xworm | 820d57a6faa4134e63df8bba8638792b55a7fe3c77559812706cd7de4da189b6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FNExternal.exe
Size

86KB
MD5

7dc43a52c140117ec3a23b8f78496f0f
SHA1

1c7c2697d12df0398fcb089853a1b5789f3ae887
SHA256

820d57a6faa4134e63df8bba8638792b55a7fe3c77559812706cd7de4da189b6
SHA512

95898e739ead059e06531367a0c5ca5c630ed1f16a2a2c36cada8b7a94d4fe81f7486ab7ef720da1ae09169c08fc32aa64fb4a5554a5779095400582bcaaf3be
SSDEEP

1536:N20YwopvrUvr0wMTwjqWJZiCbJVjWTDpJO960azDAOuymZp+X:BYZpAvgwMm5iCbJCSO5mZ8X

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:37044

design-ears.gl.at.ply.gg:37044

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/memory/536-1-0x0000000000FC0000-0x0000000000FDC000-memory.dmp	family_xworm
behavioral2/files/0x0007000000023df3-383.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
160	4596	msedge.exe

Executes dropped EXE 8 IoCs

pid	Process
2224	FNExternal.exe
3024	FNExternal.exe
5228	FNExternal.exe
3636	FNExternal.exe
5640	FNExternal.exe
2632	FNExternal.exe
5528	FNExternal.exe
5724	FNExternal.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com
165	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 234781.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4596	msedge.exe
4596	msedge.exe
452	msedge.exe
452	msedge.exe
3264	identity_helper.exe
3264	identity_helper.exe
5096	msedge.exe
5096	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe
5624	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	FNExternal.exe
Token: SeDebugPrivilege	2224	FNExternal.exe
Token: SeDebugPrivilege	3024	FNExternal.exe
Token: SeDebugPrivilege	5228	FNExternal.exe
Token: SeDebugPrivilege	3636	FNExternal.exe
Token: SeDebugPrivilege	5640	FNExternal.exe
Token: SeDebugPrivilege	2632	FNExternal.exe
Token: SeDebugPrivilege	5528	FNExternal.exe
Token: SeDebugPrivilege	5724	FNExternal.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2784	452	msedge.exe	96
PID 452 wrote to memory of 2784	452	msedge.exe	96
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 1708	452	msedge.exe	99
PID 452 wrote to memory of 4596	452	msedge.exe	100
PID 452 wrote to memory of 4596	452	msedge.exe	100
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101
PID 452 wrote to memory of 432	452	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\FNExternal.exe
"C:\Users\Admin\AppData\Local\Temp\FNExternal.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec04b46f8,0x7ffec04b4708,0x7ffec04b4718
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Users\Admin\Downloads\FNExternal.exe
  "C:\Users\Admin\Downloads\FNExternal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Users\Admin\Downloads\FNExternal.exe
  "C:\Users\Admin\Downloads\FNExternal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Users\Admin\Downloads\FNExternal.exe
  "C:\Users\Admin\Downloads\FNExternal.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,4045777407097374655,8386615647100145228,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6520 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5912

C:\Users\Admin\Downloads\FNExternal.exe
"C:\Users\Admin\Downloads\FNExternal.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\Downloads\FNExternal.exe
"C:\Users\Admin\Downloads\FNExternal.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5640

C:\Users\Admin\Downloads\FNExternal.exe
"C:\Users\Admin\Downloads\FNExternal.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Users\Admin\Downloads\FNExternal.exe
"C:\Users\Admin\Downloads\FNExternal.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5528

C:\Users\Admin\Downloads\FNExternal.exe
"C:\Users\Admin\Downloads\FNExternal.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FNExternal.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3151702b052396fa54c6f33e169d8bb3

SHA1
3112f82a81857099d35a70e4f1c0f920203352a1

SHA256
5ece1b115825036f76a1c1c140af8321b1788b391214cb38da768013dc690c23

SHA512
9676fdc331ae850cc5c1ebf241583d110fd4f21d8052fad32f1cb778c589578b4a5c7fb05f48cc55459a5e0743ea2a716f11bb88cd6e01263f02bf985e977a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
88cf3b6c25df9fb7fb534ab8658f3edc

SHA1
8686a81d7c1780806a47b16f7ee04e5c1160a7be

SHA256
6a3706ab9de36d0534722f4c61e8902efb07668f1fffae111896d2a8fc4aeace

SHA512
d85a0045baf112b8686b20155de79e646a0dc86a6cfabe60884b242dcc69b6959306eaef95a75ae095999583118501d2ad4223bf0e51fa5c34e4b6cbc101234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2f2c376884a5c05da4bc4e751c2fcb54

SHA1
f1d479f396bd609d74cb159513d8ba9ae3cf9497

SHA256
2aa68868bcaa36371d043a719d1298e3501fc3fe769d86a3889bf16d2f394220

SHA512
fed8bff6da53d0b1c67736e78d090ec62dad8cdd0f750b29dc79d27fd2edc1c43cec544e5984d57a03e7d59e94d2e26ac9895ffd080a3e8b4da828472cd7b3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
464712c345d10747311ff0c398f852cf

SHA1
9afe4131a73bba7a50244e21aac0616fc599c21c

SHA256
e9aa4ad739e85ecdcf17d742511f75f8a6546e869f0017e59a55a3a8ef266189

SHA512
411540aba64c56ae8f440764ac6fae9b9d722afe6edb1529679c9777ceaf6472cf893244ef3563b7e52473697bf85efca2dc16ee604d576a5e9f1dbe4e1be6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b7ca1075562910ef0d34536b658a4a8b

SHA1
15a1e70f2184815c2008b79ef85a6e886def323e

SHA256
9a254922255bef1902b94545097396eb0f8e41f1f432cac92be0c51a71534547

SHA512
0b388ae76387686d8bcd116ed6f29ab6ccb7106b2f28ed6f1137a788d25cf86c764081176a47a19e619596439128a6681635a613232b949805e0fc1e9bcd74a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
352f9de45b3886c8adb5a678b853afb1

SHA1
2aaa1dd9cb5945de86c64fe490e25c148d25be07

SHA256
4432cdfa3f6849f72647dabc6d74e5066e0b5c36b5dbbff7cc41a179c274ddc9

SHA512
491773de67d915d8b5adbd98282dd68cacf9751013774d59c7e1289c77c6ccbd313432fc6f4350dcbff171fcdd39c05775859e40b6971fc9f525aa3f72992114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c601f1d1dc5fb18c314bd53a05a8b4a7

SHA1
d3ae616e425843cc2711886d14ecaeec104b4a26

SHA256
206b027484152e3ce62b9a4ca5430d36a28fae7680b0ddb4f4aaa181a63c46cc

SHA512
8a22e9023aa51427ba5dad83f59f433004635c1a476b1daabcbb5a6a4f8a9d2f806ded0bad9c5edfe43412465d2eb41e07397e1c1a9d90ed3932b88e640fe3f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8f853b20bc84a5710371d3a9b6ea1f0

SHA1
9a01d947897d1bfde049a6ee12553722c571206c

SHA256
ca22c087e2ebcb1c6e25a9f64dd0aa094fae06f3f0f051c909ea2697bbb34005

SHA512
4cd3eaea84e764a44ed4cb67fad548b0e685ebb17ccdfb579a6e221e5e49ef5a7a18df21bbdac30e56e2f02747fe917fd746a07fb0a414e0674da598e85c14df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a417dc96a7c6dbf88efe880915fd713

SHA1
2983ea6ae4482727be77ff29a2ccc1526a3c3a77

SHA256
d10cae7ed616956e867a939a1a1f75a8267e4377542cb47c9f18db6c873c6ab7

SHA512
79ecf3927b1039a30f03b3f9d59cfb37e5135e219a088a94a6851751933bf77f6005d16b509a2148f6e75247aa362922218e2187e7df6843c23c04fc2b14ba7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0123676547c09aa6911aa739ca8f5823

SHA1
e4c9edc7eb9094535bc55d7ce689d46caf56e296

SHA256
ec3ca9ceeb161575014ebf7635d84cf52ccaf0f137634c438c4eeffc463ea15d

SHA512
88932434c0ae62653496001aa399da768283c063e0c1aa0ca53b2590f63a12dded91602905c25cfff99a7e456beb4dff97271d83fcb2d0a3e47d9ac702688110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
214c1cac3d4621d51d7b5dbc66422e3c

SHA1
be8b5edef53a9d98b79c4aa6aea764c0d22e1f00

SHA256
e4b6ba9a58499eafba873d917f109cc87cdcbefd8e5f50e1ea9a76e09cf7508e

SHA512
c7b63ff3ef09a139a70469fe2c56b5229886d1fd1cd47ed55ba9fe08fe3f6a8321125c5cefe84f20a9b3f80124402873eeef789e6d1b44ef538c36c1b97f9d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585455.TMP

Filesize
48B

MD5
97daaed273f11e5d1ecd5fc607f084f0

SHA1
5bdf1f5d25a61d344c0980949ea0ff9ab7f9f794

SHA256
3c403f5bd612ce96471cffecc562c0f642f63d27d87fd76e0ba8976ce3ae9359

SHA512
4975ffb8399b508a88c4139c9e66e36278ea279d473e3238863815798bc05bbbd5afa44ddc5d089deab88edbb11f55381e5c909a036e5344a5868aac144b3406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69de682cfd4ada5ddce61edf10f29208

SHA1
defaca3d828242e4b698e4740ac1c252ffc723b9

SHA256
5e6c306bcfa18aeb2a23a49a9a7448a67a8aeda9c2fc0666115340a66d0f14fb

SHA512
6505f7aaa30a484c4943d34f18d953e65f1808f3fc026a096adabf509e4657c91c11d807432fcef99aa4fbd454ef2bf76131b1a88da6e4e7b49bd062223ef327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6b235a975c5f40eaf98b0fda0685eda3

SHA1
c29a94256f27ca226a6638bfe86c5d4bf9fc4a48

SHA256
5342061d4d899b26bbaa4e12943af533af32a30693518aca0030c3dca62c5f1f

SHA512
551e88a7a38f6781fc066da73c1e9b902f9b15997fc7175cef907a0cfff1efb0703528d75433b774cb23a76c1b8de6507983806b1523e51443bc60199b3ebbd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582517.TMP

Filesize
538B

MD5
b9d0f3756da9bb350a7f37d5076853ca

SHA1
0ec07dfcd3af1dd42a4d1b28a53e372ef0644b84

SHA256
92ac8c39fbf0cf30fb47cc9961a76d5f89a8fefac62d637cf557315102bae6b6

SHA512
341bb535f1c41833b0fb7c2729a8c31756afb94f36fd25ccb8e9e16c593c179ad4136b704f3a5bcb19c96e057963ee20b561afd831c7b872b39c25de906d6e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
340e30d0e08a4f28da78faaf3759645c

SHA1
becd292bcc380334f814d70b15ab020ae8264ac2

SHA256
4c8f4d86f04c7e12a6060af64d9c2b8dcafffa4aabb1684e117d129e87922a29

SHA512
c0677aa03c09a6bc28b0469bb2d96934b3f99c3a144b9f4b256b0444d9d7cb9fefc2955bffc66677e68394272bb91bfcbf797a875365a9a3fa7279a8423c0efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
64d609fa27b74fd117595ebb60794f38

SHA1
50761624733c17105e91f68651255b82ade8720e

SHA256
29cde1bc261a3ccc83ae7593854f92e0273270809ed706713fa50060ab62c6da

SHA512
c329d1cdc8db240fe45d3947c6a76881292218739833e2e2e8e2f01a58bba6c804f32229ef766799d3fccc834524d342e2acb62bacf682d9c190166f8882a096

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 234781.crdownload

Filesize
86KB

MD5
7dc43a52c140117ec3a23b8f78496f0f

SHA1
1c7c2697d12df0398fcb089853a1b5789f3ae887

SHA256
820d57a6faa4134e63df8bba8638792b55a7fe3c77559812706cd7de4da189b6

SHA512
95898e739ead059e06531367a0c5ca5c630ed1f16a2a2c36cada8b7a94d4fe81f7486ab7ef720da1ae09169c08fc32aa64fb4a5554a5779095400582bcaaf3be

Download Submit
memory/536-0-0x00007FFEC5443000-0x00007FFEC5445000-memory.dmp

Filesize
8KB

Download
memory/536-27-0x00007FFEC5440000-0x00007FFEC5F01000-memory.dmp

Filesize
10.8MB

Download
memory/536-2-0x00007FFEC5440000-0x00007FFEC5F01000-memory.dmp

Filesize
10.8MB

Download
memory/536-1-0x0000000000FC0000-0x0000000000FDC000-memory.dmp

Filesize
112KB

Download