xworm | hxxps://gofile[.]io/d/wMfLzN

Analysis

max time kernel
961s
max time network
966s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
08/11/2024, 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/wMfLzN

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/H3wFXmEi

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0027000000045198-196.dat	family_xworm
behavioral1/memory/5436-246-0x0000000000E90000-0x0000000000EAA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
5436	Astral Bootstrapper.exe
5788	Astral Bootstrapper.exe
6056	Astral Bootstrapper.exe
5416	Astral Bootstrapper.exe
5500	Astral Bootstrapper.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	ip-api.com
76	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cef6d89a-750a-43d1-a724-e8c398d99f89.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241108140419.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 393526.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4712	msedge.exe
4712	msedge.exe
972	identity_helper.exe
972	identity_helper.exe
5292	msedge.exe
5292	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5436	Astral Bootstrapper.exe
Token: SeDebugPrivilege	5788	Astral Bootstrapper.exe
Token: SeDebugPrivilege	6056	Astral Bootstrapper.exe
Token: SeDebugPrivilege	5416	Astral Bootstrapper.exe
Token: SeDebugPrivilege	5500	Astral Bootstrapper.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe
4712	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4712 wrote to memory of 1312	4712	msedge.exe	83
PID 4712 wrote to memory of 1312	4712	msedge.exe	83
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 2272	4712	msedge.exe	84
PID 4712 wrote to memory of 4524	4712	msedge.exe	85
PID 4712 wrote to memory of 4524	4712	msedge.exe	85
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86
PID 4712 wrote to memory of 1160	4712	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/wMfLzN
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffe779546f8,0x7ffe77954708,0x7ffe77954718
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2180
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x294,0x298,0x29c,0x270,0x2a0,0x7ff62c725460,0x7ff62c725470,0x7ff62c725480
    3⤵
    PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6640 /prefetch:8
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Users\Admin\Downloads\Astral Bootstrapper.exe
  "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Users\Admin\Downloads\Astral Bootstrapper.exe
  "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Users\Admin\Downloads\Astral Bootstrapper.exe
  "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Users\Admin\Downloads\Astral Bootstrapper.exe
  "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Users\Admin\Downloads\Astral Bootstrapper.exe
  "C:\Users\Admin\Downloads\Astral Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,12743498404870188593,16591397479214624445,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dda6e078b56bc17505e368f3e845302

SHA1
45fbd981fbbd4f961bf72f0ac76308fc18306cba

SHA256
591bf3493eb620a3851c0cd65bff79758a09c61e9a22ea113fa0480404a38b15

SHA512
9e460013fd043cee9bdbcdaf96ac2f7e21a08e88ddb754dddbd8378ee2288d50271e66b42092d84a12e726469465185be11a6fafab6ed4236a244524bd60f502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6126b3cef466f7479c4f176528a9348

SHA1
87855913d0bfe2c4559dd3acb243d05c6d7e4908

SHA256
588138bf57e937e1dec203a5073c3edb1e921c066779e893342e79e3d160e0b4

SHA512
ef622b26c8cee1f767def355b2d7bffb2b28e7a653c09b7e2d33f6468a453fff39fd120cacbffd79ce35722592af0f3fb7d5054e2dca06310e44dc460533f3d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
82776c85889873297de32df7350f6b7c

SHA1
a9d33fa9c2bc47aa9ce17c3e1d28ce4bed0aea27

SHA256
3dbabaff95c994cc8cd708d3a95824dfa5eec64b52130a2cdd3d7928150b5813

SHA512
aa0d8f5cc4601ecc6800757cbf92f3e582b75cc47d98a9099d63ba43558f0f6941cb7d4eab94c6bc6d5d8a726ab9cd8ba7405630f0d1fd2d1eb9fc99ecac651a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c757.TMP

Filesize
48B

MD5
72c0226f57b43d627e4100a9aa74d014

SHA1
77617f7d552501e90a2960aa2956b5ffe6a1ab0e

SHA256
d21d4ae1ff7c35bf90340ee6a62401241d84af5795698c13e49bea39103f34c7

SHA512
5ba6e09d4c502f04f755dda79bc8264373250891268e88c02951aa322ffbd9af1ed47e302c7faf2c28601bec93a7aabf2518a5442eb65e0fc6f6e89493c9babd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
5f05b26e0caccbee54089cb0044220cc

SHA1
e76ead734684a93a820d05c76824d5445f28f584

SHA256
256bcc760870f0a18774ed0999652be257776a2049eba989bda8f359b1507dcc

SHA512
29ecfa0586aaf62f2e6a90d2623fb01c7bb156993f2ed00085d8dcc97026b48aad69f27855cf3231d6f3d5c388a81367ec9e27ea47cefd50c530d08862292dd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58878a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d097684337c3b9975a70677479c7c52

SHA1
b1865c5f2ad6c04e67f39cd265339889b1902c73

SHA256
0d9338fd054c206995b48e05f3b1dcb17babdeb74a936b9aca5ce14aa4713c69

SHA512
0a6fc5dc7fcd179dcb7e11f1cf93b1efe71354a5e6eb3ef06465a4082708f277dcdbec13cad214d5762af0343ff2aaeceff05a91c05bbe8454b4bdf4513f2918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac6cec68cefe0d5a504163f02eef2aa7

SHA1
6c27cb38bbaec7fc9c082a8eefeb60bc41d9df92

SHA256
96c104a82440ea5a479eac608f9876da7f526551bb7ac6c1b499a75ac11334eb

SHA512
cc9cd4d6d552987fb2f78613612ca919f7f184560d55d07b32d0051ad80c7fb43f36e9b745172da2219080dbdc89ffa87ae4a214082079978dff7411e424188f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fc890cf89e1b545b2bad29effe30a6c7

SHA1
5b1b407a34796da1cdc85dee407032adcced5455

SHA256
2a8c1d72b35d43da3c66a9073a5d6f1d50c5f4f904819f729c0687ef0ac73f10

SHA512
0ea516bbc437038bad7493ac487ce42e32367a3139fdee2cffc639467e91c5c26f171eafff5a3b0086ce95aa340de09780496d08b5bddba98ace2caf88871c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
90cc75707c7f427e9bbc8e0553500b46

SHA1
9034bdd7e7259406811ec8b5b7ce77317b6a2b7e

SHA256
f5d76f8630779de1fe82f8802d6d144861e3487171e4b32e3f8fffd2a57725fb

SHA512
7ad692bce11aee08bf65bb7c578b89a4a3024211ee1deaf671c925d65cc016943f2caad3d57b365e16d1764c78c36cae35c3c45cef0928dd611a565b0313e511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0d8c8c98295f59eade1d8c5b0527a5c2

SHA1
038269c6a2c432c6ecb5b236d08804502e29cde0

SHA256
9148e2a2ba2a3b765c088dc8a1bdcc9b07b129e5e48729a61ebc321cb7b8b721

SHA512
885a734a97a6f8c4a8fb5f0efa9fe55742f0685210472ed376466e67f928e82ddf91ba1211389d9c55dd1e03dc064aa7a81d1fca3cf429fbaf8f60db8b1348c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
88ec4e3f975f8505b9c7056d99c81f53

SHA1
30b71a1b399e0b1b596cdbdbeba89576eb2eeecf

SHA256
4d3a81b34d1f2e43235e6bf1bc81eec2fd119fd4be30aed1eefdfd31213d00e8

SHA512
49b67442f83bd364da80311b2e26a4b937123c496d56a46d2921312fd9360f0a083ba08cc61701cc3e91a2d6f4c79ddf52555ba47208b3d9d2381aed2c7de897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5cdd4867e859823100ec1d83d53e4c27

SHA1
0839c7b085088f2c1ebbba2ac3b1c1c1a432c36f

SHA256
72c65155e9736ab0ae681e8487703fd28e5e84354fc4bfdb30661cbfc67e77f3

SHA512
0da84a058514e21af00d24e67001fadaf30519f0f510fc907791c209a2dfe1b2889adb9da2e5ab624fe5128645d774ed07d4f0b3f22ae39287944557785bcf3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
1fa8591ac7e4f14de64a54d5ebf39d89

SHA1
438aab650dfb3d324fb2f0a22ab264fb62d042b4

SHA256
b2f0a6534544187e724ff1dc093ab50981136401264f9233f68a2a77c244a1e3

SHA512
e4ce70dec47603f2991d7a40aca3f5fa24f9e375b6e666e0d51608a44345ae91651daadb309052c0bfb82a106431cdb901cd11bc568b3f045c6db8941221844c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7d53b4232ea9841e9aa75e619448cddb

SHA1
65373f192a4f0faed092f2a0b2bff92696c49711

SHA256
dc1948f4a9b217f3e357401432faae1e55fea22d074cc1b1458461d8b9598464

SHA512
a9eeb7d22fd9c9d2f26dd87e908111d3fa25c96d32e3e45215a9eaa5e21c5b3de16b5dbcf2783c818570abf69358944932c9217bcbabbbc1109b30e9f5c43313

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 393526.crdownload

Filesize
81KB

MD5
bb6822575ef720c98f81d53f4b45f220

SHA1
4f55c68001af7a0e1607807c1bf545a5feaa928c

SHA256
7be3d4d8c3c2c09ada6939db1df54586aed1a3e39d60ceb384104af039555b71

SHA512
321669e1674befea05d5a69a77032e351e9c1a80e7a24af1448cac08fb9c757195185d55021099996691871e13a24e15f7bf01c932cfbd630cae2adace49a66b

Download Submit
memory/5436-246-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download