Resubmissions
09-03-2024 07:00  240309-hs3csaee8x  3
09-03-2024 06:56  240309-hqcpcaee6s  8
09-03-2024 06:54  240309-hpga5see5v  10
Analysis
max time kernel: 222s
max time network: 231s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 09-03-2024 06:56
Static task: static1
Behavioral task: behavioral1 (Sample: OrangeWare BETA.exe; Resource: win7-20231129-en)
Behavioral task: behavioral2 (Sample: OrangeWare BETA.exe; Resource: win10v2004-20240226-en)
General
Target: OrangeWare BETA.exe
Size: 605KB
MD5: 5c45ec1854de2fab9b7c6b24e5bc5a58
SHA1: 12d3e02b9391aab1b22d76eab1c87497bcbd51f0
SHA256: e25cea03b9a18d1c3e9179d7bb0ef7eee5b10dec80ef50e07599f7ae92223d05
SHA512: 11a6e38aa2e402a00e79abf0f6175428bee3350f1d3a88009b39fc036216a74f2e75d80396930b5dee4e293d4c3e984bc1986913ded6033a6c372bf4d1099563
SSDEEP: 6144:MX+wg3G5Q1IAZKSppJpjlYN0jqzMQPwmEykjNNAC0z4G7ennOJ4ZDvdQlTzI8Oxv:MXbg3FIoxPu08MQPwTACK5enTZDvgT1
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (2 IoCs)
  pid / Process: 5452 WindowsXPHorrorEdition.exe; 1100 WindowsXPHorrorEdition.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow / ioc: 122 camo.githubusercontent.com; 123 camo.githubusercontent.com; 144 raw.githubusercontent.com; 145 raw.githubusercontent.com
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3045580317-3728985860-206385570-1000\{6FB9A3B9-5E8D-4AD1-A030-8FB7AFEA4E62} (msedge.exe)
- NTFS ADS (1 IoCs)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 539486.crdownload:SmartScreen (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid / Process: 3120 msedge.exe (x2); 368 msedge.exe (x2); 3840 identity_helper.exe (x2); 5936 msedge.exe (x2); 6008 msedge.exe (x2); 5984 msedge.exe (x4)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (13 IoCs)
  pid / Process: 368 msedge.exe (x13)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: 33, pid 5852 AUDIODG.EXE; Token: SeIncBasePriorityPrivilege, pid 5852 AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (54 IoCs)
  pid / Process: 368 msedge.exe (x54)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process: 368 msedge.exe (x24)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid / Process: 1100 WindowsXPHorrorEdition.exe; 5452 WindowsXPHorrorEdition.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 368 msedge.exe wrote to memory of: 1720 (procid_target 101); 2800 (procid_target 102); 3120 (procid_target 103); 4860 (procid_target 104); 64 write entries in total
Processes
- C:\Users\Admin\AppData\Local\Temp\OrangeWare BETA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OrangeWare BETA.exe"
  PID: 4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID: 368
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd649a46f8,0x7ffd649a4708,0x7ffd649a4718
    PID: 1720
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
    PID: 2800
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 3120
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
    PID: 4860
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
    PID: 2980
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
    PID: 60
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    PID: 312
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    PID: 3236
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    PID: 456
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 3840
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
    PID: 4564
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    PID: 4440
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
    PID: 5216
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    PID: 5416
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
    PID: 5652
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3640 /prefetch:8
    PID: 5928
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5548 /prefetch:8
    Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
    PID: 5936
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
    PID: 3116
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
    PID: 4440
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
    PID: 5032
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
    PID: 4356
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6228 /prefetch:8
    PID: 436
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
    PID: 4888
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 6008
  - C:\Users\Admin\Downloads\WindowsXPHorrorEdition.exe
    Command line: "C:\Users\Admin\Downloads\WindowsXPHorrorEdition.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    PID: 1100
  - C:\Users\Admin\Downloads\WindowsXPHorrorEdition.exe
    Command line: "C:\Users\Admin\Downloads\WindowsXPHorrorEdition.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    PID: 5452
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,3288102851949156837,12894463551668415984,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4260 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 5984
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1668
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2792
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x504 0x2ec
  Signatures: Suspicious use of AdjustPrivilegeToken
  PID: 5852
Network
MITRE ATT&CK Enterprise v15
Downloads