xworm | hxxps://gofile[.]io/d/Ndk8aN

Analysis

max time kernel
1681s
max time network
1685s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-01-2025 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Ndk8aN

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

exchange-syndicate.gl.at.ply.gg:22530

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0028000000046280-171.dat	family_xworm
behavioral1/memory/1196-224-0x0000000000EA0000-0x0000000000EB4000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3824	powershell.exe
2828	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2503671516-4119152987-701077851-1000\Control Panel\International\Geo\Nation	FIX.exe

Executes dropped EXE 1 IoCs

pid	Process
1196	FIX.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\b488c4b7-a532-4693-9a65-f20655210d49.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250120041156.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3844	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 40261.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4068	msedge.exe
4068	msedge.exe
1232	msedge.exe
1232	msedge.exe
3196	identity_helper.exe
3196	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
3824	powershell.exe
3824	powershell.exe
3824	powershell.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
1196	FIX.exe
1196	FIX.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe
1640	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1196	FIX.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeIncreaseQuotaPrivilege	3824	powershell.exe
Token: SeSecurityPrivilege	3824	powershell.exe
Token: SeTakeOwnershipPrivilege	3824	powershell.exe
Token: SeLoadDriverPrivilege	3824	powershell.exe
Token: SeSystemProfilePrivilege	3824	powershell.exe
Token: SeSystemtimePrivilege	3824	powershell.exe
Token: SeProfSingleProcessPrivilege	3824	powershell.exe
Token: SeIncBasePriorityPrivilege	3824	powershell.exe
Token: SeCreatePagefilePrivilege	3824	powershell.exe
Token: SeBackupPrivilege	3824	powershell.exe
Token: SeRestorePrivilege	3824	powershell.exe
Token: SeShutdownPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeSystemEnvironmentPrivilege	3824	powershell.exe
Token: SeRemoteShutdownPrivilege	3824	powershell.exe
Token: SeUndockPrivilege	3824	powershell.exe
Token: SeManageVolumePrivilege	3824	powershell.exe
Token: 33	3824	powershell.exe
Token: 34	3824	powershell.exe
Token: 35	3824	powershell.exe
Token: 36	3824	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeIncreaseQuotaPrivilege	2828	powershell.exe
Token: SeSecurityPrivilege	2828	powershell.exe
Token: SeTakeOwnershipPrivilege	2828	powershell.exe
Token: SeLoadDriverPrivilege	2828	powershell.exe
Token: SeSystemProfilePrivilege	2828	powershell.exe
Token: SeSystemtimePrivilege	2828	powershell.exe
Token: SeProfSingleProcessPrivilege	2828	powershell.exe
Token: SeIncBasePriorityPrivilege	2828	powershell.exe
Token: SeCreatePagefilePrivilege	2828	powershell.exe
Token: SeBackupPrivilege	2828	powershell.exe
Token: SeRestorePrivilege	2828	powershell.exe
Token: SeShutdownPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeSystemEnvironmentPrivilege	2828	powershell.exe
Token: SeRemoteShutdownPrivilege	2828	powershell.exe
Token: SeUndockPrivilege	2828	powershell.exe
Token: SeManageVolumePrivilege	2828	powershell.exe
Token: 33	2828	powershell.exe
Token: 34	2828	powershell.exe
Token: 35	2828	powershell.exe
Token: 36	2828	powershell.exe
Token: SeDebugPrivilege	1196	FIX.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1196	FIX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2036	1232	msedge.exe	83
PID 1232 wrote to memory of 2036	1232	msedge.exe	83
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 2136	1232	msedge.exe	84
PID 1232 wrote to memory of 4068	1232	msedge.exe	85
PID 1232 wrote to memory of 4068	1232	msedge.exe	85
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86
PID 1232 wrote to memory of 4372	1232	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Ndk8aN
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff6ac246f8,0x7fff6ac24708,0x7fff6ac24718
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff61c2e5460,0x7ff61c2e5470,0x7ff61c2e5480
    3⤵
    PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:4600
- C:\Users\Admin\Downloads\FIX.exe
  "C:\Users\Admin\Downloads\FIX.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\FIX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'FIX.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3FE2.tmp.bat""
    3⤵
    PID:1872
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8090232297337251602,1118733450940507404,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4152 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8f6b00b7-46d8-4116-935e-77d459ddbacb.tmp

Filesize
10KB

MD5
69e2399ee1503973b787f1b0f52b323c

SHA1
c23dfef26ba0b37dabf9fd24c76f64c36dfb53ab

SHA256
9caa997ecbb485e103eb09cd1406c4ea81496fa28eb9f4cdb40f2b9136f303e3

SHA512
71f50c4306a95078033ac4ad4172638340932cffb5c7e616dd099bb6ef77601824ef0fcd557ff11a99d3f9df0c1c66b4835ddf5b13e8d2566cdf8fdd7ed5c6db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
254fc2a9d1a15f391d493bff79f66f08

SHA1
6165d5a9de512bb33a82d99d141a2562aa1aabfb

SHA256
2bf9282b87bdef746d298cff0734b9a82cd9c24656cb167b24a84c30fb6a1fd0

SHA512
484a1c99ee3c3d1ebf0af5ec9e73c9a2ca3cf8918f0ba2a4b543b75fa587ec6b432866b74bcd6b5cdd9372532c882da438d44653bd5bccdbc94ebc27852ff9e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5408de1548eb3231accfb9f086f2b9db

SHA1
f2d8c7e9f3e26cd49ee0a7a4fecd70b2bf2b7e8a

SHA256
3052d0885e0ef0d71562958b851db519cfed36fd8e667b57a65374ee1a13a670

SHA512
783254d067de3ac40df618665be7f76a6a8acb7e63b875bffc3c0c73b68d138c8a98c437e6267a1eb33f04be976a14b081a528598b1e517cdd9ad2293501acc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
5642d6a645d34c441c46f9326ba3aca1

SHA1
b4b2e4959f7b6f60d9360807da00582714c79cb0

SHA256
d0a8fd8a29247b890a987c4d969158d279347450051a4a76af58dff3b1397c8f

SHA512
4e5dc63e8b589d57044b7bbb3bce38177c7ba605a874132f903f759c912a391760dda4ece74ce3d8d4459ff57219d76e89b2636a8c495051834901b59f524be5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d63c.TMP

Filesize
48B

MD5
33898fa5771eefc64be931d95df88946

SHA1
51caa6dcd0b38cca758a1f0f701e9042ca9739b0

SHA256
21905352494c6cb2730ab49a86bb0f8e3b943ab54e31fc25b58197edea4cb702

SHA512
31372aeaf8fd77418b54672381966e95035faa92581f0d1df279f7dd62cc4b0bce81e10a84571de6f98c5889d2e257fd3dd44842940db9cc885e248d9f53c9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
0f6d48d28f3398c4f70388657884288f

SHA1
296a46a341d8fa303970053f713b27277ba0f139

SHA256
023d03a2f36fac62c6a15b3cbb3c419a1299f32446831e615eefd08303674cf6

SHA512
a26af5692fa87154e2e2cbb15b307eb1a9cf4f11ef0881d55a3bb36da4c19d85917887098c3b801d61f0fae9e5731aa56d339a44397a8a0299ec4811d8e94f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5893ee.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82f02f1a0ed67cc39c3297f010c9e8c4

SHA1
ceedc78b97a58faa2d652c42fa37d661b9774aba

SHA256
5c242eec925dbfbcdf2968c2fea95b7dbddcde083e4c74bcfef07025f34e4317

SHA512
87e76191f8c795038ebd42cf02bda9159563940a6329807ef08394ddcd7ac5919ea9088eb802d552cbb84cb64254eeaadbcc71db1966573479d94845dc63c94d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b02bb21ce8e6cce7369546e17db56e20

SHA1
17269bb53c49ac2ef889972b55dd6da390cefa73

SHA256
f2e0069d48ba0c08cf05539209188c649e8978e024393e5eb603163a358ad43a

SHA512
1a8e79ca62e26480a7faf0a66c96cda12ccdb2659279b22804150c8d378df6f62eefff8e4b00c2dd5c5240de8d3c6db5c0a6066e71d5a3f42a8a529df84f2e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e9077e696b13ecf68596b25e7fb718b

SHA1
612346d0fa966cbc65f68d6e930e4d598a52926a

SHA256
48d6a62d2a8f65f3f7838fc200236a49ced2e8e73df484aac259445b37ae1a38

SHA512
cc6be9e42f0330191f315ca2897450f4b6c04744b70e1e2ec316064ba5ae1e6f71d3fcd3a09248e6a214231e440902c23d8963590265da65ce216c2ee8b9db04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
48febe0b0625901956573dfb2378e7ed

SHA1
c324173a8f8fd7a6a7398f6bb24dd2ee11d3cf24

SHA256
f0fae7ad33efdd05845d0d631ce8341ea4b6dfd4c45be844f0c117738df9c0d0

SHA512
fc38a0c64e67e3b5d43f787fe86f700e6f753d8e90bcebc446d4a8c631b9e4362a74fa862a5b2ffc74f3f5236d3ecf006b341042b5469d1cc24f2c325a607a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bc3a0ca62cfef580ff9ebbb7afc92b9b

SHA1
fde9832ce521fcd53850d0701a543ef75b772e3b

SHA256
b0203fb7c3812937e92ac04ad6065a2129bc165a36a60a4d2fdb0accc4499464

SHA512
fc1f3a5bd2106d9b6ed5a678c2f4978550a0d7414172b0ce6954a835b0da01ac28c177955a48c2ef56ea3d517a6672474a9cab873aeccae3f22a45ccf2d070de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c57ae3bcbd286b62992e3e4a6fb274f9

SHA1
97700f953e9efc13ca96d2a697d176acd4a40d41

SHA256
e1129ab88088c3b1c20320df1f2990e758b9a9f953aa84baf4a735e25b9b0c3d

SHA512
23a136195d861a5ee1ed2a685792ef2f5b14c334403aecde13387222ae69db8ec581575b8c761e2f82a837ae46bd1974093e61f71c2f2de47674da17235fe233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kr4ubdsy.qrf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3FE2.tmp.bat

Filesize
146B

MD5
c2c019d557fdb4b3665349e717c488df

SHA1
d7318e0e5d367995dc67a2e9a9037354a8a621a8

SHA256
c924fec5471fccf214b45d9aa8353eafc24fd8f1c873dbde27e39f7cb0ba18a7

SHA512
6aadf1f7948479bfa6dfc489c7a00fbeb3f97023bd97d225c47d20da862d7e2651344097313f52b7b3e76b5d72eea3435f2dc7f484a0a96448b421a2cfd0fd5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d03aff4489ce5086f1701679f171e107

SHA1
82818fa1e2b16dcaa6c6d29280d974e329738de3

SHA256
6ee55daf94912bf811542210edaebb60b93aa2d83496f6bddda9e28729cf45d8

SHA512
d927c1b806752670f1d537e6848407282d7436ec543d12a437f413c4d9ea4fc9682520e9f48cd326b5fec81c22b32e30609f84c8e129121e53c08b47bc9cb49b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b30e14e0e4f215ea19b135f57f7ca656

SHA1
e9ae51d32a10922d0e961975f46cbba7b34c6b03

SHA256
71c48a51672883cf6a550ada9b1ba5e88702856acc7ab0eff725018d945ddd0d

SHA512
6dddec5f3d2ccbb4374f34d474f0a53e4fd3cc79cfd1e68dd368a79d2c0bccc95e83c2d6a3413e395bd2c2b24bdd0819bf2b888ff5b4011a71a976c4e5ad3fbf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 40261.crdownload

Filesize
56KB

MD5
4f8b3c80426a1be4ebbbad9a489887d7

SHA1
59b7994a532f54ad980c41500611bde0ed6d6256

SHA256
99307c1270070b7a3d8527f04d641309d3dacaad8043aa89558ae99b7ed41bc4

SHA512
2efa54d4e65581c686dd2ca830165fd80ca4e0b2bb8634c3a57f17b811b2efa5d1a695d0668802c77c9ccc597c5621bf6dd03cdc3ad03ba1193b739497d495ed

Download Submit
memory/1196-284-0x0000000003110000-0x000000000311C000-memory.dmp

Filesize
48KB

Download
memory/1196-224-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/3824-236-0x000002106CF60000-0x000002106CF82000-memory.dmp

Filesize
136KB

Download