Analysis
- max time kernel: 151s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/12/2022, 18:26
Behavioral task: behavioral1
- Sample: 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe
- Resource: win10v2004-20220901-en
General
- Target: 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe
- Size: 836KB
- MD5: 83ecba294e7e30467f9aae0397175b81
- SHA1: 441a86c928101e3441ab2ae8e8e62e173b0b3d00
- SHA256: 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024
- SHA512: d2ca39863a65a4e3eff42c660285337b0ae32543ef3c863226f1d1b5212ced2ea51ca40261c0174edd13e8922ef8bb8c6fc9cd2911230dac2bd2bdc48d5864e3
- SSDEEP: 24576:qKVsmm/LW+VAtm5no1KRGmsVRM2wpnd8gQj:DY/LnA62KRG7VRT0dEj
Malware Config
Signatures
- YARA rule match (yara_rule: vmprotect)
  resource: behavioral2/memory/5004-132-0x0000000000400000-0x00000000005AD000-memory.dmp
  resource: behavioral2/memory/5004-135-0x0000000000400000-0x00000000005AD000-memory.dmp
  resource: behavioral2/memory/5004-138-0x0000000000400000-0x00000000005AD000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run (Process: msedge.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 11: www.checkip.org
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d878b4ce-8cf1-4abf-91bc-3ae39aea10a7.tmp (Process: setup.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221206224507.pma (Process: setup.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: msedge.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Process: msedge.exe)
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  PID 5004 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe (28 entries)
  PID 544 msedge.exe (2 entries)
  PID 2904 msedge.exe (2 entries)
  PID 3996 identity_helper.exe (2 entries)
  PID 2324 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  PID 2904 msedge.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  Token: SeDebugPrivilege, PID 5004 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe (9 entries)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 2904 msedge.exe (3 entries)
- Suspicious use of SetWindowsHookEx (3 IoCs)
  PID 5004 54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe (3 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; repeated entries collapsed, listed by source PID, source image, target PID and procid_target)
  PID 5004 (54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe) wrote to memory of 2904 (procid_target 82)
  PID 2904 (msedge.exe) wrote to memory of 2656 (procid_target 83)
  PID 2904 (msedge.exe) wrote to memory of 1488 (procid_target 86)
  PID 2904 (msedge.exe) wrote to memory of 544 (procid_target 87)
  PID 2904 (msedge.exe) wrote to memory of 4944 (procid_target 89)
Processes
- C:\Users\Admin\AppData\Local\Temp\54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe (PID 5004)
  Command line: "C:\Users\Admin\AppData\Local\Temp\54df29f1f4f7f20c2b963b58b4ea25928123b8f68ab040fdbf8d4852535ee024.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2904)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://synboz.com/
    Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2656)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd525746f8,0x7ffd52574708,0x7ffd52574718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1488)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 544)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4944)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2552)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1084)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4284)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5348 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5020)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5644 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5104)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2724)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2496)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 2204)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      Signatures: Drops file in Program Files directory
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4284)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x220,0x230,0x7ff653f95460,0x7ff653f95470,0x7ff653f95480
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3996)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1680)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6596 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3352)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4000)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2324)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1884 /prefetch:2
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2604)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2140,15183747544987288567,4959190374996973808,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 /prefetch:8
- C:\Windows\System32\CompPkgSrv.exe (PID 4280)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: b0a042e2e7b0e4ffd8774a10d2d4f418
  SHA1: dbe2ab9066f96c09be7a64f73107225f0cf022da
  SHA256: 2b01d2c1cb508c48ceaf433f6cdef6d03ae47d2e474044863ef7a630976956d9
  SHA512: 9374a25065761868869b396af3dda24e6f3cc3b071574df83d128819164f528aab81d5b9ecb9f16d5612e3f00472ad47d7e138b9615ba188895be83b2d7b7960
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: f569e1d183b84e8078dc456192127536
  SHA1: 30c537463eed902925300dd07a87d820a713753f
  SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 73fb1ce93455611c0b5d845e00552992
  SHA1: 664b5ca558f78be3959313615e1c6f8dbd28a017
  SHA256: 03d62f79997867d8f976ddc7eb9e490a39048bc066da4e6a7e2ff36f854bd6b8
  SHA512: 9692a44935adbc27b13660c955343e9e1bc57ac429c6f7b884b65becef892cdc662adcc1578779de406e03592a159a284c1b11e6e9f08a5400a26760f1311e79
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: a26e594a02656e6e250d9b5ca18e587e
  SHA1: a7240409ba5e6f66574c56409e6242b9d8a6e1c1
  SHA256: 2b9c645d0c3cbc0ba59cb769217c4b7ed7a0dcf2a3985e754257294cddfa3521
  SHA512: 0e283cc8519c20f6c7030b892c8d2f783c927b375b0134d8ee19a4311800b6b261708acc24206c05d1e4f26b9325e1ee26807e1bea4ba88fefc1c8152f2de195