xworm | hxxps://file[.]io/iS2uT3qQOVpD

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 04:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/iS2uT3qQOVpD

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

79.110.49.242:3388

127.0.0.1:3388

Mutex

QNDDCJJJgTd23H0h

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d57-218.dat	family_xworm
behavioral1/memory/4836-261-0x0000000000270000-0x0000000000280000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 6 IoCs

pid	Process
4836	ghyjtdftjhgtujytghyrte.exe
2192	ghyjtdftjhgtujytghyrte.exe
2192	ghyjtdftjhgtujytghyrte.exe
2860	ghyjtdftjhgtujytghyrte.exe
4612	ghyjtdftjhgtujytghyrte.exe
1100	ghyjtdftjhgtujytghyrte.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
514	ip-api.com
552	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 819407.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2104	msedge.exe
2104	msedge.exe
216	msedge.exe
216	msedge.exe
3136	identity_helper.exe
3136	identity_helper.exe
5380	msedge.exe
5380	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4836	ghyjtdftjhgtujytghyrte.exe
Token: SeDebugPrivilege	2192	ghyjtdftjhgtujytghyrte.exe
Token: SeDebugPrivilege	2192	ghyjtdftjhgtujytghyrte.exe
Token: SeDebugPrivilege	2860	ghyjtdftjhgtujytghyrte.exe
Token: SeDebugPrivilege	4612	ghyjtdftjhgtujytghyrte.exe
Token: SeDebugPrivilege	1100	ghyjtdftjhgtujytghyrte.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 2008	216	msedge.exe	84
PID 216 wrote to memory of 2008	216	msedge.exe	84
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 4352	216	msedge.exe	85
PID 216 wrote to memory of 2104	216	msedge.exe	86
PID 216 wrote to memory of 2104	216	msedge.exe	86
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87
PID 216 wrote to memory of 1688	216	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/iS2uT3qQOVpD
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffedd6d46f8,0x7ffedd6d4708,0x7ffedd6d4718
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2536 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7752 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8684 /prefetch:8
  2⤵
  PID:6168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8540 /prefetch:1
  2⤵
  PID:6176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9236 /prefetch:8
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9396 /prefetch:1
  2⤵
  PID:6524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:6536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9776 /prefetch:1
  2⤵
  PID:6668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9904 /prefetch:1
  2⤵
  PID:6676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10092 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10216 /prefetch:1
  2⤵
  PID:6820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  PID:7088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5380
- C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
  "C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10644 /prefetch:1
  2⤵
  PID:6520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1013516359747219912,6500359286157963171,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6464

C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
"C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
"C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
"C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
"C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe
"C:\Users\Admin\Downloads\ghyjtdftjhgtujytghyrte.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8fe34cd6a3bae378a556a3c1696a8e99

SHA1
38c9d25dcdada7cfac2b5e022345367f2616c677

SHA256
2797c980001e728dc02839a4016e27f10942d9991d56d8f0c6ec7ed46d90923e

SHA512
08e36acb95139b737eeddeef6d5448b1dee632f9752b7e299b8959c9469d3aec5cc38b6c8fe666956e2283e1d1e98305b2d7fb6daebdefc43d30f6fd2ac54e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
46df3c6b77934b73fb9da5ede222e145

SHA1
a415e3617f1fdea6ce8783d3f204daa44438753d

SHA256
2658d72ae09de8f88103adefa555563f8301f4585f7a4598d912e4b7ae189811

SHA512
3309e01ae3b4a78cc8817f7313be40dcb0e1652c16ceb7f8b42eec66e89602b3ba26e7715eaadc493e5733516cec044ff2e378e17861a821dcd7443b9c7bd3d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dca2497709543ce3a5af20e23f2dc12a

SHA1
0be59b5543cc333ae149068f673edaec86a98f2e

SHA256
94cbb818d712d0dc7ee1d6aa82273ba27582b4c5fb9dbb02348b157be23b18ff

SHA512
0c03fbf651ed91fde44fb9180d350106a9a8de302acfb8ca65faf6f6d4e6627d00d275ad4a6b268b96cc11cef95995ff779313b3a8ba3df9f6cee42666eb8e18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
6545e788715255ef4bd9804f56245b0f

SHA1
4b36972c33d92e10d41462afd06664545cca072f

SHA256
3c44c3c9d7b68dc4d98d2e2130aab7fd4078f649b9ffa1eb302114a0080d7270

SHA512
20ebb8ee60a8417d60459c9c4b7e6de90ee2af95d9e710f7b223cd217107ac46f86dbfcfafa6581fe1a0dc332ab36534fa3e97260f0705dea1d75c7e4d5bbffb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4aa93be3ba05f0b5cbba3782b89d313c

SHA1
23289ef8704622ab6e927dd27a161b327eb5ef82

SHA256
de7cf990613e268451c9bf5a43d1ae9bb2c80652effb8496e60c848c6378b891

SHA512
42818a190ce9c000a9d3abb75b750a1e77d033030905036da4065d829b4e037887fa5e0893fe70616cf01c7735772424f77e177cf7ebe70233c2fe53bb50bb5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
ec3c1f4626c5b6650e76cc3d7a394626

SHA1
28ab99b940dbe322dce64af7d863f12065d5b61e

SHA256
d4a4a418f8eee335d49f0cc9e5bfcda52e3eadbfb57ca7802dd3be8140bc0af6

SHA512
40323b7c409acd8ff2d65dd4759f226cab46b2c0c7b8a639c08a21b6d2db402553dd13759967551085708d05c51402fb683ba54088e2cafd155deb597a8f8233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8cb79f6f5f6b7d64ec427cf27e70f1e0

SHA1
6c7cd36d9ddf3333dd396703219f15bcd3ef222e

SHA256
23743b0797bad8f9780235d836d3e82e2ccc3a591370da38bf614c206f007515

SHA512
dcd7598c1bc14a50bfd6d55c87ce9593126279054e0e68d79e4921d7098e09a190786596634c8db1914bc4121801b5dca22c5c1fda1ed82af769e266f1b8a178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
815b1b81e53f3b6dee0fb15eda359d58

SHA1
7eddb45e29f52ae2e482c7765ecac7bb080ae8f0

SHA256
f8da5fa49a259ba244c81af5f6329cb24b1d00add158325adfdf700201f8f38b

SHA512
7e2d83e6a1f2c0db74177c093f18cdc6c37d70e9bab68d56672cbd600a000ce88479488c7e52588ae0d1c7e8cd98b9361f93f47d5df11322f4dadd1d5de53a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1c64ab509fb6ff2bcc5a110c68811217

SHA1
4a07ee0658d04f198504089d44d556ce36ccb374

SHA256
627d400485140e4232656e6b2702e100b04a5e1c38316775f17659291a73bdc4

SHA512
86c03238028a7b113494799b8dd7279a19bd69282d0541dd73b824bdb23e780f929809e8e89d038b0edd66fed6b1552cbb90f8a7522ef4927957572f4c59313d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
49a0128b60bf16ab4f971e5c0f8f17a1

SHA1
5329742e0ecd17ff7d1a21d90178f962e7217732

SHA256
b86b694bba3afaf157a5e0e5de789511bf5d50386f82a3072b48de75cc1f214c

SHA512
deabf58229934bc32a1fe05a1d93bca765c829062d0ef3cda5fab3962ccd044cea9c3b1d184951e75f3116f3706c079dbac191f29600fd14f1d082d25bb8fe9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ef71.TMP

Filesize
3KB

MD5
d67f5ff0dad47efbae29259159dfb2d7

SHA1
3984b48752e7f4678311a25ebe246bec2d012166

SHA256
28d54b8e11e99c6ea233b5b1a6c461f8e947a8781858c07497cb3882a4ad2e3d

SHA512
645f6bc20729f5feaeccc7544dddfcf7f69cd2a2fd7e04f5736ad7bec6ea82a67b59d6eea6b90daba2b98bc3f94c41f23119e1a269d386e0d8ea897516db0c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8c7434bdf25503cba5af1193f4936522

SHA1
6af810fcbe57fe4908239a5e2e4ced263e6962ff

SHA256
583fba59fc3c6e539a794f9f68233bb66e570acc115b34c7ba6731abb8c3352a

SHA512
36fcb60a0a68889885b8ac10c5bddb74ba608acb8b56845e20dfaad4cd6520d827bbeb622f29640042dcb91583e68ab3ae42c54e5a2a63ffeac846a9cf25df59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dffcd023f03b9b69a6e8435e910b77a9

SHA1
eed99a4e2c55f5eb75dd0ffbd30e944c4ad467c7

SHA256
0dad16365ac1fbf7a84c5681bea58b6cd54128d6373b13cfb27395b47bbcde3f

SHA512
372a3cc51b352297828f6a5fde2b0576973dacabb9c82fe541a3d9ac23537e8b13a79d74a354acdd82fc0535b4ac52052115f9daa5f7596dc1e34e7941062c42

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 819407.crdownload

Filesize
40KB

MD5
83b3e3983456198db7aec2e1a914e4b5

SHA1
eb78db876a034bfcb0501b4b1d7cc2dee4c05258

SHA256
4c816a98492edfacccd4e7ada1f36d0b713c8399d0e44cbaf7ba49d4a090f65a

SHA512
76eccba717657622826be8bd11961f9db3727337b643ec5b864b23fc01e5b93bda378d0b6d0358a24a43bec838fea736c0fddde44eb4a312ecd8d149a5bc3763

Download Submit
memory/4836-261-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download