xworm | hxxps://file[.]io/F0o5cRRRP71F

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/F0o5cRRRP71F

Score

10^/10

xworm discovery motw phishing rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

79.110.49.242:3388

127.0.0.1:3388

Mutex

ZzPr10udRDHeSHtK

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023d63-291.dat	family_xworm
behavioral1/memory/640-302-0x0000000000A30000-0x0000000000A3E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	matcha_automatic_updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	matcha_automatic_updater.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	matcha_updater.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	matcha_updater.exe

Executes dropped EXE 4 IoCs

pid	Process
6628	matcha_automatic_updater.exe
640	matcha_updater.exe
5792	matcha_automatic_updater.exe
5252	matcha_updater.exe

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
397	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
6992	PING.EXE
4788	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 570644.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
6992	PING.EXE
4788	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2592	msedge.exe
2592	msedge.exe
3016	identity_helper.exe
3016	identity_helper.exe
6744	msedge.exe
6744	msedge.exe
6736	msedge.exe
6736	msedge.exe
6736	msedge.exe
6736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	matcha_updater.exe
Token: SeDebugPrivilege	5252	matcha_updater.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe
2592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2596	2592	msedge.exe	83
PID 2592 wrote to memory of 2596	2592	msedge.exe	83
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2220	2592	msedge.exe	84
PID 2592 wrote to memory of 2344	2592	msedge.exe	85
PID 2592 wrote to memory of 2344	2592	msedge.exe	85
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86
PID 2592 wrote to memory of 2376	2592	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/F0o5cRRRP71F
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f7dc46f8,0x7ff9f7dc4708,0x7ff9f7dc4718
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7076 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7736 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8252 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8996 /prefetch:8
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:6516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9732 /prefetch:1
  2⤵
  PID:6592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9756 /prefetch:1
  2⤵
  PID:6600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9764 /prefetch:1
  2⤵
  PID:6608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10264 /prefetch:1
  2⤵
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10284 /prefetch:1
  2⤵
  PID:6836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:7156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,7623978286688245522,16373529059766662013,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5240

C:\Users\Admin\Downloads\matcha_automatic_updater.exe
"C:\Users\Admin\Downloads\matcha_automatic_updater.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6628
- C:\Users\Admin\AppData\Roaming\matcha_updater.exe
  "C:\Users\Admin\AppData\Roaming\matcha_updater.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hi.bat" "
  2⤵
  PID:6892
- - C:\Windows\system32\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6992

C:\Users\Admin\Downloads\matcha_automatic_updater.exe
"C:\Users\Admin\Downloads\matcha_automatic_updater.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5792
- C:\Users\Admin\AppData\Roaming\matcha_updater.exe
  "C:\Users\Admin\AppData\Roaming\matcha_updater.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\hi.bat" "
  2⤵
  PID:6184
- - C:\Windows\system32\PING.EXE
    ping -n 3 127.0.0.1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\matcha_automatic_updater.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b93f8f560372758276da13d7dc121362

SHA1
06993e6e90dda16075ff8c3a3b2dac234adbaac2

SHA256
d6b2d4c8592f2d80a6206b820c02efc8dff0efbd42f3f90e99d3d97d8b870515

SHA512
0d1183122ebac12102fdb151f662f87615b91574d2a9c742d53094432d2e17b447d495b3833b3f2dec9768ef01304b4d2a3319ae740e52be47211d0be3403bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
f40f0201231643cfce58288bddf87a29

SHA1
2bf0f89513086accca1e766cf21da0d16fc5d7cf

SHA256
6b42b1de93bd98be4e46b9b597716d85dc2cd9990072ca1a41dea4afa1dfe6c2

SHA512
8979760fcd5cedc2491fa8cfc18c7f0b3a571c9d289ca8c2546bb0fe81642e4159fcafcefaeb1c4f0a3bb6191dd7ae255d2faac796d0b8501cf0409e0f875442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a61de1b4b8edb3f98be31d3a9e73d733

SHA1
fe4e0fefd6f8d90ee42b7e9d4924dea833e057dd

SHA256
a46c884d92e1e90216bf67b28f388f53bfba64f3a75b6f9dd59d4ce8b198d700

SHA512
5fc0a716152e90ee174b820f0025387938ee2c6aa117d493932f98feac13a7120925aec5ab4b11b76aa98c02ecd29f77d8efe92e4a8ff395d64f0df1e39feb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
26795ad7680746f67426397d069b1c8c

SHA1
575e72c0bd59914ceeb288bd8efcabad9b0deee1

SHA256
9b2efc683f4ced3ff9cd26a0aae739de688d80802cacf22e4d1d6e5652f2e273

SHA512
8175721e190a3b5f5dfb8a7b92a3c42415439f6935463c5df2cf54cb999098a63411b8f7abac5501ba30b62c7a2ee0ce5ad8378d1f5d90db3aa8cec37c086445

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
7d09977e6ab3379697bcf093186c6155

SHA1
6b754d6ea7293f1d4149dc74bf959bdb6f4fea38

SHA256
e258165ece553f8542f64892d227b5ccd5961cf801c67ca78e33c3a93b443b28

SHA512
95bbc60ac21689a42634d8a34ef51e65fe694fd39bffb2fd3e195681a121512941dc94d33af07c5a52698953519122973811ef2f5756a0a2f8f27a3eb5db47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
aedf405c5e757771238ad4b7198db34a

SHA1
394d141b0e01758e269cd07cb68ab06efad6cebf

SHA256
b14cfa78341a69ebe0eb120b6c5ead4895cfc4850f4e0c045b194c80015f2121

SHA512
41cfca116c4a8c42a1f8b5b0cce4ab50b1da0abdcd530d93e7d4bd21dd6474ca4c52c7f767bea6a3fd871c2dd2b9d27ae77ec87d0ebd7728946ea46eb7f238c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f28e.TMP

Filesize
3KB

MD5
6d05b37bddec6ff6b5435790d57c0fba

SHA1
5cf155ddd00315172c958369780b9f91a1451f5f

SHA256
19d7471394368206ddc9a5179e73d1b4a8fbbceb13bac768c62ab20f833dc72c

SHA512
b6939022421ca69fa64c7468a577dd9f1acffbf85b907b8ba968ea9f0824d6d5a988c400f6793062bdc87fa26124a8a4e7b8c1fb02c3a85588c2a0b0469d097e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a8837a907650116c870414786912b0fc

SHA1
4fff15c96ae26695a0d9462c46ebaa1a8acdd012

SHA256
1e23bd31df76bf00ef30b81209d528049d970c539ec55ab2d814d4ef36768930

SHA512
b4b0578e7d9af4959ae853ebd621e4b24137b579a80f4d52c30655cd6f5ac13d7a82b4dcec084b6ddcdd32b00370a51d67d8a145bbde586d38c21a1d161e113f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5695b46cf3ba2c6257cca41dba81041d

SHA1
a289bb28f30e8f576ed5294bea5b79ddffbf2a79

SHA256
7ebb01338d7e579bd1d43d11ee5b5e5dfec666043cce3457551f565c2add56d4

SHA512
2533021c3ff362fc961e5e5fb91b5b90fc6d09769e5da1826d09e798c755cd4a5dbcc156feda88ff6c9ff3a193984829344f28edd6b29742635e1d65ad341221

Download Submit
C:\Users\Admin\AppData\Roaming\hi.bat

Filesize
90B

MD5
49e38bc0ad228da3af52fff4ae391d68

SHA1
77b96342f3918d31c92dc69c455fbdc0d27f4142

SHA256
0f477e5dcf357c6020da80a954cffea9c29b9adb418b5f3e653525a56de0730a

SHA512
c3b7379ad36830ad76e159cd2701885f184447ba44c91acd17f467c37cf7e58caa5762d9965d2598fca4485319e715636404561f49113263dc1c1f7c1671c476

Download Submit
C:\Users\Admin\AppData\Roaming\matcha_updater.exe

Filesize
34KB

MD5
f0458aa8920c3a81dc62f427b140a759

SHA1
6f1c7882775e6e1d6139d5a0ed4bdf35708f8767

SHA256
5f41b296c9c8ee823fbc5dd53ad0369a5ded6def0f1f9cb9fcc98a5308d8b43f

SHA512
ed017ffffe7854262a0ac28b16406e55977fe8459bb72becb7426d39228aae952f28d2679270df300762e8eb4db7bfaa7368fa5826d3f4cf2c23f251eb1d3c4f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 570644.crdownload

Filesize
44KB

MD5
258ea141544279a196e8f6e9822b20d1

SHA1
47bbca649af851075d7f33b08e2bc3fd0620639a

SHA256
9d441befd26c862e5c810a9ddb14c425b833696fbe42d5979e140e92f28351de

SHA512
00c6e26fe7fae1467b7374af529b7bd739ba1e758c768551b3c95ad7fe6ddadce6ccfef19f577d9b55e5d6f5fe8fe5319212bb1863362da656e15ae86b46b893

Download Submit
memory/640-302-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download
memory/640-340-0x000000001B5B0000-0x000000001B5BC000-memory.dmp

Filesize
48KB

Download
memory/6628-286-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download