xworm | c82bb2bdf2a6a156eaa280eb6cd7f006e5c2421a24490ea017e0048c5e4ab140

Resubmissions

01-12-2024 20:51

241201-znngha1pew 10

15-11-2024 18:52

15-11-2024 18:49

15-11-2024 18:48

15-11-2024 18:45

15-11-2024 16:38

Analysis

max time kernel
136s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
15-11-2024 18:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

XClient.exe
Size

63KB
MD5

babb94ecb1c83f5daa6fbe659eaaa4f9
SHA1

07289ec74f35061c515c6a835160ded06f823305
SHA256

c82bb2bdf2a6a156eaa280eb6cd7f006e5c2421a24490ea017e0048c5e4ab140
SHA512

93fb30710c1194bad4ce6cea55df8cca3b68dcb08a53dfb68f69cf6ca0695a3f89bae0e66d3f142c5d84cb9a03cc32ac65a815c9e859a1e4c39b50dd8609e6ab
SSDEEP

1536:GjFmCqZLnPN/2hFtT/PXl6/3d8/kbS5duRcdjT5WkOLuKZEY:GeZrNMF9/EFAkbS5AKZT5WkOLuI

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:56069

front-applications.gl.at.ply.gg:56069

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/4484-9-0x000000001C6E0000-0x000000001C6EE000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/4484-1-0x0000000000950000-0x0000000000966000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	XClient.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	bootim.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	bootim.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	bootim.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
760	identity_helper.exe
760	identity_helper.exe
1088	msedge.exe
1088	msedge.exe
2112	msedge.exe
2112	msedge.exe
1664	msedge.exe
1664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	XClient.exe
Token: 33	960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	960	AUDIODG.EXE
Token: SeTakeOwnershipPrivilege	4428	bootim.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
4484	XClient.exe
4484	XClient.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
4004	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe
1088	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4040	MiniSearchHost.exe
1932	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 4004	4484	XClient.exe	82
PID 4484 wrote to memory of 4004	4484	XClient.exe	82
PID 4004 wrote to memory of 2236	4004	msedge.exe	83
PID 4004 wrote to memory of 2236	4004	msedge.exe	83
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 4800	4004	msedge.exe	84
PID 4004 wrote to memory of 3580	4004	msedge.exe	85
PID 4004 wrote to memory of 3580	4004	msedge.exe	85
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86
PID 4004 wrote to memory of 4524	4004	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://pornhub.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc2fa3cb8,0x7ffdc2fa3cc8,0x7ffdc2fa3cd8
    3⤵
    PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:4800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
    3⤵
    PID:5112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
    3⤵
    PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    3⤵
    PID:2044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
    3⤵
    PID:960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
    3⤵
    PID:4092
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,13665907506194953845,6274697279970786590,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:760
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4544
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3164
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3512
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:1440
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:3424
- C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  2⤵
  - Modifies registry class
  PID:4468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4040

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdc2fa3cb8,0x7ffdc2fa3cc8,0x7ffdc2fa3cd8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,4224075497894198262,4728118393632470222,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:3040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004BC 0x000000000000046C
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3c855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\system32\bootim.exe
bootim.exe /startpage:1
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
214a65e61b2c17b34b4702192b071661

SHA1
1d38f3f0af5cd18e24624fd2e542b808f2619e24

SHA256
67c4b2ccc4fba6862c945cada5af01b4c3535f7b17cb128fe1cbe52805a3d0fd

SHA512
5762b3718f8154c1fd5439c0cc83a3398dcc15226231124ff8a2c9c6f3ea8d85fbbe8f2644a9720119992bd1079416031bc85aa5d7007481b9ea642bb75334db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cac9b3fa8d9bc24e9a49faee780235fa

SHA1
a6253ef0b8c96f9bc03330bd390eaa2d7d7d657a

SHA256
d1a8af3ee4e683e42d858cd465de28f15886ee6ca8baabf47f07f653ae27d8d8

SHA512
f3b9c4f08d7387801d1635235c2494a41e1517c218721b2371266c8051f03c9ee4177ed40be22ec8d7a21c9304b96907bcabf7e88e80ab88c8de1719844f2c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
f9682e520c7cf6e63b33bb977f2fc5cf

SHA1
7b1e3e4ff0e435e3819179ead721581b5d797634

SHA256
70d657d9a6a7678ec2c24304a7292151aabb9a32a6baedb85c912e9fba62507f

SHA512
40111c9f16efdf67ae8cb9dfbfc34ba24c3a313225f1e38c34687d8de73e748a1f9fae74514ccda9cdb5f3bd9bb0e2d6e2a6aceafe1f9814bb9496d00bc60bdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
de6c5dda21ff126edb7645d6a023e6a1

SHA1
d4d69fa9133116eabe8e3841feea1ec1354eac97

SHA256
bebb357b6e285106153abca0e098d55086711d8b0cbe3cfeb74b0ecaea332b2f

SHA512
c72ce726be13aebea0f8a6a197f5613bc73e9645b93379cb9f2ef35f64b26bab3de7aaed8501e616c9b5612c838e1bbc2e3def9fc0d6e29f8fd08f111b994fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
79473724ee0bdba3740efbb184723c98

SHA1
b303a49aa4fa8b3fb14ebc37d69e1634548a2017

SHA256
efa76e66aec165084f59f76e4eb5b0a01daf0dbf77a2455b95d5dcdcdf92fb6f

SHA512
44d88ff0a95ca305319463f1878283184ec669484297776601f8223c15181e39f470b795c8e80fb510ff96f38f86f3ed4cb6b85d11651e15cac6ff67a6829d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
24912bd45df5228267d1c41242cf88df

SHA1
6d9a844971ccdcadcc45c878e7e5ba84b461d570

SHA256
e9106d34a178f577048f1cda5e8d245eae048b8df1c7b9a7290246c56ed85eeb

SHA512
1a02fa8bd345dc7802d70418713b9844eee8a274a5ba8720ffa7be4fc17ce901eb17a617a63c80382d762b2912aaad81ccaac5492a11a2fda2adcdb136f949f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
5b9637cd92ffe9a1727cd54660dffb5a

SHA1
b6894b2ad344dc368154a6b5419cac7fdb46a3a1

SHA256
2084215374705a562bfbb64c75d76cb778a0174b5dddbbce43298f41150fe39c

SHA512
e8bb7a2733b5c8afa93251694d505e215ab30cf77b83c8bec8ee306cc03a3eb26b51797c239a410dc970d3ee756d6da16265c63c4f6e5becc665e5904945b71a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
40fd8ed86541234857985e0cf3138b0f

SHA1
5aa0139982e5eb4e2baa1521804d89fd73a928e9

SHA256
fb110809d0de957c95c40fd0593a92f2c4934e92b443dd67bdb496cf2ce9ca13

SHA512
263bbe6e46eccb0d75b96d846b3f84054ac851a98b2328c81bf7702dc1dc465653587e16c10b257b15908b58db078ecb379634e4d7204b0c54f25972876afbbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
831123a0892972432fffe384a19ef75b

SHA1
e1ace6b956547677424783ca158a4c226bde0eb8

SHA256
67e2de0a9ea0fde254b812936543f987e0eb0fc250dfcd5289b650ff976e510a

SHA512
4ec67ec8d5d8ad30006b1bed7664e2f0e424fa5b07437159ebdd1d1856963cb6cfa79c6114520f8eb4a5b3d432a53a79ac38b38b0c89674b1fda3093625a288d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
a3a5a9d534a93d20ffd7d2bbce6e7410

SHA1
03ebc2a79a0fb975f8d44126e9783ce04c8c42ab

SHA256
9741037fc918db9f6df210467d6777019ff1d4a9ea738f8ffd5a682a1a72a1a8

SHA512
76a5ffc27ec3281f6269bea76bb9ac6c37325c5876d40066a88bb9d905df3fa393155051b6d543788dce7b94d5a8863942d9bbbb31ca2bcb883883daa3c0404b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
3978ee0ca47a774fc80b4952da538b65

SHA1
ce02f9c189f5c31a4799fd89b2609df5e4ed0362

SHA256
28b39580d6ca1e7fbc8758ffa75fa568b33b083e8bbcba6705e8877960c3001e

SHA512
fdf4a2b67aacba4785a6f78b3ce9515b384d2b047b12185f75414c890bf1cc35052cd98eadaf87bd39bc1e22256f3218114c6617397585910c127a8d71c0bc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
838B

MD5
c47d2a9f412d098a50a96cc6c84b9add

SHA1
d29282f110a83c4ee77e4d5da10d0a99abcb766e

SHA256
2b69e8f8de3493a7826e4c2aa59aa84289400c2b32f9592fcb42c93adf2c1c6d

SHA512
345e586617fedb23eac4a546cb4acf666d1f922fa33d7ba97e8c3c44e175097b9241efaa7d6f7f01eea8ea260a38751c9dbda2f4a906533182764f09258393cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
211B

MD5
f82226b40b8ba4d103fa0378e020f3ea

SHA1
c219cd3288fca0e99c78564a26de7c2b346ee200

SHA256
5d506d1950a4076c4044934c3638affc78d7102f9338ac90c0c533d050f0edbc

SHA512
2c9f015530900f604243154dbe63bb590a280266ff768fcf949d8dfcfc12f4d859e68ecf9b4184b507761e7b7d577d871fc5342fe8cbe5041d7d7d2327d40474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
ec86817567f2f9f3ec7054ea553dbea4

SHA1
8969cfe801aa752746702c661d64f45e4104b90b

SHA256
5de360b016025483542767bc1b469c680df85c66cde1205be40930a689dc1f9b

SHA512
d801c80fda349154d61e377430d89a3607e29e84b06d11c8c3226238ed59606e56ce3110055a1e6f93980ab265b5b29958ca3274e2194c58f476545f66d41307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0de83a3e144f575a7b497e5322a0ba8e

SHA1
62b9d6d56e75e706cc0ed99b54a0384b624270da

SHA256
05aef0b356f6515ad01c7f3268dec81d13b2b4baadc175ea01a068619bc6e9ef

SHA512
ef4c001f3a7c756771ecf0b585a51915b901dbe4ce69bf11471cd69c5ce6f201dd49a6c5029f6d7f1f972558f9337a40056a135c23135eec7252fc218a0cddbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1229715bf7dbf8f6bb87f33c75a36d4b

SHA1
43fb4ed4abb100938fe38985676f1d9fe3effefc

SHA256
fc6b5d193c2bed0801feb4e9ff261ba71c3006b5706a8cec62a3819a96109ed9

SHA512
5e1e5684481207e103593603af388ed9185024e72b25915d835f8865b323e290de14d62c6f4c2c9e40b6c4b66ffb3d2e538a7d16a482a26bf96939daba100c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2bd408dc50d9a97ea6404500b8aec597

SHA1
2a9724aebd7d0b48cef52cf96b245463047962d3

SHA256
6a2654b6a68b6d645288de40e20cf7f83704a4975c0a384253f13bcbf0da2f8c

SHA512
2f04ca2317c96a92f01d467bba11e07cd01bac0e3348d76fa03c7a4ee331e030a7aab95ebccd802cc258a5193a12b85810800e71f8cf01bcaaa52b4892d7f568

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
97d4c3d69bd2d2d53fb8591e03a897e9

SHA1
c358f5c4690cbed9164e697bdcb6adfa76bc837a

SHA256
943dd51502607fb8f76caf678bb05b6d57d46f3719d675736459bb04da9e0c11

SHA512
97faf88fa9813797ff80ded56001a88687169be85df4cd0703bea897e6698f6e8db2497215468c16b2dab1139e79bd813e9fb13f122b32d366a320e67c0734e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c43034da1f8c23d9c28d0c598cbcc20b

SHA1
152efa149550d333a12a8c8c18dcc405c874db60

SHA256
697af211335f953456f9b726380a89cfff1f1f55376721eb8c934cb271683494

SHA512
b0540407fbfda0e0c80fc658214a202f6e1319bcda0f10bdca2d31573d660d8d9ab6a43b84c3fc6e70901af6624a6653618336cf345f9b8e38b8803694fcc70b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d344c22dbf31dea65ae1bec686872838

SHA1
3c75c01f57a437ccba45fee3f90ab1730434aabd

SHA256
b90fc1497ff0c4244fcd04aab450d105e3ad3e5a04e8c999c1d27d990542e9ce

SHA512
1dcd0f4b4fb68b8be464e32e7f3c1bb888239e27353136092d96a4a5fb437e92817c1c7993cd6ea80fbb59ce15c861a70001b9c7ae58a1aa0fb85f08434a56c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
a26996b038df314f812f428fc415c2c0

SHA1
1193e4a57a26e14522d5367dcc2c5c9408dd37b6

SHA256
132a3013e609e4db2339b5cd15ecf12c4b5debc75b21b5f533c4347375fd313e

SHA512
779e692d41579a89592c7fcaa4bc455335097164bc8aced9ae1568e7a5d927620862f34a4b336d5868bd675c92a715dfb0a7e8241bff2fb1b625624b8f1322f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
708B

MD5
d393cf4556794e7d7f31f0ce3e183c6a

SHA1
e6a2958f83fe12eb2db4c41eb8175ee9c7bd642d

SHA256
e30948e2554daf81c1a8713cd17f94059344de1ebd88c1d56c73cef851541031

SHA512
bb3ac8f7ce063cc392fddea39220ed28166ba56922cc7b9c95c523dd4f1dd6f1a394123e7de1a85e7d3ad3c328ff3857d739284dce9dbb20153ed5de5a5bf1aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
58b12602d41fb55a2735c021bf21bb06

SHA1
50bbe9eb34d56fb5986a3f84558ee8bbd217ec8c

SHA256
ec67a11aa2de49a1d204b7d3c2052abee337972a50fa8bde4c6ddf4b322944e4

SHA512
7e7dfe03cf9b1f0032a9203b10ac5f5f3a7b106c02662bd232ecf195d97b9068b0bfba286f3d2d3c83cddc711c07695047cd180cca382fb768e3849950386d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13376170231777941

Filesize
19KB

MD5
17ec6a8812ea91593991c41770b7feb9

SHA1
bc2019371d51699a6e865eec0d734c0a46e08691

SHA256
dffc1c7125fe36f6c51b19ffe02ae7604aa029dabf301c5803425a7b35b41576

SHA512
215fdc1e929b1a007c365aa7cfdccc83a4633a49ea3d4c66ceb8dbdd825d713365324abe446d1f8400cf09d3ebf23d1e0f69195a8cebfedaeb8d2c7443abf453

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13376170231999941

Filesize
3KB

MD5
c30677ac7a329dde069ca446581c6c05

SHA1
69fc392dc8a18219115ddcc933cd631d25fc5c35

SHA256
2e9c41a994ab0e61f0480a5cb583496a57fe576776851b7a267147a3b984012d

SHA512
d9fc92c7307b287ae360d2fdb2057331c40f41eb7a78c8f98d9cbede67eecec810562e1364567e57672fcdc3e6f139272868ec5b18edeb0b586340ade3e81f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
ac2604b943dc6519dfbaca2fa84c2295

SHA1
39626890f906158f59e17e97e9ea354743455545

SHA256
44e033cd38f2a0cda4e0b2aca8bfa6aad4cc4956ece603e65bfcc5b07b80ca9d

SHA512
5fceb7025847cfc1f397b19df23587192324a4e1f174af25e86c88ccbe6adbc339dea9cd89783b5dafd102aa85b658ff9cfe6d31bbf30077a7fcc45ac7e3b420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
e5454fb8bcc84bc867f8b4762c0b1f3f

SHA1
03e105a94ae6d40fbd7faaed71cb218ffa430c6d

SHA256
d60fa75b2909dd0643f13830e50c5d364a07db48fed64ac45df201f29645b8a1

SHA512
3fbf303ec6af584320b3badd10bd60c2da9f16a6e63f8609b2dca37adfaf90c18f40524322683397cba37028fffc7573c6241d02e623f398634630a9ec868ca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b2af0bf8cd54d15bf3784bb4112958e0

SHA1
554428f7790861dcf325f2773e0f28436bbbf3c9

SHA256
c653deb5c14f9bb332013fa41f6032edb1c815c3d18424dbec44d38c4137396a

SHA512
6f4ad5449be02b9fe6783f24cbfc395af26453a8bd4c597ce85a67dbd3750ca0300a553a60ef097b920cfef20ece4df030a47a2ca61e5e83d10fd8ae0a69dc56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
035cc4e9cd9db55002d655511db48783

SHA1
c5d9ba70190b8267eca38fc5f4cb2c426d4cb111

SHA256
0c189827976a95c15a5d3e81af7c7a691d0e7b8451e66cc030db9cdd6448a3f9

SHA512
f044dd380e828c3d6d6d23f11d3dc1711e6d968765fd986f64262dfe3faba75944ac84b189a8bf46d2f2113f02c83e1c1d050b35ca4232ec58444af722672e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
605cbc6aea73ed08a65fd5f23945892c

SHA1
74701e153fbe36b13ca583f65be7128b110956a4

SHA256
d7c582bdd4983795bcba778e571e0245d269cab100eb46b3e8d271bda230a8aa

SHA512
7cf03e675ef67a804e180ca5b7a89e01bcaf634937c2dfbf3cacad2ba40ee88272902a3f2f6dc142326d0c64579d592e33ca31bf41f6fde086bf9baf2a4aa5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cfc4148e-9c33-41df-a954-aa453bde2205.tmp

Filesize
5KB

MD5
b3e02aa288496114805840beb721825d

SHA1
291d8cf0807ab545fcde040de276f17ace546329

SHA256
ae5a75c5ced40a0aa70eb0243ed9f618e5538891216d5dbc830dba49519dd033

SHA512
ed35b38da68ebf3829d98e14faae82c54159dc42260cc77ba8fc59316206f1b9534cfd61f2e11ad7513230dc1f07f0a9d0d7320baa192413da8ad03c5243cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
60KB

MD5
65977a7bc85b71b510e3c4976bd55855

SHA1
fb1d9e351230d7e01d38c6837d638c8a0c7cf85a

SHA256
eb14d846fd1e134ee8a164abc7154c7396aaf2a1e43841f6ab535e8d274b781d

SHA512
47531088b5c8d769496d8876917ac3dc0eae81e707c2465225571295d959955a6f0ad64147ae75ca2f450421e8ac68fe8de823abd6e407be7be891383d45fe1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
38B

MD5
51a2cbb807f5085530dec18e45cb8569

SHA1
7ad88cd3de5844c7fc269c4500228a630016ab5b

SHA256
1c43a1bda1e458863c46dfae7fb43bfb3e27802169f37320399b1dd799a819ac

SHA512
b643a8fa75eda90c89ab98f79d4d022bb81f1f62f50ed4e5440f487f22d1163671ec3ae73c4742c11830214173ff2935c785018318f4a4cad413ae4eeef985df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
777f032694ebb23ff7d57a65e5da0601

SHA1
e9cefce382e5440139b2b0b42cede2a3736b7c4e

SHA256
700af069b7a947e9803c129ece986dc361d6f562dd986c1df52dee006bbcc90b

SHA512
d03115418079212772c99940fc5d59bffcc60acf4d10932a19d79f3ce264ac6a29f69ad235b1bdae16f7b25e29fdf25b9a132b6713c12204c87e15d68c6fdada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
8831e2100d724b6df6996840d59cbf9b

SHA1
1eb323d502753714d546ca987a6ce0596dc35f6b

SHA256
156aad1cec9f8dee69b8ed29e170196236a30bfd1af5ba60ef1ab8eabe3ab4f7

SHA512
40d2e1e01ec7420f8de50c61b4d3c58abacc536f80222410d24f6dd7b7d88eb9f4767184cf4c7c2e7f6e0593b59bdd3f411c0864aeed097886dc3bffe09d32a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
07b65226392be38c523d6e6c1df10ad6

SHA1
87d2ae8bb23328397d5c257529b7c861903fa8d1

SHA256
d165fd2445766ad12a862f30615f52e972c9260f9dffdf425f1b4432e9d1dce0

SHA512
d47fc3599a16c6a95da036200a2fded1674ecca2b8bdf55666da4ef12a5e23f0b347ed1417572452646ec7f73f12ac5a0d837c9d12b5ca283dfd4a41d942ab35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
06fafbf6bdc7d5d598f63cbfaa298c01

SHA1
c9f95cb3c0c2e570853b555c3b3bee2a92b8eb53

SHA256
8a3ad0bb9949205bcd7ee4e269705306a659baf00c2554a3dd3afa0948fb4358

SHA512
44959625ce35bb932ded4ca7f4c9a8dd75affc1d1341f4e94e4eb1baf4372cda120b1f5866772465bd98d592d239b38d1f07d1d0dc9a072c9f7b0441c0ed0ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
e282667f14c15a9d14af714423a0fbb8

SHA1
23daa936ee195091b429794f84b853a310a50bb5

SHA256
6313dbaa4e2138bdcbd5d0b2ceb7ebd7b99ae6f7b70a72b57daf3ce7d6b0edbf

SHA512
796731abb924da44789d28ed146096a293b0d8df2f9174f10e14158e806fcf6d7afc75832427c55f1c2672937db1aa5949367f78a06e5433b8154a5f3590c93f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11a267c826e011bdf003602946799d94

SHA1
02326d3b516c4c2e98df271514647460a30bce05

SHA256
ac4eeb353b6f29726dcb9d6fcbb08cc670ae6cb913b7245360e9650ae6a887e3

SHA512
d5c95328590094a410c3ff2111a33a73ffb0340dcf4868d32edcd624eee703e5a3277f1960d4fe8d4e6fe7b887d912d9a7efcb08f21ab7602bd61e1916c1e120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
68529a1ac5ef5c981a0c18d73959ba0c

SHA1
3b0d1e7a698221252ab19c2a830ece5d3dd4aed9

SHA256
c22c3a510b03d633a0a4f9eb090baea64d5ec3c6c513a2aff73ad1c4d8aaffb7

SHA512
d5cc75c37540bccf537f49bccc207b5c8937259b72e7964c59551bb3a2af8e617f3a396d0dd57cafc7d7534c8d1144dc416bbc98cfd186789bfbaf3f6b12f61b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
136522fa7765c1fee20473a41450ab48

SHA1
3222ac4c476b6cdbb6ab347667c6029d92e1de7c

SHA256
15ed0f1a7b9dfcf8011bc788f60ad116d0b4e113fa52d649d2201c336847cff2

SHA512
93626358ba806ae5753160022ee9ba12b3e0dec3c576080fedc41fb0bd2a47583cdd44f471350e46ce3a90837ffff097822c4fa157e9cad1b3aef8f435a88058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
d71b88fc8b812904b3ed4d279e8d50c5

SHA1
8f4754f322003aeb04e578b91f2706d7404211a3

SHA256
34f4de6e0d29a4b8bffece8daec40a04e21591ac485e397aa2bb9fabadd83950

SHA512
89ec7a8d93fb7981a218670749b7e89e54a089087cac6f12ef90ec8546f1297a9209da60939fa36eef44eb03de559696923f6ede489da6b89da88989ff62a7ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\8c92fb48-1e70-42aa-9f17-35fe3cbe3443.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
548a80fc65ff5649acf5b20d4a9df162

SHA1
a7bb118f3f2abfaef378be26bdafafb1040c2ba5

SHA256
93f4fdd8c0283d966b04c3b43e374f1bc48bc7b20f1f7842a692d16e24a883b8

SHA512
89dc33544689b142c72486c1d36761ee864bc47144cc749c53a77ce9879db8d273ead6aaa0dad7cd8fab10c55cee01afead7154158aa9b910946616dee72a376

Download Submit
memory/3164-415-0x00000000014D0000-0x0000000001636000-memory.dmp

Filesize
1.4MB

Download
memory/4484-1-0x0000000000950000-0x0000000000966000-memory.dmp

Filesize
88KB

Download
memory/4484-412-0x000000001C690000-0x000000001C69D000-memory.dmp

Filesize
52KB

Download
memory/4484-261-0x000000001C810000-0x000000001C81C000-memory.dmp

Filesize
48KB

Download
memory/4484-6-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4484-7-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

Filesize
8KB

Download
memory/4484-8-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4484-410-0x000000001C5F0000-0x000000001C5FA000-memory.dmp

Filesize
40KB

Download
memory/4484-333-0x000000001C5E0000-0x000000001C5EA000-memory.dmp

Filesize
40KB

Download
memory/4484-413-0x000000001C6A0000-0x000000001C6BE000-memory.dmp

Filesize
120KB

Download
memory/4484-414-0x000000001C6C0000-0x000000001C6CB000-memory.dmp

Filesize
44KB

Download
memory/4484-411-0x000000001C610000-0x000000001C656000-memory.dmp

Filesize
280KB

Download
memory/4484-9-0x000000001C6E0000-0x000000001C6EE000-memory.dmp

Filesize
56KB

Download
memory/4484-432-0x00007FFDC8C30000-0x00007FFDC96F2000-memory.dmp

Filesize
10.8MB

Download
memory/4484-0-0x00007FFDC8C33000-0x00007FFDC8C35000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads