xworm | d44cd1efe9953098482be69488f24bf35c2e3662e2cc843a49b928a972eeb8a8

Analysis

max time kernel
133s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uytta Client.exe
Size

284KB
MD5

3877eb59a133bcf9745356dc794d48b9
SHA1

632f1d6ae66e5572e857cf41795b02137b1afe2e
SHA256

d44cd1efe9953098482be69488f24bf35c2e3662e2cc843a49b928a972eeb8a8
SHA512

886a3b50a01c57fb277f3fa295070195621c45c74f7d391c2507ccd4d33800ae08717f70704c79557cf880af85f242670c30cc6ee74491f329180feb264548cf
SSDEEP

3072:8siYcW3RruM0pV5nFPi0ffWZgOelgIiuM/5CxgsDnUi/H+VvtCY4InH3H8:8/Yc+B4540ffW/elQ5Ce9O+VvPNM

Score

10^/10

xworm defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xworm

173.31.160.10:4040

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023b48-4.dat	family_xworm
behavioral2/memory/3508-23-0x00000000006B0000-0x00000000006C6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation	Uytta Client.exe

Executes dropped EXE 2 IoCs

pid	Process
3508	XClient.exe
640	MonkeModManager.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Uytta Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	MonkeModManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	MonkeModManager.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	MonkeModManager.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	MonkeModManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	MonkeModManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	MonkeModManager.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	MonkeModManager.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3416	powershell.exe
3416	powershell.exe
864	msedge.exe
864	msedge.exe
4844	msedge.exe
4844	msedge.exe
3508	identity_helper.exe
3508	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3508	XClient.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	640	MonkeModManager.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
640	MonkeModManager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 3416	220	Uytta Client.exe	90
PID 220 wrote to memory of 3416	220	Uytta Client.exe	90
PID 220 wrote to memory of 3416	220	Uytta Client.exe	90
PID 220 wrote to memory of 3508	220	Uytta Client.exe	92
PID 220 wrote to memory of 3508	220	Uytta Client.exe	92
PID 220 wrote to memory of 640	220	Uytta Client.exe	93
PID 220 wrote to memory of 640	220	Uytta Client.exe	93
PID 4844 wrote to memory of 1468	4844	msedge.exe	103
PID 4844 wrote to memory of 1468	4844	msedge.exe	103
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 3856	4844	msedge.exe	106
PID 4844 wrote to memory of 864	4844	msedge.exe	107
PID 4844 wrote to memory of 864	4844	msedge.exe	107
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108
PID 4844 wrote to memory of 4320	4844	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\Uytta Client.exe
"C:\Users\Admin\AppData\Local\Temp\Uytta Client.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHgAaABpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHkAYQBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAYgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAegB6ACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe
  "C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb2a6a46f8,0x7ffb2a6a4708,0x7ffb2a6a4718
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,10021361202850467641,16699413198108455606,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:5604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4852fc46a00b2fbd09817fcd179715d

SHA1
b5233a493ea793f7e810e578fe415a96e8298a3c

SHA256
6cbb88dea372a5b15d661e78a983b0c46f7ae4d72416978814a17aa65a73079f

SHA512
38972cf90f5ca9286761280fcf8aa375f316eb59733466375f8ba055ce84b6c54e2297bad9a4212374c860898517e5a0c69343190fc4753aafc904557c1ea6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d6b4373e059c5b1fc25b68e6d990827

SHA1
b924e33d05263bffdff75d218043eed370108161

SHA256
fafcaeb410690fcf64fd35de54150c2f9f45b96de55812309c762e0a336b4aa2

SHA512
9bffd6911c9071dd70bc4366655f2370e754274f11c2e92a9ac2f760f316174a0af4e01ddb6f071816fdcad4bb00ff49915fb18fde7ee2dabb953a29e87d29e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
31c1b4fec872993d0b377fbd651976ce

SHA1
375b7416cfc26775593668cc1aeeb0354a137c63

SHA256
164aac6ca9122d1119b86602bfce3fd4caa8870df0212406fdc5688109edf367

SHA512
0e7721d61b655598f9c47f34a72fce2d62c5dd2ae570be41a4e63ac7d6d09b2a06264db9a914d6b2f67f5ba1e1eb58986d5a3465c8499d3e75288c7671ccd25e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
855a81e1a8f4cb323654e9963607d64e

SHA1
b9210b59f326ada049559fc0c0356de57cc3fa67

SHA256
f25a6ebe98895c48fdcc359ff8681d34dc8dd745c848384cdaa2efd01e605680

SHA512
f34240cc33c84eea1e5e92544505eebb197f8406b3e29352ea907af8ff222f8803476e92234988489d9a0618aef8863b49039809cc07edbd6a834d349fefdd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba3f735a80815077ec6fe83cf0c27216

SHA1
1ad80b59d89e357152edbfe1b2c04c3801f5dcdd

SHA256
ad3532cb3e61b0509f02b99b42d59fdc5d0cd7e96a10eaaed2f0d501e6a2302a

SHA512
bbcc92177b7b59bfffadbf8a92f3c0269b75f50c51579ddfd30f497780a9e3ba862f170dd66267453e4f76a75874124fb4579a58dbea0b90a99ff5370ae40a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
737eafe8335f6bcf2c313f8f95250af1

SHA1
a69603d62358da82f8963a630f4159cfcdce63ca

SHA256
4c4f3759165f8d101340bbdb3903aa8f8d2908a9453e7f5e87db695beb7e5b09

SHA512
0fc6894a05beaabd9431d04892a6ae25954dc76a3853670f84d915fa98c2c980917109db1038a3b2ea3b2629500d90f91d4155b55cc93ca8a7935648f205ba9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2757725044c1a23b8a85f992a9462efb

SHA1
e751bfc2a8dd2e167277bcf53e9dd1e08ab145fa

SHA256
88a7914189887f72044274ddd9c18771f596a76372ae636b1adbda3dd08e6f20

SHA512
dc7b088e3674703245f238e7be5fde520dac869cab7a56a9fbc03283e99f1cf747df9e3fd309e0d7bd06d11efb29d581d52e3a2836be9e2b40d373cddbe81d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
cc27b09ed5140938a12354df9fa98e5c

SHA1
a4ec73e2944407d85bf8527c0d56ffbc2a4f1164

SHA256
7bcf92f7d48fb797a90deae385b82f8ff5f2fdb212fbd20d5bc0fd422c2544ed

SHA512
37b31c37c00e786da73d64594efb97ee71d4c2fa701d84b19eb3aaa3fabeb97b9a12a3b6723f2e7e10783f6e8baeb793bdacb4a8310ce4e9cc4ec63ae4dec200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584159.TMP

Filesize
48B

MD5
592b75a1e68ede2d118bd569fe495d4d

SHA1
7e82ef9a18af43da31fd60a518f156c19feb6fc8

SHA256
2f92fbf7242f5125d44b104b5eff919154fa6f85e34c51f37e8554427ec393d5

SHA512
6c923d9faa7874ce81291130a4088e4dd68c62a132018e33f9aa03c4e670ec485b8260200601bdb2487455f94a875dea3b3b3f7785c6c97db2d6d270087180c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31ab600d222761a9234ea31d23e16504

SHA1
044861b2353d3a0fccc191c4a5a0cf65f5bcc67f

SHA256
fc0be6102d2b97ecc16e2c1ef2ba37aa06d431620d873e88f9cea381385708c9

SHA512
b74d8cd900e2326024b08390a460067783ff84bdc6ad4bff48da6975d9b3b2f66a5c467c6470f1b41119adfe738b253cdb9212a062022cca108642d60fb0ff43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1a4f97b0bbf5bcba5498561ca5ab33f5

SHA1
ebf9fd01463668995e04df97f9900ca84a5c2af2

SHA256
31d682140b186f9145b65e54c91b229b39f0d2a6cbabb97c8b82d3238767cbdf

SHA512
355b133222aa301dc7bd985a9f42c8b537031068678f4fe52285d5978a69964048e8829d0aa4e5ef71a0eaa9360df9f76a5773eed70fc33032ce16b4860dee02

Download Submit
C:\Users\Admin\AppData\Local\Temp\MonkeModManager.exe

Filesize
217KB

MD5
1d62aa3d19462f3d5575fc54159911b4

SHA1
b37eab86c0075245fcc517a280f0705f6dffb852

SHA256
6acaae0fb470790102a338e23dfe2263f31e529288e4efe51b34bca30371cb36

SHA512
78a9501d7920920577a586396e5d9e2278a7c926448c9a98d7844db9032dbd887df90d2f389fe1754bf5a2071a19dfd5d40315624923e903ef9ef6cbb214b1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
61KB

MD5
67ad539d4ba13679ee8d1d08d2550222

SHA1
84e0e5f4c37f1e7bcae5fd652de76b5d12302733

SHA256
5e5102c1c1bc6f43fcf95b46816e69b37c28189043b100e762670bc81504d5bd

SHA512
c261a58e55d0d2a7dbcd27d45e9a4c39f30ee522bb50179ad0d479a9bdbccbf08d8d08663f08cc579898799f87bdfa1f2cd2ad3dd153e3aaada88c8fc3d5366c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qnfihkhp.0ev.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/640-26-0x00007FFB2F440000-0x00007FFB2FF01000-memory.dmp

Filesize
10.8MB

Download
memory/640-24-0x000001BEBD160000-0x000001BEBD19C000-memory.dmp

Filesize
240KB

Download
memory/640-93-0x00007FFB2F440000-0x00007FFB2FF01000-memory.dmp

Filesize
10.8MB

Download
memory/640-461-0x00007FFB2F440000-0x00007FFB2FF01000-memory.dmp

Filesize
10.8MB

Download
memory/3416-31-0x00000000051C0000-0x0000000005226000-memory.dmp

Filesize
408KB

Download
memory/3416-45-0x0000000075400000-0x000000007544C000-memory.dmp

Filesize
304KB

Download
memory/3416-59-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/3416-60-0x00000000074A0000-0x0000000007536000-memory.dmp

Filesize
600KB

Download
memory/3416-61-0x0000000007420000-0x0000000007431000-memory.dmp

Filesize
68KB

Download
memory/3416-25-0x0000000002900000-0x0000000002936000-memory.dmp

Filesize
216KB

Download
memory/3416-63-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/3416-64-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/3416-65-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/3416-66-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/3416-57-0x0000000007860000-0x0000000007EDA000-memory.dmp

Filesize
6.5MB

Download
memory/3416-56-0x00000000070E0000-0x0000000007183000-memory.dmp

Filesize
652KB

Download
memory/3416-55-0x00000000070B0000-0x00000000070CE000-memory.dmp

Filesize
120KB

Download
memory/3416-58-0x0000000007220000-0x000000000723A000-memory.dmp

Filesize
104KB

Download
memory/3416-44-0x00000000064C0000-0x00000000064F2000-memory.dmp

Filesize
200KB

Download
memory/3416-43-0x0000000005F20000-0x0000000005F6C000-memory.dmp

Filesize
304KB

Download
memory/3416-42-0x0000000005F00000-0x0000000005F1E000-memory.dmp

Filesize
120KB

Download
memory/3416-41-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/3416-30-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3416-29-0x0000000005120000-0x0000000005142000-memory.dmp

Filesize
136KB

Download
memory/3416-28-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/3416-27-0x0000000073E7E000-0x0000000073E7F000-memory.dmp

Filesize
4KB

Download
memory/3508-62-0x000000001B2C0000-0x000000001B2D0000-memory.dmp

Filesize
64KB

Download
memory/3508-23-0x00000000006B0000-0x00000000006C6000-memory.dmp

Filesize
88KB

Download
memory/3508-21-0x00007FFB2F443000-0x00007FFB2F445000-memory.dmp

Filesize
8KB

Download