Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-01-2025 23:28
General
-
Target
https://mega.nz/file/JVE1yLoA#GzhdqwICQXOwoJNfOEWelduHIsQMPJAayGLXJLlKrLw
Malware Config
Signatures
-
Detect Xworm Payload 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Downloads MZ/PE file
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/JVE1yLoA#GzhdqwICQXOwoJNfOEWelduHIsQMPJAayGLXJLlKrLw1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbcc2046f8,0x7ffbcc204708,0x7ffbcc2047182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4800 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6892 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14527365361806860755,1824063214234942221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x2ec 0x2f41⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NitroGen\" -spe -an -ai#7zMap30513:78:7zEvent55501⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\installer.bat1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD599afa4934d1e3c56bbce114b356e8a99
SHA13f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA25608e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA51276686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da
-
Filesize
152B
MD5443a627d539ca4eab732bad0cbe7332b
SHA186b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA2561e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d
-
Filesize
600B
MD5f03d6557e651fd24a9f562e5dbd4e6e9
SHA1229f7ee90c04bae023207c2de1b140141f351330
SHA2565226a4b82c29507534059ab0c8da62101633656bb5f655c5f91fa9cf163a8ff8
SHA5121527ebb92cc5b7f6fd031b6c9205e996692d4497d2e861f775d2687dc2eb22ad0f1f6cd6c984b87fa03d63982d89e4208811a0633cba24420363f8cae021e84c
-
Filesize
72B
MD5e4c502edd50d60d554bde19418b7fce6
SHA1f87bc7e5ee03808584aaed0fb675f127a2b4f2bb
SHA2565b80473016fc0fd5e70a965443ade18d6afa1e4aa26e0bda128c11694d468dfa
SHA512ac34bf6d312b1d7cdfd0b01247136611d5a3e048dd8cdf4aea13e2048d61ff0ccf1baeebe49f92dc775472b66929a79073c9de86e21e9b457487f5513f1c7970
-
Filesize
552B
MD53c87566e208b33c5c8eeec1c4aa86974
SHA1c1799287a8c52e8bbb29194338613f4a71c2830b
SHA256f67a5bb417ee0e5668b864b9b7587364bc6e43cd962d49725474bcb5cc90b04a
SHA512449df6d1b3714370c559e75237b71d4b1a8d1616989e6d181d043f4d9d9ec2c2f3e2a02e602ffe35ab29c020fcd5dc0cfe4f988d89a62ea0060ac4d3c8ef51df
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
2KB
MD5fefdb0b7169157a7decfaebcfa6a3f40
SHA13cb9c675f9d5d859ca40da2c1aadb4dce23ad9c4
SHA25611e4e9ad8a567f2bb8503842fa80ca61c2f33cca3699815f82e9a04a9b2418d3
SHA51281d5b1cd4fdae852c8a0f32e8db246938e22df2e57167096f894b61330dbfb8b20320cfed4bfa804204fe4f8201a342ce8dcf37f33fe74eefa2137a3075cb40e
-
Filesize
2KB
MD5462dd2f78eba17ea538d2b9a4cbd748a
SHA17705dfcee170c2b0c41ba71b7d85e1a4ee614828
SHA2568a252fc6646ff66fbe64169656f7f667d31e49b380ca8e64e421e2a7918eac9e
SHA51254e54a4d602e4c152edd2729bb528fc718fda04ba7da4baa8dab47bdfec2f784414237a36f9ded9da70623210a2ac86c2f02084c4e327e35aaa0698d00bff8e2
-
Filesize
7KB
MD56fb1fe9de29d86522a5be29126fa2494
SHA1d102390b5e9b0462417099c88610ebc6ec7c02d2
SHA2562a63be85ed535eb12e1a7a5e6d5271e8a6439912e5ed988e64430fdbc540ae5c
SHA512747c7952e433b12c11e517079df2393a94e8fe5a7a77044b74c97f5e4cc7e14cea4e1b6d394297ec2de05427b5b018b4fdfddf57f751854fff9f8ba641a45c24
-
Filesize
7KB
MD5b7b21047ee30e3c1ce17fb033301e245
SHA1d6a6e6a08820b9e6c6cde8cfa3894ee64c14e158
SHA256eff39bf67030f88e8598f587e91763ad7266be2a5bdbbfe10880df9ed84eec09
SHA512c444897c70891d6e104d009d5b6df933d0760b059efea8c32695602c9409889ce68f2d5dc9c69748f40a54fc9cf689ee6962d75f39d0399daa8d05e280698905
-
Filesize
5KB
MD58600c0c252790ef57c4924cd24d83a41
SHA1441130897fee2391cad263cb8375eb2aa8200e1b
SHA256857ab0ce41bb311d486e17f9dbae133b4b3cb39d60e16af8261d783a6964d7f7
SHA512f7f7c4b0b196e461ba2f7b6272514cac09f42b91f7cbd0ef48f5245e6fac1e32597dfd2a77f34af0d23c31282ab271b24dc7561da243fc87491011f1acec00e6
-
Filesize
6KB
MD50830212a9c369b197cfbf31d587718dd
SHA102d33d69dc2fa9522428b8b35dbbee2366fe152e
SHA2565fee4d32a85e876b9698f728e497fc8c53bae43391a226a65bdbf06a84c0cd97
SHA512f980e1983a8317cc05d27a78c1ec366ea66a17f98a525e9fe86adc76e847c73afbba764f104bdc0b7e75a3bccc15ac62a3e06be0ccb515c1428f189b82ee68a3
-
Filesize
7KB
MD537149286ebd7bed711dd9ffa9b8d54ae
SHA190b2b99cd5f159388ececfbf88026bae9a578a97
SHA25699ce0db6336033226a4404dc107cdc2e0fac2695bc5cb3821b23c66e39045e2f
SHA5120146bb8a18a308bb67b52e2460a9f9fda71a03890cc7c0934c6bc87531b8b26a89fdf9c17b1481106190f4c4b4beba2e9c05c2f68a41f2175d55d79b2827a9dd
-
Filesize
7KB
MD5020f929774dbf4cf36737f8baf0e57ce
SHA19f6453d954d62dd232746db3d65dd11aef2f30d2
SHA25649f9cbe53b71c491f8a9dc5066e6e54a7ccc9ef3adab1408358038ddcf557913
SHA512f5dd842073a6185421b786eed62082e4d0ca42e8e1c38bd4c1653dd3ca5293bcabd02ebfc745172de2d01286e7fb2966b39de33e06f4b2f790cc851af49ffef7
-
Filesize
6KB
MD52943207d02bf2209c9e34ca61fa7c131
SHA121da40ca20c95bd6471651209628ab9ef69787ac
SHA2568ec4afdaef5495ad762562b20be8b378f049142e1882f7cf75f31c9412361222
SHA51253589fe11453ab269b3985fc4e01931517fd9895359b22416f2fcd9fd5bb7b03b682a065dace68f5fb0e1e3198a07dfe6d1d7d0b067e45d9594e0fc05e707c20
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
72B
MD560ab64a912fe84a8fe2b6f60c4b5fe73
SHA1630372e4da3249cdfa6b242b7bb6f047cf4019c8
SHA256409b64a5820f39b9bef036cc458099308d0d211ff25e1bd4bdba69159bc705fb
SHA512dae941b58a0fc55df6d92b8a7c0fac15e7d45b2bf0f35a4696dd7b2a1ef006c6aafb3bb59069dfe357c009044e8267fc28acfceab09856ee72cc6dc078be68c2
-
Filesize
48B
MD54a9f664656bd62d3ffc4083b4a62bf73
SHA18ac24f6b837c980984c4d4dd7cbf6e54eb4852a6
SHA2569d6388ba44e818836e8e0ba636515e31e70c5123cabfa6e840c654bfa3c86e64
SHA51250e539d83bba7e3f5c13ed13cfdca6f168a91603d675d36e7e0a3b35dd546205dc8b66366c5fc3e5e2b9f67891e9f5a6921d3c1e78ca831e37bebde5a7c54bc7
-
Filesize
370B
MD5dcffdd58b24f9dd24adc157c3cba7663
SHA193f31b499c4d2d621283cba8886caecf14f65157
SHA256d1616ac5ffacfa3f265bdb0021f29fc74dc3422ee32bcf64433da6077b07d44e
SHA512b35692c363d4850803d8d2f0d15574066d8bd4dd2dab92abeb886ac5cb293deb51f5d3bb93c7daf639495decadd2fd82c87d61baf01345335cfeaa06a0a56897
-
Filesize
203B
MD518ea143744206580bc58ee234b5f88c2
SHA12c3358f2948644ccefbfc3a7eeba710d11e5a238
SHA2564316be50b64b1bc901d1ce7dd007ab6ce3144f13dcbf214c67015d4d4a14a308
SHA512dc297faeef2f07bb8e975aed8a7da37ebde40fa50a4337bf37f0ee4f570aa6d56afe765b92a80c1dc82fe2be5a3fe370a1ae963b0507b7de6c66b7f355c6be1e
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5c137f5f4b10a67c49e8bd55d7a4f91cb
SHA18fa662b8885dab81663a4cfe6b88b3ebe43bf573
SHA256d28c6a1313a510dafc1d30b6a3b06717577657d8963140b6f67bb722db684842
SHA512d9934f17b3cafd069e1ac278cb420c02d96b6577124ce2e5a08e7866e145b6a2b7452538a63d5e19bd3cfd858c58ad34a1fb450950f38019ede46fa8e158c414
-
Filesize
10KB
MD56da90929a979f6bd8583b67281640c6a
SHA162676933ecd182fff6185140e25aaae85c249fe6
SHA256a9f02810cdd9f25abbcf4a31cfc8c4647a2587b1d04d3824ffe19c6c7606c019
SHA512dacc0185753fdc00523c3a198844993093e127a9b0e65f4e377e183d5b7342356b269deefaaa671a3f4653bdbaa2cc15d09e283e03dc822f77beb09efc0094c8
-
Filesize
10KB
MD5634e45c2c9aed831f00a883a5ca12878
SHA1fb417cae7aa77c2a8ad89ea425548f1006f27c11
SHA25648d4e4427c88260f8a2622e1571147a64fc64e7e44fb19b35d3bbfc76eb4eece
SHA512600469e701036de73b1f0164037f3daf2a9db3dde0aec70e70e8009343695b6f08f927004c71930b184adf83ffc77a118a6366d8ac66c665e6006b21dc740c96
-
Filesize
50KB
MD57423221a2acbf08a3d7db972291de395
SHA167290519bbf80bc822a0c85c8a503cbdaa0922f1
SHA256afccdbb4d2be91d5b8de74fb8a0b4cb8b6f217808fcf6e1c8722fd2c8e01446c
SHA51217bc1894f504082f4d724fdb65de5157a104533f242ee3d383bddde3947b871997267f18616008f7c8414e4ce94a3d0c7db5af88273c98001a38e2944496648c
-
Filesize
244KB
MD5ba199a53400605e0dddec76f0bbb5d4f
SHA181182bc28677dd07a8731d196244fb9643bde827
SHA256f273e967b289bf3c275aae486b8a49918a136c332fce84986417aac2f65d3a6a
SHA512578b6ac9bad24da3811239c8346e7d8fd33e2e3b1a322dddb829ce6336b5683421913f4dc8a12190d404ac8aa86129458b6ff3c24911a54986a485a61da815eb
-
Filesize
276B
MD5bc249488fab9079781ca9b449099e94d
SHA13dcf256d4f741789e301219e8892e1eda18371ea
SHA256751367b4ad3954eaa4066f296968fe16831f51cf54bb7c84c616726696acae78
SHA512570dca797b71b83551f1467c492178e6e994df0d0e42400605075e8bac85491fe1fdcf3e307e9f4f65d1d22426abe3d20a96c110f9cea0b451d993615e64c20f
-
Filesize
84KB
MD5b1bae7168c48fe861841581037f1f458
SHA10f997e96af7bb5ef166e218d719cc18d0294d9b6
SHA256ddf84c03c1ad102b4e6cec8208857202135e3f2e9ca6e6bbee1fa5bf184bdb76
SHA5124924fea79cbc262aaa908a67dec3e68c4a93d5ec1cfd5a039dfe93480614e8c1c70e75d76621dac1574be80b972c3e933f160b2ae9ce6d80bbe4b853f344505f