xworm | 2716cfd0d3479d42e903bd0c835b91fd5918a02fb63bdc1b52f73921bf4b307a

General

Target

GxMBK.exe
Size

1.6MB
MD5

049b7a8f84d8c8e7932bfc6e97362c30
SHA1

f3d85b5214062a92ecacd0a65e02593e44ab188a
SHA256

2716cfd0d3479d42e903bd0c835b91fd5918a02fb63bdc1b52f73921bf4b307a
SHA512

eb0c58f723a9c6a2d3d29b10f89538845cfbdaa2d4579de4238a0753050154dacc7832cc20f858b757fd6a2e491b5f775262f670309b7691437910c59a106924
SSDEEP

24576:bYO8wJFOtz7uuqEP+1MoIpgpgi2esTTPfQHSvMYdihbjct3sP8ZS3pdWMhLaw:koqAI4sTTP4smZ58wl

Score

10^/10

xworm microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

Mutex

TU53fgvTBLouBDSy

Attributes

install_file
USB.exe

aes.plain

Signatures

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Drops startup file 1 IoCs

Processes:

GxMBK.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk GxMBK.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk	GxMBK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of SetThreadContext 1 IoCs

Processes:

GxMBK.exe

description pid process target process

PID 4492 set thread context of 2176 4492 GxMBK.exe schtasks.exe

description	pid	process	target process
PID 4492 set thread context of 2176	4492	GxMBK.exe	schtasks.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\8d92a3ad-d37f-41a3-99cc-69ef876afb8d.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230131222327.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4188	msedge.exe
4188	msedge.exe
2084	msedge.exe
2084	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

2084 msedge.exe
2084 msedge.exe
2084 msedge.exe
2084 msedge.exe
2084 msedge.exe
2084 msedge.exe
2084 msedge.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

2084 msedge.exe
2084 msedge.exe
2084 msedge.exe

pid	process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

pid	process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

GxMBK.exeschtasks.exemsedge.exe

description	pid	process	target process
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 4492 wrote to memory of 2176	4492	GxMBK.exe	schtasks.exe
PID 2176 wrote to memory of 2084	2176	schtasks.exe	msedge.exe
PID 2176 wrote to memory of 2084	2176	schtasks.exe	msedge.exe
PID 2084 wrote to memory of 2744	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 2744	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1204	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4188	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4188	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1368	2084	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\GxMBK.exe
"C:\Users\Admin\AppData\Local\Temp\GxMBK.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x9c,0x7ffa974746f8,0x7ffa97474708,0x7ffa97474718
4⤵
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
4⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
4⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
4⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
4⤵
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 /prefetch:8
4⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
4⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 /prefetch:8
4⤵
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
4⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
4⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
4⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff735ae5460,0x7ff735ae5470,0x7ff735ae5480
5⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
4⤵
PID:2692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
4⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
4⤵
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
4⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1268 /prefetch:8
4⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:8
4⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1836 /prefetch:8
4⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5840 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,5681541189671699033,12873982525511144424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6076 /prefetch:8
4⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
3⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa974746f8,0x7ffa97474708,0x7ffa97474718
4⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c71cb7463c49e125cbae14ac265cf18f

SHA1
4430c030546d725e7f6e5584f139e012e9214f06

SHA256
1eb6d93849a5c52e9b381fc0abd82b401e2d1e5dfbedd48a3cff50e91e758018

SHA512
2f1317d23dfe8c39760e51900cfaed49a2ba4675f0904ec033252e037e0eb935e59b4cc0b8c11c4acd7cfbddf0d9d461f5a66504494863c2bb7781aa3c000eed

Download Submit
\??\pipe\LOCAL\crashpad_2084_CJWHVGLRPKPMVBZX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/64-179-0x0000000000000000-mapping.dmp

Download
memory/1204-140-0x0000000000000000-mapping.dmp

Download
memory/1328-163-0x0000000000000000-mapping.dmp

Download
memory/1368-144-0x0000000000000000-mapping.dmp

Download
memory/1560-160-0x0000000000000000-mapping.dmp

Download
memory/1636-168-0x0000000000000000-mapping.dmp

Download
memory/1776-178-0x0000000000000000-mapping.dmp

Download
memory/1876-150-0x0000000000000000-mapping.dmp

Download
memory/2084-137-0x0000000000000000-mapping.dmp

Download
memory/2092-162-0x0000000000000000-mapping.dmp

Download
memory/2132-159-0x0000000000000000-mapping.dmp

Download
memory/2176-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2176-135-0x0000000000000000-mapping.dmp

Download
memory/2692-166-0x0000000000000000-mapping.dmp

Download
memory/2744-138-0x0000000000000000-mapping.dmp

Download
memory/3080-174-0x0000000000000000-mapping.dmp

Download
memory/3440-181-0x0000000000000000-mapping.dmp

Download
memory/3584-154-0x0000000000000000-mapping.dmp

Download
memory/3748-176-0x0000000000000000-mapping.dmp

Download
memory/3752-146-0x0000000000000000-mapping.dmp

Download
memory/4044-148-0x0000000000000000-mapping.dmp

Download
memory/4188-141-0x0000000000000000-mapping.dmp

Download
memory/4244-170-0x0000000000000000-mapping.dmp

Download
memory/4288-158-0x0000000000000000-mapping.dmp

Download
memory/4412-156-0x0000000000000000-mapping.dmp

Download
memory/4492-132-0x0000000000A00000-0x0000000000B98000-memory.dmp

Filesize
1.6MB

Download
memory/4492-134-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/4492-133-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/4636-152-0x0000000000000000-mapping.dmp

Download
memory/4756-172-0x0000000000000000-mapping.dmp

Download
memory/4772-164-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads