Overview
overview
10Static
static
10231121-01-...d4.exe
windows7-x64
10231121-01-...d4.exe
windows10-2004-x64
10231121-02-...4c.exe
windows7-x64
10231121-02-...4c.exe
windows10-2004-x64
10231121-03-...94.exe
windows7-x64
10231121-03-...94.exe
windows10-2004-x64
10231121-04-...05.exe
windows7-x64
10231121-04-...05.exe
windows10-2004-x64
10231121-05-...29.exe
windows7-x64
10231121-05-...29.exe
windows10-2004-x64
10231121-06-...a6.exe
windows7-x64
10231121-06-...a6.exe
windows10-2004-x64
10231121-07-...6a.exe
windows7-x64
10231121-07-...6a.exe
windows10-2004-x64
10231121-08-...84.exe
windows7-x64
10231121-08-...84.exe
windows10-2004-x64
10231121-09-...c4.exe
windows7-x64
10231121-09-...c4.exe
windows10-2004-x64
10231121-10-...ec.exe
windows7-x64
10231121-10-...ec.exe
windows10-2004-x64
10231121-11-...bc.exe
windows7-x64
10231121-11-...bc.exe
windows10-2004-x64
10231121-12-...1d.exe
windows7-x64
10231121-12-...1d.exe
windows10-2004-x64
10231121-13-...5e.exe
windows7-x64
10231121-13-...5e.exe
windows10-2004-x64
10231121-14-...29.exe
windows7-x64
10231121-14-...29.exe
windows10-2004-x64
10231121-15-...f4.exe
windows7-x64
3231121-15-...f4.exe
windows10-2004-x64
10231121-16-...00.exe
windows7-x64
10231121-16-...00.exe
windows10-2004-x64
10Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231020-en -
resource tags
arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system -
submitted
21-11-2023 02:01
Behavioral task
behavioral1
Sample
231121-01-AgentTesla-4f4bd4.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
231121-01-AgentTesla-4f4bd4.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral3
Sample
231121-02-AgentTesla-29ec4c.exe
Resource
win7-20231023-en
Behavioral task
behavioral4
Sample
231121-02-AgentTesla-29ec4c.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral5
Sample
231121-03-SmokeLoader-a0e394.exe
Resource
win7-20231025-en
Behavioral task
behavioral6
Sample
231121-03-SmokeLoader-a0e394.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral7
Sample
231121-04-AgentTesla-41c205.exe
Resource
win7-20231020-en
Behavioral task
behavioral8
Sample
231121-04-AgentTesla-41c205.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral9
Sample
231121-05-CobaltStrike-189129.exe
Resource
win7-20231023-en
Behavioral task
behavioral10
Sample
231121-05-CobaltStrike-189129.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral11
Sample
231121-06-AgentTesla-b971a6.exe
Resource
win7-20231023-en
Behavioral task
behavioral12
Sample
231121-06-AgentTesla-b971a6.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral13
Sample
231121-07-AgentTesla-64b66a.exe
Resource
win7-20231020-en
Behavioral task
behavioral14
Sample
231121-07-AgentTesla-64b66a.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral15
Sample
231121-08-AgentTesla-d20084.exe
Resource
win7-20231023-en
Behavioral task
behavioral16
Sample
231121-08-AgentTesla-d20084.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral17
Sample
231121-09-AgentTesla-fbf7c4.exe
Resource
win7-20231025-en
Behavioral task
behavioral18
Sample
231121-09-AgentTesla-fbf7c4.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral19
Sample
231121-10-AgentTesla-a77eec.exe
Resource
win7-20231023-en
Behavioral task
behavioral20
Sample
231121-10-AgentTesla-a77eec.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral21
Sample
231121-11-AgentTesla-fe5abc.exe
Resource
win7-20231023-en
Behavioral task
behavioral22
Sample
231121-11-AgentTesla-fe5abc.exe
Resource
win10v2004-20231025-en
Behavioral task
behavioral23
Sample
231121-12-AgentTesla-68ee1d.exe
Resource
win7-20231020-en
Behavioral task
behavioral24
Sample
231121-12-AgentTesla-68ee1d.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral25
Sample
231121-13-AgentTesla-4c625e.exe
Resource
win7-20231023-en
Behavioral task
behavioral26
Sample
231121-13-AgentTesla-4c625e.exe
Resource
win10v2004-20231023-en
Behavioral task
behavioral27
Sample
231121-14-AgentTesla-1fcc29.exe
Resource
win7-20231023-en
Behavioral task
behavioral28
Sample
231121-14-AgentTesla-1fcc29.exe
Resource
win10v2004-20231020-en
Behavioral task
behavioral29
Sample
231121-15-Lokibot-a3aaf4.exe
Resource
win7-20231023-en
Behavioral task
behavioral30
Sample
231121-15-Lokibot-a3aaf4.exe
Resource
win10v2004-20231025-en
Behavioral task
behavioral31
Sample
231121-16-Lime-098e00.exe
Resource
win7-20231020-en
General
-
Target
231121-16-Lime-098e00.exe
-
Size
66KB
-
MD5
50b2b692da0c363e301709a28b30afaf
-
SHA1
098e00413ba405bcc72b71a5869c2d151e93448a
-
SHA256
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
-
SHA512
d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
-
SSDEEP
1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Malware Config
Extracted
xworm
5.0
162.212.154.8:41589
1fGBFdYzxtDnKgy4
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
-
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574
Extracted
limerat
-
aes_key
devil
-
antivm
false
-
c2_url
https://pastebin.com/raw/rPy10VvM
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Session Manager.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral32/files/0x000600000001e7c2-24.dat family_xworm behavioral32/files/0x000600000001e7c2-30.dat family_xworm behavioral32/files/0x000600000001e7c2-31.dat family_xworm behavioral32/memory/4408-32-0x0000000000570000-0x0000000000598000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation one.exe Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation 231121-16-Lime-098e00.exe -
Executes dropped EXE 2 IoCs
pid Process 4408 one.exe 1996 ses.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe" 231121-16-Lime-098e00.exe Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe" 231121-16-Lime-098e00.exe Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" one.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 ip-api.com -
Drops file in System32 directory 4 IoCs
description ioc Process File created C:\Windows\System32\one.exe 231121-16-Lime-098e00.exe File opened for modification C:\Windows\System32\one.exe 231121-16-Lime-098e00.exe File created C:\Windows\System32\ses.exe 231121-16-Lime-098e00.exe File opened for modification C:\Windows\System32\ses.exe 231121-16-Lime-098e00.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1388 schtasks.exe 4496 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4408 one.exe -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1524 powershell.exe 1524 powershell.exe 4360 powershell.exe 4360 powershell.exe 4020 powershell.exe 4020 powershell.exe 220 powershell.exe 220 powershell.exe 2608 powershell.exe 2608 powershell.exe 4956 powershell.exe 4956 powershell.exe 4956 powershell.exe 232 msedge.exe 232 msedge.exe 392 msedge.exe 392 msedge.exe 4408 one.exe 4408 one.exe 3496 identity_helper.exe 3496 identity_helper.exe 5268 msedge.exe 5268 msedge.exe 5268 msedge.exe 5268 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 2940 231121-16-Lime-098e00.exe Token: SeDebugPrivilege 1524 powershell.exe Token: SeDebugPrivilege 4408 one.exe Token: SeDebugPrivilege 4360 powershell.exe Token: SeDebugPrivilege 4020 powershell.exe Token: SeDebugPrivilege 220 powershell.exe Token: SeDebugPrivilege 2608 powershell.exe Token: SeDebugPrivilege 4956 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe 232 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4408 one.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2940 wrote to memory of 1524 2940 231121-16-Lime-098e00.exe 89 PID 2940 wrote to memory of 1524 2940 231121-16-Lime-098e00.exe 89 PID 2940 wrote to memory of 4496 2940 231121-16-Lime-098e00.exe 92 PID 2940 wrote to memory of 4496 2940 231121-16-Lime-098e00.exe 92 PID 2940 wrote to memory of 4408 2940 231121-16-Lime-098e00.exe 95 PID 2940 wrote to memory of 4408 2940 231121-16-Lime-098e00.exe 95 PID 2940 wrote to memory of 4360 2940 231121-16-Lime-098e00.exe 96 PID 2940 wrote to memory of 4360 2940 231121-16-Lime-098e00.exe 96 PID 2940 wrote to memory of 1388 2940 231121-16-Lime-098e00.exe 100 PID 2940 wrote to memory of 1388 2940 231121-16-Lime-098e00.exe 100 PID 2940 wrote to memory of 1996 2940 231121-16-Lime-098e00.exe 101 PID 2940 wrote to memory of 1996 2940 231121-16-Lime-098e00.exe 101 PID 2940 wrote to memory of 1996 2940 231121-16-Lime-098e00.exe 101 PID 4408 wrote to memory of 4020 4408 one.exe 102 PID 4408 wrote to memory of 4020 4408 one.exe 102 PID 4408 wrote to memory of 220 4408 one.exe 105 PID 4408 wrote to memory of 220 4408 one.exe 105 PID 4408 wrote to memory of 2608 4408 one.exe 107 PID 4408 wrote to memory of 2608 4408 one.exe 107 PID 4408 wrote to memory of 4956 4408 one.exe 110 PID 4408 wrote to memory of 4956 4408 one.exe 110 PID 1996 wrote to memory of 232 1996 ses.exe 111 PID 1996 wrote to memory of 232 1996 ses.exe 111 PID 232 wrote to memory of 1308 232 msedge.exe 112 PID 232 wrote to memory of 1308 232 msedge.exe 112 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 PID 232 wrote to memory of 4696 232 msedge.exe 115 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\231121-16-Lime-098e00.exe"C:\Users\Admin\AppData\Local\Temp\231121-16-Lime-098e00.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:4496
-
-
C:\Windows\System32\one.exe"C:\Windows\System32\one.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:1388
-
-
C:\Windows\System32\ses.exe"C:\Windows\System32\ses.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb84246f8,0x7ffdb8424708,0x7ffdb84247184⤵PID:1308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:84⤵PID:884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:24⤵PID:4696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:14⤵PID:2552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:14⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:14⤵PID:1972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:84⤵PID:3744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:3496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:14⤵PID:1912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:14⤵PID:2552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:14⤵PID:4492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:14⤵PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:14⤵PID:2660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:14⤵PID:4532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,14057751585383444052,1392502556556023459,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2880 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:5268
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵PID:5004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb84246f8,0x7ffdb8424708,0x7ffdb84247184⤵PID:4256
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3000
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5036
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD56dded92ec95cf9f22410bdeac841a00d
SHA183c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA2561840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8
-
Filesize
152B
MD56dded92ec95cf9f22410bdeac841a00d
SHA183c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA2561840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD50255974c09d8f224f8394fa054116e35
SHA15c112376e6c76260cac8b609bb9d406d685c8c84
SHA256897394b319ff86d26dc730dbd5d1f6e292425252ca11819430deb016fba1d453
SHA512438f7af776b3165f7ce0722bb696f5f4e9da5f2a0920cb79d28d7a16aa02d38d8c46494e71947ca192b468aa1706da2171b6b785448f87ad424e269c7b4eda92
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
5KB
MD561bcfefe304e878c3a4215a2e336aedd
SHA19b5ed5b5ff1cfd88e2d7f78a3ee4c2c2f4327585
SHA256405269611eac974bd0269a71777dcbd1c05ace39a3e9a949075e0b19d3e082ca
SHA51259c8ac8b1c5d69ae3c070e81a120f1b2d97f0f66ff77941e700aa84bbdd6485ccf0833ee17454ba465b650115e282de813119bb649cfff4da99f9d4fe51f6286
-
Filesize
6KB
MD59c37df17f6bb11be9791ae11b43768d0
SHA16f30f7301760cc3d8dcd85ffb1a924f1cf9c2421
SHA256e466357f2ffac87f6a8708c7f247ebf64a37a34a1661060a552d1aa1d4904a4f
SHA5120b37aa205c0e77d17eda013365c83e69a8a1383a6be12d29cd2eaea97a3eae5443992741ac69ba272cf555f3bd747db439ad38eb26683add483a56824552c6cf
-
Filesize
6KB
MD563849645ccdbf32c41f37ee376d1e907
SHA14abec647c3658ba40b7a23bfd5497ceb79dd0b78
SHA256bcf5abb647c34deebe8724b9986d96f7f1d145593a51aa6461e81c50d6172fca
SHA5120ccd101566d2233fa1c9846890f0c4b777ef10451cec9d3807e9f5058bffdca28a846ec2af3722f248d344da099ea67fd277e4076baffc5e9f413c943e0128b8
-
Filesize
24KB
MD5e05436aebb117e9919978ca32bbcefd9
SHA197b2af055317952ce42308ea69b82301320eb962
SHA256cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f
SHA51211328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9
-
Filesize
371B
MD59ca4d0dc89dd44713448e00fa997efb8
SHA1fbdc4c46b7641be331c6d7c4b54df4959b887dba
SHA256e87a00c93c0be1cd04924ecdc7fd50a4a06004afc8bc6db1c98e0033792e0060
SHA51286a6b9b0d6fc1d5ac569381fcd0b73267500c90987006761696abd4d0cadc7b8ed0fdebc1eb7afb0def8c6af1cf0c5d15600699bdd51b9af36ed465bd5394db3
-
Filesize
371B
MD5e3ece777cba830c6b451e393e162c1cd
SHA13e36b049c407b392f95c38e5c8cfde7a1425dc97
SHA256fd2e7cfc2180e46f12291ad841ad2df16861ebdb3383ef56233b21c73b0a2251
SHA5126a8d36458e90482891dd8e015ec4b34e9dfe861041d244cd0073b3c79feeaaebcbe2180a1ca486afc1f6d751ede72f9ed89ff803f986467eee0938df32888323
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD51d45d79bd0fc27893833e32f69a4cc43
SHA16e6de4336fd4508287b312b1bbe46e29de8ab963
SHA25684448fad89811e6b1e74f5963f805da8ae0ca2e9afafdcfceb5b4c692cce7f77
SHA5128b4fc410fe1073879f885683e3b9389df02cb6aa71663a464234e16313a69e7638f7c5ff40db4bf49cceb371621b50ac5c596c7a103cb4266ae7816353e9fb22
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
Filesize
944B
MD5bf3651a8682259b5e292b98289271f76
SHA14694a32734c377985dafbd15e26b9a129f1e4a45
SHA2565ffc07abea05b9bb523e511ed75995488a22e3dd54fddc50b62b8336bd57c575
SHA512d9cd369fc710131f0f24c3add83a923625831b1bfb4fba0da83dd71fa41a4ed5a0f0e00755f3cf8ae2aef4aa498c353348c51c167f7d6a2af834f07c78b33896
-
Filesize
944B
MD5a9293ef980c925abe33d940554ed8575
SHA19b6d85f2595f7fd4923f52b21ab7607279066969
SHA2568313a191aa9d11cce868d95ac9a9b1609275bfe93131fcb6e547b985b0242fbe
SHA5122003d90bb2bc89378ccaeb9c5edf76b2dfd93c80369d063e56141abb8d7fea6acee6a103874ab227bc1548437269c8e4ee5174bf482ecf3d66c38f3e0ba35d85
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452