Analysis

max time kernel: 69s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 13:19
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://mega.nz/file/HA9D2SiB#vTGsijtui8rFFC-7KwRtTTbRxMQYVpBvN5ow563Vp38
Resource: win10v2004-20240426-en
Errors
General: -

Target: https://mega.nz/file/HA9D2SiB#vTGsijtui8rFFC-7KwRtTTbRxMQYVpBvN5ow563Vp38
Malware Config

Extracted
Family: xworm
Version: 3.0
C2: country-surface.gl.at.ply.gg:33099
Mutex: XIMmw0sYrxYSGqLX
Install_directory: %AppData%
install_file: USB.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes:
- resource: C:\Users\Admin\Downloads\ComaruMineSoft (1).exe, yara_rule: family_xworm
- resource: behavioral1/memory/5968-202-0x0000000000C80000-0x0000000000CA8000-memory.dmp, yara_rule: family_xworm

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation (ComaruMineSoft (1).exe)

Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComaruMineSoft (1).lnk (ComaruMineSoft (1).exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ComaruMineSoft (1).lnk (ComaruMineSoft (1).exe)

Executes dropped EXE (3 IoCs)
Processes:
- pid 5968: ComaruMineSoft (1).exe
- pid 6040: ComaruMineSoft (1).exe
- pid 4428: ComaruMineSoft (1).exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ComaruMineSoft (1) = "C:\\Users\\Admin\\AppData\\Roaming\\ComaruMineSoft (1).exe" (ComaruMineSoft (1).exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 53: ip-api.com

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies data under HKEY_USERS (15 IoCs)
Processes (all LogonUI.exe):
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "118"
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"

Modifies registry class (1 IoC)
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings (msedge.exe)

NTFS ADS (1 IoC)
Processes:
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 657986.crdownload:SmartScreen (msedge.exe)

Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes (pid, process; repeated entries collapsed):
- 4484 msedge.exe
- 1492 msedge.exe
- 4368 identity_helper.exe
- 5744 msedge.exe
- 5396 taskmgr.exe
- 5968 ComaruMineSoft (1).exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes (pid, process; repeated entries collapsed):
- 1492 msedge.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes:
- Token: 33, pid 628 AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 628 AUDIODG.EXE
- Token: SeDebugPrivilege, pid 5968 ComaruMineSoft (1).exe
- Token: SeDebugPrivilege, pid 5396 taskmgr.exe
- Token: SeSystemProfilePrivilege, pid 5396 taskmgr.exe
- Token: SeCreateGlobalPrivilege, pid 5396 taskmgr.exe
- Token: SeDebugPrivilege, pid 5968 ComaruMineSoft (1).exe
- Token: SeDebugPrivilege, pid 6040 ComaruMineSoft (1).exe
- Token: SeDebugPrivilege, pid 4428 ComaruMineSoft (1).exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes (pid, process; repeated entries collapsed):
- 1492 msedge.exe
- 5396 taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs)
Processes (pid, process; repeated entries collapsed):
- 1492 msedge.exe
- 5396 taskmgr.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- 5968 ComaruMineSoft (1).exe
- 5948 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (repeated entries collapsed):
- PID 1492 (msedge.exe) wrote to memory of PID 1800 (msedge.exe)
- PID 1492 (msedge.exe) wrote to memory of PID 4116 (msedge.exe)
- PID 1492 (msedge.exe) wrote to memory of PID 4484 (msedge.exe)
- PID 1492 (msedge.exe) wrote to memory of PID 4988 (msedge.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (the bracketed number is the depth in the process tree; bullets are the signatures triggered by that process)

[1] msedge.exe (PID 1492)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/HA9D2SiB#vTGsijtui8rFFC-7KwRtTTbRxMQYVpBvN5ow563Vp38
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] msedge.exe (PID 1800)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffb84cd46f8,0x7ffb84cd4708,0x7ffb84cd4718

    [2] msedge.exe (PID 4116)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

    [2] msedge.exe (PID 4484)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    [2] msedge.exe (PID 4988)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

    [2] msedge.exe (PID 3200)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

    [2] msedge.exe (PID 4968)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

    [2] msedge.exe (PID 4948)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5008 /prefetch:8

    [2] identity_helper.exe (PID 3540)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8

    [2] identity_helper.exe (PID 4368)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] msedge.exe (PID 3776)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

    [2] msedge.exe (PID 4628)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1

    [2] msedge.exe (PID 5212)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6012 /prefetch:8

    [2] msedge.exe (PID 5220)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

    [2] msedge.exe (PID 5320)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:8

    [2] msedge.exe (PID 5520)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1

    [2] msedge.exe (PID 5528)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1

    [2] msedge.exe (PID 5744)
        Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,1082024831122623936,491964947767089855,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    [2] ComaruMineSoft (1).exe (PID 5968)
        Image: C:\Users\Admin\Downloads\ComaruMineSoft (1).exe
        Command line: "C:\Users\Admin\Downloads\ComaruMineSoft (1).exe"
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

        [3] schtasks.exe (PID 5184)
            Image: C:\Windows\System32\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "ComaruMineSoft (1)" /tr "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
            - Creates scheduled task(s)

[1] CompPkgSrv.exe (PID 4232)
    Image: C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] CompPkgSrv.exe (PID 2600)
    Image: C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] AUDIODG.EXE (PID 628)
    Image: C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x50c 0x4ec
    - Suspicious use of AdjustPrivilegeToken

[1] rundll32.exe (PID 1092)
    Image: C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

[1] taskmgr.exe (PID 5396)
    Image: C:\Windows\system32\taskmgr.exe
    Command line: "C:\Windows\system32\taskmgr.exe" /4
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

[1] ComaruMineSoft (1).exe (PID 6040)
    Image: C:\Users\Admin\Downloads\ComaruMineSoft (1).exe
    Command line: "C:\Users\Admin\Downloads\ComaruMineSoft (1).exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] ComaruMineSoft (1).exe (PID 4428)
    Image: C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe
    Command line: "C:\Users\Admin\AppData\Roaming\ComaruMineSoft (1).exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] LogonUI.exe (PID 5948)
    Image: C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x4 /state0:0xa38dc855 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads