xworm | hxxps://cdn[.]discordapp[.]com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper[.]exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Analysis

max time kernel
50s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

paul-nw.gl.at.ply.gg:51413

Mutex

AVvzTAnLyW8qQCcO

Attributes

Install_directory
%AppData%
install_file
kev.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023bd6-109.dat	family_xworm
behavioral1/memory/4840-121-0x0000000000DA0000-0x0000000000DB0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
8	4780	msedge.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	newuimatrix.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	matrixnew mapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	matrixnew mapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	-.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	-.exe

Executes dropped EXE 8 IoCs

pid	Process
5956	matrixnew mapper.exe
6108	newuimatrix.exe
5176	matrixnew mapper.exe
4292	-.exe
5312	newuimatrix.exe
5324	-.exe
4840	.exe
4076	.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
67	raw.githubusercontent.com
68	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
76	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
6108	newuimatrix.exe
5312	newuimatrix.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 8802.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4780	msedge.exe
4780	msedge.exe
1400	msedge.exe
1400	msedge.exe
1300	identity_helper.exe
1300	identity_helper.exe
5836	msedge.exe
5836	msedge.exe
5312	newuimatrix.exe
5312	newuimatrix.exe
5312	newuimatrix.exe
5312	newuimatrix.exe
6108	newuimatrix.exe
6108	newuimatrix.exe
6108	newuimatrix.exe
6108	newuimatrix.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	-.exe
Token: SeDebugPrivilege	5324	-.exe
Token: SeDebugPrivilege	4840	.exe
Token: SeDebugPrivilege	4076	.exe
Token: SeDebugPrivilege	5312	newuimatrix.exe
Token: SeDebugPrivilege	5312	newuimatrix.exe
Token: SeLoadDriverPrivilege	5312	newuimatrix.exe
Token: SeDebugPrivilege	6108	newuimatrix.exe
Token: SeDebugPrivilege	6108	newuimatrix.exe
Token: SeLoadDriverPrivilege	6108	newuimatrix.exe
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found
Token: SeShutdownPrivilege	3468	Process not Found
Token: SeCreatePagefilePrivilege	3468	Process not Found

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2568	1400	msedge.exe	84
PID 1400 wrote to memory of 2568	1400	msedge.exe	84
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 1664	1400	msedge.exe	85
PID 1400 wrote to memory of 4780	1400	msedge.exe	86
PID 1400 wrote to memory of 4780	1400	msedge.exe	86
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87
PID 1400 wrote to memory of 2016	1400	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1345776574292561992/1345776601526177954/matrixnew_mapper.exe?ex=67c5c7a1&is=67c47621&hm=500a57a7bca2c90dcf4f340e9b6d8a57d3a0b1ad8cabd7af66795e1aa0440f98&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd0ce46f8,0x7fffd0ce4708,0x7fffd0ce4718
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8272164391798386983,17025552221106865733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5836
- C:\Users\Admin\Downloads\matrixnew mapper.exe
  "C:\Users\Admin\Downloads\matrixnew mapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5956
- - C:\Users\Admin\Downloads\newuimatrix.exe
    "C:\Users\Admin\Downloads\newuimatrix.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6108
- - C:\Users\Admin\Downloads\-.exe
    "C:\Users\Admin\Downloads\-.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4292
  - - C:\Users\Admin\Downloads\.exe
      "C:\Users\Admin\Downloads\.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4840
- C:\Users\Admin\Downloads\matrixnew mapper.exe
  "C:\Users\Admin\Downloads\matrixnew mapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5176
- - C:\Users\Admin\Downloads\newuimatrix.exe
    "C:\Users\Admin\Downloads\newuimatrix.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5312
- - C:\Users\Admin\Downloads\-.exe
    "C:\Users\Admin\Downloads\-.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5324
  - - C:\Users\Admin\Downloads\.exe
      "C:\Users\Admin\Downloads\.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
fcbf8a298db582813ed8182fee49dfb2

SHA1
b423f9e65db61494f494deddbdf5b1c76ac669e1

SHA256
9eb4e71a7bb35032d8810bb3cc2593951e99400f5e952990217d180682d99aaa

SHA512
a1016322e02862ebb73ca8262451ad148a69833415a3eb5c6783fb5459b690fa625817a3c5e8afe72f80dd10b6063fde34d9146aff02f1f1bf972eb25679a2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
78d94f2554793cb67beb1376069738eb

SHA1
10650d51d8944494a7e8ce4375863aeb49449594

SHA256
f077b2b34ed98dd08d08c3320f1b19d99855540778a2d55cdd0377e96c61240e

SHA512
bdb68169b08f1774364dd64d3fc5951195024ae77fb0c522b03edd1436323c2179f9e31f16d85ba20711aee0d9acbedc57437f67251e9d2ea64a124e43c816db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D9CA54E0FA212456E1DB00704A97658E

Filesize
281B

MD5
866189286095475f2edba8b091ea59de

SHA1
ca973f8f6db87fe5413f81c64a1c269275d3a643

SHA256
48242f4740e64bbab1542b2a37fab53d15f03116afaeef7821b0f0986767d2fa

SHA512
97d42fffc42d5f5735735f6c3311cdeadb4bcf4a59f7a2bedaa6a0c4962c844eaac6cde1eb5bdf3af1779052820491aea73d7b75baa4ba71b80f86f0edd7cdff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
6d209b89c38b9a79210bd765fa721118

SHA1
3fa3f336dc8c3d9155d076fc74f4d3b583a38a37

SHA256
deda9c241450c61d80852f96e4ac5102832c75aa0b0f24c94a02843faa58dc1c

SHA512
f484f636a30189c02035726069885990bea6b7dc416dd3d6e4376008354a670605e79736a773758b7ce8f5b4371039d73f6ba346b397760786e7ff6a6b4ab355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
c25587a4bcdc876af300930f56ca2c6a

SHA1
4be03c3228ad48e3836c1903c6072cb7c752c3ca

SHA256
789a9c7c7ba2cbabcb42557d7a1413ef71b5c914467fb393ec2598425fb9957d

SHA512
47388eb11bd4539129aadd33f9df57b06282ccdf80cbc25329ef889673e22e7aeae89505a9d3c7e29254a2a21087913fc29e5a84523b8800e8c5ad614ba3c8e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
d6c54071090a99fb09e1487ac919c5d0

SHA1
2ecbb4df598c0eee4c2a9c6738d0f91fc69d9175

SHA256
a5d8ecc5f8f35b01ed9a91b5d97689c1918f7a42f884d9089655700ce95c3301

SHA512
f7073dcf8a6112290804f1eb57755ab3d567e8fd196e4c50900e8dd56feca7fa188929cd2b0e73b5558bfe67b760034c5362751badee7702001646dd0806d0bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D9CA54E0FA212456E1DB00704A97658E

Filesize
476B

MD5
688f4c752237fd8e55d1b5c0ad6faa18

SHA1
9f61b21ea55b168f04b6acb03f388d7ba994f6de

SHA256
1d2cdf1d4f6caf8d6789b217aa32db027eec0776ee275704276e5ecd57932990

SHA512
43381861ef20913a79dd3d6350da5cb0f09415f142af356dfb5e22a6cc554167b874af2442f7eed52e8e7ccf68fba53a0a3b7ee3d5ff2b586890720c432d470c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
333c4a078aafd4e088f09922e5084f40

SHA1
d4e21f5554310cb0720e874fbddd4ef7c4516399

SHA256
d75bacd6259796587df0928566377b4d17e0f614ddda36bd3ff4df8092f49bad

SHA512
1b91a29d2f1b684107b27c03b763b36c3cf48d1c14d9810349c73e94b403bb21c881403a62124743bea43a38248cd0500f4a1aea59072a5cbcf73221455bbe1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\-.exe.log

Filesize
408B

MD5
70f08e6585ed9994d97a4c71472fccd8

SHA1
3f44494d4747c87fb8b94bb153c3a3d717f9fd63

SHA256
87fbf339c47e259826080aa2dcbdf371ea47a50eec88222c6e64a92906cb37fa

SHA512
d381aec2ea869f3b2d06497e934c7fe993df6deac719370bd74310a29e8e48b6497559922d2cb44ace97c4bd7ad00eae8fe92a31081f2119de3ddbb5988af388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\matrixnew mapper.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56361f50f0ee63ef0ea7c91d0c8b847a

SHA1
35227c31259df7a652efb6486b2251c4ee4b43fc

SHA256
7660beecfee70d695225795558f521c3fb2b01571c224b373d202760b02055c0

SHA512
94582035220d2a78dfea9dd3377bec3f4a1a1c82255b3b74f4e313f56eb2f7b089e36af9fceea9aa83b7c81432622c3c7f900008a1bdb6b1cd12c4073ae4b8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0621e31d12b6e16ab28de3e74462a4ce

SHA1
0af6f056aff6edbbc961676656d8045cbe1be12b

SHA256
1fd3365fdb49f26471ce9e348ce54c9bc7b66230118302b32074029d88fb6030

SHA512
bf0aa5b97023e19013d01abd3387d074cdd5b57f98ec4b0241058b39f9255a7bbab296dce8617f3368601a3d751a6a66dc207d8dd3fc1cba9cac5f98e3127f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ab4df0fcaa54f81bc98b30dc93d0cb4

SHA1
6d018f802d163a2ce0a16092f009e105c951066b

SHA256
e600cf1490855997964c3537868bf86c0ce3c8c1bf0ab47fcccca4001a18811f

SHA512
9a8a136f33207b2cf6a5f0d133c54fcfc4f55a58ae79ffc292e25e50a5f3cc7ce5787fbdfe5e75b8c13cc7e0a7798873237c46de3f63ce194ef6a1e3b11641f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02985578ea1c7df133348dd82edad2c3

SHA1
ca416bc626e5b938d94992cf6b3e9d670b74acce

SHA256
cad7ad5a760ffbc61ff17a14e6c3a206a09e2fc399f10c8864babf1da7afe31c

SHA512
587e325536bd8d0a9ee1523c548a6aa4a7dbb3d5531495679f9e3f469e2f12b5ea0bcfbf5db183a39aacab022766b375127e73524bb27ee5f996ba90de0014f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56bafe9928b0a0fa13d697215e7abbe2

SHA1
ed81a45087fe552403aa0bb2d005e2fd70239a3a

SHA256
9614600bda0b5ef83666a67fe6fc99e492d9fa53aa78933126ad038a3691eddc

SHA512
4f9142c4566cd7feb1eb61a030fa9ee4274a4fcefe4004d8c821289573f3b8f0b5f2d6e9a5b3185dfeeddb036f9e85463f08b4ee2a83663f799c09950b5cc0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f9ebcb13c674c2262cde0c67baf0f2ed

SHA1
847d952f26376b80d0a26e59ea7f842b9502511e

SHA256
31de6ed06195c00a34d40ba1ed6fa396fd9d7dd7fd49df9070e20c2a5aed5278

SHA512
801c675c23b1c3d3d540d20082a41ee218ef6bb11ea73803cc83dc8e1e7d99d41cf7a156fa8fe64b0d35935c6d66f7879b018722d63ce1bfe162c7eab3c741c6

Download Submit
C:\Users\Admin\Downloads\-.exe

Filesize
428KB

MD5
4e4ef72e167c726a5918dd38c9ec901d

SHA1
0d6502c6c0e0e60be7883ea09514b0bd1a1dd1bc

SHA256
17bfc5e52bc85dfafe14e428825ae1b36bd9f016c0a26dc2049057e4a4d71e69

SHA512
c86161039a7c09bb28614a62f40b34b27f0894fc84ed60ef24919048e0aeebaa0ebe00cd4d5cf2a4537f0f09df2ee3eae666c1ce4ae93711e362ca6591e74f24

Download Submit
C:\Users\Admin\Downloads\.exe

Filesize
37KB

MD5
01f86862e5a3fab03f886eb19089da95

SHA1
8749ecbbac9f911deaee8d5530ef644ca0270258

SHA256
ecfb4e772dd3be3c70e2833558b53c9352466ef193694a32a2a6e4926d810d81

SHA512
c03771ab0e115c95c2af29f1ec3e331e90bac38074bd1eeda741a6e9f4f93d7cf55dd2a6354219886e50055730c10a363f264eeadcb2c06a1fd06a3670e41a86

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 8802.crdownload

Filesize
4.5MB

MD5
2661e9a9b063a4d7a96686aa8e4ffa04

SHA1
cf6af9701e80fb8000f0820e649e9683f7e0e659

SHA256
a3b2fdc9903049997ece0fd5ae96922642477a8ad822c9d8a53d574b8459aca5

SHA512
6bda80210f421d64d8a954564689bdb3fc8f8e229e748c0aca846e9ae2f2b7bf24533a85ba22d0d2771f36a88e38d5918b9b387a6224f83301f5eda70bd3bf83

Download Submit
C:\Users\Admin\Downloads\newuimatrix.exe

Filesize
4.1MB

MD5
f749fcc1351aadd81b6775332859fff7

SHA1
d774f21509b2e96ae96c08824387c353d8b5bca2

SHA256
fa1c0114aca150636c782bf0a161aa46059827ba4690090cf5fe076ffc50d82e

SHA512
434a5fa21e0e138945382398726540393308b4eccb7e3b42f557c6683fd39b519e7d8dc507c73e4fac14c961776d6d938406b07bbf7b14f2f4f15a6f41b090fe

Download Submit
C:\Users\Admin\Downloads\version.dat

Filesize
16KB

MD5
fe9d1d0656c28691cf3a2f4229f262e9

SHA1
9f81b7ea6b62e608bb501a37e27facf7f7675fba

SHA256
35267a058bda692c3b12c8bdfcc1b795b6f9a1a0ea0870b57e92ca86629ad02e

SHA512
df3fc13dc861586094aa1b7a4b71a8daa243f6f38ee924a9e86e3dfee720b60b3a8446d736d4b7933297c43f7452da32e37eda6c5a195cd67c29ed45a858e8ac

Download Submit
C:\Users\Admin\Downloads\version.dat

Filesize
12.1MB

MD5
cd3df5bf39b50ff855e57a27befbe320

SHA1
7edfacb75716699b0fb09185d04813dc1e17202e

SHA256
758ee0c93df4a3fc26d6bff793e56c79d00872cb975b02d6b2d67bb2147e6924

SHA512
2e6e838c6e202b36118bee804c0b5ba47fe5d51295b78505c5cd3eebb6e60c914cd33d8ea5e62654d9cce15d2a2d5429e03430a445a86afcd576e20918d7653f

Download Submit
memory/4292-104-0x000000001B460000-0x000000001B4FC000-memory.dmp

Filesize
624KB

Download
memory/4292-103-0x000000001CCF0000-0x000000001D1BE000-memory.dmp

Filesize
4.8MB

Download
memory/4292-102-0x000000001B2B0000-0x000000001B356000-memory.dmp

Filesize
664KB

Download
memory/4840-121-0x0000000000DA0000-0x0000000000DB0000-memory.dmp

Filesize
64KB

Download
memory/5312-100-0x00007FF782300000-0x00007FF782714000-memory.dmp

Filesize
4.1MB

Download
memory/5312-171-0x000001A04DAF0000-0x000001A04DAF1000-memory.dmp

Filesize
4KB

Download
memory/5312-170-0x000001A04CEC0000-0x000001A04DADC000-memory.dmp

Filesize
12.1MB

Download
memory/5312-172-0x000001A04CEC0000-0x000001A04DADC000-memory.dmp

Filesize
12.1MB

Download
memory/5312-174-0x000001A04CEC0000-0x000001A04DADC000-memory.dmp

Filesize
12.1MB

Download
memory/5312-196-0x00007FF782300000-0x00007FF782714000-memory.dmp

Filesize
4.1MB

Download
memory/5956-75-0x0000000000A00000-0x0000000000E84000-memory.dmp

Filesize
4.5MB

Download
memory/6108-91-0x00007FF782300000-0x00007FF782714000-memory.dmp

Filesize
4.1MB

Download
memory/6108-186-0x00007FF782300000-0x00007FF782714000-memory.dmp

Filesize
4.1MB

Download
memory/6108-189-0x000001942EB40000-0x000001942F75C000-memory.dmp

Filesize
12.1MB

Download
memory/6108-187-0x000001942EB40000-0x000001942F75C000-memory.dmp

Filesize
12.1MB

Download