Analysis
- max time kernel: 148s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08/11/2022, 21:52
Behavioral task: behavioral1
- Sample: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- Resource: win7-20220812-en

Behavioral task: behavioral2
- Sample: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- Resource: win10v2004-20220812-en
General
- Target: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- Size: 617KB
- MD5: 0e8fb5ec5566befa08c757351491cb70
- SHA1: 236c310aa65f46e8b41111d83774e4339dd0fcac
- SHA256: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c
- SHA512: fcb58f9eb1f2d41826e7307b25f601eefbb6a00e8152dae8ec7beed2b379c864040fb9222adcb12dc7564979af6a03002a765ccdb61bccebbc4feed3eb41468e
- SSDEEP: 12288:XlQzsQQ+Cq7PQVHV63VXT4d0lyxuHUsrskfeabs:VQQQZt4V16lXkdP7UskGQs
Malware Config
Signatures
YARA rule matches (resource / yara_rule)
- behavioral2/files/0x0003000000000723-134.dat: aspack_v212_v242
- behavioral2/files/0x0003000000000723-135.dat: aspack_v212_v242
Executes dropped EXE (1 IoCs)
- pid 3752, Process copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
Adds Run key to start application (2 TTPs, 1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: msedge.exe)
Drops file in Program Files directory (2 IoCs)
- File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\64e94fba-d944-407a-b01e-826bd475b2ad.tmp (Process: setup.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221110052439.pma (Process: setup.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
Modifies Internet Explorer settings
- Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
Modifies registry class (2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Process: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (58 IoCs; repeated pid/Process rows collapsed to distinct entries)
- pid 3752, Process copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- pid 3876, Process bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- pid 4280, Process msedge.exe
- pid 1452, Process msedge.exe
- pid 1324, Process identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs; repeated rows collapsed)
- pid 1452, Process msedge.exe
Suspicious use of FindShellTrayWindow (2 IoCs; repeated rows collapsed)
- pid 1452, Process msedge.exe
Suspicious use of SetWindowsHookEx (4 IoCs; repeated rows collapsed)
- pid 3876, Process bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
- pid 3752, Process copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed to distinct entries)
- PID 3876 wrote to memory of 3752 (pid 3876, Process bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe, procid_target 82)
- PID 3876 wrote to memory of 1452 (pid 3876, Process bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe, procid_target 87)
- PID 1452 wrote to memory of 4332 (pid 1452, Process msedge.exe, procid_target 90)
- PID 1452 wrote to memory of 1516 (pid 1452, Process msedge.exe, procid_target 95)
- PID 1452 wrote to memory of 4280 (pid 1452, Process msedge.exe, procid_target 96)
- PID 1452 wrote to memory of 1680 (pid 1452, Process msedge.exe, procid_target 97)
Processes
- C:\Users\Admin\AppData\Local\Temp\bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe (PID 3876)
  Command line: "C:\Users\Admin\AppData\Local\Temp\bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe"
  Signatures:
  - Checks computer location settings
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe (PID 3752)
    Command line: "C:\Users\Admin\AppData\Local\Temp\copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe" C:\Users\Admin\AppData\Local\Temp\copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1452)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://jc.110160.com/ad.htm
    Signatures:
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4332)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8845846f8,0x7ff884584708,0x7ff884584718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1516)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4280)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1680)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4212)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1428)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5008)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5432 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 588)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 668)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1308)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5712 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3028)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 3764)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures:
      - Drops file in Program Files directory
      Children:
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4752)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff74fba5460,0x7ff74fba5470,0x7ff74fba5480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1324)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6468 /prefetch:8
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4348)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,13303580115896448256,9997597612617817415,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4172 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 3456)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\copybc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c.exe
  Filesize: 617KB
  MD5: 0e8fb5ec5566befa08c757351491cb70
  SHA1: 236c310aa65f46e8b41111d83774e4339dd0fcac
  SHA256: bc2a85617df8b07e9e8627986ae7ff57e92ed1b134de91fcd6ec6e9e86da7b6c
  SHA512: fcb58f9eb1f2d41826e7307b25f601eefbb6a00e8152dae8ec7beed2b379c864040fb9222adcb12dc7564979af6a03002a765ccdb61bccebbc4feed3eb41468e