xworm | 80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a

Resubmissions

07/03/2025, 23:50

250307-3v18qayzcz 10

07/03/2025, 22:21

250307-19myjayse1 10

Analysis

max time kernel
68s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20250218-en
resource tags

arch:x64arch:x86image:win11-20250218-enlocale:en-usos:windows11-21h2-x64system
submitted
07/03/2025, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XClient.exe
Size

34KB
MD5

606d9b179157736ea5acad71ad50c0c7
SHA1

dd88b6e09b9be71fe98ee1fa76c5f14f5e9ef84c
SHA256

80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a
SHA512

c81d9e0e6f28869f6618c2904d317eb113514db2685621c674c0697e76c187249fd50a365cf07f6972c2a43970b4081e470a18dc631ca74cd1f606307fcdd2c7
SSDEEP

768:OtH6rNd7AtFPNhzIgtoFk9Fy9Yx/Ojhe/Vcg:OtuNJyF0gtowFy9Yx/OjItcg

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

MellowFishy-29478.portmap.host:29478

Mutex

k1tzVGcrL1gP53ej

Attributes

Install_directory
%AppData%
install_file
Realtek Audio Driver.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3904-1-0x0000000000A60000-0x0000000000A6E000-memory.dmp	family_xworm
behavioral1/files/0x001a00000002b088-22.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
3780	Realtek Audio Driver.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Microsoft\Windows\CurrentVersion\Run\Realtek Audio Driver = "C:\\Users\\Admin\\AppData\\Roaming\\Realtek Audio Driver.exe"	XClient.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ml\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\pt_BR\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\en_GB\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ms\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\te\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\cs\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\no\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\mn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\gl\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\km\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\hu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\zu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\fi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\az\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ne\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\fr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\tr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\lt\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ja\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\nl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\page_embed_script.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\ca\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\en_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3452_67698794\_locales\cy\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133858651121736074"	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2287204051-441334380-1151193565-1000\{148DF20C-790B-499A-9761-D7D861285C00}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3904	XClient.exe
Token: SeDebugPrivilege	964	taskmgr.exe
Token: SeSystemProfilePrivilege	964	taskmgr.exe
Token: SeCreateGlobalPrivilege	964	taskmgr.exe
Token: SeDebugPrivilege	3780	Realtek Audio Driver.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe
964	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3452 wrote to memory of 3692	3452	msedge.exe	101
PID 3452 wrote to memory of 3692	3452	msedge.exe	101
PID 3452 wrote to memory of 3948	3452	msedge.exe	102
PID 3452 wrote to memory of 3948	3452	msedge.exe	102
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 2228	3452	msedge.exe	103
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104
PID 3452 wrote to memory of 4276	3452	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\XClient.exe
"C:\Users\Admin\AppData\Local\Temp\XClient.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=1036,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5168 /prefetch:14
1⤵
PID:3744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5352,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1
1⤵
PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --always-read-main-dll --field-trial-handle=3852,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
1⤵
PID:572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5340,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5068 /prefetch:1
1⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5204,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:14
1⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5788,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:14
1⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6260,i,8156301195647385391,612045039718669237,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2b4,0x7ffee570f208,0x7ffee570f214,0x7ffee570f220
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1856,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=2132 /prefetch:11
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2104,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2468,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=2644 /prefetch:13
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:14
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4440,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=4464 /prefetch:14
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4588,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:14
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4764,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=4620 /prefetch:14
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4876,i,5270536835260331179,7944197742785788953,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:14
  2⤵
  PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:2348

C:\Users\Admin\AppData\Roaming\Realtek Audio Driver.exe
"C:\Users\Admin\AppData\Roaming\Realtek Audio Driver.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
b9bf1a42371abb635055f26b85ee0be3

SHA1
e5151e852ca233faf156f28e048b9f3c00647443

SHA256
63be70c52af2036079f28be17a58c5e588f5ae748a8b9525fd5cf34916823c4d

SHA512
8adb2e8577fee460a7d9543bdaacf72fc3f44581c4a8fb625d09bb50ca9cae4c5bc8d0b50e374c02471281c93d5adbdea94f883ffa0f24890132a250fbc9045d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
9e26431363987062aeb1f73fb2046750

SHA1
0bbf10a2c67466e8025d8321b62b2cba79696a89

SHA256
0a306b3f556d4acc68881c018556b5b0273fffba57cefbdc3fd94365da24d9fb

SHA512
4069e821d7bb43c5d18be06749ca22c3b83d1731305f20f2e44064cfbf4112d7d1778bb3edd3debf049b6efc8c0d343324e9a9fb0a9041957800da64da13b56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
5KB

MD5
50cc50db39744521b2aee1aefee79c6e

SHA1
5268ae9b0c033ed987ca245e1720c8e3cfbf3f45

SHA256
36cf310f7ff214aacea19be7f46377e0e57ca08fc3bedacf09498d87a029d142

SHA512
565f58119d647973fb94b97d378ee223ef9251eb349c9d5f54fb861b13dec21470cabafff72305c15f4cb8bd08ca862edf1fe0f5da103330a3f21bc356027d69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
64KB

MD5
2054bedc7c5ea5da21a648d83a57e952

SHA1
7e6b317f67c5181b08416a920130c520a798cada

SHA256
8812a5ccf74948a4cfc85bd076636c1adee2544b2b0b0146b443ccd7f3eee1ef

SHA512
391e97dfb22a9745d75765ab5909502662a1535c5132286292ecf893e398989ada5a1be65715d60e3ff8659a2a63d6dea6baa4a69d4ed3051c73d526a31d15b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
72KB

MD5
7145f71bd5f4e6f2131fcf2264bd641a

SHA1
ccff31da9590c2a2048ad5de9185bbd948b16246

SHA256
b14be98132f64d26b557e8260fad5fb5db9909dd0a4888d73f10aa64aeabde3d

SHA512
610d4a33790296d06085c5159ba9477e0741e97dae6422b56f8e3348edef29a9cd1170ddcb1ace0888bb12dd7fc7f00805a8b5b89ce2d469aa6a6d2652726d6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

Filesize
150KB

MD5
eae462c55eba847a1a8b58e58976b253

SHA1
4d7c9d59d6ae64eb852bd60b48c161125c820673

SHA256
ebcda644bcfbd0c9300227bafde696e8923ddb004b4ee619d7873e8a12eae2ad

SHA512
494481a98ab6c83b16b4e8d287d85ba66499501545da45458acc395da89955971cf2a14e83c2da041c79c580714b92b9409aa14017a16d0b80a7ff3d91bad2a3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek Audio Driver.lnk

Filesize
838B

MD5
29925f12322a72f0e2f9dd77257d12f6

SHA1
e4e3abcf18daa531d6bbc6d6b42f25a85c21774d

SHA256
01302044adb3011d85a51b7a5b46767ed9bd9ab3bb43427313b80aa17936dfc5

SHA512
95e3670dee89594e982fcb4478ba2ffe445cebdee98f58f59935f7c82fc5c0acdab7771bd5467b058aabf9b9a5393679a992948b12c252459e62de4a77ff165c

Download Submit
C:\Users\Admin\AppData\Roaming\Realtek Audio Driver.exe

Filesize
34KB

MD5
606d9b179157736ea5acad71ad50c0c7

SHA1
dd88b6e09b9be71fe98ee1fa76c5f14f5e9ef84c

SHA256
80a2ae9b77c4eafc3da22fac6025b340793c2bdbfef7b061cdc88bdea330e11a

SHA512
c81d9e0e6f28869f6618c2904d317eb113514db2685621c674c0697e76c187249fd50a365cf07f6972c2a43970b4081e470a18dc631ca74cd1f606307fcdd2c7

Download Submit
memory/964-8-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-10-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-18-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-19-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-9-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-17-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-16-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-15-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-14-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/964-20-0x00000231AAD50000-0x00000231AAD51000-memory.dmp

Filesize
4KB

Download
memory/3904-0-0x00007FFEEBCA3000-0x00007FFEEBCA5000-memory.dmp

Filesize
8KB

Download
memory/3904-23-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/3904-7-0x00007FFEEBCA3000-0x00007FFEEBCA5000-memory.dmp

Filesize
8KB

Download
memory/3904-6-0x00007FFEEBCA0000-0x00007FFEEC762000-memory.dmp

Filesize
10.8MB

Download
memory/3904-1-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download