Analysis
-
max time kernel
610s
-
max time network
615s
-
platform
windows10-ltsc 2021_x64
-
resource
win10ltsc2021-20250217-en
-
resource tags
arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted
28/02/2025, 18:39
General
-
Target
Xeno.exe
-
Size
69KB
-
MD5
4e8074b05433894b629f67b4770d5474
-
SHA1
f71e57d6bda8a72a7760d358e63664136b8a7bb7
-
SHA256
480c3389177a32a663b3c484507f00a646a6b4a10c3532527bdc0dcd78c7d259
-
SHA512
de0726f1335c757925170f496181ee66b29231034c6ab205f54fc265370485bbf1eedfadaaba4b57fd78d6057860630ccd1bada035d71ae74b8f0a5349329e89
-
SSDEEP
1536:2SuDiZ0QURBoIKoPyS2I+bqpO1Xd7UEx6M0O8RLZ68i:2SuDaURKkPJt+bwwURO85M8i
Malware Config
Extracted
Family
xworm
C2
cause-indexes.gl.at.ply.gg:17210
(cause-indexes.gl.at.ply.gg is a playit.gg tunnel hostname under ply.gg, so the address it resolves to belongs to the tunnel service, not to infrastructure the operator controls directly; block or hunt on the hostname rather than the IP.)
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Contains code to disable Windows Defender (1 IoC)
A .NET executable carrying code to disable Windows Defender capabilities such as real-time monitoring and block-at-first-sight.
resource | yara_rule
behavioral1/memory/4572-80-0x000000001C000000-0x000000001C00E000-memory.dmp | disable_win_def
Detect Xworm Payload (1 IoC)
resource | yara_rule
behavioral1/memory/4572-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp | family_xworm
Both YARA hits are on memory dumps of PID 4572 (Xeno.exe).
Xworm family
-
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes. Here the four invocations exclude the dropper (Xeno.exe) and the configured install copy (%AppData%\XClient.exe), each once by full path and once by process name.
pid | Process
3660 | powershell.exe
3020 | powershell.exe
2892 | powershell.exe
4796 | powershell.exe
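The Add-MpPreference command lines are the most actionable artefact in this report, because an exclusion outlives the process that created it. The Python below is an added example, not code from tria.ge or from the sample: it runs a detection over process-creation records constructed from this report's process tree (the Sysmon-style field names are an assumption), extracts every Defender exclusion that was added, and rates each by whether the parent or the excluded target lives in a user-writable directory. It also matches Set-MpPreference -Disable* calls, the capability the disable_win_def rule refers to but which did not appear on a command line in this run; that event and the administrator event are hypothetical and marked as such.

```python
"""Spot PowerShell-driven Windows Defender tampering in process-creation events.

Added example for this report, not code from tria.ge or from the sample.
The events below are constructed from the report's process tree; the field
names (Sysmon Event ID 1 style) are an assumption.
"""
import re
from dataclasses import dataclass

# Add-MpPreference parameters that carve a blind spot into Defender; the
# report's signature text names extensions, paths and processes.
EXCLUSION_PARAM = re.compile(
    r"-(ExclusionPath|ExclusionProcess|ExclusionExtension)\s+"
    r"(?:'([^']*)'|\"([^\"]*)\"|(\S+))",
    re.IGNORECASE,
)
ADD_MP = re.compile(r"Add-MpPreference\b(.*)", re.IGNORECASE)
# Set-MpPreference -Disable<Feature> $true: the capability the disable_win_def
# YARA hit refers to; it was not seen on a command line in this run.
SET_MP_DISABLE = re.compile(
    r"Set-MpPreference\b.*?-(Disable\w+)\s+(?:\$true|1)\b", re.IGNORECASE
)
# Directories an unprivileged user, and therefore a dropper, can write to.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Finding:
    pid: int
    parent_image: str
    detail: str     # e.g. "ExclusionProcess=XClient.exe"
    severity: str   # "high" or "medium"


def _severity(parent_image, target):
    # A parent running from a user-writable directory, or an exclusion that
    # covers one, is the commodity-dropper pattern.  An administrator
    # excluding a server data directory from explorer.exe only rates medium.
    if USER_WRITABLE.search(parent_image) or USER_WRITABLE.search(target):
        return "high"
    return "medium"


def analyze(events):
    """One Finding per Defender-weakening parameter on a PowerShell command line."""
    findings = []
    for ev in events:
        if not ev.image.lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
            continue
        added = ADD_MP.search(ev.command_line)
        if added:
            for m in EXCLUSION_PARAM.finditer(added.group(1)):
                kind = m.group(1)
                # exactly one of the three quoting alternatives matched
                target = next(g for g in m.groups()[1:] if g is not None)
                findings.append(Finding(ev.pid, ev.parent_image,
                                        f"{kind}={target}",
                                        _severity(ev.parent_image, target)))
        disabled = SET_MP_DISABLE.search(ev.command_line)
        if disabled:
            findings.append(Finding(ev.pid, ev.parent_image,
                                    f"{disabled.group(1)}=True",
                                    _severity(ev.parent_image, "")))
    return findings


def excluded_targets(findings):
    """Paths and process names Defender now skips: remove them and re-scan."""
    return sorted(f.detail.split("=", 1)[1]
                  for f in findings if f.detail.startswith("Exclusion"))


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
XENO = r"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"


def _ps(args):
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed records: the first four are the PowerShell children of
# Xeno.exe (PID 4572) exactly as the report's process tree shows them.
SAMPLE_EVENTS = [
    ProcEvent(4796, PS, _ps(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'"), 4572, XENO),
    ProcEvent(3660, PS, _ps(r"Add-MpPreference -ExclusionProcess 'Xeno.exe'"), 4572, XENO),
    ProcEvent(3020, PS, _ps(r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"), 4572, XENO),
    ProcEvent(2892, PS, _ps(r"Add-MpPreference -ExclusionProcess 'XClient.exe'"), 4572, XENO),
    # Hypothetical: an administrator excluding a database directory.
    ProcEvent(5100, PS, f'"{PS}" Add-MpPreference -ExclusionPath "D:\\SQLData"', 1200, r"C:\Windows\explorer.exe"),
    # Hypothetical: the disable call the YARA rule describes, had it run.
    ProcEvent(5200, PS, _ps(r"Set-MpPreference -DisableRealtimeMonitoring $true"), 4572, XENO),
    # From the report: not PowerShell, so ignored.
    ProcEvent(3604, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --single-argument http://roblox.com/',
              4572, XENO),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity:6}] pid {f.pid} <- {f.parent_image}: {f.detail}")
    print("re-scan after Remove-MpPreference:", excluded_targets(found))
```

Run as a script it prints one line per finding; the four report events and the hypothetical disable call rate high because the parent runs from %Temp%, while the administrator's D:\SQLData exclusion rates medium. The excluded_targets() list is what to remove with Remove-MpPreference on an affected host before re-scanning, since files under an exclusion were never inspected.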
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation | Xeno.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Xeno.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk | Xeno.exe
Executes dropped EXE (3 IoCs)
pid | Process
4964 | dajvys.exe
2300 | xvcvhn.exe
3760 | yeafgs.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe" | Xeno.exe
The Run value and the Startup-folder shortcut above both carry the XClient name and the %AppData% install location from the extracted config, so cleanup has to remove both autostart entries as well as the file.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dajvys.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | xvcvhn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | yeafgs.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandbox environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Xeno.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | Xeno.exe
Enumerates system info in registry (2 TTPs, 7 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | Xeno.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | Xeno.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion | Xeno.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate | Xeno.exe
The msedge.exe rows are the browser's own hardware queries; the Xeno.exe rows, together with the CentralProcessor reads above, are consistent with VM/sandbox fingerprinting by the sample.
Modifies registry class (1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000_Classes\Local Settings | OpenWith.exe
Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid | Process | entries
4796 | powershell.exe | 2
3660 | powershell.exe | 2
3020 | powershell.exe | 2
2892 | powershell.exe | 2
4572 | Xeno.exe | 24
3928 | msedge.exe | 2
3604 | msedge.exe | 2
2396 | identity_helper.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
pid | Process | entries
3604 | msedge.exe | 11
Suspicious use of AdjustPrivilegeToken (64 IoCs; the list is capped at 64 entries)
pid | Process | Token(s) enabled
4572 | Xeno.exe | SeDebugPrivilege
4796 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries)
3660 | powershell.exe | the same 22 entries as PID 4796
3020 | powershell.exe | the same sequence as PID 4796 through SeManageVolumePrivilege, then 33 (19 entries; the list is cut off here)
Numeric entries are privilege LUIDs the sandbox did not resolve to a name. The powershell.exe sets are the privileges the PowerShell host routinely enables at startup and are not specific to this sample; the SeDebugPrivilege request by Xeno.exe itself is the one tied to the sample.
Suspicious use of FindShellTrayWindow (28 IoCs)
pid | Process | entries
4964 | dajvys.exe | 1
3604 | msedge.exe | 26
3760 | yeafgs.exe | 1
Suspicious use of SendNotifyMessage (25 IoCs)
pid | Process | entries
4964 | dajvys.exe | 1
3604 | msedge.exe | 24
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process | entries
4572 | Xeno.exe | 1
3564 | OpenWith.exe | 1
3760 | yeafgs.exe | 3
Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64 entries)
description | pid | Process | procid_target | entries
PID 4572 wrote to memory of 4796 | 4572 | Xeno.exe | 88 | 2
PID 4572 wrote to memory of 3660 | 4572 | Xeno.exe | 91 | 2
PID 4572 wrote to memory of 3020 | 4572 | Xeno.exe | 93 | 2
PID 4572 wrote to memory of 2892 | 4572 | Xeno.exe | 96 | 2
PID 4572 wrote to memory of 4964 | 4572 | Xeno.exe | 101 | 3
PID 4572 wrote to memory of 3604 | 4572 | Xeno.exe | 106 | 2
PID 3604 wrote to memory of 4032 | 3604 | msedge.exe | 107 | 2
PID 3604 wrote to memory of 3812 | 3604 | msedge.exe | 108 | 40
PID 3604 wrote to memory of 3928 | 3604 | msedge.exe | 109 | 2
PID 3604 wrote to memory of 1108 | 3604 | msedge.exe | 110 | 7
Every write here is by a parent into a child it has just created (Xeno.exe into its PowerShell and dropped-EXE children, msedge.exe into its own helper processes), which is part of normal process start-up and is not by itself evidence of injection.
Processes
-
"C:\Users\Admin\AppData\Local\Temp\Xeno.exe"  PID 4572
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Xeno.exe'  PID 4796
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Xeno.exe'  PID 3660
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'  PID 3020
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'  PID 2892
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
  "C:\Users\Admin\AppData\Local\Temp\dajvys.exe"  PID 4964
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com/  PID 3604
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffde2e346f8,0x7ffde2e34708,0x7ffde2e34718  PID 4032
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 /prefetch:2  PID 3812
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3  PID 3928
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8  PID 1108
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1  PID 324
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1  PID 2276
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1  PID 3516
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8  PID 3936
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8  PID 2396
      - Suspicious behavior: EnumeratesProcesses
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2604 /prefetch:1  PID 2152
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1  PID 4412
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1  PID 664
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1  PID 3616
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8  PID 4256
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1  PID 4012
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1  PID 4300
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1  PID 2084
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1  PID 1020
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=6572 /prefetch:8  PID 724
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2192,14889864905874467016,17083400106573577207,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6752 /prefetch:6  PID 3544
  "C:\Users\Admin\AppData\Local\Temp\xvcvhn.exe"  PID 2300
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
  "C:\Users\Admin\AppData\Local\Temp\yeafgs.exe"  PID 3760
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
C:\Windows\System32\CompPkgSrv.exe -Embedding  PID 5004
C:\Windows\System32\CompPkgSrv.exe -Embedding  PID 416
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc  PID 3764
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding  PID 1860
C:\Windows\system32\OpenWith.exe -Embedding  PID 3564
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\AUDIODG.EXE 0x308 0x348  PID 4712
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 3KB
MD5 3eb3833f769dd890afc295b977eab4b4
SHA1 e857649b037939602c72ad003e5d3698695f436f
SHA256 c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512 c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize 152B
MD5 40a7fd2af012a0035df4439e84a91899
SHA1 bd0c6bec4e1bf2c0c84702b8505796975b75cc48
SHA256 d19928a212694cfa6674d5b9efa82707baabdca4242023343af8dc711b355326
SHA512 e68fe33f1ea0cb67d4f845724c860e70e032f1dbdf0685c7a2dd417b594f2c5c0959152a95904ce4f05eac03e31a88738f7a34de569769760dac21ae8722077d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
MD5 d7f70b9deccf300caecd2180779ea912
SHA1 96e0ccef900eee6bcaa2d02e2d0c598d6f926c33
SHA256 bd4fbce7c9f9c93e542d03206bfee7ca4295798286911e0547632995d8d9b12a
SHA512 49356a806a295a57865061852d3a4e12eb4727d042660baf0fa479799cf9f195b0f62ed7a3eebbf0ffa23b5278e05e26639dd768c0bcebafed0d7c15878a7e5b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
MD5 ec5e8b3cd6a219bda523a742ebedb833
SHA1 b675d085f32e50fe4f055c98c8357110333084c6
SHA256 491a88ca578b1b66b7c9501637cf80f59116a6f5bff4adb10969f2abf4c0f454
SHA512 ce2a462e66150e9ac3885a95025929a9af5099344fa95624ee99225c633202c282c81f849bec222c4867d2dcaa970fd60fb1afd6ee1f325819483e76a0c19000
-
Filesize 689B
MD5 b8b7579cdd944e861a354bec8cbac731
SHA1 c768f670ada804f6945671ccc304861611b6ca81
SHA256 0115b445bd7f415464656580a12ea514424093e33c2c082cbcbd3c3223ccc9d4
SHA512 4dbdfb21604de2ea7a48cddc773843cddb809470e341f2f06ca2e9f08ab57b7b5980db837e04a82c5370be19972ad5625e4fe53694fdf57094778d437f1fed34
-
Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize 689B
MD5 274a2da1b5ff510f3f00d88d87f59368
SHA1 359e2d78aa3842a4a4b7f6a33cb6eb46f12004e9
SHA256 850de5b1595479449609698c0dae0885639a01520815d2789455a92f2bd77c51
SHA512 71961bb567986a1e75e9822fef8cea9ba0f1f5429de16529c1268c1c26f1f78de71f9dc127ea0cfd917191c721aeee86107b47e97a720385b059582685017666
-
Filesize 5KB
MD5 0e195b977c4179c7fee362f68374d646
SHA1 71d47efa12e878f07c71c2a72bf98f1b7905de22
SHA256 d736751005641e8f36e38fed5d86b9f1cea7081b97ae049d2dbd33bafdf964ae
SHA512 9715272d9a438ae7c691e8af7047921f90eda127c9ae56e26fe3604984a48001b72e6d8a812986a63e335ec7b2c46e0d394bb21dc9975e6cfcc24d1c21b4713e
-
Filesize 5KB
MD5 4d3797badcc2a27c2437d8c0f26164af
SHA1 6247ab49900cee72a29c219d140a49491b4011f3
SHA256 9fe828e3a9646020f3c41d49616c3ebf591d05e655658cb9f78abdfb60be60c7
SHA512 ec1aeedc55a42f686fcf9413124a1d04e813bfbd4b5e78673bf1ebf926e1427ba6c5bba4c3e436fffb889c69018ca55b908abbab0f516bf625492921b986e601
-
Filesize 7KB
MD5 2b231e23da252ea8aecc6c1c95d0684e
SHA1 50909c7812bc7d247a02a48c8317f7ae163699cf
SHA256 f927015160192c45607adfe425c42d8f21d7a99f570b698315f7c1769a4d2980
SHA512 4cc15d6e154d1d9742a3df515751b29505b8dc4f90a2173ded8d4669b15618a619770c33c6966df2c0f93871005faf1d921ca8245feb65b1073cd0f06b8ea984
-
Filesize 24KB
MD5 7cea671c9d512a2198dd38982941633f
SHA1 48ab2bcc5acbb87e4552f399c611aab5417b9729
SHA256 613ef4fff59958c618b99c48e9f3188d1a2490f3287fd6ab6c73b40c5563ca2e
SHA512 9f4f8fd48307fceb178b71885ace114e8a1fb498679c0b6814bc48ff8f6023b85d8086c5561366422ec25dca96d8413ae8458f52c6728649b99dce78fb3ce33a
-
Filesize 1KB
MD5 50752e60a5c437a558483c7771ca7a4c
SHA1 f0682db61896d1217ee49bd6d6f405adaec1ac84
SHA256 c81d4d40d2fc70987ccd1fce77eff49965a4b074d4ae08b5897afc947d869a4c
SHA512 46be5e7eb0062e51b461ffd733c223cb258e5742a375d507aacbc4058f0e75021b27dd37b1c49d5cda36c10820644f73ed2b4d6a0ad77b1a4b7999d32fa368c0
-
Filesize 1KB
MD5 b44f5ca8c7ae8fdf5718e8c4f051c140
SHA1 04d35fd7cb935fe8a30c5375a886ce68d5b02eac
SHA256 e878ece24e35b26dca9f7cc7df61d4e4b5840df92cdffd1b581cfb0639a2e93d
SHA512 8142bbab593088010140f78d92f3dd9d9459109544ed3b1ade529c9af392a5a5468cd27b4dee8f5f69b0e1bf727417bcca3b7ddb330594b1e5ac41be9ea41beb
-
Filesize 1KB
MD5 387ccc14636be0ab39220c027d112218
SHA1 e9a515b2fa1d583c1746b07a65391801993dba78
SHA256 6b51d859148a91c74ed1ce12420bf9358bf5b397992d8d9dd885af69a125db04
SHA512 9adac36026d6a233e27087c201e7a6e649dc87a9522447e3986710f57dea99b09e7d3ea3e1fa086697d6dd33a63b10226485d07c7dc93b4ad2ce6842b72180cc
-
Filesize 1KB
MD5 bc9fb99be143054ea8fb14a119e95960
SHA1 f10428d1020f53af9652a46b5eacf772f2b16eb5
SHA256 36a94b9b16e2f2cb9fbd75069a88775571e48ba29b37e464b01ae95131d97659
SHA512 ca4829d5aaada76484e35862df63072f7d37a4e0d95bfdf728f16d41f75d7818e553bf4420e361de9efc2dffa7d41968d6a7d2f93cce59bef536a12796e3f285
-
Filesize 1KB
MD5 f7d5e6dff8a5b3dda4c832dc4060b48b
SHA1 2651b4ceaa2d9cb85e13ba4673a6200813d1b2a8
SHA256 f2935d712ef6d95c2a1b73113b547168ad8de3cac1213d1322fa6d38981ef158
SHA512 ba2f09dc3598ce9f96ba753abebc9f7211d596f7b502d058526aebde9c23888bfddc5960bb97c72a34692e43567ee949aeed338019005558af7ca2801a570689
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 10KB
MD5 4cfe18106bfac44665fc04db7d8bff7f
SHA1 b0ae7127783f8bde6f0216485c245d3c70d76095
SHA256 87447eb4e5bffd7750f74b81caf5218339b0784ba3e6ba4edec2ca9f6d1ac4c6
SHA512 cf09a0692e364aa99e431a8154b686406b54785f5f5b396230a2e2ffdc6d8009b561ebc2cd7a1199540cbf9e0a7b62f41e9eea8442c7efc535f8a84b36ab84bd
-
Filesize 11KB
MD5 95be16d3b9e1fea7c8a31166bee859d4
SHA1 8500315e752a583e2bb3a6101efe7a4e5fec8b25
SHA256 999c1f71a602a65b8affca1b1ef4eccf6b085ab4da5060acb01618264bf69d31
SHA512 6d27bc090279da6e1a53a916e4c56bae73104d1dc85a88ca11d229e7f58c7762c70ce686d9fce19a0bf83252639172a63ee7e940a48003d857e00c29f44587aa
-
Filesize 1KB
MD5 f0f59cccd39a3694e0e6dfd44d0fa76d
SHA1 fccd7911d463041e1168431df8823e4c4ea387c1
SHA256 70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401
SHA512 5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee
-
Filesize 1KB
MD5 79746cd4afed7fd14cb13cd145136c65
SHA1 ea7097a42b05cc684b8ff034f5ac6e952a92cb03
SHA256 871da5dca905d702b2be2c905a8d00d5a80be53791ab4433664e582ac98ba9ea
SHA512 31fe60352d385911fa0ebcc21aef64bb8a8dadc124a716a42b9d9541c0c080446c54045d91b244738dd66b33d8bdad87c2acd72b0cf0b77aa3754ff94119f7bd
-
Filesize 1KB
MD5 5b6f7dfa5ec0387fa9726d85120371b7
SHA1 e3d5d917716b722f8639eeab70958e8f4140e955
SHA256 7375bbd067e473decffbff9e7f3b440e853d2a1d316192d7178eec1ccb993629
SHA512 f2a099fc8f3e937c358c698144faa4b395a72fdea49eca4110574297e9a02737c37a6d28451f56a3f2e470d21aa60108e47cb899041a718fb507a6495eca9a32
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 1.0MB
MD5 ae250258012727720a7be047f3a551bb
SHA1 a605d60d81c6002c8a67c8770c6a7133a281359c
SHA256 75cca561fd994676c8925dc592a324739c15e834deae2e0c26cd09519c2f84d7
SHA512 9c3e2e449270a74be1af746752946c77dcdff677f4d38767f4eac65b292dca18d5e6935e2c134e625d762af7dd7e3a35ba01ade3c34cc9ae1c66e28d6506ad62
-
Filesize 360KB
MD5 2f0c1f93f38047e74921bfd00599c37a
SHA1 a052301f981f4ab4c8667b543e16bd407e23348b
SHA256 70d56bc08d401f0903a9421fa2434a82df7e72d30774fa21a51b822148c51cce
SHA512 fc962d66fd5d0ae865ad53bd5d914789e83304b1fb2cef3bbe32630ad0680a34faf580a8e10e646329a169e31cf98e1d42e02ab5a88cc333fa57f65779e1fc0f
-
Filesize 500KB
MD5 07a9f858f9867f52163d7cec3bd899e3
SHA1 d7feae9f88b807606b747a27ac95ede57b2615f5
SHA256 0fde5da043382f46f04eaa04028fba0d127c20b87b88fbd7966805d5c93307ca
SHA512 e07185b51ea52aa9850beaa099a621383a06d452666e96b25e2f0a9f7152fe5f4dbcc8a75a6cb336ee80c4273f85d04abdc142e7d0f87a4f2a9b85a51036cb30