hawkeye | 00bfd28fd4ac55a7fd87527842dc892cea858282d880640fe10f3c8cdc4e56ee

Analysis

max time kernel
107s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cm-chat-media-video-1ed1d8e4b-814a-5abe-bf48-9183d87c3fae22700.mp4
Size

354KB
MD5

20e7c30e0ae7351db59ebea7e922a944
SHA1

3663755f85d76e11c8fd6e66945b5f2119b84c6d
SHA256

00bfd28fd4ac55a7fd87527842dc892cea858282d880640fe10f3c8cdc4e56ee
SHA512

efcfe5e10793ce9f77ef007c419ed3020417a0a69d642cfb7209d165e2d1afdab37cad183b6568f66edf80e270656f6559c3b8c255a58373b9ab37e88729971c
SSDEEP

6144:PLa4UVZw8TSp9OPNf1msHcaC3kR+wRj+yfMoZ5/Ny8qwXnMtKzU9bJpUPAPfUy:PHU4oSp4NtxHT+Wq8vNswX+9bvmAPfUy

Score

10^/10

hawkeye xworm discovery keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

join-ez.gl.at.ply.gg:27599

Attributes

Install_directory
%AppData%
install_file
WindowsUpdate.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 898709.crdownload	family_xworm
behavioral1/memory/4536-215-0x0000000000820000-0x0000000000834000-memory.dmp	family_xworm

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

FlareExecutor.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	FlareExecutor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk	FlareExecutor.exe

Executes dropped EXE 3 IoCs

Processes:

FlareExecutor.exeFlareExecutor.exeFlareExecutor.exe

pid process

4536 FlareExecutor.exe
2080 FlareExecutor.exe
3608 FlareExecutor.exe

pid	process
4536	FlareExecutor.exe
2080	FlareExecutor.exe
3608	FlareExecutor.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1620 2680 WerFault.exe wmplayer.exe

pid	pid_target	process	target process
1620	2680	WerFault.exe	wmplayer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wmplayer.exeunregmp2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

wmplayer.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{BE14FCAF-BFE6-41C7-A166-DE8FB016083E}	wmplayer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 898709.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

2472 msedge.exe
2472 msedge.exe
4688 msedge.exe
4688 msedge.exe
4124 identity_helper.exe
4124 identity_helper.exe
1068 msedge.exe
1068 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 898709.crdownload:SmartScreen	msedge.exe

pid	process
2472	msedge.exe
2472	msedge.exe
4688	msedge.exe
4688	msedge.exe
4124	identity_helper.exe
4124	identity_helper.exe
1068	msedge.exe
1068	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

wmplayer.exeunregmp2.exeAUDIODG.EXEFlareExecutor.exeFlareExecutor.exeFlareExecutor.exe

description	pid	process
Token: SeShutdownPrivilege	2680	wmplayer.exe
Token: SeCreatePagefilePrivilege	2680	wmplayer.exe
Token: SeShutdownPrivilege	3048	unregmp2.exe
Token: SeCreatePagefilePrivilege	3048	unregmp2.exe
Token: 33	4816	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4816	AUDIODG.EXE
Token: SeShutdownPrivilege	2680	wmplayer.exe
Token: SeCreatePagefilePrivilege	2680	wmplayer.exe
Token: SeDebugPrivilege	4536	FlareExecutor.exe
Token: SeDebugPrivilege	2080	FlareExecutor.exe
Token: SeDebugPrivilege	3608	FlareExecutor.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

wmplayer.exemsedge.exe

pid	process
2680	wmplayer.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe
4688	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

wmplayer.exeunregmp2.exemsedge.exe

description	pid	process	target process
PID 2680 wrote to memory of 4464	2680	wmplayer.exe	unregmp2.exe
PID 2680 wrote to memory of 4464	2680	wmplayer.exe	unregmp2.exe
PID 2680 wrote to memory of 4464	2680	wmplayer.exe	unregmp2.exe
PID 4464 wrote to memory of 3048	4464	unregmp2.exe	unregmp2.exe
PID 4464 wrote to memory of 3048	4464	unregmp2.exe	unregmp2.exe
PID 4688 wrote to memory of 2136	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2136	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 4212	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2472	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 2472	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe
PID 4688 wrote to memory of 1916	4688	msedge.exe	msedge.exe

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\cm-chat-media-video-1ed1d8e4b-814a-5abe-bf48-9183d87c3fae22700.mp4"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4464
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2348
  2⤵
  - Program crash
  PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:1016

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x4d8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
1⤵
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\TestNew.mhtml
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd353946f8,0x7ffd35394708,0x7ffd35394718
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068
- C:\Users\Admin\Downloads\FlareExecutor.exe
  "C:\Users\Admin\Downloads\FlareExecutor.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3312 /prefetch:8
  2⤵
  PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

C:\Users\Admin\Downloads\FlareExecutor.exe
"C:\Users\Admin\Downloads\FlareExecutor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Users\Admin\Downloads\FlareExecutor.exe
"C:\Users\Admin\Downloads\FlareExecutor.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FlareExecutor.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0e3b72827d030df25f7b598e7186f4a1

SHA1
9c48905c7b5684c7c54644658468befbfb25ca89

SHA256
19337844ce837777d1e43614f2be476d832d4686f7e1d5b9025afb59696a7669

SHA512
ea84874218d8c40a1e90629ad5c42c350eee11502e661a7fc81e8ce99b14db8fedc09848b983e19aedc04186cfcd2c6f3381b860fb776a1e7af8250d93b12526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
fd1df16e5ae974ef9e79e4e2e5205c39

SHA1
6743d08d1c6859f735a6efb535f92e9523f2f9d1

SHA256
2d001f514741e5d1a76faec370f330a898df2184bb72a7b92f30dea26bb88143

SHA512
501696917016794edc9cfb5f55a0bfeccc58c1397fab7a73749c4ab66e70824bbbdd30b7d74e0a78e1eff44847a701e5e30df89a4f280989d9510a9193232a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0ad8bccf0b452c4730b910acbe83ddcc

SHA1
5fac6081eb32f61a814f3e68774685178c641496

SHA256
6bf0255f94706d8510c65c10ec5a44f89197d235bd54b824b7f4410c52b27f29

SHA512
4dac354402ba986e5b67f12a41a4e380bbdc6879ee6b440447e719609a02321a80900bcf37e37ba2378c562c13479cda2287e711c6e61ae5b4a431df5ef2b1f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
234591e788bee92db6ebe783b9d5230b

SHA1
c66452b448e7a6d81f4eb33cb2e3d7292dc3fbe5

SHA256
eb002df693e7b4cb5bcb33a5f76afe4fa6293106f3ddee9053d2f0bfc7666d56

SHA512
4dfdcfc612194b3d9ef366af54ddf87fc97484fba958ab73045895c8586f14a568406a21d1430412ed46c07adaf413dbbba74b1fb9782cc12699e0776c153ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9df608b19766b032ec818a648caa91c4

SHA1
5eb21d42be2c137e221b3b24b20497b0b8075062

SHA256
fa57f2a2f8bfc8ed4a7a3fcece3aea614037768d6342308525bc08c3152aa72d

SHA512
e82635b596e843dd577e4468d99f9fa2e3b92e032efa48465df395a9e291b7a1b7ddfa91b8ecf940e804b9ea09107d659e2070899117b4fcac17804acaac942f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
70a534cd43483a20c8720c703167574b

SHA1
9927a7941ff3fb8299533e3b55cb2bbd85bc2f76

SHA256
14dce935f29fff4bd38075ce4de432305a94e3a070d63aa34fd6cc4d94b7c718

SHA512
3014edec0c399d6da39555fc0bc0a35600704d448fecbd40d875b470fe177d23b9318c6f9729ba0a36b41172ec46d05b44567b41b4c2dfd6376e33220848686c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e63d1413bd0c1c69631af4b40d3724e5

SHA1
c814cd9d7a47c5b74f0bd5bc437edc78ea3c4a2a

SHA256
fc1d81ae007fd32fb7497b04fdeb3d30dbb0dc4fe206e0b55e35a6953f735063

SHA512
73e83e981dfe52e5174653f0546b9df5bb6c24cd30df84aa8641a7f0b40aa4c6060afa0c123a9277cd39acac3bc868fd938a3f273517f05c65077a10ba5188a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
563088ad0f20fabf9dd62c6ba8ae1636

SHA1
f9cd2fd153afa1a12ff990cf27c32b8c9c44e878

SHA256
eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184

SHA512
8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
3c2f0ea775b46f6dc66de46c9e23bbef

SHA1
a04d65c7152cf75c8f56296795de23281deed6c9

SHA256
524b780bd48dd7f8a760e6182839750d3ceec2d2e22c33a5f147548db5f35438

SHA512
774ffda5c7b0762d498fac5e0fdc4e7c295584e7981047cc54565d6f0fe10932ea075db177c62d8ace89b85daa5a8fda3021a635b090e5f0e99394b36d5db609

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
cb4693a4c94f233d8b59965638f509b4

SHA1
939469cceffe56033233fb5185903c5a729bc981

SHA256
8b515b482b2dbbf6d403c68fb625af0f9c147f9cbac438394b10e183ae2fee54

SHA512
858274d4d7af1bfd53b8806af9e106cc5fb20165664cee9c55720901a0aca3bb538b78f49ba40d0336d218927467b1d1ed3b16acefe4792349ef6b16f217e71a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
9b036ebb3e39d6d9f244d17825ca508a

SHA1
6f4cd893ee51e216f24e103154648485c2ad2c78

SHA256
8ea992a7bded828cab843cef35496d959b226e3417df5854cfa034ce035dcc61

SHA512
0e790b116c8adad1b6b3ebffb71acea0fe402a4bb1541d39eecb6d204c61066ec6ac128a3d8feca6852a218eb5af101d5a10705c01b07e0646f119a95ec3769d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
f98b268916f2fb66a0edd709eb0da3f9

SHA1
c8958ce81a0e4c70f697c54e53b711245f500832

SHA256
ec287fbc1ccd7676c24dc38a0cc3d789644cdd297a54a06a407107e6cb56b473

SHA512
74386acf3445eacab260e29cbbffbf20e229d968ad62921177af13466c913457d67994066f76a9cbedb62066b625ade39c285004d10456708ab3080af103e7e6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 898709.crdownload

Filesize
57KB

MD5
b0484e39d03d0e736b9b9a841d8ecc3d

SHA1
d0d1ae9e0bc802bb0a9f29c59e952e70a8b180b1

SHA256
b7339aab9ce037f4fabdb866b76583530005c6bf752f46f97e57caebc6b0688a

SHA512
0f12ab18cbf944b838d62ea40f5fd3b17f1d4fe18338aac8c98108fa05a61be956f27a709dafac56c5467186bf42a133e0f7c4045b674fe3991831eec659f27f

Download Submit
\??\pipe\LOCAL\crashpad_4688_SSSRFGFPXXLJRSJH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2680-39-0x0000000009830000-0x0000000009840000-memory.dmp

Filesize
64KB

Download
memory/2680-40-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-41-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-55-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-38-0x0000000009830000-0x0000000009840000-memory.dmp

Filesize
64KB

Download
memory/2680-42-0x0000000009830000-0x0000000009840000-memory.dmp

Filesize
64KB

Download
memory/2680-37-0x0000000007660000-0x0000000007670000-memory.dmp

Filesize
64KB

Download
memory/2680-35-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-34-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-36-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2680-33-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/4536-215-0x0000000000820000-0x0000000000834000-memory.dmp

Filesize
80KB

Download