asyncrat | hxxps://github[.]com/HexShifter0/Xworm-V6[.]0/releases

Analysis

max time kernel
119s
max time network
121s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-01-2025 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/HexShifter0/Xworm-V6.0/releases

Score

10^/10

asyncrat gurcu xworm default collection credential_access discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

jrutcxTxqD08SKSB

Attributes

Install_directory
%ProgramData%
install_file
OneDrive.exe
pastebin_url
https://pastebin.com/raw/RPPi3ByL

aes.plain

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

51.89.44.68:8848

Mutex

etb3t1tr5n

Attributes

delay
1
install
true
install_file
svchost.exe
install_folder
%Temp%

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/getM

https://api.telegram.org/bot7204924753:AAFaqmmBR9ybp4-iE8BA2YCiFNUbOEd0Ljk/sendMessage?chat_id=8169552647

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 6 IoCs

resource	yara_rule
behavioral1/files/0x001d00000002aaa1-223.dat	family_xworm
behavioral1/files/0x001b00000002ac49-234.dat	family_xworm
behavioral1/files/0x001900000002ac4b-245.dat	family_xworm
behavioral1/memory/4408-250-0x00000000007B0000-0x00000000007D8000-memory.dmp	family_xworm
behavioral1/memory/3692-252-0x0000000000C30000-0x0000000000C5C000-memory.dmp	family_xworm
behavioral1/memory/2920-254-0x0000000000EF0000-0x0000000000F1E000-memory.dmp	family_xworm

Gurcu family
gurcu
Gurcu, WhiteSnake
Gurcu aka WhiteSnake is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002ac51-338.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
716	powershell.exe
2920	powershell.exe
4864	powershell.exe
3024	powershell.exe
1588	powershell.exe
4480	powershell.exe
1612	powershell.exe
2348	powershell.exe
5076	powershell.exe
2180	powershell.exe
3112	powershell.exe
4804	powershell.exe

Downloads MZ/PE file

Uses browser remote debugging 2 TTPs 6 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2408	chrome.exe
2936	chrome.exe
2944	chrome.exe
5180	chrome.exe
5276	msedge.exe
5560	msedge.exe

Drops startup file 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Chrome Update.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk	OneDrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 13 IoCs

pid	Process
3692	Chrome Update.exe
4408	OneDrive.exe
2920	msedge.exe
4756	Xworm V5.6.exe
4316	update.dotnet.exe
1284	svchost.exe
2408	svchost.exe
5624	svchost.exe
4660	svchost.exe
560	svchost.exe
5248	msedge.exe
5960	OneDrive.exe
2504	XClient.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	Chrome Update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\ProgramData\\OneDrive.exe"	OneDrive.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 35 IoCs

Web Service

T1102

flow	ioc
40	pastebin.com
41	pastebin.com
94	pastebin.com
11	raw.githubusercontent.com
60	pastebin.com
81	pastebin.com
85	pastebin.com
91	pastebin.com
89	pastebin.com
92	pastebin.com
93	pastebin.com
33	pastebin.com
50	pastebin.com
51	pastebin.com
66	pastebin.com
95	pastebin.com
35	pastebin.com
80	pastebin.com
82	pastebin.com
99	pastebin.com
1	pastebin.com
84	pastebin.com
86	pastebin.com
100	pastebin.com
31	pastebin.com
32	pastebin.com
39	pastebin.com
67	pastebin.com
96	pastebin.com
98	pastebin.com
30	raw.githubusercontent.com
36	pastebin.com
37	pastebin.com
90	pastebin.com
97	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3800	cmd.exe
3692	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	update.dotnet.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	update.dotnet.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4092	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5904	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\XWorm.V6.0.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\XWorm.V6.0\_readme_if_its_not_working.txt\:Zone.Identifier:$DATA	update.dotnet.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4252	schtasks.exe
4648	schtasks.exe
4724	schtasks.exe
1628	schtasks.exe
2000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	msedge.exe
2796	msedge.exe
956	msedge.exe
956	msedge.exe
1192	identity_helper.exe
1192	identity_helper.exe
4772	msedge.exe
4772	msedge.exe
4960	msedge.exe
4960	msedge.exe
1588	powershell.exe
1588	powershell.exe
716	powershell.exe
716	powershell.exe
716	powershell.exe
1588	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
5076	powershell.exe
5076	powershell.exe
5076	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
4864	powershell.exe
4864	powershell.exe
4864	powershell.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
2408	chrome.exe
2408	chrome.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe
4316	update.dotnet.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
2408	chrome.exe
2408	chrome.exe
2408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4408	OneDrive.exe
Token: SeDebugPrivilege	3692	Chrome Update.exe
Token: SeDebugPrivilege	2920	msedge.exe
Token: SeDebugPrivilege	4316	update.dotnet.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	5076	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeIncreaseQuotaPrivilege	1284	svchost.exe
Token: SeSecurityPrivilege	1284	svchost.exe
Token: SeTakeOwnershipPrivilege	1284	svchost.exe
Token: SeLoadDriverPrivilege	1284	svchost.exe
Token: SeSystemProfilePrivilege	1284	svchost.exe
Token: SeSystemtimePrivilege	1284	svchost.exe
Token: SeProfSingleProcessPrivilege	1284	svchost.exe
Token: SeIncBasePriorityPrivilege	1284	svchost.exe
Token: SeCreatePagefilePrivilege	1284	svchost.exe
Token: SeBackupPrivilege	1284	svchost.exe
Token: SeRestorePrivilege	1284	svchost.exe
Token: SeShutdownPrivilege	1284	svchost.exe
Token: SeDebugPrivilege	1284	svchost.exe
Token: SeSystemEnvironmentPrivilege	1284	svchost.exe
Token: SeRemoteShutdownPrivilege	1284	svchost.exe
Token: SeUndockPrivilege	1284	svchost.exe
Token: SeManageVolumePrivilege	1284	svchost.exe
Token: 33	1284	svchost.exe
Token: 34	1284	svchost.exe
Token: 35	1284	svchost.exe
Token: 36	1284	svchost.exe
Token: SeIncreaseQuotaPrivilege	2408	svchost.exe
Token: SeSecurityPrivilege	2408	svchost.exe
Token: SeTakeOwnershipPrivilege	2408	svchost.exe
Token: SeLoadDriverPrivilege	2408	svchost.exe
Token: SeSystemProfilePrivilege	2408	svchost.exe
Token: SeSystemtimePrivilege	2408	svchost.exe
Token: SeProfSingleProcessPrivilege	2408	svchost.exe
Token: SeIncBasePriorityPrivilege	2408	svchost.exe
Token: SeCreatePagefilePrivilege	2408	svchost.exe
Token: SeBackupPrivilege	2408	svchost.exe
Token: SeRestorePrivilege	2408	svchost.exe
Token: SeShutdownPrivilege	2408	svchost.exe
Token: SeDebugPrivilege	2408	svchost.exe
Token: SeSystemEnvironmentPrivilege	2408	svchost.exe
Token: SeRemoteShutdownPrivilege	2408	svchost.exe
Token: SeUndockPrivilege	2408	svchost.exe
Token: SeManageVolumePrivilege	2408	svchost.exe
Token: 33	2408	svchost.exe
Token: 34	2408	svchost.exe
Token: 35	2408	svchost.exe
Token: 36	2408	svchost.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeSecurityPrivilege	5516	msiexec.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeShutdownPrivilege	2408	chrome.exe
Token: SeCreatePagefilePrivilege	2408	chrome.exe
Token: SeIncreaseQuotaPrivilege	5624	svchost.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
2408	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe
956	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1460	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1124	956	msedge.exe	77
PID 956 wrote to memory of 1124	956	msedge.exe	77
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 4476	956	msedge.exe	78
PID 956 wrote to memory of 2796	956	msedge.exe	79
PID 956 wrote to memory of 2796	956	msedge.exe	79
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80
PID 956 wrote to memory of 952	956	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	update.dotnet.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/HexShifter0/Xworm-V6.0/releases
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1c073cb8,0x7ffb1c073cc8,0x7ffb1c073cd8
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1728,18035952896947599232,3845797776836780095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:4732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3400

C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe
"C:\Users\Admin\Downloads\XWorm.V6.0\XWorm V6.0.exe"
1⤵
PID:4920
- C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1628
- C:\Users\Admin\AppData\Local\Temp\OneDrive.exe
  "C:\Users\Admin\AppData\Local\Temp\OneDrive.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "OneDrive" /tr "C:\ProgramData\OneDrive.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4252
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2180
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2000
- C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe
  "C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe"
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe
  "C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4316
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2408
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb0852cc40,0x7ffb0852cc4c,0x7ffb0852cc58
      4⤵
      PID:3768
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --field-trial-handle=1868,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
      4⤵
      PID:3564
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=1716,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:3
      4⤵
      PID:3060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=2100,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2304 /prefetch:8
      4⤵
      PID:5052
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3060,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2936
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:2944
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4044,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4040 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5180
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4600,i,10165484862026854553,11159105081681129317,262144 --disable-features=PaintHolding --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4620 /prefetch:8
      4⤵
      PID:5852
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3800
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1244
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3692
  - - C:\Windows\system32\findstr.exe
      findstr All
      4⤵
      PID:1880
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:5136
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5252
  - - C:\Windows\system32\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5296
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
    3⤵
    - Uses browser remote debugging
    PID:5276
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffb1c073cb8,0x7ffb1c073cc8,0x7ffb1c073cd8
      4⤵
      PID:5288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1420,1330970839994431893,264264629034196046,131072 --disable-logging --headless=new --headless --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --disable-logging --mojo-platform-channel-handle=1428 /prefetch:2
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1420,1330970839994431893,264264629034196046,131072 --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --disable-logging --mojo-platform-channel-handle=1588 /prefetch:3
      4⤵
      PID:5532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-logging --remote-debugging-port=9222 --allow-pre-commit-input --field-trial-handle=1420,1330970839994431893,264264629034196046,131072 --disable-gpu-compositing --lang=en-US --headless --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1920 /prefetch:1
      4⤵
      Uses browser remote debugging
      PID:5560
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:4660
- - C:\Users\Admin\AppData\Roaming\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\65d70167-6e3d-43e5-9e2b-4562682e437e.bat"
    3⤵
    PID:3964
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:5900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4316
      4⤵
      Kills process with taskkill
      PID:5904
  - - C:\Windows\system32\timeout.exe
      timeout /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:4092

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3692

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5752

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5588

C:\Users\Admin\AppData\Local\msedge.exe
C:\Users\Admin\AppData\Local\msedge.exe
1⤵
- Drops startup file
- Executes dropped EXE
PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4804
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4724

C:\ProgramData\OneDrive.exe
C:\ProgramData\OneDrive.exe
1⤵
- Executes dropped EXE
PID:5960

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2504
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Modify Authentication Process

T1556

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Authentication Process

T1556

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
220B

MD5
2ab1fd921b6c195114e506007ba9fe05

SHA1
90033c6ee56461ca959482c9692cf6cfb6c5c6af

SHA256
c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

SHA512
4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Apps.txt

Filesize
4KB

MD5
f9c6a35a31d023ed1bb35c7daa05e12e

SHA1
153921512598a6cf50a388fac90acfeae40ac031

SHA256
67ea0ac7b40cfc9c5d8ae98a5f2f09dbba4717474c838fe4430c728fbd31c593

SHA512
9ca7e4d24553f514fd62387ae4cfe652766dbdd34adcc6a545cc59a9071393a443c8dd1d5098a6a8146ad114876206e522cc04809a8d543e088dbf5eece3aca9

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Apps.txt

Filesize
6KB

MD5
49c14763e096dc25ff0f9ff78dff3c9c

SHA1
e72ba72c8cc3b8efe3a5f2ab3723d6df6a5fe31e

SHA256
ab382fc77660c1a766a73499b359fe7ac3d4611d46c76a93faec1dee1a2e9447

SHA512
5ee8ca8f267cfc6bb85de5bf45561ff010e6a058c79c7dbdbb309bba817a4251e3da192b01fd3cd03e7fc3f41a7790ba922861e6f6ba69eaf14d49345cb6d6b2

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
1KB

MD5
f527b968b1869bbe31616451a4858b3c

SHA1
123c5eabd0e70aaa9c20a4e94fdc2283c281270d

SHA256
38897823157f21f1f5cc71872d75c1b6e4b882f2b81dd313e053e1873649da22

SHA512
93dee67b594c2f4fedbe7bff9b8d269a78579d175718a04ee25380dedc9d6da52e3469f523bf858c1ef6acfd06156ef97172ac82fec206a5214616fa7534d9b5

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
1KB

MD5
3ff54944ac87c111c9f30d5c8adc9ad8

SHA1
1197e4bba765c01c93bbc749f056dab5ad1fc658

SHA256
aa321a12a791512ef25277aa7620f662b5c71bc001ce541470d910e62b25b6de

SHA512
a9827a2b4444e456eba79496aae7e297b11258139ebe4f86b26e5b15d06f4df957e779bf0793414f8c65c3de49ff4e1c9a9a4ae2b0d36f6e1b96721764989442

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
3KB

MD5
c65be3f5bdaeb7c8da2d1f6827fab222

SHA1
558aac9a025b95cab270add3765bacc109169c2d

SHA256
945f427ca26ed028305bd0683631661fec0c2576ff073ca3786de595c32b3941

SHA512
0ea5381873dfbc5d1d3d55bb43a2ea7c49b0c91357c624b72ad44ea61b76cd14bb355a3a9cdb67bf86d1c816037d00eb0b55df5c18a3ddfb5b9f78b0e668e7e3

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
4KB

MD5
f4e63ae9a4350482fa954f0396d0df10

SHA1
322c6c84c9cdb0d434ce521d83d573a012c511bb

SHA256
1977efaf05b0ad8a296d63a0a7b01edec2ef8054510ec5505acf434f8ca64ad9

SHA512
0bf03d606f345c895a2dcd19f72f4a49a718e59fcf097134f4cc7fdd8504966bd3941f160eeffb3118aaa06a654dc94b663db4e47cfe20b3a69b815f17983863

Download Submit
C:\Users\Admin\AppData\Local\8ef698d47f95c008649c9c7c5e7a6763\msgid.dat

Filesize
3B

MD5
bd686fd640be98efaae0091fa301e613

SHA1
14bb99f81147d2705f53a1d75337b2ec3e10d23a

SHA256
684fe39f03758de6a882ae61fa62312b67e5b1e665928cbf3dc3d8f4f53e3562

SHA512
7928dede8d7e723c00b976549a83c2934f0876893dc5ae3d56416968ca2a018bc00fe6df315739698c80607bbc309de316b48f402fa6ee939c0aa39b27ebdb43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f3eeff743b2a4cc51e9401ce0139adf5

SHA1
ff128a71498d2df9c576ab809e3ed3ab4010a826

SHA256
34645f4d7e3a4d048a86a837d414a3306346513d1d4bb6de7f3f4a1f114895d5

SHA512
5cdc8edeff70eccc7030852b94cdd620ad8481225da2c5836fc7314351698fac3331a7b086f4368b4cac9a284052c43db6af7b78f120318177478708c0a06cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
3001af37c7f55407236dbc43498a5098

SHA1
bc20afa83950f36aae7e638de41344b099cab877

SHA256
4a3d0ebce23954213052427601f3f7890927451ccb4f7c39eebb741d25e2edcf

SHA512
9ec8e18a738fc951774fe179b870e673d41590a833c5ba57579b03ad3448c3559952b921344e73b0b8f5b7c4331c2f5bd27b5f0d87b436efe53e3cd55ee936f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
4b2e39481af7645e271e3d698a064208

SHA1
09627bff462e81f553d8baa671712a576a756db2

SHA256
eb2ce2524f19ee30e7d8777ac6e23309b41cb5f231b50228aba0a81e88606a01

SHA512
244eb53480302d8859e3a8451612195a3a3f5442428d3948f12dd568ef47e54cb3346eacf55eea0cf03171b778458758831844d2f9f738fd057c43c799c2147f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
96789b5123b1d0c8f939db00d43ead61

SHA1
817d3cda6cc400583f0a943c969f07755e5bfc5b

SHA256
c7bfba743967974486dab23d56cd446863b69c57d38d51417a09205b7c861546

SHA512
8b2ffcf7dde2f9b55eacd3b1eefcd64a4b1d39d554676d0659b9f43e6ba407dc9f34d637f4db07575c1fb155ebeb63ec3e271401cefbee2c2177e646ec0c485a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
9KB

MD5
e78c10d1763c15a1b5e5dd310db71e2a

SHA1
b7cdfdfd5a5246fe775e2a555a78221cc06952bf

SHA256
551ae4e085d404a4c064ccfb81fa2114d733717d4e7a8af8ff9957557eb4f300

SHA512
bab688e0a4daeeb8a5a34f761a71642d6b50e701c9983f3c732d1ccb78e7884cc29837526f9d8339af4011136a7a399abb0aa100b4fdb7295a99e885956d3dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
42389b39768748a04ceaec5865a7abf4

SHA1
2be8b6d761337354838bf34eec21a42bb9bf0f91

SHA256
f4bf66bd538762b0c39d32c2c655f67f0b5fee4fba006165a357a1d0db7c1729

SHA512
8733ad51f5b9dfaa5470017a46bbe36f652d91325d402b6e631cb74a3dea92869f04a5e96e131185955032f3a0d43fc64a010fd428e2243b1ebddd18de0ab3c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
1b92794633aaa7d8ca83e408ef516a36

SHA1
4ae0678d6cf8abedb3e9819fc9d7d715d3f72bb6

SHA256
0ff76dc871bd6e59abe386781ef988b4c8d734bca726a4d1eb556d3d78f1e7e0

SHA512
698bb4adf1932dd48fbffb344b0053b9dc753b97a92d88a26341e0c3b0fa2e03481c5193bd2b4a1caaa2aa2f00e41eae73c53aaadc1ac6bb8be17d0f229a61bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d29fb8452978cb17144f0ba161aefb65

SHA1
4426d561682250f6fae68e07c4a93d95a2ec40e1

SHA256
51abf270237378f4a649327dfe50e55ac7a8a021783374c00a903bedfb304d18

SHA512
3718ea7fb4f24429f9630ae8102acf4a1f90e283d9092837642413209420e23fa4e103762cba13647f326bb5ce6ab59d576553f4cb1cccced674bd71c0cc6730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f71f28d2c3c2de3390ad3480873300f

SHA1
810a1bd71b1d7de1ea102f32dbd1ac2c92ab90c5

SHA256
8544879a132b0f75608d39ce7e2ec293c6d2c8c80b7bb89944026b619e74c64c

SHA512
c3396dfaf9db6aa3baa9365cfc2650ee338807ce6f0693e66b5178b870d10914994aaf04e7d0f04d1358cb81fccdd0789c564ca2d74808a1cd007a91f1c295ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
3ddaef4d7014c0dc707a5c8a4ce3417b

SHA1
e2c27b75026c0279ad99b802f706ad1a4061d696

SHA256
b8a280011760ade5fa4f74bc038f74826ac7eedc1aef4e95b3ce7215fbb019e1

SHA512
da9a525596e2a0fc82ec4a2330e399471222a5d696d840dcee7992a525e324e5451167d437c859d99020bbc55831441c6349f27f2416e93565ab9e7ddc62aa0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5816bf.TMP

Filesize
874B

MD5
6a5aa3755a38346c37d9f7f48570c557

SHA1
2625736198c63dce5f9ea4aed93c51c0e97b524a

SHA256
334c2a1136633ac78a3351cf6144d3f4ffc413a7f4cf47f8a148e06bc98a7a13

SHA512
38d5a7411ea88299363aa2cc2748eaecfbf3cff3c1a255a7e2cdcf4e7f4d5f1638c1c02a4955a1bdec6fad1a18ebf439df08b22a42f797fb52a34ed92c229c1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
98383b992aed574648a3d9a6ab909df1

SHA1
c47007ebee412337cefd103eab1712fd7519302a

SHA256
9a760e5e85bd2f7026afe231baeb118f7e3aa0d620f51a3297d2e2518a9d5f05

SHA512
3080db20cfc2b1bb9207ac943b2c1724e5b0af89eb66ef0f3e83e68217c181df074bcf55b3868f5fa6171916f00b782074154aef95b417fc5e3a11ae48e4683d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47b9f275c45b6942645a2cd5e2f5d56e

SHA1
8199aa350f82b69e4cba496263ceeaaac35ba7ac

SHA256
5b8faddab55ab7564bc5cb984468898da1c9c90955da72b1c18b7dd10061f845

SHA512
4fbed0ccf099244f2cf03aa83689cac4d89b857bfdd559c9f0982e8de138cf46a63a5bbc188baa81cae2f8082ff80ae68539a9e445c30a93c5203bca4e918e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3b07a549654b1eeab669821631513eb7

SHA1
833c5111d8286f8ae3067f0c9dac0c0ae6f910f9

SHA256
9dbaa1745abf1f96d46b139b35774c5cbb2fffb39d69aed9e9030f6f91b30538

SHA512
3cc301bf8f1a682961a816cdb769b2f7e0ee8b4b9fb7251b6d27c0d924bef2dbacf2f7f410d84374bdbf2563ece073dec7c46440d16f50f9b358d753129370c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ab228f4d-2fca-4439-a1f2-0fd92fcc268b.tmp

Filesize
10KB

MD5
adbb4583a547541dd9f5701819387741

SHA1
3cb6e6c218f0ad03502a028c2f05a248f79b7389

SHA256
fbdb0a97315706dc47583fe8f780345319cd765fc84b588e14e4e4a553a652e9

SHA512
e1ad88e1872d42070637208da6bbbd43c29ad5d4c4aed85de4c523e89394bf8efe73319ddc5d9fbbcbecbab5fef77cbf4e4b83d3f0bcdc666b7125134316ad5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d910f3dba662aa59bb66971eb1cb454b

SHA1
6a9e55bd20b644b0513a5c7ff44c8a4a184842d1

SHA256
7e55ce064b3077ec9a539f6b4badd3e102d912be55598ead23b205cdf9664562

SHA512
a06c353821f77d4e2462fecc08447c641f59af2a2e1af633f6a84851d8ddaa0d2a67b75a673dfd0503c77c72cb01ab68bd7dad6d565842354d1f590fd434eab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
781da0576417bf414dc558e5a315e2be

SHA1
215451c1e370be595f1c389f587efeaa93108b4c

SHA256
41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe

SHA512
24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\5ac12070-d81a-4c8b-9ca3-38c309e76663.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
b5ec1c651d538125bbad8ae7b5878883

SHA1
fc51a9862cd962c1dcf92da77deca73aa79f0c04

SHA256
7e4836c483ec272727cb1e69f6d1769be0f8ea3783dab5fc6846bea18f8c5114

SHA512
ce915256b7339ce5ae8c12864b66f8c83c4ef31185e46d5877776a4fb21ae18a58c742af77312d54ca77f42d33c63e9b6ff868c078d11d423dac4b72cb599f2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\65d70167-6e3d-43e5-9e2b-4562682e437e.bat

Filesize
152B

MD5
1ec5a1dc83b420ec52d9fbf7d8aaf5a0

SHA1
f3b0b30c4a652b5d0e468386fbf302ad966cf5fe

SHA256
517e906d5e984412abead401d1d6cc763c07e90f0ecd3236b754fe749ab878ec

SHA512
1650caa6a9b882b2e75ad09ee2fdd80999df6c8cde03c4c849a456dabc062bf45d77ae585bab0a5e25d3747cbdab64f3be1909949ca69eb2be1f6d2273f39e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome Update.exe

Filesize
153KB

MD5
8b8585c779df2f6df99f749d3b07f146

SHA1
b553267f8e6f2bb6531ca2cb330e0d6b7bc41a1d

SHA256
4a9d13e9b68d26c6feb71856b7a61a2a1b8f2dc1c7aaa9ad5dfd5609b5a2da6c

SHA512
b89cae4386d0b8173b87533b5af3d863a188836185d105d6007786ba0e415537e84b759b8c22b37430ee544c554db9f50aa21466c5549c8b80c4f5a3fa6cb5c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneDrive.exe

Filesize
140KB

MD5
a1cd6f4a3a37ed83515aa4752f98eb1d

SHA1
7f787c8d72787d8d130b4788b006b799167d1802

SHA256
5cbcc0a0c1d74cd54ac999717b0ff0607fe6ed02cca0a3e0433dd94783cfec65

SHA512
9489287e0b4925345fee05fe2f6e6f12440af1425ef397145e32e6f80c7ae98b530e42002d92dc156643f9829bc8a3b969e855cecd2265b6616c4514eed00355

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xworm V5.6.exe

Filesize
14.9MB

MD5
56ccb739926a725e78a7acf9af52c4bb

SHA1
5b01b90137871c3c8f0d04f510c4d56b23932cbc

SHA256
90f58865f265722ab007abb25074b3fc4916e927402552c6be17ef9afac96405

SHA512
2fee662bc4a1a36ce7328b23f991fa4a383b628839e403d6eb6a9533084b17699a6c939509867a86e803aafef2f9def98fa9305b576dad754aa7f599920c19a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gi5gfqk0.sv5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
166KB

MD5
aee20d80f94ae0885bb2cabadb78efc9

SHA1
1e82eba032fcb0b89e1fdf937a79133a5057d0a1

SHA256
498eb55b3fb4c4859ee763a721870bb60ecd57e99f66023b69d8a258efa3af7d

SHA512
3a05ff32b9aa79092578c09dfe67eaca23c6fe8383111dab05117f39d91f27670029f39482827d191bd6a652483202b8fc1813f8d5a0f3f73fd35ca37a4f6d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.dotnet.exe

Filesize
6.1MB

MD5
b3899dd5602b3587ee487ba34d7cfd47

SHA1
ace70e4fcea9b819eaf5bda4453866698252357f

SHA256
28c53ad86d705da7e21a1c0cbc996e15ab8f024368aa031b025d05f3dfdbeb2e

SHA512
104b8252db4e9a88e388370a6def71e0cbb536604d5a41ac60169a35a9662980d1359000d5ea316f29deb4c534678e86e266bba12bb0b658f2666d13b26c200a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
63KB

MD5
67ca41c73d556cc4cfc67fc5b425bbbd

SHA1
ada7f812cd581c493630eca83bf38c0f8b32b186

SHA256
23d2e491a8c7f2f7f344764e6879d9566c9a3e55a3788038e48b346c068dde5b

SHA512
0dceb6468147cd2497adf31843389a78460ed5abe2c5a13488fc55a2d202ee6ce0271821d3cf12bc1f09a4d6b79a737ea3bccfc2bb87f89b3fff6410fa85ec02

Download Submit
C:\Users\Admin\Downloads\XWorm.V6.0.zip

Filesize
34.5MB

MD5
a0b7d7f290385441b7b4c863d3873a22

SHA1
c66d5b61e0c82c05ce271994775bf6124457b6e1

SHA256
b8574159eebd064a1d7854e8422fb0222759bbc31b1469ff7866a06b4aa560f0

SHA512
10ddf84eb55a0b4fbd3a6f4e2549801e897b4789baedf9b73ba00c62afe62ba8f7536f00a223a762922b46826a987a89fd3b298a6fd594978b2205c38b1b3b78

Download Submit
C:\Users\Admin\Downloads\XWorm.V6.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/716-299-0x000001BE655F0000-0x000001BE6563B000-memory.dmp

Filesize
300KB

Download
memory/1284-344-0x0000000000110000-0x0000000000126000-memory.dmp

Filesize
88KB

Download
memory/1588-303-0x000001A59EDE0000-0x000001A59EE2B000-memory.dmp

Filesize
300KB

Download
memory/1588-280-0x000001A59EDB0000-0x000001A59EDD2000-memory.dmp

Filesize
136KB

Download
memory/1612-346-0x00000193B8270000-0x00000193B82BB000-memory.dmp

Filesize
300KB

Download
memory/2348-349-0x00000227459D0000-0x0000022745A1B000-memory.dmp

Filesize
300KB

Download
memory/2504-907-0x0000000002E60000-0x0000000002E98000-memory.dmp

Filesize
224KB

Download
memory/2920-410-0x0000000003100000-0x0000000003138000-memory.dmp

Filesize
224KB

Download
memory/2920-254-0x0000000000EF0000-0x0000000000F1E000-memory.dmp

Filesize
184KB

Download
memory/3692-408-0x000000001B9C0000-0x000000001B9F8000-memory.dmp

Filesize
224KB

Download
memory/3692-252-0x0000000000C30000-0x0000000000C5C000-memory.dmp

Filesize
176KB

Download
memory/4316-723-0x00000225F56C0000-0x00000225F5704000-memory.dmp

Filesize
272KB

Download
memory/4316-724-0x00000225F5760000-0x00000225F577A000-memory.dmp

Filesize
104KB

Download
memory/4316-832-0x00000225F6210000-0x00000225F62B0000-memory.dmp

Filesize
640KB

Download
memory/4316-279-0x00000225DA090000-0x00000225DA6A6000-memory.dmp

Filesize
6.1MB

Download
memory/4316-435-0x00000225F51B0000-0x00000225F5262000-memory.dmp

Filesize
712KB

Download
memory/4408-250-0x00000000007B0000-0x00000000007D8000-memory.dmp

Filesize
160KB

Download
memory/4408-409-0x00000000029C0000-0x00000000029F8000-memory.dmp

Filesize
224KB

Download
memory/4480-322-0x000001CD33030000-0x000001CD3307B000-memory.dmp

Filesize
300KB

Download
memory/4756-274-0x000001D98C820000-0x000001D98D708000-memory.dmp

Filesize
14.9MB

Download
memory/4920-218-0x0000000000B50000-0x00000000020E4000-memory.dmp

Filesize
21.6MB

Download
memory/5248-906-0x0000000002C50000-0x0000000002C88000-memory.dmp

Filesize
224KB

Download