xworm | e51ecaeca7cda9ed0930aeb8805abc3d6a2e614493b7da7aec7b7cd92bfc2e2e

Analysis

max time kernel
1781s
max time network
1789s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Skibidi Simulator.exe
Size

190KB
MD5

3f0c9614a4589ea9d6cb31327d6d43f6
SHA1

ed27cf1b9f44c9075ab81083eb55a7d2cd1daaa3
SHA256

e51ecaeca7cda9ed0930aeb8805abc3d6a2e614493b7da7aec7b7cd92bfc2e2e
SHA512

ab6effe8fc71db4b00999abe3406ae9da541eb11fd901b7762ecc40f389e52d0900cb6aaa6b4ee19f3f9f904cac19a07cf9fa71d3587047fc9a2b65d1d8ed1af
SSDEEP

3072:hSqPIvvgpFI9AeOwZYLOE2lutCJC4ZRYJAJ9mT5QNfiz9KXl8+bzJ/xd0qFlvJJi:lGvYI9/Y6E2lBvMJAJ9m4Kz6/5xd0qS

Score

10^/10

xworm discovery evasion execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:55357

control-designers.gl.at.ply.gg:55357

Mutex

5lmtbJhTwGipQKSc

Attributes

Install_directory
%AppData%
install_file
Windows.exe

aes.plain

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2608-72-0x0000000001010000-0x000000000101E000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2608-1-0x00000000007F0000-0x0000000000824000-memory.dmp	family_xworm
behavioral1/files/0x000600000001e0ab-58.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3964	powershell.exe
4112	powershell.exe
3156	powershell.exe
2816	powershell.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Skibidi Simulator.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Skibidi Simulator.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	Skibidi Simulator.exe

Executes dropped EXE 30 IoCs

pid	Process
3640	Windows.exe
1400	Windows.exe
2556	Windows.exe
4904	Windows.exe
1568	Windows.exe
5060	Windows.exe
3272	Windows.exe
1016	Windows.exe
2120	Windows.exe
4064	Windows.exe
712	Windows.exe
1040	Windows.exe
4420	Windows.exe
1648	Windows.exe
2416	Windows.exe
1572	Windows.exe
1644	Windows.exe
3420	Windows.exe
4320	Windows.exe
3944	Windows.exe
704	Windows.exe
4776	Windows.exe
3612	Windows.exe
400	Windows.exe
3444	Windows.exe
216	Windows.exe
5088	Windows.exe
740	Windows.exe
1552	Windows.exe
3064	Windows.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Windows.exe"	Skibidi Simulator.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	Skibidi Simulator.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
4112	powershell.exe
4112	powershell.exe
3156	powershell.exe
3156	powershell.exe
2816	powershell.exe
2816	powershell.exe
3964	powershell.exe
3964	powershell.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
904	msedge.exe
904	msedge.exe
1964	msedge.exe
1964	msedge.exe
4076	identity_helper.exe
4076	identity_helper.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe
2608	Skibidi Simulator.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	Skibidi Simulator.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	2608	Skibidi Simulator.exe
Token: SeDebugPrivilege	3640	Windows.exe
Token: 33	2512	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2512	AUDIODG.EXE
Token: SeDebugPrivilege	1400	Windows.exe
Token: SeDebugPrivilege	2556	Windows.exe
Token: SeDebugPrivilege	4904	Windows.exe
Token: SeDebugPrivilege	1568	Windows.exe
Token: SeDebugPrivilege	5060	Windows.exe
Token: SeDebugPrivilege	3272	Windows.exe
Token: SeDebugPrivilege	1016	Windows.exe
Token: SeDebugPrivilege	2120	Windows.exe
Token: SeDebugPrivilege	4064	Windows.exe
Token: SeDebugPrivilege	712	Windows.exe
Token: SeDebugPrivilege	1040	Windows.exe
Token: SeDebugPrivilege	4420	Windows.exe
Token: SeDebugPrivilege	1648	Windows.exe
Token: SeDebugPrivilege	2416	Windows.exe
Token: SeDebugPrivilege	1572	Windows.exe
Token: SeDebugPrivilege	1644	Windows.exe
Token: SeDebugPrivilege	3420	Windows.exe
Token: SeDebugPrivilege	4320	Windows.exe
Token: SeDebugPrivilege	3944	Windows.exe
Token: SeDebugPrivilege	704	Windows.exe
Token: SeDebugPrivilege	4776	Windows.exe
Token: SeDebugPrivilege	3612	Windows.exe
Token: SeDebugPrivilege	400	Windows.exe
Token: SeDebugPrivilege	3444	Windows.exe
Token: SeDebugPrivilege	216	Windows.exe
Token: SeDebugPrivilege	5088	Windows.exe
Token: SeDebugPrivilege	740	Windows.exe
Token: SeDebugPrivilege	1552	Windows.exe
Token: SeDebugPrivilege	3064	Windows.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2608	Skibidi Simulator.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 4112	2608	Skibidi Simulator.exe	84
PID 2608 wrote to memory of 4112	2608	Skibidi Simulator.exe	84
PID 2608 wrote to memory of 3156	2608	Skibidi Simulator.exe	86
PID 2608 wrote to memory of 3156	2608	Skibidi Simulator.exe	86
PID 2608 wrote to memory of 2816	2608	Skibidi Simulator.exe	88
PID 2608 wrote to memory of 2816	2608	Skibidi Simulator.exe	88
PID 2608 wrote to memory of 3964	2608	Skibidi Simulator.exe	90
PID 2608 wrote to memory of 3964	2608	Skibidi Simulator.exe	90
PID 2608 wrote to memory of 1056	2608	Skibidi Simulator.exe	92
PID 2608 wrote to memory of 1056	2608	Skibidi Simulator.exe	92
PID 2608 wrote to memory of 4432	2608	Skibidi Simulator.exe	113
PID 2608 wrote to memory of 4432	2608	Skibidi Simulator.exe	113
PID 2608 wrote to memory of 1964	2608	Skibidi Simulator.exe	120
PID 2608 wrote to memory of 1964	2608	Skibidi Simulator.exe	120
PID 1964 wrote to memory of 944	1964	msedge.exe	121
PID 1964 wrote to memory of 944	1964	msedge.exe	121
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 2764	1964	msedge.exe	122
PID 1964 wrote to memory of 904	1964	msedge.exe	123
PID 1964 wrote to memory of 904	1964	msedge.exe	123
PID 1964 wrote to memory of 432	1964	msedge.exe	124
PID 1964 wrote to memory of 432	1964	msedge.exe	124
PID 1964 wrote to memory of 432	1964	msedge.exe	124
PID 1964 wrote to memory of 432	1964	msedge.exe	124
PID 1964 wrote to memory of 432	1964	msedge.exe	124
PID 1964 wrote to memory of 432	1964	msedge.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Skibidi Simulator.exe
"C:\Users\Admin\AppData\Local\Temp\Skibidi Simulator.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Skibidi Simulator.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Skibidi Simulator.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Windows.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows" /tr "C:\Users\Admin\AppData\Roaming\Windows.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1056
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9010c46f8,0x7ff9010c4708,0x7ff9010c4718
    3⤵
    PID:944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2764
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:1368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:928
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1693263611420397022,5661736210766573093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4076

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x474
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4044

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:1300

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1076

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:712

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3944

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Users\Admin\AppData\Roaming\Windows.exe
C:\Users\Admin\AppData\Roaming\Windows.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae1f55218e047b0dea53a58ee2a2bf0c

SHA1
7ccdfaa31fcf856171271ebf7b02f9925fef06cc

SHA256
9443d9c890766cdc3e8175e1c2c04f1cf5897141519f2c7d4a3a039b390af93f

SHA512
933a02614a9402ea56b7c9f86e5ff6e6f0d1740502e2f4f3ed8a3b9e9f9fd7a2b206b640ea8a2367712fdd3b7dfc451fd1abfa27b01bcc4ceb07a6aaca0eff4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c3bfb0fc673fd082b300f5fa7f82660

SHA1
7db12bfdbf02bf5b4abe706a8884f74e892e86ac

SHA256
eb87e8d930e5db86436af41369395304ec9c09f79ddb49fbfbf9739a2dbf5454

SHA512
6e7aadd8b8fb48bcc7c161bb71a21e4c22faeb733a5ce089be945002735db65087d42df34d270c96d1ef423cee13cdc621ddc8306f0df58fee893a39b7524b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b3bd4645d040db615f97e9b76f87ba50

SHA1
757f14e720e1b3167b00b288f8668850fc7f8af0

SHA256
38f81a83dd8f9bbd47ef9e792ea22acece79cacc3dfa095a2c17102883e2712b

SHA512
bcdb97c591c1076fe3b33b04cc5e62de4bb7b74a9e55bd55097fbb9c9c3d95ba1a5e84f63a21787e294f7756d617734bee1c51efcd0e8090c008b34c105a14e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_un50wext.tjl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Windows.exe

Filesize
190KB

MD5
3f0c9614a4589ea9d6cb31327d6d43f6

SHA1
ed27cf1b9f44c9075ab81083eb55a7d2cd1daaa3

SHA256
e51ecaeca7cda9ed0930aeb8805abc3d6a2e614493b7da7aec7b7cd92bfc2e2e

SHA512
ab6effe8fc71db4b00999abe3406ae9da541eb11fd901b7762ecc40f389e52d0900cb6aaa6b4ee19f3f9f904cac19a07cf9fa71d3587047fc9a2b65d1d8ed1af

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
627B

MD5
75a3e93e8d50e4c092ee22b186fadf74

SHA1
481f9f3ec43dd0cee89849721b61093e37fff870

SHA256
15a2cce9bd9019df9f5960024fce45118b70764eae5726c983f64e4d60c02ce2

SHA512
215b6478221adf4fe5086997da1d9868b5ab9ebdb26a26dc7e89c8246de0b9f95276ec820ed09b3d28ab3960fe1ca4152ab614f4a66bd4e9739a97ef99f8c127

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
2fb8cdc7bb9705733199214ce75840ff

SHA1
29ad208d6279219d0a33f254d786d17dca3574d6

SHA256
2f25a66cb22bb0cc86e8ce8d56ac02638bb1eaf3cbd3edeb159a47c04ffe4c46

SHA512
1870904e69c93baf9da7a0218c4ede8aee07e3b8f65ff94e01655f3eb36a451781b943584bc6629a2a0ca534619a09fc1fc52871ee2d90096247c428d3c7a283

Download Submit
memory/2608-62-0x000000001B9E0000-0x000000001BA6E000-memory.dmp

Filesize
568KB

Download
memory/2608-69-0x0000000001000000-0x000000000100A000-memory.dmp

Filesize
40KB

Download
memory/2608-65-0x000000001BAA0000-0x000000001BAAA000-memory.dmp

Filesize
40KB

Download
memory/2608-72-0x0000000001010000-0x000000000101E000-memory.dmp

Filesize
56KB

Download
memory/2608-73-0x0000000001020000-0x000000000102A000-memory.dmp

Filesize
40KB

Download
memory/2608-74-0x000000001BAB0000-0x000000001BABA000-memory.dmp

Filesize
40KB

Download
memory/2608-79-0x000000001BAC0000-0x000000001BACC000-memory.dmp

Filesize
48KB

Download
memory/2608-1-0x00000000007F0000-0x0000000000824000-memory.dmp

Filesize
208KB

Download
memory/2608-66-0x000000001EF30000-0x000000001F458000-memory.dmp

Filesize
5.2MB

Download
memory/2608-57-0x000000001B5A0000-0x000000001B5AC000-memory.dmp

Filesize
48KB

Download
memory/2608-2-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/2608-56-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/2608-0-0x00007FF8F62D3000-0x00007FF8F62D5000-memory.dmp

Filesize
8KB

Download
memory/4112-17-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/4112-5-0x0000016773930000-0x0000016773952000-memory.dmp

Filesize
136KB

Download
memory/4112-4-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download
memory/4112-3-0x00007FF8F62D0000-0x00007FF8F6D91000-memory.dmp

Filesize
10.8MB

Download