Resubmissions
- 10/12/2024, 13:48  241210-q4kacaxjas  score 8
- 10/12/2024, 13:46  241210-q3gstswrgt  score 10
- 10/12/2024, 13:44  241210-q1vxnssjgm  score 8
- 10/12/2024, 13:42  241210-qzx1mssjfj  score 8

Analysis
- max time kernel: 65s
- max time network: 65s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/12/2024, 13:48
Static task
- static1

Behavioral tasks
- behavioral1: sample a.html, resource win7-20240729-en
- behavioral2: sample a.html, resource win10v2004-20241007-en (the run rendered on this page)
General
- Target: a.html
- Size: 1KB
- MD5: d5fb513907e0bf30fd3a61a2ecd4dd51
- SHA1: edb774f15d961ada35f581d84d8faa5a47422850
- SHA256: 6764182453f39a713e142b15b917a28f06bdf57cbf75f537a38dc4213555598b
- SHA512: c7f8e36e09fbf4d7b47c764090e368d9fd0eda8b30f60ea67c06b92c3af01b7749285f3ddafa109c08dbd14b0a78f1f82cfa4f18721ec66eb551c90567b60755
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoC): pid 2548 xpaj.exe
- Loads dropped DLL (1 IoC): pid 4080 msedge.exe
- Checks installed software on the system (1 TTP): looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs): flows 66 and 67 to raw.githubusercontent.com. The domain serves content for every public GitHub repository, so the hostname alone is not a usable block indicator; the flow IDs are the pivot into the Network tab for the exact URL path that was fetched.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC): bootkits write to the MBR to gain persistence at a level below the operating system. IoC: xpaj.exe opened \??\PHYSICALDRIVE0 for modification. This is the decisive finding of the report: nothing else in this process tree (a browser and its helpers) has any reason to open the raw disk for write, and a modified sector 0 is not undone by cleaning the files listed below, so the first sector of the disk should be compared against a known-good copy before the host is trusted again.
- Drops file in Program Files directory (64 IoCs). Note that every entry is an existing DLL or EXE that xpaj.exe opened for modification, not a newly created file, so read this as in-place tampering with installed binaries (Google and Edge updaters, Acrobat Reader, Edge itself, PowerShell modules, .NET reference assemblies); each path should be verified against a known-good hash or reinstalled rather than simply deleted. Files opened for modification by xpaj.exe:
  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\CoolType.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_mt.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_lt.dll
  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\Microsoft.PackageManagement.MetaProvider.PowerShell.resources.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll
  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.MsiProvider.dll
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\libsmartscreen.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationClient.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationClientsideProviders.resources.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_kn.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\psmachine_64.dll
  C:\Program Files (x86)\Windows Media Player\WMPNSSUI.dll
  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\pencht.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ms.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll
  C:\Program Files (x86)\Common Files\System\msadc\msadds.dll
  C:\Program Files (x86)\Common Files\System\msadc\msadcer.dll
  C:\Program Files (x86)\Common Files\Microsoft Shared\ink\tiptsf.dll
  C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Conversion.v3.5.resources.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\d3dcompiler_47.dll
  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll
  C:\Program Files (x86)\Common Files\System\ado\msader15.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\UIAutomationTypes.resources.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_et.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.IO.Log.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Extensions.Design.dll
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_bho_64.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_nb.dll
  C:\Program Files (x86)\Common Files\System\Ole DB\msdasqlr.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_bn.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\PresentationFramework.resources.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\goopdate.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_ru.dll
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\mojo_core.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sl.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_sq.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll
  C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_or.dll
  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll
  C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\extensibility.dll
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll
  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.CoreProviders.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll
  C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll
  C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\mip_core.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Services.Design.resources.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.DataSetExtensions.Resources.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Entity.Resources.dll
  C:\Program Files (x86)\Common Files\System\ado\msadrh15.dll
  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Windows.Presentation.resources.dll
  C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\WindowsFormsIntegration.resources.dll
  C:\Program Files (x86)\Google\Update\1.3.36.371\psmachine.dll
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC): attempts to gather information about the system language of a victim in order to infer the geographical location of that host. IoC: xpaj.exe opened key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Enumerates system info in registry (2 TTPs, 3 IoCs): msedge.exe opened key \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS and queried the values SystemManufacturer and SystemProductName. This one is attributed to the browser process, not to xpaj.exe.
- NTFS ADS (1 IoC): msedge.exe opened C:\Users\Admin\Downloads\Unconfirmed 252158.crdownload:SmartScreen for modification. That stream is the browser's own marker on an in-progress download, so it records the payload being downloaded rather than any behaviour of the payload itself.
- Suspicious behavior: EnumeratesProcesses (8 IoCs): pids 4228 msedge.exe, 4080 msedge.exe, 3420 identity_helper.exe, 4284 msedge.exe (each listed twice)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs): pid 4080 msedge.exe (all 8 entries)
- Suspicious use of FindShellTrayWindow (35 IoCs): pid 4080 msedge.exe (all 35 entries)
- Suspicious use of SendNotifyMessage (24 IoCs): pid 4080 msedge.exe (all 24 entries)
- Suspicious use of SetWindowsHookEx (1 IoC): pid 2548 xpaj.exe
- Suspicious use of WriteProcessMemory (64 IoCs): pid 4080 msedge.exe wrote to the memory of its child processes 696 (procid_target 83), 4848 (procid_target 84), 4228 (procid_target 85) and 4364 (procid_target 86); repeated entries collapsed.
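The MBR write above is the finding that decides the triage of this sample, and the practical follow-up is to compare the disk's first sector against a known-good copy. The following is an added example in Python, not part of the tria.ge report and not code from the sample: it parses a 512-byte MBR (boot code, NT disk signature, the four partition entries and the 0x55AA signature), hashes the boot-code region and reports how a sector deviates from a baseline. The two sectors it works on are constructed for the example; read_physical_drive0 shows where a real sector would come from (Windows, administrator rights required) and is never called at import time.

```python
"""Parse a 512-byte MBR and diff it against a known-good baseline.
Added example, not part of the tria.ge report. The sectors below are
constructed; read_physical_drive0 is where a real sector would come from."""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # bytes 0x000-0x1B7 hold the boot code
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
PART_FMT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> Dict:
    """Split an MBR into boot-code hash, disk signature, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions: List[Dict] = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                           # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def compare_mbr(current: bytes, baseline: bytes) -> List[str]:
    """Findings where `current` deviates from `baseline`; an empty list means no change."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings: List[str] = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code (first 440 bytes) differs from baseline")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("NT disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def read_physical_drive0() -> bytes:
    """Sector 0 of the first disk. Windows only; needs administrator rights. Not called at import."""
    with open(r"\\.\PhysicalDrive0", "rb", buffering=0) as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: the given boot code plus one active NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0x1234ABCD)
    struct.pack_into(PART_FMT, sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sector)


# A baseline sector and one whose boot code was overwritten, the kind of change an
# "opened for modification" on \??\PHYSICALDRIVE0 produces. Both are constructed.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20)
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\x00" * 25)

if __name__ == "__main__":
    for finding in compare_mbr(TAMPERED_MBR, CLEAN_MBR):
        print("FINDING:", finding)
```

Take the baseline from a golden image or from the same host before exposure, and key the alert on the boot-code hash rather than on the whole sector: the partition table and disk signature are legitimately rewritten by setup and disk tooling, while the first 440 bytes only change when something writes boot code.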
Processes

The chain on this page is: a.html opened in Edge (PID 4080) → payload downloaded to C:\Users\Admin\Downloads → xpaj.exe (PID 2548) started as a direct child of that browser process. Everything else under PID 4080 is Edge's own helper processes.

- PID 4080  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\a.html
  Signatures: Loads dropped DLL; Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 696  msedge.exe (crashpad handler)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd71646f8,0x7ffcd7164708,0x7ffcd7164718
  - PID 4848  msedge.exe (gpu-process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  - PID 4228  msedge.exe (utility: network.mojom.NetworkService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 4364  msedge.exe (utility: storage.mojom.StorageService)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  - PID 4264  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  - PID 1628  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  - PID 908  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  - PID 1584  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  - PID 3420  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 3368  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  - PID 3256  msedge.exe (renderer, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  - PID 648  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
  - PID 4348  msedge.exe (renderer, instant process)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  - PID 2400  msedge.exe (utility: edge_collections.mojom.CollectionsDataManager)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5668 /prefetch:8
  - PID 2096  msedge.exe (renderer)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  - PID 4352  msedge.exe (utility: chrome.mojom.UtilReadIcon)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  - PID 4284  msedge.exe (utility: quarantine.mojom.Quarantine)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,7366194825042682248,1671044822388203788,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2548  C:\Users\Admin\Downloads\xpaj.exe
    "C:\Users\Admin\Downloads\xpaj.exe"
    Signatures: Executes dropped EXE; Writes to the Master Boot Record (MBR); Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
- PID 4356  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4200  C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
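To show how the signatures above and the process tree combine into a verdict, here is an added example in Python. It is not tria.ge's signature engine (whose rules are not on this page) and not code from the sample. It replays constructed events modelled on the IoCs shown here: the raw \??\PHYSICALDRIVE0 write, a shortened sample of the Program Files executables opened for modification, the NLS\Language key, the SmartScreen stream on the .crdownload, and xpaj.exe being spawned from Downloads by msedge.exe. The event field names, the browser list and the threshold of ten modified executables are this example's own assumptions.

```python
"""Re-derive this report's verdict from sandbox-style events.
Added example, not tria.ge's signature engine. Events are constructed to mirror
the IoCs on this page (file list shortened); field names, BROWSERS and
BULK_MODIFY_THRESHOLD are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    kind: str              # "process", "file_write", "reg_open" or "ads_write"
    pid: int
    image: str             # full path of the acting process
    target: str = ""       # file, device, registry key or stream touched
    parent_pid: int = 0    # only meaningful for kind == "process"


PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
EXEC_SUFFIXES = (".dll", ".exe", ".sys")
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}   # assumption
BULK_MODIFY_THRESHOLD = 10                               # assumption: tune per baseline


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased; independent of the host OS."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_raw_disk(target: str) -> bool:
    """Matches \\??\\PHYSICALDRIVEn and \\Device\\HarddiskN style targets."""
    t = target.lower()
    return "physicaldrive" in t or t.startswith("\\device\\harddisk")


def triage(events: List[Event]) -> Dict[int, List[str]]:
    """Map pid -> names of the signatures that fired for that process."""
    hits: Dict[int, List[str]] = defaultdict(list)
    exe_writes: Dict[int, int] = defaultdict(int)
    images = {e.pid: e.image for e in events if e.kind == "process"}
    for e in events:
        t = e.target.lower()
        if e.kind == "file_write" and is_raw_disk(t):
            hits[e.pid].append("Writes to the Master Boot Record (MBR)")
        elif e.kind == "file_write" and t.startswith(PROGRAM_FILES) and t.endswith(EXEC_SUFFIXES):
            exe_writes[e.pid] += 1            # existing binaries opened for write
        elif e.kind == "reg_open" and t.endswith("\\control\\nls\\language"):
            hits[e.pid].append("System Language Discovery")
        elif e.kind == "ads_write" and t.endswith(".crdownload:smartscreen"):
            # the browser's own download marker: record it, but not malicious by itself
            hits[e.pid].append("NTFS ADS (browser download marker)")
        elif e.kind == "process":
            parent = basename(images.get(e.parent_pid, ""))
            if parent in BROWSERS and "\\downloads\\" in e.image.lower():
                hits[e.pid].append("Executes dropped EXE (spawned by browser from Downloads)")
    for pid, n in exe_writes.items():
        if n >= BULK_MODIFY_THRESHOLD:
            hits[pid].append(f"Modifies {n} executables under Program Files")
    return dict(hits)


def verdict(hits: Dict[int, List[str]]) -> str:
    """One process that both writes the MBR and tampers with installed binaries is critical."""
    for sigs in hits.values():
        mbr = any(s.startswith("Writes to the Master Boot Record") for s in sigs)
        bulk = any(s.startswith("Modifies ") for s in sigs)
        if mbr and bulk:
            return "critical: bootkit-style persistence plus tampering with installed binaries"
    return "suspicious" if hits else "clean"


# Constructed events modelled on this report (ten of the 64 listed paths).
EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
XPAJ = "C:\\Users\\Admin\\Downloads\\xpaj.exe"
PF = "C:\\Program Files (x86)\\"
SAMPLE_EVENTS = [
    Event("process", 4080, EDGE, parent_pid=1),
    Event("ads_write", 4080, EDGE, "C:\\Users\\Admin\\Downloads\\Unconfirmed 252158.crdownload:SmartScreen"),
    Event("process", 2548, XPAJ, parent_pid=4080),
    Event("reg_open", 2548, XPAJ, "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    Event("file_write", 2548, XPAJ, "\\??\\PHYSICALDRIVE0"),
    Event("file_write", 2548, XPAJ, PF + "Some App\\readme.txt"),   # not an executable: ignored
] + [Event("file_write", 2548, XPAJ, PF + p) for p in (
    "Adobe\\Acrobat Reader DC\\Reader\\CoolType.dll",
    "Google\\Update\\1.3.36.371\\goopdate.dll",
    "Google\\Update\\1.3.36.371\\GoogleUpdateOnDemand.exe",
    "Microsoft\\Edge\\Application\\92.0.902.67\\libsmartscreen.dll",
    "Mozilla Maintenance Service\\maintenanceservice.exe",
    "Common Files\\System\\ado\\msader15.dll",
    "Common Files\\Microsoft Shared\\ink\\pencht.dll",
    "Windows Media Player\\WMPNSSUI.dll",
    "Adobe\\Acrobat Reader DC\\Reader\\sqlite.dll",
    "Reference Assemblies\\Microsoft\\Framework\\v3.0\\UIAutomationClient.dll",
)]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for pid, sigs in result.items():
        print(pid, sigs)
    print(verdict(result))
```

The point of separating triage from verdict is the one this report makes: most of the signatures on the page fire on the browser (FindShellTrayWindow, WriteProcessMemory, the SmartScreen stream) and would be noise on their own, while the combination of a raw disk write and bulk modification of installed executables in one process is what justifies the score.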
Network
MITRE ATT&CK Enterprise v15
Downloads

Only one entry carries a path on the page; the others are listed by size and hashes alone.

- 3.1MB
  MD5 e0a6c1645974ac0209c4bf3284c196c2
  SHA1 682587bbd57c14afe7a6c5deee9780b510b238a4
  SHA256 e5b90f44020dbae3ead162f3ff5b57ec4ba36fd2f773405af803b5d4778b3a0a
  SHA512 292b3283f60b618f12483d2d63c0155ed75d00402a03ed02117c63666e9fd79bf7c2334eb5989f1ad6d4331d811b96cc43042ea3af93dad6221459a985e42fed
- 152B
  MD5 85ba073d7015b6ce7da19235a275f6da
  SHA1 a23c8c2125e45a0788bac14423ae1f3eab92cf00
  SHA256 5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
  SHA512 eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
- 152B
  MD5 7de1bbdc1f9cf1a58ae1de4951ce8cb9
  SHA1 010da169e15457c25bd80ef02d76a940c1210301
  SHA256 6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
  SHA512 e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (1KB)
  MD5 8ee5fc4eb6a44bafa1847c22348b3f10
  SHA1 cf6d852e57dad96b73b56195cc120169e2e876bc
  SHA256 9a7c39336c6a745bf848f3e3289fb50543cc8d1ca85e8e51cf1a5cde21798ce3
  SHA512 cd739b23576f604f5cb4eee5706658b5ef0cd853bf6e5dfcaba527c25dbe5a204e314615c8e07f166ec63c61e83f3f9a6405bdc11d62370f0f5a7f8511f962c3
- 6KB
  MD5 b85c685600c7ce959a34ec904d46388e
  SHA1 dcdd0bd5eea5a6e24bf7834368b8ad083d5919d1
  SHA256 9f716ec0ceefd1e4130c863bcdcd2a55f4658948537dafd929ecf0f5fc8bbeea
  SHA512 561c9538babb6c5e144836ff2813c66304d5e69fe2edb95db9857c6f437bca1e32cc531f7b9fc7761334472e978e6d9c142eed61caefb593bbc8bf424bfe678a
- 6KB
  MD5 d2255d631f679b0b0031267e188deea2
  SHA1 1f4c3eb7f0ccb3d114eea04e5ed295074bbe7f0b
  SHA256 77508834224a9ae2249f35e8963602a3c8c92029ed57a782874d501042a02f16
  SHA512 17a97efa56d54484170cf6639bb374baefc7aae1bbe128d915d7ca61bf99ac31b962ae11fbe68e52b0127d525fd80b6228e479c7f7c9c8385a849dc78a026a44
- 5KB
  MD5 bff2844c0c2ecea5d4bbcdf8960c1363
  SHA1 8a3aeda5ccc65f75424119087bc44ff481763357
  SHA256 0d5f6257f98391ad251285cbd8ac9d2cde0c4f9fd9aa9092eba8bb0b43cb59c3
  SHA512 d54c3c508bf935408799d83d9c8d655a845a0e4d5c07ca774f727d52446a0af3972e56891a111ea251d8d9c0449fb36bac0efa3c7790c79f4862f4f8d49c03a3
- 6KB
  MD5 29a5c680d78f9b75d82f69a57bdaa125
  SHA1 e4e6c36da322ded1b77a2bfc478f8135069ae51e
  SHA256 1473645db367ea0d07edc98459278e9c4ce2e42f3c5d6a3164e9626b24a49e97
  SHA512 9855361ee6a75e488044dd7c74afa6fe52a8087d0d1f83101e494136fc90b5c6bd1de635782186423697bb1cef54e036f7f2fb0587347612dd22bef01fe49bd0
- 1KB
  MD5 adc8cfed889e6c10d7c776382de2727f
  SHA1 8e2178c4dd0f76ee0bd70141be13cb36655baa43
  SHA256 b50cc0424514987ee4189150103b62e1446a98dca15f75ef94019c8b2a8f55f6
  SHA512 e3bcee3e80c82a89f5563a29c73af8448475b004470059bb03e3705ab866961212212d05a83a3b416c14c9ef3530274f07be64e0dca1fae3aee95f9f85851edb
- 874B
  MD5 25db5cabdc107eeba43d91f6e4e552c1
  SHA1 5a7c5f28d3157c025c6d014acea7029e670765ac
  SHA256 1641e8739d9997eb453a23e7c18650677264ed2e2b3b576ffcfe3516cbe8386b
  SHA512 0d39260512249981527bdc0ecbbb69a0c48a9b8ba5819167f7c2247f53b7d19deb6a3a19654733d0b16de6342d27fc9672ccc95eaab9abfc0a3d07143542dbe6
- 874B
  MD5 f75e0dfa12ba99a6f55d471685d47283
  SHA1 3dfe4a23c8fd1fc5b84dd1dd617228685d9d7d31
  SHA256 dcd356f5b3c783901fd55fcf7ebd7262f5a24e860857c59d5853f0e657cf866f
  SHA512 ea5ec425416ef97272aee6e62f06442bd0afe31a03c013a8c4c0e6103754ebe2545ecb809b3c7ab77b930f1547b8f6d5bd448fa42d866e4b8c59b54b58bf3015
- 16B
  MD5 6752a1d65b201c13b62ea44016eb221f
  SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- 10KB
  MD5 f940ae6c94b65c8703108122ae7f56bb
  SHA1 7561667c97facb44060f12798eba62132eb60b0d
  SHA256 9f0e49b751f9e59c31cc0bbb28a1d5b43eb7f7cfb84ba3afec6ab0e78c3a4f79
  SHA512 5aaa1344d9edd2de53ba9c15befcd0f670b6b08d6a6a2a7cb9c696c0a2e58ab7dff8f1de2d8bccadc54a676ca6e9c0e6f9c805f2609ba421234aa2131a4bf017
- 10KB
  MD5 1a565263b331011163cad230e723ea8a
  SHA1 2452ef873789ec31a12f39883545243d6614bdad
  SHA256 92cb2060621ef4e7ff65d2c7ad4658095f3afe1853e86b0f266c80ff85234d46
  SHA512 603df921f0fef8675841b6d572910a4d04cf9b426e090fcba76620a1f058d662f903093e87c730e1ba9380ab6e7cfc4d9acc3da4feea52c76bf0815b1685c482
- 219KB
  MD5 d5c12fcfeebbe63f74026601cd7f39b2
  SHA1 50281de9abb1bec1b6a1f13ccd3ce3493dee8850
  SHA256 9db7ef2d1495dba921f3084b05d95e418a16f4c5e8de93738abef2479ad5b0da
  SHA512 132d8c08f40a578c1dc6ac029bf2a61535087ce949ff84dbec8577505c4462358a1d9ef6cd3f58078fdcae5261d7a87348a701c28ce2357f17ecc2bc9da15b4e