Analysis
max time kernel: 271s
max time network: 270s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26-05-2024 13:00
Behavioral task | Sample | Resource
behavioral1 | ComaruMineSoft (1).exe | win11-20240508-en
General
Target: ComaruMineSoft (1).exe
Size: 136KB
MD5: 43808435bf099cd9cde1eb59f855f9bf
SHA1: ed805b3285351246fc6b4c7f354d63a81a150a6b
SHA256: 160e71a35044219b73f37711affceece275c67e36151b1a07c30b402699e781d
SHA512: 49bdcd464f07be319eb9812856fe9321f4e50ed1c761ecb4bcb4b4f497657c87daa8a807ce3c82dd752207bf48b4e95bd596aa1ede0c39b29549e9e47e2b189e
SSDEEP: 3072:YfNFD9tqOwwFBz65/M6If+3Js+3JFkKeTnF:YfTD9DxBt25
Malware Config
Extracted
Family: xworm
Version: 3.0
C2: country-surface.gl.at.ply.gg:33099
XIMmw0sYrxYSGqLX
Install_directory: %AppData%
install_file: USB.exe
Signatures
Detect Xworm Payload 2 IoCs
resource | yara_rule
behavioral1/memory/3808-1-0x0000000000790000-0x00000000007B8000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe | family_xworm
Drops startup file 2 IoCs
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComaruMineSoft (1).lnk | ComaruMineSoft (1).exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComaruMineSoft (1).lnk | ComaruMineSoft (1).exe
Executes dropped EXE 4 IoCs
pid | process
4632 | ComaruMineSoft (1).exe
3132 | ComaruMineSoft (1).exe
1932 | ComaruMineSoft (1).exe
3600 | ComaruMineSoft (1).exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\ComaruMineSoft (1) = "C:\\Users\\Admin\\AppData\\Roaming\\ComaruMineSoft (1).exe" | ComaruMineSoft (1).exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 2 IoCs
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | taskmgr.exe
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Runs regedit.exe 1 IoCs
pid | process
3236 | regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid | process
3396 | taskmgr.exe
3236 | regedit.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | process
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
4092 | msedge.exe
Suspicious use of AdjustPrivilegeToken 20 IoCs
description | pid | process
Token: SeDebugPrivilege | 3808 | ComaruMineSoft (1).exe
Token: SeDebugPrivilege | 3808 | ComaruMineSoft (1).exe
Token: SeDebugPrivilege | 3396 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3396 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3396 | taskmgr.exe
Token: SeSecurityPrivilege | 3396 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 3396 | taskmgr.exe
Token: SeBackupPrivilege | 392 | svchost.exe
Token: SeRestorePrivilege | 392 | svchost.exe
Token: SeSecurityPrivilege | 392 | svchost.exe
Token: SeTakeOwnershipPrivilege | 392 | svchost.exe
Token: 35 | 392 | svchost.exe
Token: SeDebugPrivilege | 4632 | ComaruMineSoft (1).exe
Token: SeDebugPrivilege | 3132 | ComaruMineSoft (1).exe
Token: SeSecurityPrivilege | 3396 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 3396 | taskmgr.exe
Token: SeSecurityPrivilege | 3396 | taskmgr.exe
Token: SeTakeOwnershipPrivilege | 3396 | taskmgr.exe
Token: SeDebugPrivilege | 1932 | ComaruMineSoft (1).exe
Token: SeDebugPrivilege | 3600 | ComaruMineSoft (1).exe
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 2 IoCs
pid | process
3808 | ComaruMineSoft (1).exe
5016 | MiniSearchHost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process: C:\Users\Admin\AppData\Local\Temp\ComaruMineSoft (1).exe
Command line: "C:\Users\Admin\AppData\Local\Temp\ComaruMineSoft (1).exe"
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3808
  Child process: C:\Windows\System32\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ComaruMineSoft (1)" /tr "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
  - Creates scheduled task(s)
  PID: 2084

Process: C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /0
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 3396

Process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4092
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb27333cb8,0x7ffb27333cc8,0x7ffb27333cd8
  PID: 2600
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
  PID: 2640
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 3560
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
  PID: 3232
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  PID: 4540
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  PID: 2740
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  PID: 2488
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  PID: 3572
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 3132
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 236
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  PID: 3640
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  PID: 4204
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  PID: 4636
  Child process: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,7829185712082338841,7571288271275587746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4608 /prefetch:2
  PID: 408

Process: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 1052

Process: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 5108

Process: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k SDRSVC
- Suspicious use of AdjustPrivilegeToken
PID: 392

Process: C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe
Command line: "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 4632

Process: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 1908

Process: C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe
Command line: "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3132

Process: C:\Windows\regedit.exe
Command line: "C:\Windows\regedit.exe"
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID: 3236

Process: C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe
Command line: "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 1932

Process: C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe
Command line: "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3600

Process: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID: 5016
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads