Analysis
- max time kernel: 149s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/11/2024, 19:46
- Static task: static1
- URLScan task: urlscan1
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2952  XWormLoader 5.2 x32.exe

Loads dropped DLL (17 IoCs)
  pid   Process
  2952  XWormLoader 5.2 x32.exe (all 17 hits)

Obfuscated with Agile.Net obfuscator (2 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral1/files/0x0007000000023d61-622.dat                                  agile_net
  behavioral1/memory/2952-624-0x0000000006B90000-0x00000000077C8000-memory.dmp  agile_net

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  XWormLoader 5.2 x32.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                   Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0       XWormLoader 5.2 x32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  XWormLoader 5.2 x32.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                 Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     XWormLoader 5.2 x32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  XWormLoader 5.2 x32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       XWormLoader 5.2 x32.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                  Process
  Key created  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (32 IoCs; duplicate rows collapsed)
  pid   Process
  4356  msedge.exe
  5100  msedge.exe
  1612  identity_helper.exe
  2764  msedge.exe
  2952  XWormLoader 5.2 x32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs; duplicate rows collapsed)
  pid   Process
  5100  msedge.exe

Suspicious use of AdjustPrivilegeToken (7 IoCs)
  description                        pid   Process
  Token: SeRestorePrivilege          2564  7zG.exe
  Token: 35                          2564  7zG.exe
  Token: SeSecurityPrivilege         2564  7zG.exe
  Token: SeSecurityPrivilege         2564  7zG.exe
  Token: SeDebugPrivilege            2952  XWormLoader 5.2 x32.exe
  Token: 33                          4600  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  4600  AUDIODG.EXE

Suspicious use of FindShellTrayWindow (59 IoCs; duplicate rows collapsed)
  pid   Process
  5100  msedge.exe
  2564  7zG.exe
  2952  XWormLoader 5.2 x32.exe

Suspicious use of SendNotifyMessage (25 IoCs; duplicate rows collapsed)
  pid   Process
  5100  msedge.exe
  2952  XWormLoader 5.2 x32.exe

Suspicious use of WriteProcessMemory (64 IoCs; duplicate rows collapsed)
  description                       pid   Process     procid_target
  PID 5100 wrote to memory of 4592  5100  msedge.exe  83
  PID 5100 wrote to memory of 1116  5100  msedge.exe  84
  PID 5100 wrote to memory of 4356  5100  msedge.exe  85
  PID 5100 wrote to memory of 1120  5100  msedge.exe  86
Processes
(Indented entries are child processes of the entry above them; the signatures each process triggered are listed beneath its command line.)

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/zLixM6
  PID: 5100
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdf10046f8,0x7ffdf1004708,0x7ffdf1004718
      PID: 4592

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      PID: 1116

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      PID: 4356
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      PID: 1120

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      PID: 3060

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      PID: 5096

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
      PID: 2660

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
      PID: 1064

    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
      PID: 1612
      - Suspicious behavior: EnumeratesProcesses

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
      PID: 4340

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
      PID: 3564

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
      PID: 2744

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
      PID: 5068

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1216 /prefetch:1
      PID: 1908

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      PID: 4468

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5548 /prefetch:8
      PID: 4136

    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7416786363057772590,15809312320024778870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
      PID: 2764
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2356

C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4404

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1136

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\XWorm v5.1-5.2\" -spe -an -ai#7zMap20766:88:7zEvent7498
  PID: 2564
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

"C:\Users\Admin\Downloads\XWorm v5.1-5.2\XWorm\XWorm V5.2\XWormLoader 5.2 x32.exe"
  PID: 2952
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 2560

C:\Windows\system32\AUDIODG.EXE 0x150 0x2c8
  PID: 4600
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads