Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://file.io/dffW...

windows10-2004-x64

10

Analysis

  • max time kernel
    1043s
  • max time network
    1050s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 01:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://file.io/dffW7gZTTJu6

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:7777

79.110.49.242:7777
Mutex

hJEkaGvnky3K4g4j

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/dffW7gZTTJu6
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7fd646f8,0x7fff7fd64708,0x7fff7fd64718
      2⤵
        PID:1784
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
        2⤵
          PID:4596
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4604
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
          2⤵
            PID:3620
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
            2⤵
              PID:4064
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
              2⤵
                PID:4312
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
                2⤵
                  PID:2904
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
                  2⤵
                    PID:2320
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
                    2⤵
                      PID:3960
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
                      2⤵
                        PID:3260
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
                        2⤵
                          PID:4296
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
                          2⤵
                            PID:4048
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
                            2⤵
                              PID:764
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
                              2⤵
                                PID:4360
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:8
                                2⤵
                                  PID:1632
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
                                  2⤵
                                    PID:3216
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
                                    2⤵
                                      PID:5132
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
                                      2⤵
                                        PID:5180
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
                                        2⤵
                                          PID:5188
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7444 /prefetch:1
                                          2⤵
                                            PID:5196
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
                                            2⤵
                                              PID:5204
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1
                                              2⤵
                                                PID:5212
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
                                                2⤵
                                                  PID:5220
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
                                                  2⤵
                                                    PID:5500
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8224 /prefetch:1
                                                    2⤵
                                                      PID:5512
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8676 /prefetch:1
                                                      2⤵
                                                        PID:5940
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8840 /prefetch:1
                                                        2⤵
                                                          PID:5956
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9172 /prefetch:1
                                                          2⤵
                                                            PID:6104
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9308 /prefetch:1
                                                            2⤵
                                                              PID:924
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
                                                              2⤵
                                                                PID:2452
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9456 /prefetch:1
                                                                2⤵
                                                                  PID:1884
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9704 /prefetch:1
                                                                  2⤵
                                                                    PID:6228
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
                                                                    2⤵
                                                                      PID:6584
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9156 /prefetch:8
                                                                      2⤵
                                                                        PID:6628
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=10344 /prefetch:8
                                                                        2⤵
                                                                        • Modifies registry class
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        PID:6636
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8728 /prefetch:1
                                                                        2⤵
                                                                          PID:6848
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10228 /prefetch:8
                                                                          2⤵
                                                                            PID:7036
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10228 /prefetch:8
                                                                            2⤵
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            PID:6780
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:1
                                                                            2⤵
                                                                              PID:5312
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
                                                                              2⤵
                                                                                PID:5348
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8628 /prefetch:1
                                                                                2⤵
                                                                                  PID:5424
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
                                                                                  2⤵
                                                                                    PID:6424
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9788 /prefetch:8
                                                                                    2⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:4228
                                                                                  • C:\Users\Admin\Downloads\XClient.exe
                                                                                    "C:\Users\Admin\Downloads\XClient.exe"
                                                                                    2⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:6748
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,15285926038440261301,8719360127650963272,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6712 /prefetch:2
                                                                                    2⤵
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    PID:5176
                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                  1⤵
                                                                                    PID:4628
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:1436
                                                                                    • C:\Windows\System32\rundll32.exe
                                                                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                      1⤵
                                                                                        PID:4744
                                                                                      • C:\Users\Admin\Downloads\XClient.exe
                                                                                        "C:\Users\Admin\Downloads\XClient.exe"
                                                                                        1⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3996

                                                                                      Network

                                                                                      MITRE ATT&CK Enterprise v15

                                                                                      Replay Monitor

                                                                                      Loading Replay Monitor...

                                                                                      Downloads

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        b8880802fc2bb880a7a869faa01315b0

                                                                                        SHA1

                                                                                        51d1a3fa2c272f094515675d82150bfce08ee8d3

                                                                                        SHA256

                                                                                        467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

                                                                                        SHA512

                                                                                        e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                        Filesize

                                                                                        152B

                                                                                        MD5

                                                                                        ba6ef346187b40694d493da98d5da979

                                                                                        SHA1

                                                                                        643c15bec043f8673943885199bb06cd1652ee37

                                                                                        SHA256

                                                                                        d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

                                                                                        SHA512

                                                                                        2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        960ded684a841f9155cb781a31fdcd2b

                                                                                        SHA1

                                                                                        c1934c844902481b696fc71f1b7740dbb58b02e1

                                                                                        SHA256

                                                                                        b816b91bdce8decbaf0b1534fdfad46ab6b3212c38d1f56ee247a90dbd4713ba

                                                                                        SHA512

                                                                                        bddcb0c6f0d0da8314ba4835d482fa433e163678259ea6daa3e330fe7df7be05bd6bd6a81209196629f4926688de864401376a205530a42a31f951434a0d67d1

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                        Filesize

                                                                                        1KB

                                                                                        MD5

                                                                                        24c6a8a0318cc863d3cbf3bcb4d2cae0

                                                                                        SHA1

                                                                                        221f80c9883035852c6c0a9d952d6323ca236521

                                                                                        SHA256

                                                                                        e52b77a74de02041122d1c5e05f5c3b5bfd0086c7996e31ba63917c77be0795a

                                                                                        SHA512

                                                                                        b9a0b8b8e73172a33b0812eebac517bd073bc7b93e3350a24bb8400f41cfcb47e193bfb5f0995eaa5b81398483dd7b7f8e454faf273f08aae82b1f36bdc80a69

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                        Filesize

                                                                                        14KB

                                                                                        MD5

                                                                                        21d06728cad7b3e7122fc715c8c25a75

                                                                                        SHA1

                                                                                        912a2fb0d75974bc7894d57bc9548966d41e9a34

                                                                                        SHA256

                                                                                        806507f58d070e4c8f2bd5e9fabb1e7eece38e4989a54719cffd0c22cee9db23

                                                                                        SHA512

                                                                                        88c17b260091d356f45f15157899e72325a320038a21d9ba4be91746b1c0c0337d128469c336aae1955cee4992b0549cfd1dc6a77c6616665b2dc6d99d1ca0ad

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        13KB

                                                                                        MD5

                                                                                        cc23305ca387b9f0695be32461e4b27d

                                                                                        SHA1

                                                                                        887570bdc53192b1052cda943dad207827399bae

                                                                                        SHA256

                                                                                        bb02cb3228b98167285b3f8dadf6b8226b814c1024ab742971a37998f6abfe45

                                                                                        SHA512

                                                                                        0c81d1648d2d3a03c0c253356bd5cb30fa8cf385eb5068c6695a9cab22a9106eddf8b7f0c73df8a6eee2d3bac071748a7584e3ca5416ecdfff5de2d750a5218f

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        18KB

                                                                                        MD5

                                                                                        fb4cd3a3066b0415edda963fc322c4a6

                                                                                        SHA1

                                                                                        ebb2f9454df2ae635bca0ae996c376f0681feeb0

                                                                                        SHA256

                                                                                        14f65542359270eb20e9256976984e6ad33a0a59006f9d4f94007cc3e1db178f

                                                                                        SHA512

                                                                                        5d60db8525e94e2dc6ec7bca6be94bf5cf73917fc8dbaf5ed8cf8aa3fa7ad55e62a25527d533ef469ae2eb9779d96780f91efcf967d68a66c13a3a56d3a785b4

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                        Filesize

                                                                                        5KB

                                                                                        MD5

                                                                                        a5acfaaf22780dc4a4711cc9ba1c481c

                                                                                        SHA1

                                                                                        58c007b902580c7266b906a106d24a07cbfff1f4

                                                                                        SHA256

                                                                                        b28ff8d7195b4f15bcc43cab3b6f6cfb0d97291f748c4e335ea3ef4283f684f2

                                                                                        SHA512

                                                                                        28c4c3aed9e52bc8456fae85bb61ed7077d8c9ccc026871cd6978811dc5a28eaf696452413584a242a52cf7d34ffd6938812c02788bb9099ebeab6f672908709

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        7f6f5646ef55dd6cf7a89b1a6909cfec

                                                                                        SHA1

                                                                                        64d64fdb5cca5ae103c266a71fbbd9335d7071c2

                                                                                        SHA256

                                                                                        25c4c1bd29263b69a49d7b77e8122f0c2c5a9ac182887c8c9922ef5000740e91

                                                                                        SHA512

                                                                                        f96123ac06f42e1841c8ac9e8598fd9dba8dad2cbb9e701d7b6a665b2af48b5563efc3c135b29ec0633810cfa614a5b617c29b2a1185c3cb98be4483ac8479b2

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                        Filesize

                                                                                        4KB

                                                                                        MD5

                                                                                        f7f07a1b2f12c4ed2107abdb56e0471d

                                                                                        SHA1

                                                                                        ce26fd219a5f6bc1294d50292bffd9308cf5feed

                                                                                        SHA256

                                                                                        5ab19400bd8fbbc059a4a7eb10a046b7af4cd3690f86a0b94159bbb2a89a6204

                                                                                        SHA512

                                                                                        7ab4cf5bd5d21955e22f6080982aa68e5c73392f550b38210fa2593232fbd75accd2a0d9f7d1109edd84dfd6721b5cf5252e57a4d04f7e21d6679c78ac2220bd

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d060.TMP
                                                                                        Filesize

                                                                                        3KB

                                                                                        MD5

                                                                                        2025fb40ab78ff78ed52648bd6dc3edb

                                                                                        SHA1

                                                                                        ba7dae577cac4467fba4ed5e9927752895d8d97d

                                                                                        SHA256

                                                                                        b0a27932bced26f15a29e2183ec75f2b9d0f40255ecef240e5ec18924950e5de

                                                                                        SHA512

                                                                                        1af5e67b1a84f43f85f6914715c0c9d203a4ce981d799c493ea2a57129a1be3a1a3550e24a909448cd8bdcb801b754586032f254db1b0d8acf019ed1a277ed15

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                        Filesize

                                                                                        16B

                                                                                        MD5

                                                                                        6752a1d65b201c13b62ea44016eb221f

                                                                                        SHA1

                                                                                        58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                        SHA256

                                                                                        0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                        SHA512

                                                                                        9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                        Filesize

                                                                                        10KB

                                                                                        MD5

                                                                                        03523204355e2cce684aed1e5b097392

                                                                                        SHA1

                                                                                        f737a5121d274b485b1a88426536bcd9d5db34e1

                                                                                        SHA256

                                                                                        79ff6d0b67891663f838835d5aac54e8da6f8ffb7fb35d7f91b9dc562e197da9

                                                                                        SHA512

                                                                                        0922214bbff043e735a40ba2ceb7afd115ddd592f9324c351e3d49f3458d59c78f6eafd29390ab80e793af280be0a165b8b2ed83cb5b3e14e56312e24227904b

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                        Filesize

                                                                                        10KB

                                                                                        MD5

                                                                                        b4808bbf1eb99729871244ba9e0c625a

                                                                                        SHA1

                                                                                        b491a1470df00e924ca233cb00d797cae11f7707

                                                                                        SHA256

                                                                                        cb630195bdeb26c7c7682f71b7e99ba5eda4432635c174e6d94ebe036bd67d2b

                                                                                        SHA512

                                                                                        769958e6e0579924a61e10015c5fa4f4423c92960b8c32f8fc61b141da12c27f72f2df2881628e99ec877c1ca7b7f9ebb15ac61937acc094bedb766db94263f7

                                                                                        Download Submit

                                                                                      • C:\Users\Admin\Downloads\Unconfirmed 651470.crdownload
                                                                                        Filesize

                                                                                        39KB

                                                                                        MD5

                                                                                        26cea56a5e8a0fafdfae6a3b3465f724

                                                                                        SHA1

                                                                                        f35b47a7c5a378ff4b9f508ec5761853b4e8b886

                                                                                        SHA256

                                                                                        f462f48e0e7275b7d8588b901efbdac1217b095291b8a3617cc1a35667f555f9

                                                                                        SHA512

                                                                                        3bd03e87d4b8fb37c0ccd3babd94273c6f2222a2c62c9a68a606441f405ccfb59c5ba04836b800f2f43783b93af90aa7c019e176c513303ad97143515ed71307

                                                                                        Download Submit

                                                                                      • memory/6748-309-0x0000000000E90000-0x0000000000EA0000-memory.dmp

                                                                                        Filesize

                                                                                        64KB

                                                                                        Download