xworm | hxxps://workupload[.]com/file/wcARRJswEuX

Analysis

max time kernel
900s
max time network
845s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2025, 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/wcARRJswEuX

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%AppData%
install_file
OOBroker.exe
pastebin_url
https://pastebin.com/raw/5db7HHZA

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ba6-116.dat	family_xworm
behavioral1/memory/5880-118-0x0000000000CF0000-0x0000000000D08000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5064	powershell.exe
2012	powershell.exe
5072	powershell.exe
5440	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	OOBroker.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OOBroker.lnk	OOBroker.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OOBroker.lnk	OOBroker.exe

Executes dropped EXE 1 IoCs

pid	Process
5880	OOBroker.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OOBroker = "C:\\Users\\Admin\\AppData\\Roaming\\OOBroker.exe"	OOBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
88	pastebin.com
89	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
404	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1732	msedge.exe
1732	msedge.exe
1408	msedge.exe
1408	msedge.exe
2364	identity_helper.exe
2364	identity_helper.exe
3872	msedge.exe
3872	msedge.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe
2012	powershell.exe
2012	powershell.exe
2012	powershell.exe
5072	powershell.exe
5072	powershell.exe
5072	powershell.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe
5440	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	5252	7zG.exe
Token: 35	5252	7zG.exe
Token: SeSecurityPrivilege	5252	7zG.exe
Token: SeSecurityPrivilege	5252	7zG.exe
Token: SeDebugPrivilege	5880	OOBroker.exe
Token: SeDebugPrivilege	5064	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	5880	OOBroker.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
5252	7zG.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe
1408	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 5052	1408	msedge.exe	84
PID 1408 wrote to memory of 5052	1408	msedge.exe	84
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 4672	1408	msedge.exe	85
PID 1408 wrote to memory of 1732	1408	msedge.exe	86
PID 1408 wrote to memory of 1732	1408	msedge.exe	86
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87
PID 1408 wrote to memory of 5084	1408	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://workupload.com/file/wcARRJswEuX
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe216546f8,0x7ffe21654708,0x7ffe21654718
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1266942700255230998,5624281111812077202,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap18982:74:7zEvent31039
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5252

C:\Users\Admin\Desktop\OOBroker.exe
"C:\Users\Admin\Desktop\OOBroker.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:5880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\OOBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OOBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OOBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OOBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8B0.tmp.bat""
  2⤵
  PID:3112
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab283f88362e9716dd5c324319272528

SHA1
84cebc7951a84d497b2c1017095c2c572e3648c4

SHA256
61e4aa4614e645255c6db977ea7da1c7997f9676d8b8c3aaab616710d9186ab2

SHA512
66dff3b6c654c91b05f92b7661985391f29763cf757cc4b869bce5d1047af9fb29bbe37c4097ddcfa021331c16dd7e96321d7c5236729be29f74853818ec1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fffde59525dd5af902ac449748484b15

SHA1
243968c68b819f03d15b48fc92029bf11e21bedc

SHA256
26bc5e85dd325466a27394e860cac7bef264e287e5a75a20ea54eec96abd0762

SHA512
f246854e8ed0f88ca43f89cf497b90383e05ffa107496b4c346f070f6e9bbf1d9dc1bdcc28cad6b5c7810e3ba39f27d549061b3b413a7c0dd49faacae68cd645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
62cfcf65c1eb1fe8a33eb71e279d03a9

SHA1
4342ab0b4fbc6ac08875368928016e5785d43e4e

SHA256
44423fafa31187954dc56cb978557a5b4091b5a06bd20a9dcad6ba0eeb9e8cde

SHA512
ce66bfeb7551382acd2ccb47e6a3c79e61d2f605feb8a35841db25fbfb26c77f51308eb368b913855a89cfca58d0a0c04bf57e6fa2b7c478d222b9765c247969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ff4885ae1152547c80af857939cec27

SHA1
011181b9159a2a82727aafb4d607104bae876d71

SHA256
195e1e8b61a87bd59c9ffe2d44a4b3af91fc3dc156b6553aa04e7c436a869046

SHA512
fbf942d33d11e02cbe9c697514847d3977fe6049d763e9719a9aca802830b02797cd588ab15c3bd167019fdcd76289c47afd67f3cdf69bc8fa14be1886ba0e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1c1020ca99f7c61abcebe588f020d0dc

SHA1
58c0c2ea1a766ce78d8af425739ced01e0fabc73

SHA256
685752ddf69104832a179a52f0308203ecb64d787984241dd054293917b4c999

SHA512
54bc2128c0cc822f419af47559495896f60b68a58b875a8fccff77cd67ff1d63c5fa8f1455b712f9c7933d7dad27e3090559af5064b488d531c6c6ba7b49b86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff6c1f538ffe027f6fd9236251ac07e8

SHA1
694b0033e380a81b92e0ab910932ee83069f0bba

SHA256
913ccfdea5f7f52c8ac66c1b59dfeb7d08ba8646c60721148b2df55efa7f25a3

SHA512
60d7009e1e9aa8b9439df96be8de5730b43dfad5342ec7202fb5aa646d4cc2cdd1114f49aed471c7a1b9081a3b10185ae67b88c580b3b8eb2d49a2cc4ee0e862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
babd29552b0f55817879db9493175d39

SHA1
6623dfa671a306038bce54561f1f9a4949077a4c

SHA256
ccbfb81ee8bc10c044ca022ea67202e854cd5211b9cb9868205358720984cf6f

SHA512
6686599d44bf161badea6b90c524fc83dd5056a6a899a7385f58339cdd2114159164a9487923159a431ab13235dc8e15d6f0a28c876594cd1ffe3f23ff59ab39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
264ef11e0c263fcc10dcc5613d0cf008

SHA1
6bdf1b143d2f62107acda74867856905f0d3c047

SHA256
35dccd1e933de318eda04dc18c025073adefd4f493758a9e7cf7906d7d741186

SHA512
d8dfb55584443825c59c4ced66ac8719224b905a8f71c5c9868061a9d5fa5ab2ab2d17481eca83b158cb203419742da589158a9940f16b3c38c8d35e0d2cd38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
359d1e37a264703c99ebd01eed362de5

SHA1
a1122c8bf9848b3371cd191ba540864204d1d845

SHA256
5781f3046b0d978469415a059cf5ceae0e532869e69ab1dffb8ed878bd299b07

SHA512
ce3caa1d2205be8167b7cd48ebf538a9ce8c148643c26a20377894aa15cf00f90b2b5e2ebf35d40a0273c088abc11fe6f010e34691d7fbc4bef8d7e482f5087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6ca03841a619868438b436bbaba21ab4

SHA1
11bd79a4267e2c942c92f20a319780ae1fa6cadb

SHA256
b5d9415a62623fcd6fdd244e361a2126a30b22e2758e2797a8d1b228291ca72b

SHA512
4c89eff38a7cb9583818332ad04ce2564b8b3733b5771210814e37347a485fa0127095c15e9524028709ed20b298991c5a40efb42ea5724206d9cae5cc529bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iobxoxe2.fe2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8B0.tmp.bat

Filesize
148B

MD5
8a93d098814555eda6eca9143ed5e1b1

SHA1
efd920b1aea7704dda085023015d566070297228

SHA256
3c728951212dc06c3ce01afe502217c025e369945d704d7716257a495e5f3a3b

SHA512
86262234b3927f8705cc4f9d1f64435bb2f7120639d88996b25cc036d55b86cc02745ac0faf2840b64647ef6eb6baaeeadf20f0e54ec31c4a5a25d04bebda880

Download Submit
C:\Users\Admin\Desktop\OOBroker.exe

Filesize
70KB

MD5
94f5ebd0b5c55ea25db91b31f296918f

SHA1
32feab032619baf960a0d347280607079473d3be

SHA256
7e3333c7e97a38ebb8ed210d7b431d46e562b6b1652b462c44cce0f5791340ad

SHA512
d2858980f0e2afc9191e8ff902a2107fa64a25bbb3fafc954e7501f323f96837bf212946160e9f6c1d1a9f2380b46debaeb321e37f15e645f3dc8173b53380de

Download Submit
C:\Users\Admin\Downloads\OOBroker.zip

Filesize
41KB

MD5
79e559c405c93763b5b4f365b3d5e42b

SHA1
09761ca8dfa4fe85da38c9789901c30373730494

SHA256
3b81ba979b4cd7e7f7c62040a9ce698c510f433b7c8d28bedf4476a7cdf60577

SHA512
8b5023f604ab62a95521f4d1dca3104ec18a2177456aaabadf59a210a9164610ad5d62b3de1296e8b8957f2450c62c035de3e04a3ba473c37fcf223c57240ed9

Download Submit
memory/5064-146-0x000002035DD00000-0x000002035DD22000-memory.dmp

Filesize
136KB

Download
memory/5880-118-0x0000000000CF0000-0x0000000000D08000-memory.dmp

Filesize
96KB

Download
memory/5880-206-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download