download
memory/2260-595-0x00000192AC140000-0x00000192AC152000-memory.dmp

Filesize
72KB

Download
memory/2260-594-0x00000192937C0000-0x00000192937CA000-memory.dmp

Filesize
40KB

Download
memory/2260-561-0x0000019293780000-0x000001929379E000-memory.dmp

Filesize
120KB

Download
memory/2260-559-0x0000019293910000-0x0000019293960000-memory.dmp

Filesize
320KB

Download
memory/2260-558-0x00000192AC330000-0x00000192AC3A6000-memory.dmp

Filesize
472KB

Download
memory/2260-534-0x0000019291A70000-0x0000019291ACE000-memory.dmp

Filesize
376KB

Download