Analysis
max time kernel: 270s
max time network: 332s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2022 15:36

Behavioral task: behavioral1
Sample: d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
Resource: win7-20220901-en
General
Target: d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
Size: 161KB
MD5: 59a50fc74408a0c6a8016dce13e585a5
SHA1: 16793487424807c3ae7b6218b9cf5effff141e6e
SHA256: d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e
SHA512: 16ddfccd03853a720ca66e9f89090b80076466d85e5391c132bf747ef0e4091c5554ae4987d014ac11f7f9f9668b4d6171f709da5733e08387339764e3477d23
SSDEEP: 3072:1HIENA6jJVHO585ZI/0gPQLUmTw4Pf/W8WzQJJ5oziS:ym9VHQWgPQL1rne86kJ5S
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/4424-132-0x0000000000400000-0x0000000000482000-memory.dmp | upx
behavioral2/memory/4424-137-0x0000000000400000-0x0000000000482000-memory.dmp | upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe

Loads dropped DLL 1 IoCs
pid | Process
2124 | regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034} | regsvr32.exe

Drops file in System32 directory 7 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\c.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\m.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\m3.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\s.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\gjgsys.dll | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\p.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe
File created | C:\Windows\SysWOW64\sf.ico | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\ios.dat | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 60 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko.1 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko\ = "cvshost32" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ = "_IvvlbbdEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko.1\ = "cvshost32" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "njdbh7 Library" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\ = "cvshost32" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ = "_IvvlbbdEvents" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko\CLSID\ = "{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ = "Ivvlbbd" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\VersionIndependentProgID\ = "JopaBlizko" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ = "Ivvlbbd" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko\CurVer | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko\CurVer\ = "JopaBlizko.1" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\InprocServer32\ = "C:\\Windows\\SysWow64\\gjgsys.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ProxyStubClsid32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B59993BF-D41F-427A-B7D0-EC11F4D6FB26}\TypeLib\Version = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko.1\CLSID\ = "{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\gjgsys.dll" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68D9B1ED-EB73-428A-B20A-24C8C9FFB984}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JopaBlizko.1\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A7D5DFA9-9F96-492F-B1F5-4D1385C8E034}\ProgID\ = "JopaBlizko.1" | regsvr32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1036 | msedge.exe
1036 | msedge.exe

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1720 | msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs
(64 write events in the report; repeated identical entries are shown once)
description | pid | Process | procid_target
PID 4424 wrote to memory of 2124 | 4424 | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe | 82
PID 4424 wrote to memory of 1720 | 4424 | d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe | 84
PID 1720 wrote to memory of 2560 | 1720 | msedge.exe | 86
PID 1720 wrote to memory of 1624 | 1720 | msedge.exe | 89
PID 1720 wrote to memory of 1036 | 1720 | msedge.exe | 90
PID 1720 wrote to memory of 1156 | 1720 | msedge.exe | 92
Processes

C:\Users\Admin\AppData\Local\Temp\d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d7c554e6be24b8e353b89ea2441c46a0468ff4f4fb54ace3b039484de3cf957e.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4424

  C:\Windows\SysWOW64\regsvr32.exe  (depth 2)
    Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\gjgsys.dll
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID: 2124

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 2)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://configupdatestart.com/bind2.php?id=3913469
    - Enumerates system info in registry
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1720

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff8a11e46f8,0x7ff8a11e4708,0x7ff8a11e4718
      PID: 2560

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4755634580286794610,16870958592652823573,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
      PID: 1624

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4755634580286794610,16870958592652823573,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1036

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (depth 3)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4755634580286794610,16870958592652823573,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3220 /prefetch:8
      PID: 1156

C:\Windows\System32\CompPkgSrv.exe  (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2632
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 272KB
MD5: 350389796f77883f91933203ca6aa448
SHA1: 49c470a38b7e48a4b9a673580f22b4aa8268016d
SHA256: 977818d61f8a496bfafca28023b7aa2556231027bbd09cd20ff9abaef728cfb5
SHA512: 842ed73aba67e7b79c2cc7c8f7e39c2fafa6dd5e0983388c8b30dd02e2af9a5bab466cb3b7e65b4d9c0151d93fd49858b00fcd18d0baf70a87ee5721d8b17bd3

Filesize: 272KB
MD5: 350389796f77883f91933203ca6aa448
SHA1: 49c470a38b7e48a4b9a673580f22b4aa8268016d
SHA256: 977818d61f8a496bfafca28023b7aa2556231027bbd09cd20ff9abaef728cfb5
SHA512: 842ed73aba67e7b79c2cc7c8f7e39c2fafa6dd5e0983388c8b30dd02e2af9a5bab466cb3b7e65b4d9c0151d93fd49858b00fcd18d0baf70a87ee5721d8b17bd3