Analysis
max time kernel: 107s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-10-2024 06:13
Static task: static1
General
Target: cm-chat-media-video-1ed1d8e4b-814a-5abe-bf48-9183d87c3fae22700.mp4
Size: 354KB
MD5: 20e7c30e0ae7351db59ebea7e922a944
SHA1: 3663755f85d76e11c8fd6e66945b5f2119b84c6d
SHA256: 00bfd28fd4ac55a7fd87527842dc892cea858282d880640fe10f3c8cdc4e56ee
SHA512: efcfe5e10793ce9f77ef007c419ed3020417a0a69d642cfb7209d165e2d1afdab37cad183b6568f66edf80e270656f6559c3b8c255a58373b9ab37e88729971c
SSDEEP: 6144:PLa4UVZw8TSp9OPNf1msHcaC3kR+wRj+yfMoZ5/Ny8qwXnMtKzU9bJpUPAPfUy:PHU4oSp4NtxHT+Wq8vNswX+9bvmAPfUy
Malware Config
Extracted family: xworm
C2: join-ez.gl.at.ply.gg:27599
Install_directory: %AppData%
install_file: WindowsUpdate.exe
This configuration was extracted from the XWorm payload FlareExecutor.exe (PID 4536; see the family_xworm yara hits under Signatures), not from the submitted .mp4, which Windows Media Player merely opened. Install_directory and install_file together give the persistence path the payload installs itself to: %AppData%\WindowsUpdate.exe.
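The C2 value is a host:port pair on a ply.gg hostname, which the playit.gg tunnelling service hands out to its users, so a network detection has two useful tiers: the exact host:port the sandbox extracted, and any traffic to the same tunnel host (operators can move the port) or to the same service suffix. The following is an added example, not part of the sandbox report or of XWorm: it classifies constructed connection records of the form `timestamp src_ip dest_host dest_port` against those tiers. Only the C2 string comes from the report; the five sample records are invented for the demo, and treating every ply.gg endpoint as suspicious is a policy assumption that will also hit legitimate users of the service.

```python
"""Classify connection records against the XWorm C2 extracted above.

Added example for this report, not sandbox output. C2 comes from the
Malware Config section; the log records are constructed for the demo.
"""
from dataclasses import dataclass
from typing import List, Optional

C2 = "join-ez.gl.at.ply.gg:27599"  # from the report's Malware Config

# Assumption: any host under these suffixes is treated as a tunnelling endpoint.
TUNNEL_SUFFIXES = (".ply.gg",)


def parse_hostport(value: str):
    """Split 'host:port' into (lower-cased host without trailing dot, int port)."""
    host, _, port = value.rpartition(":")
    return host.lower().rstrip("."), int(port)


def classify(host: str, port: int, c2: str = C2) -> Optional[str]:
    """Return a reason string when (host, port) matches an indicator tier, else None."""
    c2_host, c2_port = parse_hostport(c2)
    host = host.lower().rstrip(".")
    if host == c2_host and port == c2_port:
        return "exact C2 match"
    if host == c2_host:
        return "C2 host on a different port"  # operators rotate tunnel ports
    if host.endswith(TUNNEL_SUFFIXES):
        return "tunnelling-service endpoint"
    return None


@dataclass
class Hit:
    record: int
    src: str
    host: str
    port: int
    reason: str


def scan(records: List[str], c2: str = C2) -> List[Hit]:
    """Records are 'timestamp src_ip dest_host dest_port'; malformed ones are skipped."""
    hits = []
    for n, line in enumerate(records, start=1):
        parts = line.split()
        if len(parts) < 4 or not parts[3].isdigit():
            continue
        _ts, src, host, port = parts[:4]
        reason = classify(host, int(port), c2)
        if reason:
            hits.append(Hit(n, src, host, int(port), reason))
    return hits


# Constructed records (not from the report); only the C2 host and port are real indicators.
SAMPLE_RECORDS = [
    "2024-10-19T06:14:02Z 10.0.0.25 join-ez.gl.at.ply.gg 27599",
    "2024-10-19T06:14:05Z 10.0.0.25 update.example.net 443",
    "2024-10-19T06:14:09Z 10.0.0.31 JOIN-EZ.GL.AT.PLY.GG. 27600",
    "2024-10-19T06:14:11Z 10.0.0.40 other-tunnel.gl.at.ply.gg 8080",
    "2024-10-19T06:14:12Z 10.0.0.40 example.com 443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"record {hit.record}: {hit.src} -> {hit.host}:{hit.port}  [{hit.reason}]")
```

Hostnames are lower-cased and stripped of a trailing dot before comparison so that DNS-log spellings such as `JOIN-EZ.GL.AT.PLY.GG.` still match. The third tier is deliberately separate from the first two so it can be routed to a lower-severity queue where the tunnelling service is legitimately in use.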
Signatures

Detect Xworm Payload (2 IoCs)
- resource behavioral1/files/0x0007000000023cbd-168.dat: yara_rule family_xworm
- resource behavioral1/memory/4536-215-0x0000000000820000-0x0000000000834000-memory.dmp: yara_rule family_xworm
The memory hit is in PID 4536, FlareExecutor.exe (see Processes); that dropped file and process are the XWorm payload.

Downloads MZ/PE file

Drops startup file (2 IoCs)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk by FlareExecutor.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk by FlareExecutor.exe

Executes dropped EXE (3 IoCs)
- PID 4536 FlareExecutor.exe
- PID 2080 FlareExecutor.exe
- PID 3608 FlareExecutor.exe
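The startup-file IoCs record the persistence mechanism: a WindowsUpdate.lnk shortcut dropped into the per-user Startup folder by FlareExecutor.exe, which itself runs from the user's Downloads folder (see Processes). What makes the row worth an alert is the combination of factors, not the Startup write alone, which legitimate installers also perform. The following added example, not part of the sandbox report, parses rows in the flattened `File created <path> <process>` form in which the sandbox emits them and scores each Startup write. The two rows and the FlareExecutor.exe image path are taken from the report; the decoy-name list, the trusted-directory prefixes and the VendorAgent control row are assumptions made for the demo.

```python
"""Score 'Drops startup file' IoC rows for persistence.

Added example for this report, not sandbox output. The IoC rows and the
FlareExecutor.exe image path are from the report; DECOY_NAMES,
TRUSTED_PREFIXES and the VendorAgent control row are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One flattened report row: "<action> <path> <process>", repeated along one line.
ROW_RE = re.compile(
    r"(?P<action>File created|File opened for modification)\s+"
    r"(?P<path>[A-Za-z]:\\.*?)\s+(?P<proc>[^\s\\]+\.exe)(?=\s|$)",
    re.IGNORECASE,
)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Assumption: directories a standard user cannot write to without elevation.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: component names commonly borrowed as decoys; WindowsUpdate is the
# install_file from the extracted config.
DECOY_NAMES = {"windowsupdate", "svchost", "explorer", "winlogon", "csrss", "lsass", "dllhost"}

# Process name -> image path. FlareExecutor.exe is transcribed from the Processes
# section; VendorAgent.exe is a constructed benign control.
IMAGES: Dict[str, str] = {
    "FlareExecutor.exe": r"C:\Users\Admin\Downloads\FlareExecutor.exe",
    "VendorAgent.exe": r"C:\Program Files\Vendor\VendorAgent.exe",
}


@dataclass
class Finding:
    path: str
    process: str
    reasons: List[str]


def parse_rows(flat: str) -> List[Tuple[str, str, str]]:
    """Extract (action, path, process) triples from a flattened IoC line."""
    return [(m["action"], m["path"], m["proc"]) for m in ROW_RE.finditer(flat)]


def assess(path: str, proc: str, images: Dict[str, str] = IMAGES) -> Optional[Finding]:
    """Return a Finding for Startup-folder writes, listing every aggravating factor."""
    if not STARTUP_DIR.search(path):
        return None
    reasons = ["writes to the per-user Startup folder (runs at every logon)"]
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if stem in DECOY_NAMES:
        reasons.append(f"file name '{stem}' imitates a Windows component")
    image = images.get(proc, "").lower()
    if image and not image.startswith(TRUSTED_PREFIXES):
        reasons.append(f"written by {proc} running from user-writable path {image}")
    return Finding(path, proc, reasons)


def triage(flat: str, images: Dict[str, str] = IMAGES) -> List[Finding]:
    """Keep Startup writes with at least one aggravating factor; collapse created/modified pairs."""
    kept: Dict[Tuple[str, str], Finding] = {}
    for _action, path, proc in parse_rows(flat):
        finding = assess(path, proc, images)
        if finding and len(finding.reasons) > 1:
            kept[(path.lower(), proc.lower())] = finding
    return list(kept.values())


# The two rows from the report, followed by one constructed benign row.
REPORT_ROWS = (
    r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk FlareExecutor.exe "
    r"File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.lnk FlareExecutor.exe"
)
CONTROL_ROW = r"File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VendorAgent.lnk VendorAgent.exe"

if __name__ == "__main__":
    for f in triage(REPORT_ROWS + " " + CONTROL_ROW):
        print(f.process, "->", f.path)
        for r in f.reasons:
            print("   ", r)
```

The rule is scoped to the Startup folder on purpose: the install_file itself (%AppData%\WindowsUpdate.exe) is not a Startup write and is not flagged here, so a second rule on executables written directly under AppData\Roaming by user-path processes would be needed to catch the binary rather than the shortcut that launches it.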
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- unregmp2.exe: File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 IoCs)
- wmplayer.exe: File opened (read-only) \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 IoCs)
Both processes belong to Windows Media Player, which the sandbox used to open the submitted .mp4 (see Processes); FlareExecutor.exe does not appear in these IoCs, so this signature is not attributable to the XWorm payload.
Drops file in Windows directory (2 IoCs)
- File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll by svchost.exe
- File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll by svchost.exe
The writer is the UPnP Device Host service instance (svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost, PID 1016 under Processes) writing into its own service profile; it is unrelated to the payload.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
- WerFault.exe (PID 1620) reported a crash of PID 2680, wmplayer.exe (procid_target 84)

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by wmplayer.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by unregmp2.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer by msedge.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName by msedge.exe

Modifies registry class (2 IoCs)
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-940901362-3608833189-1915618603-1000\{BE14FCAF-BFE6-41C7-A166-DE8FB016083E} by wmplayer.exe
- Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings by msedge.exe

NTFS ADS (1 IoCs)
- File opened for modification C:\Users\Admin\Downloads\Unconfirmed 898709.crdownload:SmartScreen by msedge.exe
The .crdownload file is Edge's in-progress download and the :SmartScreen alternate data stream is the browser's own download metadata, not payload concealment.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- 2472 msedge.exe (2x)
- 4688 msedge.exe (2x)
- 4124 identity_helper.exe (2x)
- 1068 msedge.exe (2x)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
- 4688 msedge.exe (10x)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
- SeShutdownPrivilege: 2680 wmplayer.exe (2x)
- SeCreatePagefilePrivilege: 2680 wmplayer.exe (2x)
- SeShutdownPrivilege: 3048 unregmp2.exe
- SeCreatePagefilePrivilege: 3048 unregmp2.exe
- Token 33: 4816 AUDIODG.EXE
- SeIncBasePriorityPrivilege: 4816 AUDIODG.EXE
- SeDebugPrivilege: 4536 FlareExecutor.exe
- SeDebugPrivilege: 2080 FlareExecutor.exe
- SeDebugPrivilege: 3608 FlareExecutor.exe

Suspicious use of FindShellTrayWindow (36 IoCs)
- 2680 wmplayer.exe (1x)
- 4688 msedge.exe (35x)

Suspicious use of SendNotifyMessage (24 IoCs)
- 4688 msedge.exe (24x)

Suspicious use of WriteProcessMemory (64 IoCs, grouped by source and target)
- PID 2680 wmplayer.exe wrote to memory of 4464 (procid_target 85): 3x
- PID 4464 unregmp2.exe wrote to memory of 3048 (procid_target 86): 2x
- PID 4688 msedge.exe wrote to memory of 2136 (procid_target 109): 2x
- PID 4688 msedge.exe wrote to memory of 4212 (procid_target 110): 40x
- PID 4688 msedge.exe wrote to memory of 2472 (procid_target 111): 2x
- PID 4688 msedge.exe wrote to memory of 1916 (procid_target 112): 15x
Processes

Indentation shows parent/child nesting as recorded by the sandbox; the tags under each process are the signatures it triggered.

C:\Program Files (x86)\Windows Media Player\wmplayer.exe  (PID 2680)
    cmdline: "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\cm-chat-media-video-1ed1d8e4b-814a-5abe-bf48-9183d87c3fae22700.mp4"
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\unregmp2.exe  (PID 4464, child of 2680)
        cmdline: "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\unregmp2.exe  (PID 3048, child of 4464)
            cmdline: "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
            - Enumerates connected drives
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe  (PID 1620, child of 2680)
        cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2348
        - Program crash
C:\Windows\system32\svchost.exe  (PID 1016)
    cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
    - Drops file in Windows directory

C:\Windows\system32\AUDIODG.EXE  (PID 4816)
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x508 0x4d8
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe  (PID 544)
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2680 -ip 2680
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4688)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\TestNew.mhtml
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2136, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd353946f8,0x7ffd35394708,0x7ffd35394718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4212, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2472, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1916, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2992, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2392, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 3716, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4124, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2452, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5028, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4856, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3712, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5536, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5640, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5924, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6036, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3360 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6044, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3976, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6040 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1068, child of 4688)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6404 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\FlareExecutor.exe  (PID 4536, child of 4688)
        cmdline: "C:\Users\Admin\Downloads\FlareExecutor.exe"
        - Drops startup file
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4464, child of 4688; PID reused, 4464 was earlier the unregmp2.exe instance)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,7665373927953223448,1333790536696036513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3312 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe  (PID 2020)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3892)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe  (PID 5368)
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\FlareExecutor.exe  (PID 2080)
    cmdline: "C:\Users\Admin\Downloads\FlareExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\FlareExecutor.exe  (PID 3608)
    cmdline: "C:\Users\Admin\Downloads\FlareExecutor.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
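The process tree reduces to the questions an analyst asks of any sandbox run: which processes run from user-writable paths, what spawned them, and whether an image path that differs from its command line is a masquerade. Two such differences in this tree are not: unregmp2.exe launched as C:\Windows\System32\... by the 32-bit wmplayer.exe runs from C:\Windows\SysWOW64\ because of WOW64 file-system redirection, and C:\Windows\SysNative\ is the alias a 32-bit process uses to reach the real 64-bit System32. The following added example, not part of the sandbox report, rebuilds parent/child relations from a transcribed subset of the rows above (depth, image, PID, command line; the Edge helper children are omitted for brevity), folds those two aliases before comparing paths, and flags user-path executables together with their launcher. The LAUNCHERS set is an assumption about which parents make a user-path child worth attention.

```python
"""Rebuild the process tree from the report's depth-ordered rows and triage it.

Added example for this report, not sandbox output. ROWS is a transcribed
subset of the Processes section (depth, image, pid, command line); LAUNCHERS
is an assumption about which parents make a user-path child interesting.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Row = Tuple[int, str, int, str]

# Transcribed from the report. Depth 1 = top-level process in the sandbox tree.
ROWS: List[Row] = [
    (1, r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe", 2680,
     r'"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open '
     r'"C:\Users\Admin\AppData\Local\Temp\cm-chat-media-video-1ed1d8e4b-814a-5abe-bf48-9183d87c3fae22700.mp4"'),
    (2, r"C:\Windows\SysWOW64\unregmp2.exe", 4464, r'"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon'),
    (3, r"C:\Windows\system32\unregmp2.exe", 3048, r'"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT'),
    (2, r"C:\Windows\SysWOW64\WerFault.exe", 1620, r"C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2348"),
    (1, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 4688,
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\TestNew.mhtml'),
    (2, r"C:\Users\Admin\Downloads\FlareExecutor.exe", 4536, r'"C:\Users\Admin\Downloads\FlareExecutor.exe"'),
    (1, r"C:\Users\Admin\Downloads\FlareExecutor.exe", 2080, r'"C:\Users\Admin\Downloads\FlareExecutor.exe"'),
    (1, r"C:\Users\Admin\Downloads\FlareExecutor.exe", 3608, r'"C:\Users\Admin\Downloads\FlareExecutor.exe"'),
]

# Assumption: parents whose user-path children deserve a closer look.
LAUNCHERS = {"msedge.exe", "chrome.exe", "firefox.exe", "outlook.exe", "winword.exe", "excel.exe", "wmplayer.exe"}


@dataclass
class Proc:
    depth: int
    image: str
    pid: int
    cmdline: str
    parent: Optional["Proc"] = None
    children: List["Proc"] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def build_tree(rows: List[Row]) -> List[Proc]:
    """Link each row to the most recent row one level shallower; returns all procs in order."""
    procs: List[Proc] = []
    stack: List[Proc] = []  # stack[d - 1] is the current ancestor at depth d
    for depth, image, pid, cmdline in rows:
        proc = Proc(depth, image, pid, cmdline)
        del stack[depth - 1:]  # drop finished siblings and their descendants
        if stack:
            proc.parent = stack[-1]
            stack[-1].children.append(proc)
        stack.append(proc)
        procs.append(proc)
    return procs


def normalize(path: str) -> str:
    """Fold the WOW64 aliases so redirected paths compare equal to their System32 form."""
    p = path.lower()
    for alias in ("c:\\windows\\sysnative\\", "c:\\windows\\syswow64\\"):
        p = p.replace(alias, "c:\\windows\\system32\\")
    return p


def cmdline_image(cmdline: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split()[0]


def triage(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Flag path/command-line mismatches and executables running from under C:\\Users."""
    findings = []
    for p in procs:
        image = normalize(p.image)
        if normalize(cmdline_image(p.cmdline)) != image:
            findings.append((p.pid, "image path differs from command line after alias folding"))
        if "\\users\\" in image:
            parent = p.parent.name if p.parent else None
            if parent in LAUNCHERS:
                findings.append((p.pid, f"{p.name} runs from a user-writable path, spawned by {parent}"))
            else:
                findings.append((p.pid, f"{p.name} runs from a user-writable path"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(build_tree(ROWS)):
        print(pid, why)
```

On the transcribed rows the alias folding removes both WMP false positives, and the only findings are the three FlareExecutor.exe instances: PID 4536 spawned by msedge.exe, and PIDs 2080 and 3608 as top-level processes with no recorded parent.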
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Filesize: 152B
MD5: c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1: 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256: 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512: d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Filesize: 152B
MD5: e55832d7cd7e868a2c087c4c73678018
SHA1: ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256: a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512: 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 288B
MD5: 0e3b72827d030df25f7b598e7186f4a1
SHA1: 9c48905c7b5684c7c54644658468befbfb25ca89
SHA256: 19337844ce837777d1e43614f2be476d832d4686f7e1d5b9025afb59696a7669
SHA512: ea84874218d8c40a1e90629ad5c42c350eee11502e661a7fc81e8ce99b14db8fedc09848b983e19aedc04186cfcd2c6f3381b860fb776a1e7af8250d93b12526

Filesize: 461B
MD5: fd1df16e5ae974ef9e79e4e2e5205c39
SHA1: 6743d08d1c6859f735a6efb535f92e9523f2f9d1
SHA256: 2d001f514741e5d1a76faec370f330a898df2184bb72a7b92f30dea26bb88143
SHA512: 501696917016794edc9cfb5f55a0bfeccc58c1397fab7a73749c4ab66e70824bbbdd30b7d74e0a78e1eff44847a701e5e30df89a4f280989d9510a9193232a33

Filesize: 5KB
MD5: 0ad8bccf0b452c4730b910acbe83ddcc
SHA1: 5fac6081eb32f61a814f3e68774685178c641496
SHA256: 6bf0255f94706d8510c65c10ec5a44f89197d235bd54b824b7f4410c52b27f29
SHA512: 4dac354402ba986e5b67f12a41a4e380bbdc6879ee6b440447e719609a02321a80900bcf37e37ba2378c562c13479cda2287e711c6e61ae5b4a431df5ef2b1f9

Filesize: 6KB
MD5: 234591e788bee92db6ebe783b9d5230b
SHA1: c66452b448e7a6d81f4eb33cb2e3d7292dc3fbe5
SHA256: eb002df693e7b4cb5bcb33a5f76afe4fa6293106f3ddee9053d2f0bfc7666d56
SHA512: 4dfdcfc612194b3d9ef366af54ddf87fc97484fba958ab73045895c8586f14a568406a21d1430412ed46c07adaf413dbbba74b1fb9782cc12699e0776c153ba7

Filesize: 6KB
MD5: 9df608b19766b032ec818a648caa91c4
SHA1: 5eb21d42be2c137e221b3b24b20497b0b8075062
SHA256: fa57f2a2f8bfc8ed4a7a3fcece3aea614037768d6342308525bc08c3152aa72d
SHA512: e82635b596e843dd577e4468d99f9fa2e3b92e032efa48465df395a9e291b7a1b7ddfa91b8ecf940e804b9ea09107d659e2070899117b4fcac17804acaac942f

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 70a534cd43483a20c8720c703167574b
SHA1: 9927a7941ff3fb8299533e3b55cb2bbd85bc2f76
SHA256: 14dce935f29fff4bd38075ce4de432305a94e3a070d63aa34fd6cc4d94b7c718
SHA512: 3014edec0c399d6da39555fc0bc0a35600704d448fecbd40d875b470fe177d23b9318c6f9729ba0a36b41172ec46d05b44567b41b4c2dfd6376e33220848686c

Filesize: 12KB
MD5: e63d1413bd0c1c69631af4b40d3724e5
SHA1: c814cd9d7a47c5b74f0bd5bc437edc78ea3c4a2a
SHA256: fc1d81ae007fd32fb7497b04fdeb3d30dbb0dc4fe206e0b55e35a6953f735063
SHA512: 73e83e981dfe52e5174653f0546b9df5bb6c24cd30df84aa8641a7f0b40aa4c6060afa0c123a9277cd39acac3bc868fd938a3f273517f05c65077a10ba5188a6

Filesize: 256KB
MD5: 563088ad0f20fabf9dd62c6ba8ae1636
SHA1: f9cd2fd153afa1a12ff990cf27c32b8c9c44e878
SHA256: eb897bf202d32f067728f1b666eb16e9926557efa8676b72db11411013030184
SHA512: 8229dfb1d96b6a34b91b1e5c463833e7859331be880f585c48af1ba0ace0465ac755c7f22a9e6f30284266165f850e8f85af76157eea8136b2d6f79db02d3092

Filesize: 1024KB
MD5: 3c2f0ea775b46f6dc66de46c9e23bbef
SHA1: a04d65c7152cf75c8f56296795de23281deed6c9
SHA256: 524b780bd48dd7f8a760e6182839750d3ceec2d2e22c33a5f147548db5f35438
SHA512: 774ffda5c7b0762d498fac5e0fdc4e7c295584e7981047cc54565d6f0fe10932ea075db177c62d8ace89b85daa5a8fda3021a635b090e5f0e99394b36d5db609

Filesize: 498B
MD5: 90be2701c8112bebc6bd58a7de19846e
SHA1: a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256: 644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512: d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Filesize: 9KB
MD5: 7050d5ae8acfbe560fa11073fef8185d
SHA1: 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256: cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512: a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Filesize: 1KB
MD5: cb4693a4c94f233d8b59965638f509b4
SHA1: 939469cceffe56033233fb5185903c5a729bc981
SHA256: 8b515b482b2dbbf6d403c68fb625af0f9c147f9cbac438394b10e183ae2fee54
SHA512: 858274d4d7af1bfd53b8806af9e106cc5fb20165664cee9c55720901a0aca3bb538b78f49ba40d0336d218927467b1d1ed3b16acefe4792349ef6b16f217e71a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 1KB
MD5: 9b036ebb3e39d6d9f244d17825ca508a
SHA1: 6f4cd893ee51e216f24e103154648485c2ad2c78
SHA256: 8ea992a7bded828cab843cef35496d959b226e3417df5854cfa034ce035dcc61
SHA512: 0e790b116c8adad1b6b3ebffb71acea0fe402a4bb1541d39eecb6d204c61066ec6ac128a3d8feca6852a218eb5af101d5a10705c01b07e0646f119a95ec3769d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize: 3KB
MD5: f98b268916f2fb66a0edd709eb0da3f9
SHA1: c8958ce81a0e4c70f697c54e53b711245f500832
SHA256: ec287fbc1ccd7676c24dc38a0cc3d789644cdd297a54a06a407107e6cb56b473
SHA512: 74386acf3445eacab260e29cbbffbf20e229d968ad62921177af13466c913457d67994066f76a9cbedb62066b625ade39c285004d10456708ab3080af103e7e6

Filesize: 57KB
MD5: b0484e39d03d0e736b9b9a841d8ecc3d
SHA1: d0d1ae9e0bc802bb0a9f29c59e952e70a8b180b1
SHA256: b7339aab9ce037f4fabdb866b76583530005c6bf752f46f97e57caebc6b0688a
SHA512: 0f12ab18cbf944b838d62ea40f5fd3b17f1d4fe18338aac8c98108fa05a61be956f27a709dafac56c5467186bf42a133e0f7c4045b674fe3991831eec659f27f