xworm | 12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

playit-0.9.4-signed.exe
Size

4.5MB
MD5

b5a2f8dde0d824b64b749f0db69d00d4
SHA1

2cf1025a87a2dee9972b71f54e399e37ae75e043
SHA256

12f2da4d791bd7654bb4e89d48cef58c07e2b804be1c6f79ee3d68e9e9566906
SHA512

107a05c44148d9b4c7ae597c94e1a99809addeb43ade7178effd83758bd443afbaf9d3008894c8e5834ac9acb308517097418bc8a5f9f0d50d25a373aa6637d6
SSDEEP

98304:yJd9khieA3BPOtdBrkFVYBh7IoAyTzZwFkQoGtczBOlzp2ybcBk:yJnkvAxPO3BrkFVYBKoASaFJekl92AcB

Score

10^/10

xworm discovery execution persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

3.1

147.185.221.23:24311

Attributes

Install_directory
%AppData%
install_file
RegEdit.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0002000000022b13-14.dat	family_xworm
behavioral1/memory/4760-25-0x0000000000140000-0x0000000000154000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4436	powershell.exe
740	powershell.exe
3104	powershell.exe

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	playit-0.9.4-signed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2220	playit-0.9.3-signed.exe
4760	XClient.exe
5832	XClient.exe
588	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1772	msedge.exe
1772	msedge.exe
4436	powershell.exe
4436	powershell.exe
1536	msedge.exe
1536	msedge.exe
4436	powershell.exe
740	powershell.exe
740	powershell.exe
740	powershell.exe
3104	powershell.exe
3104	powershell.exe
3104	powershell.exe
4448	identity_helper.exe
4448	identity_helper.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4760	XClient.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3104	powershell.exe
Token: SeDebugPrivilege	4760	XClient.exe
Token: SeDebugPrivilege	5832	XClient.exe
Token: SeDebugPrivilege	588	XClient.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 2220	460	playit-0.9.4-signed.exe	87
PID 460 wrote to memory of 2220	460	playit-0.9.4-signed.exe	87
PID 460 wrote to memory of 4760	460	playit-0.9.4-signed.exe	89
PID 460 wrote to memory of 4760	460	playit-0.9.4-signed.exe	89
PID 2220 wrote to memory of 1536	2220	playit-0.9.3-signed.exe	92
PID 2220 wrote to memory of 1536	2220	playit-0.9.3-signed.exe	92
PID 1536 wrote to memory of 3876	1536	msedge.exe	93
PID 1536 wrote to memory of 3876	1536	msedge.exe	93
PID 4760 wrote to memory of 4436	4760	XClient.exe	97
PID 4760 wrote to memory of 4436	4760	XClient.exe	97
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 4792	1536	msedge.exe	99
PID 1536 wrote to memory of 1772	1536	msedge.exe	100
PID 1536 wrote to memory of 1772	1536	msedge.exe	100
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101
PID 1536 wrote to memory of 3296	1536	msedge.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe
"C:\Users\Admin\AppData\Local\Temp\playit-0.9.4-signed.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe
  "C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://playit.gg/claim/afa678ea99
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbbc846f8,0x7ffdbbc84708,0x7ffdbbc84718
      4⤵
      PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:4792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
      4⤵
      PID:3296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
      4⤵
      PID:2328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:3840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
      4⤵
      PID:1640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
      4⤵
      PID:1980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
      4⤵
      PID:736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      4⤵
      PID:5284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:5292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,13642928257034983162,9467928322116806558,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2484
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5832

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
025ff6b5594d3dec01c039c9e177cf53

SHA1
7b3506995910cc2af07a4d16004d8893d7fc6218

SHA256
e8463a7a795800b447e55203b2fc9b0b8a5715fa0ec5100d8eedfcb05f52dc82

SHA512
653f0dd287886252d8e0126b95bf2233f307349b55e47cb7dbc564ba776b3d93f78b995e2a3525b955c775c17355ecddc97a89dc0744ba76ad14108c88afb03e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a864a2fba852251c26fa741d3274a786

SHA1
f619535cda237e2434a4d87f7e64c3254975edb0

SHA256
559b6555424499dfbb0ce7e966f3499d37d9f43e21f524d4818cc7cb234ec790

SHA512
cc3d035137ea799d9a76316a54a55f5c6c12ea19946a0a8e29311dfe61ef49871eabae2d044205c7b184f6039544968aa72eca86c311ec0f264ed0c650a32574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
93d754e59002ba6b2e9d21dd5a205d22

SHA1
bf22fbc3122404aa874499e49a24d2900185a2a6

SHA256
9708a8e1923e5ef86d3e9c5e49f6b5f64fe756ecd122d9751867fa169f7320e5

SHA512
655fc61b80316672765469c75fd28a3172ce35a81f1d3ab6dcad03a5d745144e003700aa6defcd1f618847583a04d223550d580bd3dbd5b2347df5ebe8253767

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5555025959bd08a6b3df2df5b3251c6

SHA1
83d798f528ed238b22f5072bb575b1898ee8d08c

SHA256
e09cdf0d3b8df597564acad9ff9634a182d4dfa59d9ed69aef49f792d6b0e819

SHA512
0b813e6d5ddde97b535682c483e6a05d5bc5fe4f32ace9e90ec1fa6b79468b3e8db26b64855fad142138e8524ce011acab2b75a44ae90699dc3ad20e8e4c23da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
003c3cb1dc3587456c2328e2d561c73a

SHA1
814e1cd2def7af947916c992797872e068c75373

SHA256
2a96f52ae19d80142e0fbbb7582bb9e983856e08d938e35a195b8b6fde62943a

SHA512
f1eb6a8aed8088d1d856201351378af96804b740f524ca97bc6c548e5dd6151feb3c5c0f2dc233f986c6c5144780da03337aa857433f6c7ba2fd6f6b090f9f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
47c76e4c64fa4ab0eaf643c6105dff0f

SHA1
7bf0495a9350100c1d013104ebb9ab6920bc9ae6

SHA256
c264bb7112cab8048b1e65890373b7f7202acc2cc7f6d3a6594a24ac2a0daacf

SHA512
2211ffb86e4bdbb203c584ff78e33396eef0eb646412d33e6a5bb2ba22955850ebb6a066ae2a9e6e606fff7bd12320b8dccc13ed212c576163dade66ce019c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
373b8bdb239f9f35a62b94efbdba3e5c

SHA1
d2d2384ae2b07bebf781dc5c9a3a2f2b75283079

SHA256
f1a84849df47d0b655a025cf599e57b4d4480a9b42c59cf9ba1f5defd3bb0b9b

SHA512
73471892727772524be4f326ec6d9ab0c22315f03119082c9ede11b0245f7d21074ac9ff89995e41766e9a8225a879fa13b7ec20529adcc60cbe89ecf31ff26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58463b.TMP

Filesize
538B

MD5
04f16371413932acd1fea67c14ec6419

SHA1
1e3f89593214c56ed3480e4ca0b2c35e40f42476

SHA256
6d6aac74d1db75c4f248f222c11f49308a3cc862aa5e08dfd0c85481c57bb06b

SHA512
cca1b6567cbfc523dbddc036fb5f101501f6dd83c4984ac49df16daba20ad5d7c2fa6aa9c8fb91316e6d83a2a859a8866a9d8ad62ea6364f4642a8e778913027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ee5c446464ba841a74e0df9baa36ee1

SHA1
26d55aa45edcf75e9251c278db40d5740a5abfcc

SHA256
59f1810437dbf17b68697e4a4f0cf153cf68b8d8724c40e6d7ce536788e28600

SHA512
c293bfa78344e1a9fa096c1ff151db7e381655ca04a6d8d9ec414861d73393a1c4ed4eb99195b4597ecb81b9257d13584a821150f08673c016cb1ed291d1a43d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0093819c829dd30c13746f256efba97f

SHA1
f095cbb1d10a54a91d7d341c4098d44973d3ec50

SHA256
5f936c252c9ed7d08d4a73b86230d9877173b44c36544f0b24eae3eb38617401

SHA512
72aac852de41473494d2263aa44dbabfb1f318f8a21ebdfe080c4a98b9288db07e9641a935d9a640b5e879f28a0560cae53bd4191ac94d315b87746e57e69af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
57KB

MD5
f2a9ba24fda65a5e298a37965de4258f

SHA1
5c91e7c89233c45933ac106cd4d1110d293c9206

SHA256
6ea59e69f350e9f0311dfc3d58fcc3ebd22f2401b3047f454a518e73a12569dd

SHA512
e53b4e702ba04350d3c5f4c3780394b53360100b67f9856831a49235d1561cb864616823be3308911629416a5e69d88f2c3fdff8907547a9d821714e1eb94386

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkh3jqww.mk3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\playit-0.9.3-signed.exe

Filesize
13.1MB

MD5
da0750733bf36c61222eefaba4805dcb

SHA1
304e90d123300e646b768f1f358e59ba506b7dce

SHA256
c9ff8f05cdde137cb0e1e386184a42d4889988c4cfd235fd3340fe545f5e06ac

SHA512
f9a8e89f294257f785388e237a6da1f363f8d78af7c9b473d67261b99526224eb84598eacbba17f01a9f2eb2f6fea0740f7e37df92891df8fa39a33820287454

Download Submit
memory/460-22-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/460-2-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/460-1-0x00000000001D0000-0x0000000000652000-memory.dmp

Filesize
4.5MB

Download
memory/460-0-0x00007FFDC0733000-0x00007FFDC0735000-memory.dmp

Filesize
8KB

Download
memory/2220-190-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-298-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-310-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-166-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-305-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-301-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-218-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-226-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-240-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-138-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-257-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-294-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-283-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2220-285-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/4436-58-0x00000152CEE30000-0x00000152CEE52000-memory.dmp

Filesize
136KB

Download
memory/4760-25-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/4760-168-0x000000001AF00000-0x000000001AF0A000-memory.dmp

Filesize
40KB

Download
memory/4760-139-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-140-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-167-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download
memory/4760-24-0x00007FFDC0730000-0x00007FFDC11F1000-memory.dmp

Filesize
10.8MB

Download