xworm | hxxps://gofile[.]io/d/aDd2yE

Analysis

max time kernel
103s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/aDd2yE

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
XClient.exe
pastebin_url
https://pastebin.com/raw/KESYt2Qf

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000500000001e4da-57.dat	family_xworm
behavioral1/memory/536-97-0x0000000000580000-0x000000000059C000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
40	892	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
536	RedWare Temp V3.exe
3064	RedWare Temp V3.exe
5184	RedWare Temp V3.exe
5244	RedWare Temp V3.exe
2708	RedWare Temp V3.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
54	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1479699283-3000499823-2337359760-1000\{0BDAED44-3DD8-4388-8C4C-00BC48CA1BDA}	svchost.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 501990.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
892	msedge.exe
892	msedge.exe
4364	msedge.exe
4364	msedge.exe
3032	identity_helper.exe
3032	identity_helper.exe
872	msedge.exe
872	msedge.exe
3316	msedge.exe
3316	msedge.exe
4804	msedge.exe
4804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	RedWare Temp V3.exe
Token: SeDebugPrivilege	3064	RedWare Temp V3.exe
Token: SeDebugPrivilege	5184	RedWare Temp V3.exe
Token: SeDebugPrivilege	5244	RedWare Temp V3.exe
Token: SeDebugPrivilege	2708	RedWare Temp V3.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe
4364	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 1552	4364	msedge.exe	88
PID 4364 wrote to memory of 1552	4364	msedge.exe	88
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 1896	4364	msedge.exe	89
PID 4364 wrote to memory of 892	4364	msedge.exe	90
PID 4364 wrote to memory of 892	4364	msedge.exe	90
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91
PID 4364 wrote to memory of 1376	4364	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/aDd2yE
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Users\Admin\Downloads\RedWare Temp V3.exe
  "C:\Users\Admin\Downloads\RedWare Temp V3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6197272242355773345,340940362357893884,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:956

C:\Users\Admin\Downloads\RedWare Temp V3.exe
"C:\Users\Admin\Downloads\RedWare Temp V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Users\Admin\Downloads\RedWare Temp V3.exe
"C:\Users\Admin\Downloads\RedWare Temp V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5184

C:\Users\Admin\Downloads\RedWare Temp V3.exe
"C:\Users\Admin\Downloads\RedWare Temp V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5244

C:\Users\Admin\Downloads\RedWare Temp V3.exe
"C:\Users\Admin\Downloads\RedWare Temp V3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultf461a1cch773fh4759h9b07h659e695d6881
1⤵
PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3701230085855592414,6329363823202829811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3701230085855592414,6329363823202829811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:6084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault7c424a0bh669fh4b93h9087haca853811b1e
1⤵
PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,6729880062121122241,9564268060773262977,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,6729880062121122241,9564268060773262977,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault826c6b9fh02cah4ca8h88d8h6eeb3a6359f7
1⤵
PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff39d546f8,0x7fff39d54708,0x7fff39d54718
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1409779976754417029,760361260385819259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1409779976754417029,760361260385819259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b5cfebecbfd715cf1c2e86aaba6753c

SHA1
c2d783bdd82fcfb68e8d566bcd34ead327ed7c13

SHA256
6fca1fe2a780fb27f0493353a73b9ae02e9671b51a50b07566a322abe3b25cbf

SHA512
b6ba779a8bb083a12f7f100c4c338d5902f2e2762654f70fb578dae4c0dccba1c7eec4cb0b5cbc1d8567fbb02624a077fe9f60573dbd12b78da4e5ae618a751f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f26c6527981fa81a83e126aa48a3474b

SHA1
b1e454bd2eff22e1855e6f210a239c86d4b780a0

SHA256
8d3b6a85a89b3a3d84ea7032bece4d826f7646acb5e41a335b337ec3b650298a

SHA512
ba15a05a1c8c2219bdc00a212dba0e9fb8fd95946af2401d372cd7072ea78594b4036ceb947be6f455a0bf9ffbe14fc35bf49915ebe4baa6a3da42d34b740871

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1af5f8bff816f07133802323434ce71b

SHA1
f4996fcce06b6360fdde8ad6fcebdbd78ec11ddd

SHA256
6a18d1399647df7b8e91fa653c4701766f9e1a453c45ae829e4b1e6904e8b24a

SHA512
82eccc964f68d44162e03186471387056670ed11af57c929bef1064f5890b6a8f3234fffdacc820d330f5a333fbe62356dc9d729004947838084681c2e7b65d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9551a0057362c3e3af4ad4a95d38f5aa

SHA1
d498297c6c35f803271a532d0f37e4fc79ff1407

SHA256
dcaa3d6d14ae1068ba5d3075a36ce5c6ef304d056e2d6b83bc33a14df3a5d547

SHA512
f22e203748bb4f0ac5fd9a12d781b500eb438ac28383662a64c2aede8c23c0d0ab4f37710580e9aec4bb3b319d174584e5853f20f9500149be23d534eaeb0c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a690d53f0215760186aa07b114ac4561

SHA1
601015b3d5837e99e481db0dcdb0ea33fa80cefc

SHA256
8ee92ce70ce780b9af998d760d7226892a37c4a7ca5bddfaaaa5da016dbedd93

SHA512
935db7966c0c541b2894b83af14586dfffe138a2a18dc60bfd9d076fb724410841b5536261a090ce57525f8a7dc25e4bc3b133fce61569beebf4efb126607a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f1d2e17b3de784ec7f2941219c6bd07a

SHA1
6c3e66316c50f541c95d65542aa45c10bd84ab6a

SHA256
6c974a3a0953add59aacad6f953403a3ce0d617d3beccd69e74b7fe711b03a2d

SHA512
5ade6628a303e967b68c81066686123546a5a8c88379162e24bde1c5e52705306df5f59544525cc105831e1c62c7a086dbedc7cb40e1d3f6484cc146ac5b585a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
82ef2607beff28b14acaf5466fca50b0

SHA1
a09c79607ee47ebb14a1a6085fb59763e36daafe

SHA256
530a017591d0f6d3bbb0e575af2eea8b71ec9555c7fbad062520f979fc8b4f0b

SHA512
7e743cb540d913e53993f963c67eea336095458d6c408e605ba9da859710d0f2e223706c06460dfa91f32121c2aba605a8f320550f706585ced148511dea8482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b42cf09a09ef4417d883bf2c9d86c6c5

SHA1
29e09bc18a21598528081bd256429860e64a49c7

SHA256
76368157c17d8b7ca4e0e337c1a2a97287cf6637648d548ba0ccca07731ed50c

SHA512
9a87d7cfb0e7c522d2c98c940e98aa81deb12b86631d29163c6173c0ceb81d5e5f047f4795a41cb7d2c4465b032af25cba9239e3ed91b6e84a175b36d6638359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
325e4d688353cbcc852d694c29b0c0ea

SHA1
6f6426aa8e5521ee568db49be69ab1de5cee7e83

SHA256
2c916a1254d5474cdde9806018a81dea8cebc97a8bed54159531351724eea789

SHA512
8cbd7d54bd560a1504ea71f97fa3e395c920baba8600855d4f0be9e74ba18e46a8efe71454205bd85454096a2a70d9411dc8b1178081850ee06d856c91c6f7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9ac7d64ba533facf33c12b2972d57175

SHA1
0ebaf3c94cc3e9b9b02d7547a09bb717a947fdb3

SHA256
3a40027ca447bdbc4a277cc817c600cb359e26ff350c7bacf4c87e8b35f556a2

SHA512
96c4f83e1963bc4f6367b8916a97c8185cdbd9e33dcc89a541f1688103296226c017c84e3e41fbaff1ed197563871183f620562a02f1f0bcdee117247a878e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3d70d292f18442ddae72e61b7e34609

SHA1
28901afdd53e6d093e8a83e5ce779b5900caffa3

SHA256
006976d19ceba0608a0459b829ddb0686597fbf5cfdf9042ddfeb7a863ff5e22

SHA512
8b6a7d1cfc154dd2abdc94702995d443620401142ee74d7174ac7ad42fa05a63a5ce4e2cc00734cf609f4417c9890724a166b966dee81954ab745711a52c3553

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e1316f71d0270b15373b6cab54906b7

SHA1
712f17c67ddc044e8a59cfcb0b6d4baa78a7ce5f

SHA256
2860eb14ad04135fe4610da6232b97879882d86b207d1d75f28ad69cc3056bcd

SHA512
f16e02142f0fbdc1d515f31a9411cd1d26dd3167178fe70f1138db462784c9eb09044ac951f470905fea4a317d2f5818587fff347945b7a6b091b8ce044db270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
422493f878b6dd38524b78598465f54c

SHA1
84ea4e847aec5fe9ed3b16d9d9a3e0c00722ecb9

SHA256
89cfe824297f7e952221cba9a5ed64b39a67f9c08d033855803560da0025a273

SHA512
2eb130e50d89823fd23e6cbaf26baaee2adf60d151c64f104304605926f39f6e9a4d205a10fcbfadfc0bcc168c3d1826c4b0806c172d2660b00145b188f7b518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
637da4f56a85bf16568055153d9b04b9

SHA1
b36a3531bcce61e68227d452a2636671bd72f54a

SHA256
c852571cdbe04ebfd6a4e387012f9c3c2a577260920b13814904522a473d44b4

SHA512
1e49f11b9341844662f64f2cff8f8c02e80ffca3c506933e12a6d47c5e74ff79ef50854a97efc5d204a9b743c1ff61df1a1143a6a83b4f2c59fe26c4c89ac248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b80c3b76f6555ae2da2dab312cf21ec9

SHA1
abd50c2856888b115b2031cc97c5fb4ed3467e9c

SHA256
dadf2fa8eb791d6359ffea0309d69d2abde9312c30f5aee94c1f428a15b4f105

SHA512
b8e2f8da3d4894f5ff278ee5d0aa69fc099d267a2c40057587518dc5e0c511d07b07746df2efe4a6f514eaf28cac8b0e1ba97e0806d9bf7ae3299d5105ee81d4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 501990.crdownload

Filesize
86KB

MD5
dd14ce42c869309959374b8497b8b8c6

SHA1
3d6fbe7bdccb4d779e84ac058f8c7ec8fc3e623f

SHA256
78286063f2e7de6b9d38075affdbfd0f24456eceefb4e86321298e71409a6a02

SHA512
95975b34eac64834cffeba1322d3718afead0163cf11fb4362c12cb1d34beabc38cc4407619de98726cd977a212fed7002a2664b37ce105d07e8265776f47124

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/536-97-0x0000000000580000-0x000000000059C000-memory.dmp

Filesize
112KB

Download
memory/5244-132-0x00000000016F0000-0x0000000001725000-memory.dmp

Filesize
212KB

Download