Overview
overview
10Static
static
Setup (1).exe
windows11_x64
10Setup (10).exe
windows11_x64
10Setup (11).exe
windows11_x64
10Setup (12).exe
windows11_x64
10Setup (13).exe
windows11_x64
10Setup (14).exe
windows11_x64
10Setup (15).exe
windows11_x64
10Setup (16).exe
windows11_x64
10Setup (17).exe
windows11_x64
10Setup (18).exe
windows11_x64
10Setup (19).exe
windows11_x64
10Setup (2).exe
windows11_x64
10Setup (20).exe
windows11_x64
10Setup (21).exe
windows11_x64
Setup (22).exe
windows11_x64
Setup (23).exe
windows11_x64
1Setup (24).exe
windows11_x64
10Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (28).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
1Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
1742s -
max time network
1776s -
platform
windows11_x64 -
resource
win11 -
submitted
21/08/2021, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win11
Behavioral task
behavioral2
Sample
Setup (10).exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup (11).exe
Resource
win11
Behavioral task
behavioral4
Sample
Setup (12).exe
Resource
win11
Behavioral task
behavioral5
Sample
Setup (13).exe
Resource
win11
Behavioral task
behavioral6
Sample
Setup (14).exe
Resource
win11
Behavioral task
behavioral7
Sample
Setup (15).exe
Resource
win11
Behavioral task
behavioral8
Sample
Setup (16).exe
Resource
win11
Behavioral task
behavioral9
Sample
Setup (17).exe
Resource
win11
Behavioral task
behavioral10
Sample
Setup (18).exe
Resource
win11
Behavioral task
behavioral11
Sample
Setup (19).exe
Resource
win11
Behavioral task
behavioral12
Sample
Setup (2).exe
Resource
win11
Behavioral task
behavioral13
Sample
Setup (20).exe
Resource
win11
Behavioral task
behavioral14
Sample
Setup (21).exe
Resource
win11
Behavioral task
behavioral15
Sample
Setup (22).exe
Resource
win11
Behavioral task
behavioral16
Sample
Setup (23).exe
Resource
win11
Behavioral task
behavioral17
Sample
Setup (24).exe
Resource
win11
Behavioral task
behavioral18
Sample
Setup (25).exe
Resource
win11
Behavioral task
behavioral19
Sample
Setup (26).exe
Resource
win11
Behavioral task
behavioral20
Sample
Setup (27).exe
Resource
win11
Behavioral task
behavioral21
Sample
Setup (28).exe
Resource
win11
Behavioral task
behavioral22
Sample
Setup (29).exe
Resource
win11
Behavioral task
behavioral23
Sample
Setup (3).exe
Resource
win11
Behavioral task
behavioral24
Sample
Setup (30).exe
Resource
win11
Behavioral task
behavioral25
Sample
Setup (31).exe
Resource
win11
Behavioral task
behavioral26
Sample
Setup (4).exe
Resource
win11
Behavioral task
behavioral27
Sample
Setup (5).exe
Resource
win11
Behavioral task
behavioral28
Sample
Setup (6).exe
Resource
win11
Behavioral task
behavioral29
Sample
Setup (7).exe
Resource
win11
Behavioral task
behavioral30
Sample
Setup (8).exe
Resource
win11
Behavioral task
behavioral31
Sample
Setup (9).exe
Resource
win11
Behavioral task
behavioral32
Sample
Setup.exe
Resource
win11
General
-
Target
Setup (14).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
description pid Process procid_target PID 4672 created 4592 4672 WerFault.exe 79 -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4540 4592 WerFault.exe 79 -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies data under HKEY_USERS 49 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs sihclient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs sihclient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs sihclient.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates sihclient.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordLength = "8" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates sihclient.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs sihclient.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4540 WerFault.exe 4540 WerFault.exe 3424 msedge.exe 3424 msedge.exe 4976 msedge.exe 4976 msedge.exe 2972 identity_helper.exe 2972 identity_helper.exe 1032 msedge.exe 1032 msedge.exe 1032 msedge.exe 1032 msedge.exe 3540 identity_helper.exe 3540 identity_helper.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeRestorePrivilege 4540 WerFault.exe Token: SeBackupPrivilege 4540 WerFault.exe Token: SeBackupPrivilege 4540 WerFault.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe Token: SeTcbPrivilege 2216 svchost.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4976 msedge.exe 4976 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4672 wrote to memory of 4592 4672 WerFault.exe 79 PID 4672 wrote to memory of 4592 4672 WerFault.exe 79 PID 4976 wrote to memory of 4660 4976 msedge.exe 106 PID 4976 wrote to memory of 4660 4976 msedge.exe 106 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 2832 4976 msedge.exe 107 PID 4976 wrote to memory of 3424 4976 msedge.exe 108 PID 4976 wrote to memory of 3424 4976 msedge.exe 108 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110 PID 4976 wrote to memory of 668 4976 msedge.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"C:\Users\Admin\AppData\Local\Temp\Setup (14).exe"1⤵PID:4592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 15682⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4540
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv AQ4ciwWch0+5spMnjZvMow.0.21⤵
- Modifies data under HKEY_USERS
PID:4516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4592 -ip 45921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4820
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:3168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f147182⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:22⤵PID:2832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵PID:668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:1688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:2548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:12⤵PID:4956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:82⤵PID:4732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵PID:4864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4700 /prefetch:82⤵PID:4148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1240 /prefetch:82⤵PID:3248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5284 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:82⤵PID:3908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4888 /prefetch:82⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1040 /prefetch:82⤵PID:1176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4780 /prefetch:82⤵PID:1852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:12⤵PID:4464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:82⤵PID:4644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,9203466305192266744,15148699007926329741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:4384
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:4416
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵PID:2496
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f146f8,0x7ffa20f14708,0x7ffa20f147182⤵PID:4404
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
PID:5020