Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://file.io/oQAy...

windows10-2004-x64

10

Analysis

  • max time kernel
    387s
  • max time network
    388s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://file.io/oQAy7eWfxdU9

Score
10/10
xwormdiscoveryrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.242:3388

127.0.0.1:3388
Mutex

ZzPr10udRDHeSHtK

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/oQAy7eWfxdU9
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6b9246f8,0x7ffb6b924708,0x7ffb6b924718
      2⤵
        PID:3740
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
        2⤵
          PID:220
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4800
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
          2⤵
            PID:2840
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
            2⤵
              PID:4100
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
              2⤵
                PID:2452
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
                2⤵
                  PID:408
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4584
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
                  2⤵
                    PID:1912
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
                    2⤵
                      PID:2868
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
                      2⤵
                        PID:4196
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
                        2⤵
                          PID:5160
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
                          2⤵
                            PID:5168
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
                            2⤵
                              PID:5288
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
                              2⤵
                                PID:5420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
                                2⤵
                                  PID:5768
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
                                  2⤵
                                    PID:5780
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
                                    2⤵
                                      PID:5788
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
                                      2⤵
                                        PID:5796
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7040 /prefetch:1
                                        2⤵
                                          PID:5804
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
                                          2⤵
                                            PID:5812
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
                                            2⤵
                                              PID:5820
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
                                              2⤵
                                                PID:5828
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7372 /prefetch:1
                                                2⤵
                                                  PID:5836
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
                                                  2⤵
                                                    PID:5560
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
                                                    2⤵
                                                      PID:5568
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
                                                      2⤵
                                                        PID:5328
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
                                                        2⤵
                                                          PID:5432
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
                                                          2⤵
                                                            PID:3988
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1
                                                            2⤵
                                                              PID:3900
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
                                                              2⤵
                                                                PID:4668
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9028 /prefetch:1
                                                                2⤵
                                                                  PID:6276
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
                                                                  2⤵
                                                                    PID:6288
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9496 /prefetch:1
                                                                    2⤵
                                                                      PID:6364
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
                                                                      2⤵
                                                                        PID:6600
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8536 /prefetch:1
                                                                        2⤵
                                                                          PID:6912
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
                                                                          2⤵
                                                                            PID:6920
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8560 /prefetch:8
                                                                            2⤵
                                                                              PID:6660
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8504 /prefetch:1
                                                                              2⤵
                                                                                PID:6692
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
                                                                                2⤵
                                                                                  PID:5128
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
                                                                                  2⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:6072
                                                                                • C:\Users\Admin\Downloads\matcha_updater.exe
                                                                                  "C:\Users\Admin\Downloads\matcha_updater.exe"
                                                                                  2⤵
                                                                                  • Drops startup file
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                  PID:6868
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17249219478576581881,9758749944968588430,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4916 /prefetch:2
                                                                                  2⤵
                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                  PID:6268
                                                                              • C:\Windows\System32\CompPkgSrv.exe
                                                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                1⤵
                                                                                  PID:528
                                                                                • C:\Windows\System32\CompPkgSrv.exe
                                                                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                  1⤵
                                                                                    PID:5024
                                                                                  • C:\Windows\System32\rundll32.exe
                                                                                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                                    1⤵
                                                                                      PID:7144
                                                                                    • C:\Users\Admin\Downloads\matcha_updater.exe
                                                                                      "C:\Users\Admin\Downloads\matcha_updater.exe"
                                                                                      1⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:5736

                                                                                    Network

                                                                                    MITRE ATT&CK Enterprise v15

                                                                                    Replay Monitor

                                                                                    Loading Replay Monitor...

                                                                                    Downloads

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                      Filesize

                                                                                      152B

                                                                                      MD5

                                                                                      0a9dc42e4013fc47438e96d24beb8eff

                                                                                      SHA1

                                                                                      806ab26d7eae031a58484188a7eb1adab06457fc

                                                                                      SHA256

                                                                                      58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

                                                                                      SHA512

                                                                                      868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                      Filesize

                                                                                      152B

                                                                                      MD5

                                                                                      61cef8e38cd95bf003f5fdd1dc37dae1

                                                                                      SHA1

                                                                                      11f2f79ecb349344c143eea9a0fed41891a3467f

                                                                                      SHA256

                                                                                      ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

                                                                                      SHA512

                                                                                      6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                      Filesize

                                                                                      1KB

                                                                                      MD5

                                                                                      31e8a1e3da568e475918761f4623f4e3

                                                                                      SHA1

                                                                                      c84d35166e8a6c41ed355ef8d024a0630c25e502

                                                                                      SHA256

                                                                                      b45c5281a839601ddbacad6f82fd8926663f7abd470bfe44c53ad8569a832a5e

                                                                                      SHA512

                                                                                      5f22c60db42f18d38f3bc2366c0a276f94eaf3dfd407c64f9fd95e84c2c31d4e16307388f61afa9256aa50474fdb27cdaace9a08c627030d514c4bd3d2194e8c

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                      Filesize

                                                                                      1KB

                                                                                      MD5

                                                                                      a6e62c2384062eab81949a48d3116a46

                                                                                      SHA1

                                                                                      edd5c83ccac0df0a4c3b583ed3f4a960870afabc

                                                                                      SHA256

                                                                                      da9b8fc01a5957862dc17ee46d3d8b4563633bd344ca847069fe5cbd30c70867

                                                                                      SHA512

                                                                                      9c71a1b560e49cc60c149b4ea1eca5c2361a669440aff8e65a161cff122d11e6357937f781b88683f38dfc93aa5db180933eac5912edaca3d4051a7a169abda8

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                      Filesize

                                                                                      13KB

                                                                                      MD5

                                                                                      1ea202edc74f0ed7de3cb04e0b72713b

                                                                                      SHA1

                                                                                      b0ac556d54f78eed4f840564364d467adf0b5ff4

                                                                                      SHA256

                                                                                      5ac694c804ca4f51ad1f5ba5f570ae0b57fe03e8298a5ba40bee1fe214ca349a

                                                                                      SHA512

                                                                                      fb882c8127ca3e981f184d724c8fcce444b0caeeed664f1393390c311e77d84273a8930dcdbec0fc335617c401a70bc893c31bd8de30c3adbc926e941730ce7f

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                      Filesize

                                                                                      10KB

                                                                                      MD5

                                                                                      8de6e63eaaea4462b9e9c48d57449ce8

                                                                                      SHA1

                                                                                      25a23b9116b38ef2fcd18dd14fff8ded01f70587

                                                                                      SHA256

                                                                                      b9d941ad309ca36b88ad4b98f104d8e6e2d87b47e3f6a5713da7bcd6cabc8be1

                                                                                      SHA512

                                                                                      15d9140d72349772ab43775a4363917297c2557eef43119f0800597431f5104440a926fb1af6ae2fea18f32fe8174346a74d8678dd4278b5cf6fa31d6ab403b0

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                      Filesize

                                                                                      5KB

                                                                                      MD5

                                                                                      1a3742e8abd1f523620e271a7070f803

                                                                                      SHA1

                                                                                      c1714c0e1e124a061efb2150b814af3e23b702b1

                                                                                      SHA256

                                                                                      ed5f108762cacc8d84ff23d95d502e9f39bc37c95f5d6fb308d320c2fb4d301b

                                                                                      SHA512

                                                                                      29dbb3f201f05594fd48d466b3c94817267ef15cf5e90984c816548e4ce3aa6a25a8b4fd6a45773732e7555788cd569d6d5de15a38c95d5a3fa41c49be8201ed

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                      Filesize

                                                                                      16KB

                                                                                      MD5

                                                                                      4970014271a987f1fd4b44257df522ef

                                                                                      SHA1

                                                                                      27f3e8f8fbf12417dbe0124061880aecea6ea59d

                                                                                      SHA256

                                                                                      6ffa77662a5b481d102d4968c7e3ca41065cd9acecf514ae5feb589f209e0273

                                                                                      SHA512

                                                                                      a4f4420c361dab9ed1a5c130046c44039c35f0d6a61daf23486a685fd69c81f3131e24d99c962f2a348d67e327d5b0fc0a7dcd67b2fec9a6ebfc58104dad08d0

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                      Filesize

                                                                                      3KB

                                                                                      MD5

                                                                                      6254b776efa217ecce5a16d7b414c8da

                                                                                      SHA1

                                                                                      5ea8ddc8b459c8136ccd328375dc57002cf223cd

                                                                                      SHA256

                                                                                      63d3a5c59c006cdf4c91587c90ab8800f17520cba56e45b57ae470c53e27bea9

                                                                                      SHA512

                                                                                      d0a8a8aef9c436e7274a56c41d244696aac0ffa2957de11217c254fa2b33625cbf453d2fc0d59c2d8d15ed789f0792fa6ee01c672d3bceea92fdb9c887914dac

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                      Filesize

                                                                                      3KB

                                                                                      MD5

                                                                                      c7ff9190d0464c7e847dd1959de05768

                                                                                      SHA1

                                                                                      bef703c6ee43748b28be59205861777e5535494c

                                                                                      SHA256

                                                                                      884e4f93e7c37be46da23a059179947ccc871c1d18bc208998858def9bb1b1f2

                                                                                      SHA512

                                                                                      e45efa45586395ba742ab8f937b90b861e5180c2f9f2ff446eafbbcbbfffcfb1ff6509efc8c7eb6988a25353200a31ca23bced6416ae46389c7456905a295b93

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                      Filesize

                                                                                      4KB

                                                                                      MD5

                                                                                      96d5b8887149cab4244ebb1859388961

                                                                                      SHA1

                                                                                      a8e65618701390334d7baa54d5f920a8ce188799

                                                                                      SHA256

                                                                                      8d4f6dfdeb1d95251b70b416844be90b54fcbe2db4ad2d62d65b4ae487902dcb

                                                                                      SHA512

                                                                                      e501c9b28d6f7050b88635b1a3c329b91f4bf8b0136d6fe959d8e102e2197069c26057d7137dfa30a923dd70c846ff0212d24ab6dc42d8ef27a05bacf5b86298

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d949.TMP
                                                                                      Filesize

                                                                                      2KB

                                                                                      MD5

                                                                                      5ad9905b2600f8560da0feebe69db365

                                                                                      SHA1

                                                                                      a0428101de4e5078885634e9cdc22e1fd3f93a6a

                                                                                      SHA256

                                                                                      b408438cfc7e0661b0742d363a150067c7f995b523770cb9eb12dc553c0568ce

                                                                                      SHA512

                                                                                      efc3aab59069afed61fca4350f0e8ca61b35059ab1a74a859cfd4e8e05a45189b903b7ad1c133aa4c3819ce05f06b3d6cbc1f8fe8796beeadac615cf44256660

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                      Filesize

                                                                                      16B

                                                                                      MD5

                                                                                      6752a1d65b201c13b62ea44016eb221f

                                                                                      SHA1

                                                                                      58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                      SHA256

                                                                                      0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                      SHA512

                                                                                      9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                      Filesize

                                                                                      10KB

                                                                                      MD5

                                                                                      3971455bdebcde6a09f6004ad7d90cd3

                                                                                      SHA1

                                                                                      a14f680506f0d5edcace62272fbed53e3758e4d5

                                                                                      SHA256

                                                                                      a3211b2cee13532914058aa3dedcad1dd2a1ff036acd1ea5fed9780655557fee

                                                                                      SHA512

                                                                                      cc91cc1b38996ffbfb3e1c0bcc873c1b4fe05a3355913602b17dc3f03f63c5648fbb5437f73f75de4f2ced2918740ba800956cf9547d80ef5a79aed5c7544e52

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                      Filesize

                                                                                      10KB

                                                                                      MD5

                                                                                      6ca9954862a10668e66914124780761d

                                                                                      SHA1

                                                                                      569ee26d163a56530cb13a1efafa27196b540242

                                                                                      SHA256

                                                                                      b64fb79880e17907f48b5489da1c7f65a18947841c6f228d4f1bf5d1c79ac81b

                                                                                      SHA512

                                                                                      787849ba1efa0ba2098d61105f862af7a3a2f80b1baf5c183015a4a681a4bdaf0fa8d52823dc76199a10c544f8422d83f92d38cafa2d3a914b7aee14206b7ed1

                                                                                      Download Submit

                                                                                    • C:\Users\Admin\Downloads\Unconfirmed 406799.crdownload
                                                                                      Filesize

                                                                                      34KB

                                                                                      MD5

                                                                                      f0458aa8920c3a81dc62f427b140a759

                                                                                      SHA1

                                                                                      6f1c7882775e6e1d6139d5a0ed4bdf35708f8767

                                                                                      SHA256

                                                                                      5f41b296c9c8ee823fbc5dd53ad0369a5ded6def0f1f9cb9fcc98a5308d8b43f

                                                                                      SHA512

                                                                                      ed017ffffe7854262a0ac28b16406e55977fe8459bb72becb7426d39228aae952f28d2679270df300762e8eb4db7bfaa7368fa5826d3f4cf2c23f251eb1d3c4f

                                                                                      Download Submit

                                                                                    • memory/6868-275-0x0000000000B50000-0x0000000000B5E000-memory.dmp

                                                                                      Filesize

                                                                                      56KB

                                                                                      Download