xworm | hxxps://gofile[.]io/d/9EDfYX

Analysis

max time kernel
841s
max time network
895s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
21-01-2025 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/9EDfYX

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Family

xworm

talk-weights.gl.at.ply.gg:24842

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5580-264-0x0000000000400000-0x0000000000416000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5772	powershell.exe
5992	powershell.exe
5372	powershell.exe
5080	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
71	discord.com
72	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\83e4d857-a592-4420-9465-9fdb4e102927.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250121040915.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1581648047-808845429-2272123689-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
844	msedge.exe
844	msedge.exe
4948	identity_helper.exe
4948	identity_helper.exe
1348	msedge.exe
1348	msedge.exe
5372	powershell.exe
5372	powershell.exe
5372	powershell.exe
5772	powershell.exe
5772	powershell.exe
5772	powershell.exe
5992	powershell.exe
5992	powershell.exe
5992	powershell.exe
5580	broken.exe
5580	broken.exe
5080	powershell.exe
5080	powershell.exe
5080	powershell.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe
2600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	5372	powershell.exe
Token: SeDebugPrivilege	5596	fixed-ver.exe
Token: SeDebugPrivilege	5580	broken.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeIncreaseQuotaPrivilege	5772	powershell.exe
Token: SeSecurityPrivilege	5772	powershell.exe
Token: SeTakeOwnershipPrivilege	5772	powershell.exe
Token: SeLoadDriverPrivilege	5772	powershell.exe
Token: SeSystemProfilePrivilege	5772	powershell.exe
Token: SeSystemtimePrivilege	5772	powershell.exe
Token: SeProfSingleProcessPrivilege	5772	powershell.exe
Token: SeIncBasePriorityPrivilege	5772	powershell.exe
Token: SeCreatePagefilePrivilege	5772	powershell.exe
Token: SeBackupPrivilege	5772	powershell.exe
Token: SeRestorePrivilege	5772	powershell.exe
Token: SeShutdownPrivilege	5772	powershell.exe
Token: SeDebugPrivilege	5772	powershell.exe
Token: SeSystemEnvironmentPrivilege	5772	powershell.exe
Token: SeRemoteShutdownPrivilege	5772	powershell.exe
Token: SeUndockPrivilege	5772	powershell.exe
Token: SeManageVolumePrivilege	5772	powershell.exe
Token: 33	5772	powershell.exe
Token: 34	5772	powershell.exe
Token: 35	5772	powershell.exe
Token: 36	5772	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeIncreaseQuotaPrivilege	5992	powershell.exe
Token: SeSecurityPrivilege	5992	powershell.exe
Token: SeTakeOwnershipPrivilege	5992	powershell.exe
Token: SeLoadDriverPrivilege	5992	powershell.exe
Token: SeSystemProfilePrivilege	5992	powershell.exe
Token: SeSystemtimePrivilege	5992	powershell.exe
Token: SeProfSingleProcessPrivilege	5992	powershell.exe
Token: SeIncBasePriorityPrivilege	5992	powershell.exe
Token: SeCreatePagefilePrivilege	5992	powershell.exe
Token: SeBackupPrivilege	5992	powershell.exe
Token: SeRestorePrivilege	5992	powershell.exe
Token: SeShutdownPrivilege	5992	powershell.exe
Token: SeDebugPrivilege	5992	powershell.exe
Token: SeSystemEnvironmentPrivilege	5992	powershell.exe
Token: SeRemoteShutdownPrivilege	5992	powershell.exe
Token: SeUndockPrivilege	5992	powershell.exe
Token: SeManageVolumePrivilege	5992	powershell.exe
Token: 33	5992	powershell.exe
Token: 34	5992	powershell.exe
Token: 35	5992	powershell.exe
Token: 36	5992	powershell.exe
Token: SeDebugPrivilege	5580	broken.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5496	broken.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe
844	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5580	broken.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 3664	844	msedge.exe	82
PID 844 wrote to memory of 3664	844	msedge.exe	82
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 4620	844	msedge.exe	83
PID 844 wrote to memory of 2536	844	msedge.exe	84
PID 844 wrote to memory of 2536	844	msedge.exe	84
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85
PID 844 wrote to memory of 4200	844	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/9EDfYX
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffae7f746f8,0x7ffae7f74708,0x7ffae7f74718
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2a4,0x2a8,0x2ac,0x280,0x2b0,0x7ff6b35d5460,0x7ff6b35d5470,0x7ff6b35d5480
    3⤵
    PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,6810549028299122396,7057471246565342067,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat" "
1⤵
PID:5272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process '"C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat"' -ArgumentList 'am_admin' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5372
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat" am_admin
    3⤵
    PID:5500
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:5564
  - - C:\Users\Admin\Downloads\fixed ver\fixed ver\broken.exe
      "broken.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\fixed ver\fixed ver\broken.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'broken.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5992
  - - C:\Users\Admin\Downloads\fixed ver\fixed ver\fixed-ver.exe
      "fixed-ver.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat"
1⤵
PID:3800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process '"C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat"' -ArgumentList 'am_admin' -Verb RunAs"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5080
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\fixed ver\fixed ver\runner.bat" am_admin
    3⤵
    PID:5416
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:5476
  - - C:\Users\Admin\Downloads\fixed ver\fixed ver\broken.exe
      "broken.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5496
  - - C:\Users\Admin\Downloads\fixed ver\fixed ver\fixed-ver.exe
      "fixed-ver.exe"
      4⤵
      PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
713ad359b75fe6d947468ec1825202b9

SHA1
19dcd19f18a2ad6deb581451aad724bd44a592a4

SHA256
56572269ec031c63d966c6d3b4712600b908d38826c59c0f9a8225d0a783e9f4

SHA512
4df344dec422bed85b186909dc7f9c35126b3bb45e100f18fb95b4a9943ace242479adf5f0194b054d38b67032498f897a5a54b49026efee0c4797cb5a5e54e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4bc32eb841f2b788106b7b5a44c13f4

SHA1
27868013e809484e5ac5cb21ee306b919ee0916e

SHA256
051cdf1896c2091e9ff822c2118fda400e2de25ee323e856bf9eb0c64c7a7257

SHA512
7a4963ea09832503179642ee750b1c8024373c66b4fce2bd316b782d1fc670c1c77cdb31f9316b34c78b6f3f1c99d90fb50e0500b72f4a647adf7653c44d242b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8eb7d84aaea5c0c37cdce43d1ad96dd

SHA1
0a27d004b734e4c486372c6888111b813e806811

SHA256
27ec491fe2b7f0eb567a44deb50c74408376ff3addf6c88a2b1060adc4a5976e

SHA512
f39070a20583f7ff33b7b3c0e97c08da2a3ff36049e256bbe0d0031bf15579c6d9c3da8d1f9daac1073519b648a1d005a8fa195ee2232b2962516e9aa14dac3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
56KB

MD5
118ec83735afb436b2cf94bcf56ded58

SHA1
c26b511fbf357a1984c4e7ae675d674220a166db

SHA256
bfc3f3e059503db8d08ae4671d2874d5c6cdbe90974ff2d4e410dbfb6ae6631b

SHA512
3f41f8e1bc48600efa92089ed50d035093985ce8a3a6c8a0c136441dbffdfc6a30a1d275e29e35a5260496ef185af673d674a00619155d9b7172d75bb8d1c4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
46cce8e93369184e2c509ec22a159268

SHA1
7e445d8f716bf5f523dfa452f3ddcb3a3d7fce48

SHA256
e4d8e1e91ae58112edad6e2d61ddd7351559f06f967da55abcd69cb4dc7955ac

SHA512
a8b85265a420eac83ff4d168a700a7fa04d68fb391cd97433b9d0ee482bb21d505ff8e870209a42b273d0f0a5159bdac41a9de4e5ff4a36259e36492227e5501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0e1d9c58496c88472e0e21922dd6e0b6

SHA1
3ea4ea9b09abd112e178f4ff94e37aa8dd751b61

SHA256
0659945f66fcafcba45b5d2d4cb1e0e0b7e17ab19b01ab4cabd520c9b0157873

SHA512
6b4d31a5dbda9a1ec40db508e614a59af40d7accfbe2f7967cae40511dbccb9335c892ef946a11d4f79d7f83eab20b9a2352ce0e534450e593f5803214a09a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7c0d79b95ae2cf3dfd2a4054af266439

SHA1
c632524bc5141e51619f1bbab0149e8c9ad7660e

SHA256
482f5001679264f5a3f2a293accc44b07e092ea861755a66428fadcb0ff43d6d

SHA512
e2f8cf3582f48b0886ae7299646b1029f36c0e081fad45445b4a99f04b5993106fe7a0288842c50eb4ee10ad2dd32c98a848849b52e190c869144d5701804411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58ad81.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
291a1df457e264e552ac3887e71659c7

SHA1
2f6ec0036bc51861865b7b732d5f7611538879b7

SHA256
f7e48e30648204e6197de5fa068d6c23cae567db5dc6397f5f81bd03afa601fc

SHA512
85451807b403266d4a2fd5309b6ccbef708960a2d301837646f4cebf172e3f43e8efa78f3dfdd66eae89dde36da1cf13c3403390807ebe0cd92720c2227a8205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e32c1876a202dd2787d6aba9a2e9bc8e

SHA1
08a8807efdf1f06d4c0547bde8f0292e36929bf7

SHA256
98a9280cad52181e8e60f7ea8a7c6043833dbd6a9fc37456db126c951f14beca

SHA512
7889d6ad7baba67b88b7979b14ceea2dc9b75e278d2a0e58aa7e4e2144a90a3dd059e7b6b0614135ffa7dc95a1378ae7f6c6736fc7995c47012cd10bbb512b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a10a3a406f3fa69991119f417945ccc9

SHA1
84ec79b60f427f463a780988bae44e42181cf819

SHA256
c17a773f3a4a5e719bbbe261d7c14ec5688d4d80d64f3a6e28d1963411771c81

SHA512
2bb300428c9e5f22bf6531b73fac3536cdafb1fb730fd2c9ee1dcf83079581127e1045dc94b26eaf40953b6269cb63c8eb711f37c8fc1e8f84bd3088e5f8e3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6338e51cf2d1cb4bfea21c7d81cb3dc3

SHA1
0049d2863f309423d889fed141ef1f146246ac82

SHA256
2636a794e74289532973b8f1f9c62a0009520dad49951c956dceba846835e0ac

SHA512
ffcbb8f086de4ca9b51f2a86ff75f283afd9a08ba7fdfc16b119f4b80e452579fed0c7d5eb02cda11e6d7c6762ca8d5a1e542e90e106020f530d755933fb3ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
b321aef296129848c0c2c5c77ee69951

SHA1
402afa01ec8a6990a78514994f9648aedead5817

SHA256
e44d575c1dfcf221b68c84c2cf1d4f1bea45a7e32cd8010228acff6120daff1f

SHA512
cbb689d400fceb2f59d67e9e9d28007d2bb7562cf18f806420a9adbb08e0be5825153a44d4199ed03fc8e87311c2f5d4ab9aec5f3667984572070487475e8642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2cc725a01c3595b47f7f8c2506702733

SHA1
0bd2fd4005f950891e2da2b6ceedd3067fcffb3e

SHA256
ed2528c97b18409b89fdf30605b3a328b6d0ea7033f484e5adbb0e3457b76f35

SHA512
7fa3eb2aedc883993b7f6b78ef3a9a4124698400053e2d42d1b2f81a3d295f81d493ba791a676eb0d5a3fa9dbe1cfa2d1e1caaaef55f810a5a28b1497a4c948b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55dc7bacadb267220b99760a80f43c9a

SHA1
329fbc366b4d4f7e1d8496b1302bb193498d7883

SHA256
e72a367cff481e4b2d411cc92bdffef290fc3f6f86a1e77efd6f123b2464cd95

SHA512
da43398163d876e7c6163659d2eb8a058bfcff14143a211c9652737e52f1385ccc3cdef25b16269ab2c8db20edd6ec29d48ba54705345f2e72eaded70ba2538b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec4ebec8211b148132c672fabcd0859e

SHA1
19f9f6665274e4f5fa47b2b8a7c1ffe29b69cef1

SHA256
1f97e8471ac5aa773dc04f35dd3fbbd8ce2c8620998713e24174e65a40479e2f

SHA512
9c189773cbd1862d7d644dfc566a6dd2582397f114056438e5b86ea2265aa55e4622d2606b943164bbb795c9dbab222db06fc3720a98e472923af7db5faeb19a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdwgub1o.oyn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ca10772738974d9f28c101df5dcb9653

SHA1
238c642b616abbac2914ae9b56c3df6a2983dade

SHA256
6f74fb9449f1c436a0e9cc72823c2a333813f5606be75442e4903a3283fbe410

SHA512
95cc8b87cf2cec764500f71fad9f4c105dd1cafba2f708039cc1ed18246fb087897315d0f9f519be3c0a7aaa7b531ad989b44e3a777709fa9d3c5cac7f64ec5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4c3952a8dec585f9a78e895648e2f17a

SHA1
f84e09cd3e0294344a9b6c791f65bbc396e10bdd

SHA256
f009476abd7255bf8e5c92cafbd8bff12b2a1d3d841ec25a991633c8ae1ff7d3

SHA512
1e93cc5c08231e70403298cfe2469ab8773a3ea14bfd3088533717f737a5c9d0b4aacf44afe89850fa750a2cef72051df4b2d24cd8669712a71df6aa37a1ab1f

Download Submit
memory/5080-305-0x000001DC6DFC0000-0x000001DC6E10F000-memory.dmp

Filesize
1.3MB

Download
memory/5372-260-0x000001E868250000-0x000001E868272000-memory.dmp

Filesize
136KB

Download
memory/5580-264-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5596-263-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/5772-279-0x000001DE18B70000-0x000001DE18CBF000-memory.dmp

Filesize
1.3MB

Download
memory/5992-291-0x0000016B2E7C0000-0x0000016B2E90F000-memory.dmp

Filesize
1.3MB

Download