Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
21-01-2025 03:08
General
-
Target
0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe
-
Size
2.0MB
-
MD5
a163c7bc85bb9c2a1e55cf1bdbc6a334
-
SHA1
871c64f2c6297038ebbac6616bc535d09db38673
-
SHA256
0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590
-
SHA512
dec52080226cf1f16107750b5cccc500033ecd050d5ae022f640761d3f5f29cb6ba1c86d845c04ed4321319572a8924a9d72ce2c6bf7897c71744c99f9f55d23
-
SSDEEP
49152:qnsHyjtk2MYC5GDczMmPITYbNbNWo4kSH3OqtwIz3:qnsmtk2aFzFPIT4bNJFY3OqtP3
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"C:\Users\Admin\AppData\Local\Temp\0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"C:\Users\Admin\AppData\Local\Temp\._cache_0606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com/watch?v=RfDTdiBq4_o3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd68fe46f8,0x7ffd68fe4708,0x7ffd68fe47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3356 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,6073257720422131592,16049400306726068497,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:14⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://keyauth.cc/app/3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffd68fe46f8,0x7ffd68fe4708,0x7ffd68fe47184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9132532488195767762,11911641243380248982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9132532488195767762,11911641243380248982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtube.com/watch?v=RfDTdiBq4_o4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd68fe46f8,0x7ffd68fe4708,0x7ffd68fe47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7597161408353037608,10194235325685741594,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7597161408353037608,10194235325685741594,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://keyauth.cc/app/4⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd68fe46f8,0x7ffd68fe4708,0x7ffd68fe47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,9080157092793456748,8759710523390910065,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1972 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,9080157092793456748,8759710523390910065,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start cmd /C "color b && title Error && echo Application not setup correctly. Please watch the YouTube video for setup. && timeout /t 5"4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.execmd /C "color b && title Error && echo Application not setup correctly. Please watch the YouTube video for setup. && timeout /t 5"5⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\timeout.exetimeout /t 56⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5a163c7bc85bb9c2a1e55cf1bdbc6a334
SHA1871c64f2c6297038ebbac6616bc535d09db38673
SHA2560606279933789b017a32a8b929f24524647249029e68c51b0b05386bb7c86590
SHA512dec52080226cf1f16107750b5cccc500033ecd050d5ae022f640761d3f5f29cb6ba1c86d845c04ed4321319572a8924a9d72ce2c6bf7897c71744c99f9f55d23
-
Filesize
152B
MD534d2c4f40f47672ecdf6f66fea242f4a
SHA14bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA51250fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6
-
Filesize
152B
MD58749e21d9d0a17dac32d5aa2027f7a75
SHA1a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a
-
Filesize
49KB
MD565da8d6932ad74d3b51694b5a28dd0bb
SHA1aa6e37cdacda153f499c299299a4dacf50c93765
SHA256309ec80a404d5ba8c9816e0932bff343c8e205fe36819908682289ed7c7ae482
SHA512bfce7ba0e18dde7d6f833709e565f704701d7a51b14d7c11b06cdce0b057290a334219c9aa4f7ea098c097eb779a2ceca397a9ad1ede0784348f78c81fd55015
-
Filesize
720B
MD50969a5bfa836d5db83fd9f752cd87511
SHA1687667a93a139b6864a4821a9f06498f964ded4e
SHA2564b404b90be7d415c27386cc9f0b6670f71eb1d7b71e034b2d583629e669b11db
SHA512b78e031bcbe76237e3a77d7aaca1ced733f8cd0677c0e4da1f8f3c762323b079a50759be431649516d3fea8b29c4f478f6ca54cc72e4c0339dad01398f724197
-
Filesize
2KB
MD59cb6a10e052e08c6e11dcc5b353a7c8b
SHA1b7476d140ed495954a537fead01ddb805802c203
SHA2565c1d170d32dc137aaa0dc1aa8b7cf303b3201fc3e842a85074063f81f0ee63fa
SHA512f746eda01c301d22f8aed9d7c1fb980d61443d9f4d64bac7434eba5d6413a883486a8e72b05d103dfe16a8d974854078733efc1ec7d1f1593886a0cad6113169
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
7KB
MD50b275b0cbaf099e40b290c3c42715888
SHA1aff631eeb288ed53d5f8aa00dd0b44c85f9f06cf
SHA2562a19255783e99bb5742e009f27acbef6d072ebda7fee89059730716ea3c41328
SHA512e55505a22754a9ced29ec50a75a214e5e3ca80c59d3364126a5bcc00d08e2e3883954aefb8a7e0267f7d25cd8f43cb8cbfd18b6ad0471d25ee6e6725af78397a
-
Filesize
7KB
MD515f6b1b3c2fe16d71d81c504b0b477c3
SHA17ce79a7fd08af9172fe58f30bebad1f3a0a8cc38
SHA256688ce6ea2cf6b0d200f566c242f4a93d81bd88e966a29b2780d27b9dda6897b2
SHA5125a8940169f427b3a2ed84ae5709ea4532208f9f39f24ea477458218653692ad5a8117fba71235c37be9c21ff2ebb2fca059283dc9764396259c1ae29e2004d0d
-
Filesize
6KB
MD50018ac095119178d253555efa31b3bf2
SHA19a33160016943ae6addab5ed15906e6b1baf54f7
SHA256d9c119947b6ba5874837aa90e13b28cae314bf9cabb7f500293208fc5288b1f0
SHA51267f99a7e8c05bebe97099976e91041df8a46cece10a26e30f36a3c72b448937a6df4517622da4d4612744bb8df4af61d2fa85d38616bd8f693c6d7a8d9b5e0e1
-
Filesize
24B
MD554cb446f628b2ea4a5bce5769910512e
SHA1c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA5128f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
146B
MD51e1bf89f78404ad80dfdc2364d95d817
SHA106671ac80fcaedd80f9890756b10e82cd17213af
SHA256acc10098a17e86677a83d280c73617b82871dfdfbad9a367376fa206625ad90d
SHA5124ba1dae57a54d00b0e58b5ceb6a633aed90504f0d236669e4b4d3482f06bb8f35db986ab1986319c333df3e220135c17f883a6c4cdca627cd9576318c809dc32
-
Filesize
89B
MD53d82b6d81a24787c609ef37d262c5fef
SHA165b8bc68dcea45ccc5570237fea503db4082db5c
SHA2566a0ad1d7fd07d67da1d02038714c7bfe57d217856a9ee2badfb5434f1c8e67a0
SHA512d94b4767a730a780a1e3cb080307c075ef9326cfd08e49b28a3008b9117ad50913ebdd8f5964033522d7e82ec9b08106f1cbd30a8e3da3982705fed7ddff7209
-
Filesize
82B
MD519568c07cdfff33f9a9fafecc42d9e80
SHA12f15c7227b50785917b8cd7a08a5bfb1e71f586d
SHA2562f98c969bbede34d385e53dc4e7841d4a4f33fc60795bd76162f777a69806ee8
SHA5122787328e114c1a90970fffe8f2717eb9ecf66e5aa93f8146c491448f4d5ad432240db6686c1ceb4d6fe894ca8f758ea791d54d8b88168a24f0eb1f130a1ccf4d
-
Filesize
26B
MD52892eee3e20e19a9ba77be6913508a54
SHA17c4ef82faa28393c739c517d706ac6919a8ffc49
SHA2564f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2
SHA512b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae
-
Filesize
82B
MD518f8556888de7ad7fcf614027b0e7c1f
SHA12348b832e8c770ac88769ca55174f43f75b19034
SHA25678c8c9166c69e1bfb5ef7cd865cb9bee6474b676ca17ee3483b70bd1ecd7aab4
SHA51270b1a23eca165356c0cc68f7bc3214da4ce74a0daf307be9efb1e4509e0ff9d4bb301992086d465c945560442089ea6f5ab0dbf1f1dd32d2b42bc823f9d96204
-
Filesize
146B
MD57ea50ca6b01fdc3e00fc7eed61f28b59
SHA14c6c84b77f492a03652030cc89109fddece9b000
SHA25654da034b42a93c2ed7aeaf83cde9cec3d58a9646e10974029bf20099035ef4d3
SHA512ea56311255bf2d6ba090ebf662d866e1f66a2ef4b255fd2ab40e97e2c1966298edf192e5e8373a56e167fcf4e563ec1292ed7fbe2204421890dd2dd97023a18f
-
Filesize
89B
MD5a93b14707f41d55ed5595dacfa60cc11
SHA1ea2a77ecacd945e23d050d50b16ff1511088e218
SHA256993613946e8eadac2a29a35d6137bc72402ae7e435e5a651a82bc34d3ffefc25
SHA51242ef01e3cf877ea3045206eddf5fa142a7692c2992bc94ed79c025545168cf999754a6ab40ff1b6848bf2122f6cff26a26f0262904b23d111f0f082911be5d2b
-
Filesize
72B
MD53e5c4e60b8171308a642c9d8b51c77ae
SHA1dbd8f425f4b44b3c4f0366b6467130936d659ff9
SHA25677217d0d762b03756519b3c1ef74804089570c57100535262c84b49b7b5a5f84
SHA5120a3fb212940acffb0ee1d641cc1e0f4fbbc1203ab0f8153f309b4aedab6f74d3fb2c5d4c0d64109edcfacd64e3e9f78b1b81781510e091e01d93aaf031fcf58a
-
Filesize
48B
MD51ea244889f7489216090bbb4c69d0912
SHA136e9060035c5430bea6a462dcbaf56f946d0467b
SHA256f937383bbf5e7eedab5fcf6cc519c08d7f13b63037bc7608f8b95bda53858aca
SHA512790d73d28a1891805e787885cab5632f93db382a66a5c268befcf3a6f438516f897afe6d69102e00ea5d65784ad29f449c29cffc2f8a4a8861f47e9ba9b0115f
-
Filesize
873B
MD542c8359aad8ba95cc2ed19ad18085c96
SHA1c6b1e7aa3cdd6d4a27f4e5e07ad94e3ef547e324
SHA256027629dc8418fc9fe4694ed8a2d2409fc3b0c282844560f1f7f83abbd33595a7
SHA512515cb1e441c491939718ec972f0e5e0d50baff9181c599d4f8052d374afcddf2359d88f2f8da92b6e7ee9dc0c84acfd18aed98e7248fd4793a30894daf44c036
-
Filesize
873B
MD57036db4085da294b09da6fd5392aa5b5
SHA13f7d298dc84e4f168d5c9026c68567163f6ceeab
SHA2566695402be2a2a4a52376fcec45ff8d5e6e5de5e0a9536092f5303087ff5181a3
SHA51292353b58e8f5207bc692ad5ea49d337c6c8e752cb6f760ce9e99936a5920726ff73c34f0d6b033dbd33ea5896a37e7b0d482f2762993f2f786b73103a2c30ecb
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
8KB
MD57893743129f8aa5dd320dd33292a5cf4
SHA15ee661784e24e6b2006554f26670495dd2b938c3
SHA25678f3e70c818e3ecde9158bbae8667f96233ecde3971c9e6c5e8357236765d9b8
SHA512f9d92383686f6666cbf953124ac77d56aa798a93d31cadc3637f17b6bbcf572c7338cd3f7d08bd1f503718dc93343150b7be20356a26ac642dc4fbe9c3016dd5
-
Filesize
10KB
MD5932a497f810bebcce79f716d67806e32
SHA157fed40763f311ec056f3551e36329700b8c8098
SHA256539dca0e16e6c4c72b618ef0ab7290e69f97c3be506b334872af3d188b2c5ff5
SHA5129726d85160964fdcaf746457ae280231784fea5db6e02f6ff95323b8146ad71fe2396fe1b3ad2197c7d4fd02ee003066803a68d44e4c88577e225fd6e9695579
-
Filesize
8KB
MD53947b02bf5bf36f3bc2ba9d1294dcd3d
SHA111f5657d02c9fa7187566aa40889b93169d5db42
SHA256e8341eaccfc8558b21ae5a956da748c461f976ef4a0e460fac81828c99d1bc7e
SHA512ea8c3462dea5991b415f3472ca7b556141e9a82b102d5ccc762bbf875a69acb2684bb0e4fe17b333cce670a6e8bf2e0dc13d180a8c89fe3764468850958f7366
-
Filesize
8KB
MD5d73beb670f69022e08c7a0b2b2bd91d2
SHA154c7e57ff86fee182713d236945bcf2a6a730b1e
SHA256f465d163ca4ff4cdd1681e9d1a0e17a7e5b76dd2a6d74dd5fa4783a132adc76f
SHA5122f9e72c18a81488a727094ed5801f80053748f7592fab6d4bb7577fc50c94af95125df923621b92f5abe0c2d1e44bd7ee6d8918686d2d4c4a0872c6d4fce1462
-
Filesize
2KB
MD59d9078946c2d101691844182b56bb5d1
SHA18ccb8adbac2c7fe59633baec4433c88be9ff035d
SHA2563a4a6fe3d9d366a298de4ce07e7589f87216003af762b00ac7fc1627e1e559c6
SHA5129a2a60698818ea21701a7d2fc96a4caae067c44dbda9a51d61733c38551eb2cc8d75bdc1eaba1a36a39ca8dc2bb4dd73366b128f9619a725825dd79fd44cb469
-
Filesize
4KB
MD50ea6127d069e8746a486340d13817d2e
SHA17332f39cab59f7d2c0b6a76b42db0343657d268f
SHA256f13ac89d99804db47068864af806dc235693815c871f7c2ad7b74d60b7c2f074
SHA512859a873353713e0b80309b1011c9d5feebd5288a66d36c51240c726be373352e6c3d72afe67a245ca0a82531c93362169dfae8764f447f3f189bf93346938233
-
Filesize
1.3MB
MD5b9773451b024cd03b844bc09cd17a3f4
SHA1c3b11a40d7e141b1712e89ec6f4d0a7a273f7e6f
SHA2568a1cda86fda420345e59cf46954aa2ac713a4549d2d2a2f36f27c0f5f01a1a82
SHA51244923981b897fa080684960375eb5dcf562e86b1de012126ccad8bcd147e0b78eded1dec00faacef8a273355d553829f6e7c1ac101c6ccde8d976426b952312b
-
Filesize
21KB
MD5447e3d75f44899bb64966466a6d14aa5
SHA16753bdca82c49a16a81105e167e29578d51967ef
SHA2560c05f4a4ad37d9327e6df503c7a5c958e0c051429f3571940a2903440a7549e8
SHA512134e92fae43b92836dbe8834c2b86b50fc78dbe27247b37a6d74e860a12e465b17873c7c2dc3c484edd4796eca1979727169ee21cec2b7c427d4a6d5e4d9a008
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
2.1MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
2.0MB