Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
20/11/2023, 14:36
Static task
static1
Behavioral task
behavioral1
Sample
chr.exe
Resource
win7-20231023-en
General
-
Target
chr.exe
-
Size
66KB
-
MD5
50b2b692da0c363e301709a28b30afaf
-
SHA1
098e00413ba405bcc72b71a5869c2d151e93448a
-
SHA256
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
-
SHA512
d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
-
SSDEEP
1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Malware Config
Extracted
xworm
5.0
162.212.154.8:41589
1fGBFdYzxtDnKgy4
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
-
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574
Extracted
limerat
-
aes_key
devil
-
antivm
false
-
c2_url
https://pastebin.com/raw/rPy10VvM
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Session Manager.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral2/files/0x000c000000022be9-23.dat family_xworm behavioral2/files/0x000c000000022be9-29.dat family_xworm behavioral2/files/0x000c000000022be9-30.dat family_xworm behavioral2/memory/1888-31-0x00000000009B0000-0x00000000009D8000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation one.exe Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation chr.exe -
Executes dropped EXE 2 IoCs
pid Process 1888 one.exe 1188 ses.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe" chr.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe" chr.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" one.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 25 ip-api.com -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\System32\one.exe chr.exe File opened for modification C:\Windows\System32\one.exe chr.exe File created C:\Windows\System32\ses.exe chr.exe File opened for modification C:\Windows\System32\ses.exe chr.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3388 schtasks.exe 940 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1888 one.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4412 powershell.exe 4412 powershell.exe 1396 powershell.exe 1396 powershell.exe 2676 powershell.exe 2676 powershell.exe 2676 powershell.exe 536 powershell.exe 536 powershell.exe 536 powershell.exe 1940 powershell.exe 1940 powershell.exe 1940 powershell.exe 4680 powershell.exe 4680 powershell.exe 4680 powershell.exe 1888 one.exe 1888 one.exe 3112 msedge.exe 3112 msedge.exe 5088 msedge.exe 5088 msedge.exe 3692 identity_helper.exe 3692 identity_helper.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe 4552 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 4276 chr.exe Token: SeDebugPrivilege 4412 powershell.exe Token: SeDebugPrivilege 1888 one.exe Token: SeDebugPrivilege 1396 powershell.exe Token: SeDebugPrivilege 2676 powershell.exe Token: SeDebugPrivilege 536 powershell.exe Token: SeDebugPrivilege 1940 powershell.exe Token: SeDebugPrivilege 4680 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe 3112 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1888 one.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4276 wrote to memory of 4412 4276 chr.exe 94 PID 4276 wrote to memory of 4412 4276 chr.exe 94 PID 4276 wrote to memory of 3388 4276 chr.exe 96 PID 4276 wrote to memory of 3388 4276 chr.exe 96 PID 4276 wrote to memory of 1888 4276 chr.exe 98 PID 4276 wrote to memory of 1888 4276 chr.exe 98 PID 4276 wrote to memory of 1396 4276 chr.exe 99 PID 4276 wrote to memory of 1396 4276 chr.exe 99 PID 4276 wrote to memory of 940 4276 chr.exe 102 PID 4276 wrote to memory of 940 4276 chr.exe 102 PID 4276 wrote to memory of 1188 4276 chr.exe 105 PID 4276 wrote to memory of 1188 4276 chr.exe 105 PID 4276 wrote to memory of 1188 4276 chr.exe 105 PID 1888 wrote to memory of 2676 1888 one.exe 106 PID 1888 wrote to memory of 2676 1888 one.exe 106 PID 1888 wrote to memory of 536 1888 one.exe 109 PID 1888 wrote to memory of 536 1888 one.exe 109 PID 1888 wrote to memory of 1940 1888 one.exe 112 PID 1888 wrote to memory of 1940 1888 one.exe 112 PID 1888 wrote to memory of 4680 1888 one.exe 114 PID 1888 wrote to memory of 4680 1888 one.exe 114 PID 1188 wrote to memory of 3112 1188 ses.exe 118 PID 1188 wrote to memory of 3112 1188 ses.exe 118 PID 3112 wrote to memory of 4292 3112 msedge.exe 119 PID 3112 wrote to memory of 4292 3112 msedge.exe 119 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 PID 3112 wrote to memory of 3124 3112 msedge.exe 121 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\chr.exe"C:\Users\Admin\AppData\Local\Temp\chr.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:3388
-
-
C:\Windows\System32\one.exe"C:\Windows\System32\one.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:940
-
-
C:\Windows\System32\ses.exe"C:\Windows\System32\ses.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1188 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffbe5f246f8,0x7ffbe5f24708,0x7ffbe5f247184⤵PID:4292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:24⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:84⤵PID:2136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:14⤵PID:2276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:14⤵PID:3852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:14⤵PID:1196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:14⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:14⤵PID:1192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:84⤵PID:2236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5624 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:3692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:14⤵PID:4424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:14⤵PID:3160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:14⤵PID:5296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:14⤵PID:5288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,7637366027171715368,2766532147026297860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5264 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:4552
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:2712
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe5f246f8,0x7ffbe5f24708,0x7ffbe5f247184⤵PID:1936
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3656
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1372
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD5b37a50043eeb7922fcb748ee824ab3dd
SHA171543c260435e4c14df09b55b43c4854ae6decf9
SHA25664796fe9e14792c63d50dfc5114c1aaf59f9881adf2cefef6fcac7c821fca9ae
SHA512eb68c3437262b50e9bdf8b65c76eefe430a284df3c4c847192355f919521a93b2fa771dc590cd2d231dd64c9ca5d72f223ab4010a2ef27cd9a6486808a412ca0
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
5KB
MD551da5d52cc38bac94a428be8b3d33132
SHA157b38ab4788ee7ba313c4df436a049fde6b2456b
SHA256dd908e81f1c37cfb6f3fd8a21964a65cbfec1ef127a0d23e76e70d1ca3419471
SHA5121e3ad7c879294c2b6f03a57aa2c403fce19d462e739cf3299b55b774e3cfed8fbb9e628b76d4a963a374655c0593efdb5b694c48a54dd55603d8f2c7d702fc7e
-
Filesize
6KB
MD5f141c987c3973886238ec464b49fc33a
SHA1b525e399c3f11207254bf437ac006dc2af236605
SHA25608c9cce0e4dcf848051ebadaa90feb7fdb3d689c661679effc06fe79891f19e6
SHA512a9a032ceab7a9f769a1b8264316bc47663a5c366ca5c81be9ffa9fc2d86bad8d99738fd67190a9fad2604a4d02fd2ccabe57a7e25f25438a42086c34bfd6356e
-
Filesize
24KB
MD53a748249c8b0e04e77ad0d6723e564ff
SHA15c4cc0e5453c13ffc91f259ccb36acfb3d3fa729
SHA256f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed
SHA51253254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2
-
Filesize
371B
MD539fb788edbc5b88c24a9dfc52f703d44
SHA1257cabbd68762d61aea4e083d14d876b7fcb4049
SHA2563258f5520f834cb29c73cf8021a5b15e95902da037e620614f93d5e96537e161
SHA51236cf0b53c4dbbd0bd3644ce4721527dc55d5345940fa455b7798eef3431a13a280368525f338a647c4aaee72ac35f3213ef42b87e94ac5b5edb233e1ef5d4a6c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\edda8e0c-46f6-461c-8878-338f55d6a861.tmp
Filesize371B
MD516c53d22cb5e731c7dc94a39d84e82d4
SHA1388c6178cff8a3378bc0c59ab1d70ab347a271d5
SHA256873f149ed4f6d8d3a953267f3ba45cbce101e1c3e834dc55a0b25b4165f79fcb
SHA512cd71f56802a4c1a612f402c1f22b9c4dd6bd80295d27fe91a3250e67ea728ba3afb8b7dace51cc2ec8dd941b529cff118fd1e40216367b8013a70a8622b1a47e
-
Filesize
10KB
MD5c748b2e477d0862f225cf3dd4e8c0a41
SHA19939086c47306b8e3200a9d36bbcaabaffeacb2a
SHA256acdfe7ffe2bc2fa8978ecad093e9fd9fe7c57bcdc77f1ca746c450f7eb859ec9
SHA51289f1071a0940f43c694e8e692d382a33457f8faf5e40471538bbde6a7fce244097e8bb5fa8990972d201a8ea05c611526173ba9ee7a7812d7a44c7240cc57b00
-
Filesize
944B
MD53b444d3f0ddea49d84cc7b3972abe0e6
SHA10a896b3808e68d5d72c2655621f43b0b2c65ae02
SHA256ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
SHA512eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
-
Filesize
944B
MD5bb812b3e31d6bcd9430e1859693c9856
SHA12e2fd106bd4c2cfb827a2db22cdfc12d9a2aebe1
SHA25636d73bca447ed277c72b5af7fe1e4f8d076e857fa82a7dd00e485138b9da673b
SHA5128bb6f11f4a69f6b1b0a2ff36f45c646cb726933a613e7c4d4b7c20e6c042616047beb4057675687d9f96e564c141b1a4b6f50fe793ec163393d57124a06319f4
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5ab1c06eb58feaa4c391aca847a9d8c22
SHA17135120dfad41b4d64e675294e1b974891b3ee76
SHA2563705f63962d11b61c726853043b5c47800b77b3392f8ef42921fb31514eeba8e
SHA5128fe9947248e64b2cb94af62bc8126f4c13700254a17a204b58535cb9ad32919be5aeca0e745127ceb8c666dc3b3140bb406d7591b32531c6c3eb1771ee571edb
-
Filesize
944B
MD5f0a41fc9c1123bb127e55ecc66c8f052
SHA157152411758fa3df2623cc8a4df6d9fea73652f8
SHA256a4fe2be2c449e841f6a12d32114672b097fc1058b6f2971a03521220a0228745
SHA512e3e967adac361ddcf8240cf641f3e77eacfefc61dec725b8ae12e6a94f7d2ebd937fb9eb3cd068a0b3d4306e163dc87773b322bc2dd8b7df93b8103d0e99a900
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452