| File name: | sage-windows-amd64.exe |
| Full analysis: | https://app.any.run/tasks/08958d78-b7d2-426e-8279-ac0a98a81ae8 |
| Verdict: | Malicious activity |
| Analysis date: | October 27, 2024, 17:12:35 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows, 11 sections |
| MD5: | 0404A0DFA1155B0C87BF39779ADA5696 |
| SHA1: | 4AF3F5A94B26A01A4CBE32B95FF03C9C3BB0FFA3 |
| SHA256: | 4BCA5E30B434E1A6B8DD118EB982CA96DFAC5346DACC49AAD22FC8A6AFDAD262 |
| SSDEEP: | 98304:RJX5m3DyA8qSXAzMjKkVWcFauMaOhYh9UCKggrCIUla61S32xKLDclxdRLL//iOo:CpFMC8 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- sage-windows-amd64.exe (PID: 3128)
The process bypasses the loading of PowerShell profile settings
- sage-windows-amd64.exe (PID: 3128)
Executable content was dropped or overwritten
- sage-windows-amd64.exe (PID: 3128)
- node.exe (PID: 3608)
- node.exe (PID: 3620)
Executes script using NodeJS
- node.exe (PID: 6264)
- node.exe (PID: 3608)
- node.exe (PID: 3620)
- node.exe (PID: 4548)
- node.exe (PID: 1572)
- node.exe (PID: 4040)
- node.exe (PID: 1184)
- node.exe (PID: 6124)
- node.exe (PID: 4164)
Application launched itself
- node.exe (PID: 6264)
- chrome.exe (PID: 7104)
- chrome.exe (PID: 528)
- chrome.exe (PID: 5196)
Process drops legitimate windows executable
- node.exe (PID: 3608)
INFO
Reads the computer name
- sage-windows-amd64.exe (PID: 3128)
- node.exe (PID: 6264)
- node.exe (PID: 3608)
- node.exe (PID: 3620)
- node.exe (PID: 4548)
- chrome.exe (PID: 7104)
- node.exe (PID: 1572)
- chrome.exe (PID: 528)
- chrome.exe (PID: 1788)
- chrome.exe (PID: 6756)
- chrome.exe (PID: 6128)
- node.exe (PID: 1184)
- node.exe (PID: 6124)
- node.exe (PID: 4040)
- chrome.exe (PID: 5196)
- node.exe (PID: 4164)
- chrome.exe (PID: 4040)
- chrome.exe (PID: 7256)
Drops encrypted JS script (Microsoft Script Encoder)
- sage-windows-amd64.exe (PID: 3128)
Reads the machine GUID from the registry
- sage-windows-amd64.exe (PID: 3128)
- chrome.exe (PID: 7104)
- chrome.exe (PID: 5196)
Creates files or folders in the user directory
- sage-windows-amd64.exe (PID: 3128)
- node.exe (PID: 3620)
- node.exe (PID: 3608)
- chrome.exe (PID: 5196)
- node.exe (PID: 6264)
- chrome.exe (PID: 7256)
Application based on Golang
- sage-windows-amd64.exe (PID: 3128)
Reads the software policy settings
- sage-windows-amd64.exe (PID: 3128)
Checks supported languages
- node.exe (PID: 6264)
- sage-windows-amd64.exe (PID: 3128)
- node.exe (PID: 3620)
- PrintDeps.exe (PID: 7144)
- PrintDeps.exe (PID: 7160)
- PrintDeps.exe (PID: 1712)
- PrintDeps.exe (PID: 692)
- PrintDeps.exe (PID: 6836)
- PrintDeps.exe (PID: 6308)
- PrintDeps.exe (PID: 7040)
- PrintDeps.exe (PID: 7116)
- PrintDeps.exe (PID: 6864)
- PrintDeps.exe (PID: 5640)
- PrintDeps.exe (PID: 2780)
- PrintDeps.exe (PID: 7136)
- PrintDeps.exe (PID: 1084)
- node.exe (PID: 4548)
- PrintDeps.exe (PID: 4584)
- PrintDeps.exe (PID: 6196)
- node.exe (PID: 1572)
- chrome.exe (PID: 7104)
- chrome.exe (PID: 528)
- chrome.exe (PID: 6380)
- chrome.exe (PID: 1788)
- chrome.exe (PID: 6128)
- chrome.exe (PID: 2684)
- chrome.exe (PID: 2796)
- chrome.exe (PID: 1432)
- chrome.exe (PID: 692)
- chrome.exe (PID: 6756)
- node.exe (PID: 4040)
- node.exe (PID: 1184)
- node.exe (PID: 6124)
- chrome.exe (PID: 6852)
- chrome.exe (PID: 5196)
- node.exe (PID: 4164)
- chrome.exe (PID: 5276)
- chrome.exe (PID: 4040)
- chrome.exe (PID: 6568)
- chrome.exe (PID: 6396)
- chrome.exe (PID: 7256)
- node.exe (PID: 3608)
Reads product name
- node.exe (PID: 6264)
- node.exe (PID: 3620)
- node.exe (PID: 3608)
- node.exe (PID: 4548)
- node.exe (PID: 1572)
- node.exe (PID: 4040)
- node.exe (PID: 1184)
- node.exe (PID: 6124)
- node.exe (PID: 4164)
Reads Environment values
- node.exe (PID: 6264)
- node.exe (PID: 3608)
- node.exe (PID: 3620)
- node.exe (PID: 4548)
- node.exe (PID: 1572)
- node.exe (PID: 4040)
- node.exe (PID: 1184)
- node.exe (PID: 6124)
- node.exe (PID: 4164)
Create files in a temporary directory
- node.exe (PID: 3608)
- node.exe (PID: 3620)
- chrome.exe (PID: 7104)
- chrome.exe (PID: 6128)
- chrome.exe (PID: 5196)
Sends debugging messages
- chrome.exe (PID: 7104)
- chrome.exe (PID: 5196)
Checks proxy server information
- chrome.exe (PID: 7104)
- chrome.exe (PID: 5196)
Process checks computer location settings
- chrome.exe (PID: 7104)
- chrome.exe (PID: 2684)
- chrome.exe (PID: 1432)
- chrome.exe (PID: 2796)
- chrome.exe (PID: 692)
- chrome.exe (PID: 5196)
- chrome.exe (PID: 5276)
- chrome.exe (PID: 6396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 2.39 |
| CodeSize: | 5654528 |
| InitializedDataSize: | 12912640 |
| UninitializedDataSize: | 621568 |
| EntryPoint: | 0x13f0 |
| OSVersion: | 6.1 |
| ImageVersion: | - |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows command line |
Total processes
196
Monitored processes
65
Malicious processes
5
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 528 | C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb /prefetch:4 --monitor-self --monitor-self-argument=--type=crashpad-handler --monitor-self-argument=--user-data-dir=C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb --monitor-self-argument=/prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb\Crashpad --annotation=plat=Win64 --annotation=prod=Chromium --annotation=ver=125.0.6422.26-devel --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffbca9d99b0,0x7ffbca9d99c0,0x7ffbca9d99d0 | C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: The Chromium Authors Integrity Level: MEDIUM Description: Chromium Version: 125.0.6422.26 Modules
| |||||||||||||||
| 692 | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome_wer.dll | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe | — | node.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 692 | "C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb" --no-sandbox --disable-back-forward-cache --disable-background-timer-throttling --disable-breakpad --file-url-path-alias="/gen=C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\gen" --force-color-profile=srgb --remote-debugging-pipe --allow-pre-commit-input --disable-databases --disable-gpu-compositing --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3908,i,11623354092492883292,10258592165636618261,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=3836 /prefetch:1 | C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: The Chromium Authors Integrity Level: MEDIUM Description: Chromium Version: 125.0.6422.26 Modules
| |||||||||||||||
| 944 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | PrintDeps.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1084 | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\notification_helper.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe | — | node.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1112 | powershell -NoProfile Get-StartApps | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | sage-windows-amd64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1184 | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\node.exe C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\cli.js install chromium | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\node.exe | — | sage-windows-amd64.exe | |||||||||||
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js JavaScript Runtime Exit code: 0 Version: 20.12.2 Modules
| |||||||||||||||
| 1432 | "C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb" --start-stack-profiler --no-sandbox --disable-back-forward-cache --disable-background-timer-throttling --disable-breakpad --file-url-path-alias="/gen=C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\gen" --force-color-profile=srgb --remote-debugging-pipe --allow-pre-commit-input --disable-databases --disable-blink-features=AutomationControlled --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3376,i,11623354092492883292,10258592165636618261,262144 --enable-features=NetworkService,NetworkServiceInProcess --disable-features=AcceptCHFrame,AutoExpandDetailsElement,AvoidUnnecessaryBeforeUnloadCheckSync,CertificateTransparencyComponentUpdater,DestroyProfileOnBrowserClose,DialMediaRouteProvider,GlobalMediaControls,HttpsUpgrades,ImprovedCookieControls,LazyFrameLoading,MediaRouter,PaintHolding,Translate --variations-seed-version --mojo-platform-channel-handle=3384 /prefetch:1 | C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: The Chromium Authors Integrity Level: MEDIUM Description: Chromium Version: 125.0.6422.26 Modules
| |||||||||||||||
| 1572 | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\node.exe C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\cli.js run-driver | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\node.exe | — | sage-windows-amd64.exe | |||||||||||
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js JavaScript Runtime Version: 20.12.2 Modules
| |||||||||||||||
| 1712 | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe C:\Users\admin\AppData\Local\ms-playwright\chromium-1117\chrome-win\chrome_elf.dll | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\bin\PrintDeps.exe | — | node.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
16 405
Read events
16 355
Write events
46
Delete events
4
Modification events
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid |
Value: 634745c0-7313-4cbd-869a-563700fc03aa | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid_installdate |
Value: 1730049222 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid_enableddate |
Value: 1730049222 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid |
Value: | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid_installdate |
Value: 0 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium |
| Operation: | write | Name: | metricsid_enableddate |
Value: 0 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default |
| Operation: | write | Name: | media.cdm.origin_data |
Value: 806FC6108C9C6CE5083FBA32142CB9EA8F419AA5546B3C079CA642CC2E1C4650 | |||
| (PID) Process: | (7104) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Chromium\PreferenceMACs\Default |
| Operation: | write | Name: | media.storage_id_salt |
Value: CA1DDE54259E5D5EEA618B03652520CE9BAE5BEFA4D30FCED2A117E0A93431A3 | |||
Executable files
19
Suspicious files
552
Text files
103
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\node.exe | — | |
MD5:— | SHA256:— | |||
| 1112 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:F47787EAEA999C37CDF545D5A05565E2 | SHA256:364B40AC5003737CC8277267108496E34569EE28819D11816032E4151D3F0166 | |||
| 1112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mhwqujde.anp.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ya1k2hki.fpj.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uwezsqq2.s2a.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\cli.js | binary | |
MD5:57B2616B7FA731F2D42009A75CDFB31B | SHA256:A0EF30B76AA5D64D49B74F454A15CB5FDB063149F3CC4758446941B724851F38 | |||
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\lib\cli\driver.js | binary | |
MD5:FFD56F75BA5FA446F8147116E786A6A1 | SHA256:19A6E632491F3C262162ED4E72816F7ADEF60213351388E079951D084EEE7C1D | |||
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\lib\cli\programWithTestStub.js | binary | |
MD5:0B5445EDA7183D861E92F643B6AB15FA | SHA256:5D174F60BB587514E4D5F5D2590255BD179B490A9FF7C4B553D0A22B0BACC8C7 | |||
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\protocol.yml | text | |
MD5:D62BFABD7F0E6809467F0781B52A9546 | SHA256:998E77D57AE92848EE841D9BE4071B68A56D5CF8D18A028520D520ECA8ADE4AF | |||
| 3128 | sage-windows-amd64.exe | C:\Users\admin\AppData\Local\ms-playwright-go\1.44.1\package\lib\common\types.js | binary | |
MD5:A7EF62A133EED5BBAA2A23637D04D13B | SHA256:EDF54261C4DE64F458B044A39A64AF998353D4AB54E16A2AD58349E323ABE3D3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
81
DNS requests
67
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6232 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
4004 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
4040 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.89:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
4040 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1248 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4360 | SearchApp.exe | 2.19.96.120:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4004 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3128 | sage-windows-amd64.exe | 13.107.246.60:443 | playwright.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4004 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
google.com |
| whitelisted |
login.live.com |
| whitelisted |
playwright.azureedge.net |
| whitelisted |
th.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\playwright_chromiumdev_profile-XXXXXXjVpTbb directory exists )
|
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Roaming/sage directory exists )
|