Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
25/03/2024, 19:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://gofile.io/d/fP3khu
Resource
win10v2004-20231215-en
General
-
Target
https://gofile.io/d/fP3khu
Malware Config
Extracted
xworm
3.1
authority-amazon.gl.at.ply.gg:41414
oYHq0IAEGaCbJk3U
-
Install_directory
%ProgramData%
-
install_file
Win 10.exe
Signatures
-
Detect Xworm Payload 2 IoCs
resource yara_rule behavioral1/files/0x0008000000023239-75.dat family_xworm behavioral1/memory/4208-134-0x0000000000CB0000-0x0000000000CC0000-memory.dmp family_xworm -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation X.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk X.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\X.lnk X.exe -
Executes dropped EXE 3 IoCs
pid Process 4208 X.exe 5856 X.exe 5184 X.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\X = "C:\\ProgramData\\X.exe" X.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 70 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5580 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 528024.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4048 msedge.exe 4048 msedge.exe 3048 msedge.exe 3048 msedge.exe 1760 identity_helper.exe 1760 identity_helper.exe 3144 msedge.exe 3144 msedge.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 1244 powershell.exe 1244 powershell.exe 1244 powershell.exe 5204 powershell.exe 5204 powershell.exe 5204 powershell.exe 4676 taskmgr.exe 5388 powershell.exe 5388 powershell.exe 5388 powershell.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4208 X.exe 4208 X.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4676 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeDebugPrivilege 4208 X.exe Token: SeDebugPrivilege 4676 taskmgr.exe Token: SeSystemProfilePrivilege 4676 taskmgr.exe Token: SeCreateGlobalPrivilege 4676 taskmgr.exe Token: SeDebugPrivilege 1244 powershell.exe Token: SeDebugPrivilege 5204 powershell.exe Token: SeDebugPrivilege 5388 powershell.exe Token: SeDebugPrivilege 4208 X.exe Token: SeDebugPrivilege 5856 X.exe Token: SeDebugPrivilege 5184 X.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 3048 msedge.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe 4676 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4208 X.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3048 wrote to memory of 4660 3048 msedge.exe 85 PID 3048 wrote to memory of 4660 3048 msedge.exe 85 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4796 3048 msedge.exe 86 PID 3048 wrote to memory of 4048 3048 msedge.exe 87 PID 3048 wrote to memory of 4048 3048 msedge.exe 87 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 PID 3048 wrote to memory of 1908 3048 msedge.exe 88 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/fP3khu1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed3dc46f8,0x7ffed3dc4708,0x7ffed3dc47182⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:22⤵PID:4796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵PID:1908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:12⤵PID:4832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:3576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:82⤵PID:2508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵PID:5104
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵PID:4188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵PID:1256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵PID:4364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5844 /prefetch:82⤵PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:12⤵PID:4696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6104 /prefetch:82⤵PID:1496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,4112285935735908251,13334403749470066122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵PID:5252
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2692
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4528
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3912
-
C:\Users\Admin\Downloads\X.exe"C:\Users\Admin\Downloads\X.exe"1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4208 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\X.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\X.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5388
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "X" /tr "C:\ProgramData\X.exe"2⤵
- Creates scheduled task(s)
PID:5580
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4676
-
C:\ProgramData\X.exeC:\ProgramData\X.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5856
-
C:\ProgramData\X.exeC:\ProgramData\X.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5184
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD54d6e17218d9a99976d1a14c6f6944c96
SHA19e54a19d6c61d99ac8759c5f07b2f0d5faab447f
SHA25632e343d2794af8bc6f2f7c905b5df11d53db4ad8922b92ad5e7cc9c856509d93
SHA5123fa166b3e2d1236298d8dda7071a6fcf2bde283f181b8b0a07c0bb8ba756d6f55fa8a847ca5286d4dbabc6dace67e842a118866320ac01bd5f93cccd3a032e47
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize288B
MD52dfa4c4ecc98e6bdbc750a72e7c12371
SHA1e4a88c071c4c4512f80ade8f0f73a9a204fa977d
SHA256280048e821c28459f80949250fd0d18d2eabc7ba2d448452b83f1166740fa63f
SHA51286051cbe8b22024c20a8b0a7335232eded42d9ad7e6e11698dabb854c295c0167ba24daf1f255b6e92fe6c3634af37920b208e5a6ff44e11c898e2358f1183b3
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
317B
MD5afc6cddd7e64d81e52b729d09f227107
SHA1ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a
-
Filesize
5KB
MD5c377126254c9910a4c894b67c63df9e0
SHA11591f24490f7c3d5f99bcb1f5c1bcc6325613ce2
SHA256777d7cf6f620495bcf6b97acdb6cf5812a628033933a3c4bf03827078ea8889c
SHA512a6d843fce22f98dc564d969cd9b53fb6a935f4340772078ffee98803130bae47228022e8dfc133111b6cdc72840a02f06ff426ad225a1c695e3731f3fad5f57b
-
Filesize
5KB
MD5a10ae90ee6a43ab85c8429d034624f52
SHA137f212a060465cd2b32dfa600b750c64c3715880
SHA256a135a73341e019cf5f1e00bc67c163a894f011fa3fe6d4d66617f696ef4c6f88
SHA512374167af29f8d60f31fa1f36fe7b14975dbe73f8789dd53f24405b0e88a4645ae307aa33725d4dccf745e12739ca1cf20db3dd3f4e6da86d734bedbbbbe69d3a
-
Filesize
24KB
MD5c2ef1d773c3f6f230cedf469f7e34059
SHA1e410764405adcfead3338c8d0b29371fd1a3f292
SHA256185450d538a894e4dcf55b428f506f3d7baa86664fbbc67afd6c255b65178521
SHA5122ef93803da4d630916bed75d678382fd1c72bff1700a1a72e2612431c6d5e11410ced4eaf522b388028aeadb08e8a77513e16594e6ab081f6d6203e4caa7d549
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD582f5a5c9c750537af06cb053092b3cc4
SHA1baf1dcf020a5f4fcf4dce71aafd7c0db8bfbbd98
SHA25625d2764afb5097be5fef2d42f12e1a5a09be8dc077566cc2297a5b7e0e035122
SHA5129a7937bdb452c67182f58f6ba656f5accc1b7441b60b67f86e31a39d6711f3f33ec3b2410fa75527c97545a44982bbd5604585b557db67c32e085dc29944e10c
-
Filesize
10KB
MD55e74d4c74325abcd835561f7d7a6002c
SHA18a3b872739e8ea5b84f68e75a39846c557319e77
SHA2562b6184527d99e6ad27da15ff1655e16a97cde5f9b098e4f09d5657def4fa25ce
SHA512a3d5b21ecfe4f04abb1dfbd012f0cdc7e1c3ea69432ccceefb1fce8b28aaf3d12362bce845d8b1905bac2a06c226595dd12fb11049110540a5a25a1eb9f98b65
-
Filesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
Filesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
634B
MD5e730d8b7a3a3b190e0e7446966556d86
SHA18d45dc25469b5e0da7ab8805d8f4aecc59277777
SHA256bf4601f67130d28bfd512de1d237798ed37e9cd678ce0ff283cc570d2e416acf
SHA512df0874447177eb3a58944531d920058a014b5da62d70d1cb427de9ceb438ec360ed015ac37893403b433c2a031f002fdf033d74208eb752093be95d999d5e315
-
Filesize
39KB
MD592db839198bdd58833cb5846e545ef0d
SHA106592ef8353b8ff4e720ff0e622b716cae02eff1
SHA256afa10200eaa767d4e8b13965026a72ce030353b90538dc3faa197e18ba563858
SHA512d159abe2239e57a8d345d6578c47bd61482360e6f3098afe8162763d55e19eeddf4cda061e0058da4483b9382a2b96a8e84f7c54f233cc2f6bba799e62bc2c56