Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
22/11/2023, 01:49
Static task
static1
Behavioral task
behavioral1
Sample
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe
Resource
win7-20231023-en
General
-
Target
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe
-
Size
66KB
-
MD5
50b2b692da0c363e301709a28b30afaf
-
SHA1
098e00413ba405bcc72b71a5869c2d151e93448a
-
SHA256
d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49
-
SHA512
d463babcae95c3c200af5ae59aa5f89e2edeb267bb15e843f8a241e17794db1672067cba421ba38cda4e161151d93e5eb2e3bb06cd5ce6bc98d651ebf58f06ce
-
SSDEEP
1536:UJOjk0yzcRvVSfD8tzsy/jV49Gko0S/aATWJvQ3MJea9yn90+x:UJ70yK4D6P+YxpABJD9F+x
Malware Config
Extracted
xworm
5.0
162.212.154.8:41589
1fGBFdYzxtDnKgy4
-
Install_directory
%AppData%
-
install_file
OneDrive.exe
-
telegram
https://api.telegram.org/bot6875063177:AAG1OPJLZ36MPY8oqR1DVb1VHR2wOmnCudg/sendMessage?chat_id=2136313574
Extracted
limerat
-
aes_key
devil
-
antivm
false
-
c2_url
https://pastebin.com/raw/rPy10VvM
-
delay
3
-
download_payload
false
-
install
true
-
install_name
Windows Session Manager.exe
-
main_folder
AppData
-
pin_spread
false
-
sub_folder
\Windows\
-
usb_spread
false
Signatures
-
Detect Xworm Payload 4 IoCs
resource yara_rule behavioral2/files/0x000d000000022bf1-24.dat family_xworm behavioral2/files/0x000d000000022bf1-30.dat family_xworm behavioral2/files/0x000d000000022bf1-31.dat family_xworm behavioral2/memory/4924-33-0x0000000000DE0000-0x0000000000E08000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe Key value queried \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation one.exe -
Executes dropped EXE 2 IoCs
pid Process 4924 one.exe 1556 ses.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\one = "C:\\Windows\\System32\\one.exe" d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ses = "C:\\Windows\\System32\\ses.exe" d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe Set value (str) \REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Users\\Admin\\AppData\\Roaming\\OneDrive.exe" one.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 ip-api.com -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\ses.exe d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe File created C:\Windows\System32\one.exe d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe File opened for modification C:\Windows\System32\one.exe d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe File created C:\Windows\System32\ses.exe d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2084 schtasks.exe 3876 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4924 one.exe -
Suspicious behavior: EnumeratesProcesses 28 IoCs
pid Process 4824 powershell.exe 4824 powershell.exe 812 powershell.exe 812 powershell.exe 1400 powershell.exe 1400 powershell.exe 1400 powershell.exe 324 powershell.exe 324 powershell.exe 324 powershell.exe 3976 powershell.exe 3976 powershell.exe 3976 powershell.exe 4224 powershell.exe 4224 powershell.exe 4224 powershell.exe 4924 one.exe 4924 one.exe 4164 msedge.exe 4164 msedge.exe 2676 msedge.exe 2676 msedge.exe 5948 identity_helper.exe 5948 identity_helper.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe 3372 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe -
Suspicious use of AdjustPrivilegeToken 8 IoCs
description pid Process Token: SeDebugPrivilege 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe Token: SeDebugPrivilege 4824 powershell.exe Token: SeDebugPrivilege 4924 one.exe Token: SeDebugPrivilege 812 powershell.exe Token: SeDebugPrivilege 1400 powershell.exe Token: SeDebugPrivilege 324 powershell.exe Token: SeDebugPrivilege 3976 powershell.exe Token: SeDebugPrivilege 4224 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe 4164 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4924 one.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1716 wrote to memory of 4824 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 92 PID 1716 wrote to memory of 4824 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 92 PID 1716 wrote to memory of 2084 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 94 PID 1716 wrote to memory of 2084 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 94 PID 1716 wrote to memory of 4924 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 96 PID 1716 wrote to memory of 4924 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 96 PID 1716 wrote to memory of 812 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 97 PID 1716 wrote to memory of 812 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 97 PID 1716 wrote to memory of 3876 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 100 PID 1716 wrote to memory of 3876 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 100 PID 1716 wrote to memory of 1556 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 103 PID 1716 wrote to memory of 1556 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 103 PID 1716 wrote to memory of 1556 1716 d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe 103 PID 4924 wrote to memory of 1400 4924 one.exe 105 PID 4924 wrote to memory of 1400 4924 one.exe 105 PID 4924 wrote to memory of 324 4924 one.exe 107 PID 4924 wrote to memory of 324 4924 one.exe 107 PID 4924 wrote to memory of 3976 4924 one.exe 110 PID 4924 wrote to memory of 3976 4924 one.exe 110 PID 4924 wrote to memory of 4224 4924 one.exe 112 PID 4924 wrote to memory of 4224 4924 one.exe 112 PID 1556 wrote to memory of 4164 1556 ses.exe 116 PID 1556 wrote to memory of 4164 1556 ses.exe 116 PID 4164 wrote to memory of 4256 4164 msedge.exe 117 PID 4164 wrote to memory of 4256 4164 msedge.exe 117 PID 1556 wrote to memory of 3880 1556 ses.exe 118 PID 1556 wrote to memory of 3880 1556 ses.exe 118 PID 3880 wrote to memory of 3768 3880 msedge.exe 119 PID 3880 wrote to memory of 3768 3880 msedge.exe 119 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 PID 4164 wrote to memory of 1540 4164 msedge.exe 122 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe"C:\Users\Admin\AppData\Local\Temp\d25339ece508876c8900d27721f042391a4cc2769805afa377556a416a192c49.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "one" /SC ONLOGON /TR "C:\Windows\System32\one.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:2084
-
-
C:\Windows\System32\one.exe"C:\Windows\System32\one.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'one.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'OneDrive.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\ses.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /F /TN "ses" /SC ONLOGON /TR "C:\Windows\System32\ses.exe" /RL HIGHEST2⤵
- Creates scheduled task(s)
PID:3876
-
-
C:\Windows\System32\ses.exe"C:\Windows\System32\ses.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4164 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94d346f8,0x7ffa94d34708,0x7ffa94d347184⤵PID:4256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:84⤵PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:24⤵PID:1540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:14⤵PID:3116
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:14⤵PID:4044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:14⤵PID:4052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:14⤵PID:3912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:14⤵PID:3372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:14⤵PID:5768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:14⤵PID:5760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:84⤵PID:5932
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:5948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:14⤵PID:6132
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:14⤵PID:6140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,5195829324202504727,15832317474736444213,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4124 /prefetch:24⤵
- Suspicious behavior: EnumeratesProcesses
PID:3372
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ses.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.03⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94d346f8,0x7ffa94d34708,0x7ffa94d347184⤵PID:3768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,12308019106758252272,4253500727418688844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:34⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,12308019106758252272,4253500727418688844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:24⤵PID:224
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3840
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5128
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
Filesize
152B
MD5f4787679d96bf7263d9a34ce31dea7e4
SHA1ebbade52b0a07d888ae0221ad89081902e6e7f1b
SHA256bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87
SHA512de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD5ad6e0050d5c5723c15d63f4b6ee83250
SHA15ee145beb5e0242748741c8c7247b265a9fb67bf
SHA256910d2118c800c29674cae98093abfa49441f4e57d61a5eb901cd38af0469641b
SHA512a9bf13e986dae418d1db75b3636b9803cb2d8fe42abde42c9e064e4a53686c1206051e8848ea660c8847891e9031a8ee50195fdfe0853f5440cda1442d1d1b9a
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
5KB
MD5ad2ff058a2ae2d5594620c3a69869167
SHA1c9d30a5f33562f763e23da5c266baf144b99555a
SHA25623ef855836ccd73eb8d5888cce07253739474df8f19d16235c2cc465e6a299ff
SHA51278c353441d12704f27a9090306a90e486197dd8d6c15a478953545265402cf2541d847d0c4720ed88ca55ebb088a3a51c022facce29f3485021318d109f7edb9
-
Filesize
5KB
MD5de4d6d2cddbba6a3fed4ff2b684f445b
SHA108f09ad747e7cfaa2345b306562ae66fc08cf57d
SHA256e11fa1bdad2a9a292dfcfdf496d8fdde4dc3f40a294105b32abf99d7e19a9f88
SHA512cd395f0fb3ec864952f679568c926989185c3e0fe4610a02c9d43fb158ba29553774eb46deedf5ab94f8d31285a20812db339b799cba8efa62be2b299166b7b6
-
Filesize
24KB
MD53a748249c8b0e04e77ad0d6723e564ff
SHA15c4cc0e5453c13ffc91f259ccb36acfb3d3fa729
SHA256f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed
SHA51253254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2
-
Filesize
371B
MD5f103cfc89b7d1a6ac08666945b63d086
SHA1baaa11a6f6fa42d11865cbefbb8613f7f82207a7
SHA25667e0a72a036659a48b761d595679294857e4273172b621db0a1474d3c5ea3fe0
SHA512f3442307fa8b03a8677d4fc4a0e3b94b6a53fd45d5ecf79f2fd779681f888f8646787c70c4271bf061569a87608cb01ecfe20498f0942b5f99f2dc6aa2a38bb8
-
Filesize
371B
MD5e57d3d28ac2688c61ab8a79d27097ed0
SHA1f17a770778b5bc3db308ed2520de5bf396287f46
SHA2560910a79b8d2a46c0ceb9344539a8f471cf32f4e4b1338e5a230fdc01426b48a8
SHA512f75c925058bea593b1e214df2dd582cef638771ebec037d30fbc8c90ecf20eb6d5910b872a6ce4bec53f6c621ebf15808ea63a04d8e4bcd251861ed07b028947
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD5b24d6ae864a292897f831cbfcf5b5eab
SHA1ac057cd06d54272a56b085cf06d8d2a7dd191256
SHA2560ec6abc2505a844b4e6453767689a70b65b933968c97d4fc86f94feb24d96af1
SHA512db90d7f3747d65fffbf30b3be19a065daac97ccca670249ff74678712b0129bd3f7a984e2873c7f5332714f73134c120e5e2df5d2ccd2d6ac67bb0f563138350
-
Filesize
10KB
MD57841fce166f2314bb7493da82e66d128
SHA15ab8082f3eb831be20c47d9cb9788aa059d661a1
SHA256d1d6094c7710ac93c479425a5b7317c05ced58ba2ac2328155fa3ce540cde291
SHA512765033c417eef0aa86c3a83782017526b53f4eca3d4f8847d6deceecb267c0c304a6d6262c0dcacb0843457897002eaefba27022a541578814d290495b532218
-
Filesize
2KB
MD5b24d6ae864a292897f831cbfcf5b5eab
SHA1ac057cd06d54272a56b085cf06d8d2a7dd191256
SHA2560ec6abc2505a844b4e6453767689a70b65b933968c97d4fc86f94feb24d96af1
SHA512db90d7f3747d65fffbf30b3be19a065daac97ccca670249ff74678712b0129bd3f7a984e2873c7f5332714f73134c120e5e2df5d2ccd2d6ac67bb0f563138350
-
Filesize
944B
MD53b444d3f0ddea49d84cc7b3972abe0e6
SHA10a896b3808e68d5d72c2655621f43b0b2c65ae02
SHA256ab075b491d20c6f66c7bd40b57538c1cfdaab5aac4715bfe3bbc7f4745860a74
SHA512eb0ab5d68472ec42de4c9b6d84306d7bca3874be1d0ac572030a070f21a698432418068e1a6006ff88480be8c8f54c769dee74b2def403f734109dba7261f36b
-
Filesize
944B
MD59a2c763c5ff40e18e49ad63c7c3b0088
SHA14b289ea34755323fa869da6ad6480d8d12385a36
SHA256517807921c55bd16cd8a8bfae3d5dc19444c66f836b66acd5593e3080acbaf8e
SHA5123af01926bc7de92076067d158d7250b206d396b3282ee0db43639d04d91bd9ff763acbce12c7822914824984a3c5fdd1b8dbf1ad2ee88233d47f0f808b746bc8
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD52253c665505da63342ef14dd8197f0b5
SHA1466f37281031aea4ac775d9fb8e91489a85faf82
SHA25627948dca356cfdff3a5480bdca63a66963505ad1bdc7ff42d1380bf418667436
SHA512c45fd978256c168493b900ffddded099e0717068b772012bdebfcdcb2377f7a4adf2b968eb37125ed98fdcfb277c9f81fa02f90cfec60f4915d3027c27d7da0d
-
Filesize
944B
MD5d0a40a2d16d62c60994d5bb5624a589b
SHA130f0a77f10518a09d83e6185d6c4cde23e4de8af
SHA256c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8
SHA512cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
142KB
MD52f2fed589cef6c6973db3dd854a6ba13
SHA16a121feaa70814260efcc50a0b48696cd0cf570e
SHA2561d77e69e717573061d58bb385dfe760cbbfbb205a9e1c1ea3428a25ac7319c36
SHA512c8d942892f514afbd5a8f888897b31e6e4d4c2e2d155bf1561dfba03ff382a5c12e810f5bb2cd9ff461524f4dd4012e85363537568ca7b36ad51c2bd4d95aade
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452
-
Filesize
28KB
MD5ab9502a920271fd1cf060f388a45fcd0
SHA1c7292f1d76eae037d3ea5dbbc171eee21bc944d8
SHA256e0fb281db34b9fa35971cb1af42175d6b5650c46f261771361a1aeed70565787
SHA5127fcf30539e0cf74d4f27904c4205d0d8fd209ffec2ca97fdd1277c3096e1dc8c910ce239b7bd622d4275d4ea24f5be2ca0ae6a3a2687e492fd7774712c620452