xworm | 807365fb2ba6da0202b002ef59b76c7e5205cd7a20280b006403ca94ec700904

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	LocalnrIszSVIvh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	LocalnrIszSVIvh.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3252	powershell.exe
312	powershell.exe
4872	powershell.exe
3152	powershell.exe

Modify Registry: Disable Windows Driver Blocklist 2 TTPs 1 IoCs

Disable Windows Driver Blocklist via Registry.

defense_evasion

Modify Registry

Impair Defenses

T1562

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\CI\Config\VulnerableDriverBlocklistEnable = "0"	LocalnrIszSVIvh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	DxHax.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	LocalgpXAJOk_AK.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk	LocalgpXAJOk_AK.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Appinfo.lnk	LocalgpXAJOk_AK.exe

Executes dropped EXE 22 IoCs

pid	Process
4768	LocalgpXAJOk_AK.exe
4972	LocalnrIszSVIvh.exe
3316	Appinfo
4592	Appinfo
1164	Appinfo
4060	Appinfo
4036	Appinfo
876	Appinfo
4504	Appinfo
3380	Appinfo
2820	Appinfo
392	Appinfo
1648	Appinfo
1068	Appinfo
3904	Appinfo
2612	Appinfo
2284	Appinfo
3668	Appinfo
4396	Appinfo
4548	Appinfo
1408	Appinfo
2864	Appinfo

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Appinfo = "C:\\ProgramData\\Appinfo"	LocalgpXAJOk_AK.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
9	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LocalnrIszSVIvh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	LocalnrIszSVIvh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	LocalnrIszSVIvh.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	LocalnrIszSVIvh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	LocalnrIszSVIvh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	LocalnrIszSVIvh.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	LocalnrIszSVIvh.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	LocalnrIszSVIvh.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	LocalnrIszSVIvh.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "f1e7b87d-9a93d34d-d"	LocalnrIszSVIvh.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration\IE Installed Date = b55a3e8d5bb492ab	LocalnrIszSVIvh.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4892	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4768	LocalgpXAJOk_AK.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
4972	LocalnrIszSVIvh.exe
4972	LocalnrIszSVIvh.exe
2984	msedge.exe
2984	msedge.exe
3460	msedge.exe
3460	msedge.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe
312	powershell.exe
312	powershell.exe
312	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
4768	LocalgpXAJOk_AK.exe
4768	LocalgpXAJOk_AK.exe
3888	identity_helper.exe
3888	identity_helper.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe
4232	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4972	LocalnrIszSVIvh.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	4768	LocalgpXAJOk_AK.exe
Token: SeTakeOwnershipPrivilege	4972	LocalnrIszSVIvh.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	4768	LocalgpXAJOk_AK.exe
Token: SeDebugPrivilege	3316	Appinfo
Token: SeDebugPrivilege	4592	Appinfo
Token: SeDebugPrivilege	1164	Appinfo
Token: SeDebugPrivilege	4060	Appinfo
Token: SeDebugPrivilege	4036	Appinfo
Token: SeDebugPrivilege	876	Appinfo
Token: SeDebugPrivilege	4504	Appinfo
Token: SeDebugPrivilege	3380	Appinfo
Token: SeDebugPrivilege	2820	Appinfo
Token: SeDebugPrivilege	392	Appinfo
Token: SeDebugPrivilege	1648	Appinfo
Token: SeDebugPrivilege	1068	Appinfo
Token: SeDebugPrivilege	3904	Appinfo
Token: SeDebugPrivilege	2612	Appinfo
Token: SeDebugPrivilege	2284	Appinfo
Token: SeDebugPrivilege	3668	Appinfo
Token: SeDebugPrivilege	4396	Appinfo
Token: SeDebugPrivilege	4548	Appinfo
Token: SeDebugPrivilege	1408	Appinfo
Token: SeDebugPrivilege	2864	Appinfo

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4768	LocalgpXAJOk_AK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 4768	4072	DxHax.exe	84
PID 4072 wrote to memory of 4768	4072	DxHax.exe	84
PID 4072 wrote to memory of 4972	4072	DxHax.exe	85
PID 4072 wrote to memory of 4972	4072	DxHax.exe	85
PID 4072 wrote to memory of 4972	4072	DxHax.exe	85
PID 4972 wrote to memory of 3460	4972	LocalnrIszSVIvh.exe	86
PID 4972 wrote to memory of 3460	4972	LocalnrIszSVIvh.exe	86
PID 3460 wrote to memory of 1252	3460	msedge.exe	87
PID 3460 wrote to memory of 1252	3460	msedge.exe	87
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 4968	3460	msedge.exe	88
PID 3460 wrote to memory of 2984	3460	msedge.exe	89
PID 3460 wrote to memory of 2984	3460	msedge.exe	89
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90
PID 3460 wrote to memory of 3396	3460	msedge.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe
"C:\Users\Admin\AppData\Local\Temp\26.06.2024\DxHax.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe
  "C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalgpXAJOk_AK.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3152
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LocalgpXAJOk_AK.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Appinfo'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Appinfo'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Appinfo" /tr "C:\ProgramData\Appinfo"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4892
- C:\Users\Admin\AppData\LocalnrIszSVIvh.exe
  "C:\Users\Admin\AppData\LocalnrIszSVIvh.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Modify Registry: Disable Windows Driver Blocklist
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://artecore.xyz/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffe9e6646f8,0x7ffe9e664708,0x7ffe9e664718
      4⤵
      PID:1252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
      4⤵
      PID:4968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
      4⤵
      PID:3396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      4⤵
      PID:2324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
      4⤵
      PID:4616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
      4⤵
      PID:3876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      4⤵
      PID:2392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
      4⤵
      PID:4128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:4872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3655983192991800114,11853836429307775979,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4316 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\ProgramData\Appinfo
C:\ProgramData\Appinfo
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery