xworm | 6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/11/2024, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Size

16KB
MD5

acfdf588da4f3d02f8b4e6db8cc9e60d
SHA1

71bc876820b36d478f65cb9f236499d8c98a7fdd
SHA256

6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9
SHA512

3698487d35e5d12d013c4f986375191e645038fa3199d7950c03370c085533aa6da2710ab2c9b7f200d5625c90b39bb5580fbf0dfced9cad6ebac86e001d83b8
SSDEEP

384:eRc06pZg1jOAJO0lsJeho4ZbP5bvGINB9FlbP4Nk:qX6pZgAiO0Be49RlNB9XbQK

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:8895

162.230.48.189:8895

Mutex

ZRGtN7NDh24Vx89x

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/2528-1110-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4852 created 3392	4852	tmpBCD8.tmp.exe	56
PID 1740 created 3392	1740	tmp7BA3.tmp.exe	56

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	coiiic.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	tmp7BA3.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ReturnType.vbs	tmpBCD8.tmp.exe

Executes dropped EXE 3 IoCs

pid	Process
4852	tmpBCD8.tmp.exe
2564	coiiic.exe
1740	tmp7BA3.tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\github_install = "C:\\Users\\Admin\\AppData\\Roaming\\github_install.exe"	tmp7BA3.tmp.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
452	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 2528	4852	tmpBCD8.tmp.exe	88
PID 1740 set thread context of 4784	1740	tmp7BA3.tmp.exe	113

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp7BA3.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBCD8.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coiiic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4852	tmpBCD8.tmp.exe
1740	tmp7BA3.tmp.exe
1740	tmp7BA3.tmp.exe
452	powershell.exe
452	powershell.exe
4188	msedge.exe
4188	msedge.exe
2192	msedge.exe
2192	msedge.exe
1740	tmp7BA3.tmp.exe
1740	tmp7BA3.tmp.exe
1740	tmp7BA3.tmp.exe
1984	identity_helper.exe
1984	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
Token: SeDebugPrivilege	4852	tmpBCD8.tmp.exe
Token: SeDebugPrivilege	4852	tmpBCD8.tmp.exe
Token: SeDebugPrivilege	2528	InstallUtil.exe
Token: SeDebugPrivilege	2564	coiiic.exe
Token: SeDebugPrivilege	1740	tmp7BA3.tmp.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1740	tmp7BA3.tmp.exe
Token: SeDebugPrivilege	4784	InstallUtil.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 4852	4680	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe	87
PID 4680 wrote to memory of 4852	4680	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe	87
PID 4680 wrote to memory of 4852	4680	6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe	87
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 4852 wrote to memory of 2528	4852	tmpBCD8.tmp.exe	88
PID 2528 wrote to memory of 2564	2528	InstallUtil.exe	99
PID 2528 wrote to memory of 2564	2528	InstallUtil.exe	99
PID 2528 wrote to memory of 2564	2528	InstallUtil.exe	99
PID 2564 wrote to memory of 1740	2564	coiiic.exe	100
PID 2564 wrote to memory of 1740	2564	coiiic.exe	100
PID 2564 wrote to memory of 1740	2564	coiiic.exe	100
PID 1740 wrote to memory of 452	1740	tmp7BA3.tmp.exe	102
PID 1740 wrote to memory of 452	1740	tmp7BA3.tmp.exe	102
PID 1740 wrote to memory of 452	1740	tmp7BA3.tmp.exe	102
PID 452 wrote to memory of 2192	452	powershell.exe	104
PID 452 wrote to memory of 2192	452	powershell.exe	104
PID 2192 wrote to memory of 4144	2192	msedge.exe	105
PID 2192 wrote to memory of 4144	2192	msedge.exe	105
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106
PID 2192 wrote to memory of 1516	2192	msedge.exe	106

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3392
- C:\Users\Admin\AppData\Local\Temp\6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe
  "C:\Users\Admin\AppData\Local\Temp\6425c4148a69abba62149c51dbb1850731a25c4ca8232c3d6304a20c0545d8c9.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Local\Temp\coiiic.exe
    "C:\Users\Admin\AppData\Local\Temp\coiiic.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Process "https://trashycontinuousbubbly.com/wkhy5rzh2v?key=8f87e6d0bc0d653ad051bd077c8dd5ad"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://trashycontinuousbubbly.com/wkhy5rzh2v?key=8f87e6d0bc0d653ad051bd077c8dd5ad
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee90546f8,0x7ffee9054708,0x7ffee9054718
        7⤵
        
        PID:4144
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
        7⤵
        
        PID:1516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
        7⤵
        
        PID:3252
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        7⤵
        
        PID:3432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
        7⤵
        
        PID:1072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
        7⤵
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
        7⤵
        
        PID:4176
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
        7⤵
        
        PID:3148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
        7⤵
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,10202856438396200128,4913051799898563701,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        7⤵
        
        PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
62972f09b9f7128e9185854af2eb50cc

SHA1
66e05b291e1f833ae5098cd451075a602a8e0b39

SHA256
c220eac787a412fe564684e365d962c7711ba6d20cf22ae62f15d229efb72cdf

SHA512
3a274c7199eee5e4c72b03e3b29660d3b766ba96f60a9d855f96d9264c4c9b345474273e5eec99ec74a54c39e555635cd9c651eb75a6bf83f9aa60ad85c87138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02ad081149b460ac00d56c9491a119a6

SHA1
8dffdfd9bdd0c2d1c3fd00ee793098258ecc3e38

SHA256
4c58851d6697e688346c7979e0899537f70377cf630720677f496b7487c9ed5d

SHA512
07c582e9ff19e6aeef250c5ab8321b6847533af553d1b0fb18a136ade39ae716173b4a8919b328e846d86869e8073700602ef728828d9cecc067e356c7173b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ecb0d78f1ac6fd3b59e27f356062bdad

SHA1
d1739ca1b1c1370769495131e5f8383fc0a25b06

SHA256
94651e3e3feda485c11ca78294f6b1fd9f7b402ac8f6e1aa4b8880e1ffbad542

SHA512
9dfa47a497dcae7865ef5201cb37e69cad83ca88d2a6db135e61f6135daca0ba2f24e9f5a14bca2dbd7ffe877140d9fe46c47b1f255c6396eabe0934875fb9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_umpvffhq.ehl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\coiiic.exe

Filesize
5KB

MD5
a935a6bef40cd45cac42da267be89cf7

SHA1
3a861c7dd590ef58b5d14d0d7f614cc05d4f9446

SHA256
3e2b0853a60dbe619179aca70b5c560cc81bb1bff1fb9eb18c92442ffb5f7646

SHA512
facc4774bad84df1bc84e2f60531482d93496cf250979168368dcdae8f68164beaff93901776ad1da366653c9b55e686ba41db3ae85c49f08178168c65cb1ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7BA3.tmp.exe

Filesize
1.4MB

MD5
d53cbe20ab628a9619459367ba42ae5c

SHA1
22a66b3eecf462519abc249bda2e4b28439fc639

SHA256
a2405a789ade187fe954ae0e9c82fb97ccfbd306bf5b1591e2b8a29e0555ea4b

SHA512
ca02bf41e682cc526aeff93d7527812b9903bc61296170ca313939fe7e7daf4ea6dffc81daeac137c6d6d651a7d98ee60408053415bcdd1b662dad4f4a11eca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBCD8.tmp.exe

Filesize
1.3MB

MD5
a4c1ea4b6e69e69462efa7659ff6f48c

SHA1
cf71024bf28f10f63bf7cd27dba64d406c2ed97c

SHA256
1abb33b881408b0341a530de14b0afdb88b96ffcd0254dd397848db3e6508803

SHA512
be527013711f308bb9a0deb65b11066570e86cee896041d55556dc8566a2476bc96ab089ca155030397d95fd8d358170bc2f5b0bf97efd579dd464b1ca803507

Download Submit
memory/452-2225-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/452-2224-0x0000000005420000-0x0000000005442000-memory.dmp

Filesize
136KB

Download
memory/452-2222-0x0000000002AB0000-0x0000000002AE6000-memory.dmp

Filesize
216KB

Download
memory/452-2235-0x0000000005ED0000-0x0000000006224000-memory.dmp

Filesize
3.3MB

Download
memory/452-2223-0x00000000055C0000-0x0000000005BE8000-memory.dmp

Filesize
6.2MB

Download
memory/452-2239-0x0000000006830000-0x000000000684A000-memory.dmp

Filesize
104KB

Download
memory/452-2240-0x0000000006880000-0x00000000068A2000-memory.dmp

Filesize
136KB

Download
memory/452-2238-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/452-2237-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/452-2236-0x00000000063D0000-0x00000000063EE000-memory.dmp

Filesize
120KB

Download
memory/1740-2217-0x0000000005A70000-0x0000000005B24000-memory.dmp

Filesize
720KB

Download
memory/1740-1142-0x00000000056F0000-0x0000000005830000-memory.dmp

Filesize
1.2MB

Download
memory/1740-1141-0x0000000000CB0000-0x0000000000E20000-memory.dmp

Filesize
1.4MB

Download
memory/2528-1111-0x00000000052D0000-0x000000000536C000-memory.dmp

Filesize
624KB

Download
memory/2528-1109-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2528-1113-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2528-1114-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2528-1115-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/2528-2218-0x0000000007B00000-0x0000000007E50000-memory.dmp

Filesize
3.3MB

Download
memory/2528-1110-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2528-1116-0x0000000005CA0000-0x0000000005D06000-memory.dmp

Filesize
408KB

Download
memory/2564-1128-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/4680-1-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/4680-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/4680-2-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4680-17-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4784-2270-0x0000000005A70000-0x0000000006088000-memory.dmp

Filesize
6.1MB

Download
memory/4784-2269-0x00000000052E0000-0x000000000539C000-memory.dmp

Filesize
752KB

Download
memory/4784-2268-0x0000000002C00000-0x0000000002C08000-memory.dmp

Filesize
32KB

Download
memory/4784-2267-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/4852-65-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-51-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-1096-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1097-0x00000000059D0000-0x0000000005A2A000-memory.dmp

Filesize
360KB

Download
memory/4852-1098-0x0000000005870000-0x00000000058BC000-memory.dmp

Filesize
304KB

Download
memory/4852-1102-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1103-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1104-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-1105-0x0000000005AE0000-0x0000000005B34000-memory.dmp

Filesize
336KB

Download
memory/4852-23-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-25-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-1112-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-27-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-29-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-32-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-33-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-35-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-37-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-39-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-41-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-43-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-47-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-49-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-20-0x0000000005CD0000-0x0000000006274000-memory.dmp

Filesize
5.6MB

Download
memory/4852-53-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-55-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-57-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-59-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-61-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-63-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-68-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-69-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-73-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-75-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-77-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-79-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-81-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-85-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-83-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-71-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-45-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-22-0x0000000005630000-0x0000000005712000-memory.dmp

Filesize
904KB

Download
memory/4852-21-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/4852-15-0x0000000000C30000-0x0000000000D78000-memory.dmp

Filesize
1.3MB

Download
memory/4852-19-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download
memory/4852-18-0x0000000005630000-0x0000000005718000-memory.dmp

Filesize
928KB

Download
memory/4852-16-0x00000000747C0000-0x0000000074F70000-memory.dmp

Filesize
7.7MB

Download