Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2023, 14:33
Static task
static1
Behavioral task
behavioral1
Sample
chr.exe
Resource
win7-20231020-en
General
-
Target
chr.exe
-
Size
66KB
-
MD5
50b2b692da0c363e301709a28b30afaf
-
SHA1
098e00413ba405bcc72b71a5869c2d151e93448a
-
SHA256
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
-
SHA512
d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
-
SSDEEP
1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Malware Config
Extracted
xworm
5.0
162.212.154.8:41589
1fGBFdYzxtDnKgy4
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
-
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574
Extracted
limerat
-
aes_key
devil
-
antivm
false
-
c2_url
https://pastebin.com/raw/rPy10VvM
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Session Manager.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral2/files/0x0008000000022da4-25.dat family_xworm behavioral2/files/0x0008000000022da4-31.dat family_xworm behavioral2/files/0x0008000000022da4-32.dat family_xworm behavioral2/memory/2260-33-0x0000000000190000-0x00000000001B8000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation chr.exe Key value queried \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\Control Panel\International\Geo\Nation one.exe -
Executes dropped EXE 2 IoCs
pid Process 2260 one.exe 3600 ses.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" one.exe Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe" chr.exe Set value (str) \REGISTRY\USER\S-1-5-21-1114462139-3090196418-29517368-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe" chr.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 ip-api.com -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\one.exe chr.exe File created C:\Windows\System32\ses.exe chr.exe File opened for modification C:\Windows\System32\ses.exe chr.exe File created C:\Windows\System32\one.exe chr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4476 schtasks.exe 2652 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2260 one.exe -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 880 powershell.exe 880 powershell.exe 4648 powershell.exe 4648 powershell.exe 4648 powershell.exe 2804 powershell.exe 2804 powershell.exe 2288 powershell.exe 2288 powershell.exe 4120 powershell.exe 4120 powershell.exe 4120 powershell.exe 112 msedge.exe 112 msedge.exe 1332 msedge.exe 1332 msedge.exe 3940 powershell.exe 3940 powershell.exe 3940 powershell.exe 2260 one.exe 2260 one.exe 1768 identity_helper.exe 1768 identity_helper.exe 6064 msedge.exe 6064 msedge.exe 6064 msedge.exe 6064 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2336 chr.exe Token: SeDebugPrivilege 880 powershell.exe Token: SeDebugPrivilege 2260 one.exe Token: SeDebugPrivilege 4648 powershell.exe Token: SeDebugPrivilege 2804 powershell.exe Token: SeDebugPrivilege 2288 powershell.exe Token: SeDebugPrivilege 4120 powershell.exe Token: SeDebugPrivilege 3940 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe 112 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2260 one.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 880 2336 chr.exe 91 PID 2336 wrote to memory of 880 2336 chr.exe 91 PID 2336 wrote to memory of 4476 2336 chr.exe 94 PID 2336 wrote to memory of 4476 2336 chr.exe 94 PID 2336 wrote to memory of 2260 2336 chr.exe 96 PID 2336 wrote to memory of 2260 2336 chr.exe 96 PID 2336 wrote to memory of 4648 2336 chr.exe 98 PID 2336 wrote to memory of 4648 2336 chr.exe 98 PID 2336 wrote to memory of 2652 2336 chr.exe 99 PID 2336 wrote to memory of 2652 2336 chr.exe 99 PID 2336 wrote to memory of 3600 2336 chr.exe 101 PID 2336 wrote to memory of 3600 2336 chr.exe 101 PID 2336 wrote to memory of 3600 2336 chr.exe 101 PID 2260 wrote to memory of 2804 2260 one.exe 103 PID 2260 wrote to memory of 2804 2260 one.exe 103 PID 2260 wrote to memory of 2288 2260 one.exe 104 PID 2260 wrote to memory of 2288 2260 one.exe 104 PID 2260 wrote to memory of 4120 2260 one.exe 106 PID 2260 wrote to memory of 4120 2260 one.exe 106 PID 3600 wrote to memory of 112 3600 ses.exe 108 PID 3600 wrote to memory of 112 3600 ses.exe 108 PID 112 wrote to memory of 1124 112 msedge.exe 109 PID 112 wrote to memory of 1124 112 msedge.exe 109 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 2252 112 msedge.exe 112 PID 112 wrote to memory of 1332 112 msedge.exe 110 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\chr.exe"C:\Users\Admin\AppData\Local\Temp\chr.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:4476
-
-
C:\Windows\System32\one.exe"C:\Windows\System32\one.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4648
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:2652
-
-
C:\Windows\System32\ses.exe"C:\Windows\System32\ses.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f0c46f8,0x7ffb6f0c4708,0x7ffb6f0c47184⤵PID:1124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:84⤵PID:1184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:24⤵PID:2252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:14⤵PID:468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:14⤵PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:14⤵PID:3108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:84⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:1768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:14⤵PID:468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:14⤵PID:5028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:14⤵PID:3140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:14⤵PID:1232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:14⤵PID:5440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:14⤵PID:5428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,4923060404128191266,13324274842097685311,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:6064
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:3188
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6f0c46f8,0x7ffb6f0c4708,0x7ffb6f0c47184⤵PID:2356
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3796
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5060
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD58f30b8232b170bdbc7d9c741c82c4a73
SHA19abfca17624e13728bd7fa6547e7e26e0695d411
SHA2560916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be
-
Filesize
152B
MD58f30b8232b170bdbc7d9c741c82c4a73
SHA19abfca17624e13728bd7fa6547e7e26e0695d411
SHA2560916f816feace92a097267171f8aa8f944074530574a7aa1f9f0334899dfa3eb
SHA512587d973b13b97c5b92621c776c18348a13ef451ccda32977baa529de33e47a27e7920a57fe7c4d0b2f0e4a8a3bca5c62cc5798cf97f19556028f88afb38b37be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8b694361-45d6-4707-8445-dc06616a85df.tmp
Filesize24KB
MD50b8abe9b2d273da395ec7c5c0f376f32
SHA1d7b266fb7310cc71ab5fdb0ef68f5788e702f2ec
SHA2563751deeb9ad3db03e6b42dedcac68c1c9c7926a2beeaaa0820397b6ddb734a99
SHA5123dd503ddf2585038aa2fedc53d20bb9576f4619c3dc18089d7aba2c12dc0288447b2a481327c291456d7958488ba2e2d4028af4ca2d30e92807c8b1cdcffc404
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD5843f0f95f6bebbe6bca93e9be9034d9a
SHA1753bc80da591db50e0f1f6d083904e54f9909ee4
SHA256b4f8a32adee29a79c73a5b17bd001fff0694a5c6909215b5631e7d056c8a8c92
SHA512414e41007521e802b0d0c0bbef45da6156489d66ca4eeae634666f563ca9d381c4bf5ebb8c90547d62b46a6d7c8cc25f5ed61a7591212b2e4f0496e6d69b5bc6
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
5KB
MD57a29f695748c0f2e38f6b17902264b80
SHA173ecf6fa8b391c0bd7dd87d386abdd6912b6ce90
SHA256bc91a0a917b62d35546883c7cc6684481496a6d7576340975f1bb9434e87dcd5
SHA5120ff926a8af1c739f466217cf4b8eea0bdd616557e1fc5b785be70dbb6346a782136cc874f7eb24b39bf5d3dda59ad4284e48ace3f841f50345f1a24c6012398f
-
Filesize
6KB
MD554b46fc473bb78a609e2b68d3c85c018
SHA15cc45362a97cfcce211c8954639ab099944780bb
SHA256bd71c09b36ceb326a955c2a7c870fb791355adc44cd236b9211107e64f55b63d
SHA5125c15ba07d5d4c755f771323ae6ed4c011bf3e420295b3ebd8d64486d2110d2fd1891d14a6aa4c3c9425cb424f8e70410eac08404c11d036c399fe8d34f23cdfa
-
Filesize
371B
MD573c78361c185a6d37d16f323adbfccf0
SHA16572b6f9fa7b836c0364f721454a664e565af886
SHA25637138930220f56284c491048baaf64b62e27247cba7737df8b5d4aed327caa57
SHA5126c97582020e5071b82e49f6af6f5fe956a2921b268a92635f15e92c681669bad733f4c07e18ef59fe05d33524e01c26eeea30e32193b75be23f583250929a5bd
-
Filesize
371B
MD53daf02132d13b9a54e586bcba07b6f31
SHA115101b8fb2760e941b59cc305910726ce56eace0
SHA2568f9982ba555667c8891a3bc28449a782ebac7e716825f9e47a439e3a59d3039c
SHA512418c42a243bb554721c963840de295822bc31a5e105f87efddf4f7c10bdf257442957caf27ea26be26f1a7293b1dadc943e70c74bf9e6c64db4dc017608e0ea1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5178279334eae93a5ba614bfca426ad19
SHA11b4d9b38160a3f2f4f16e2db2ebc10a0845c95b0
SHA256cc2bd79577cf9a6defb84f6f01097f9f9a8290e91c8696b8252be5cce28c2440
SHA512729ddf8025bc06ab24107cba57b8ea6431b120fa7d85f1ad90fe5ad166fcb5cc95f445cecaa370e8fe4b7abfec567b2b4d6e09097da346f2041de201e45bb1fb
-
Filesize
944B
MD59a2c763c5ff40e18e49ad63c7c3b0088
SHA14b289ea34755323fa869da6ad6480d8d12385a36
SHA256517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA5123af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8
-
Filesize
944B
MD5cbc41bceec6e8cf6d23f68d952487858
SHA1f52edbceff042ded7209e8be90ec5e09086d62eb
SHA256b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d
SHA5120f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD51d28a205bc145a6a07c6fe838abb94ed
SHA1572c9899e82fb3729f78ec0acd976d87c7936557
SHA256777628275b29b896ec5713ad48a1fb6893badc1908202a87aea4695911a05b3f
SHA512a506921e233538a79ebf18769dece71ba0285a1d423055e6b73ef29600f2af6fd2f103b75380b953070045c9124b8991e2cca789c0ccdf788440a3c6be162c04
-
Filesize
944B
MD510890cda4b6eab618e926c4118ab0647
SHA11e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA25600f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452