6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Size

100KB
MD5

30176318f2356a0a46b9e5261a7f9410
SHA1

051de56145c2cc4a27e9d23affc817011e26b34e
SHA256

6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e
SHA512

702777b43d69f4577edfd73f5cf62723958ca4fe09a920d39466fc2282cfe87848c7ce77a9d63bcd96e6c3cfce40c6fe5ce21a31da71b23e15d91da061165605
SSDEEP

1536:EIzNykHzvBL2yx8zUpZamCSgd2oujiiF87/aeAZxdMBhGMDkOgU5kj6IvOTM5ZZW:tyYrBL2yxWmCzd2d87qix4OgUWvOJ

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2588	netsh.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Oturum Yöneticisi = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Oturum Yöneticisi.exe\""	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3e5d972f-f038-49c4-977d-e5d536539fa6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221211080129.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\MIME\Database	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
4988	msedge.exe
4988	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe
5676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4988	msedge.exe
4988	msedge.exe
4988	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4468	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	83
PID 3400 wrote to memory of 4468	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	83
PID 3400 wrote to memory of 4468	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	83
PID 3400 wrote to memory of 4124	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	84
PID 3400 wrote to memory of 4124	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	84
PID 3400 wrote to memory of 4124	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	84
PID 3400 wrote to memory of 2588	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	87
PID 3400 wrote to memory of 2588	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	87
PID 3400 wrote to memory of 2588	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	87
PID 3400 wrote to memory of 1528	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	89
PID 3400 wrote to memory of 1528	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	89
PID 3400 wrote to memory of 1528	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	89
PID 3400 wrote to memory of 2232	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	90
PID 3400 wrote to memory of 2232	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	90
PID 3400 wrote to memory of 2232	3400	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe	90
PID 2232 wrote to memory of 3708	2232	net.exe	93
PID 2232 wrote to memory of 3708	2232	net.exe	93
PID 2232 wrote to memory of 3708	2232	net.exe	93
PID 1528 wrote to memory of 4884	1528	net.exe	94
PID 1528 wrote to memory of 4884	1528	net.exe	94
PID 1528 wrote to memory of 4884	1528	net.exe	94
PID 828 wrote to memory of 4988	828	explorer.exe	95
PID 828 wrote to memory of 4988	828	explorer.exe	95
PID 4988 wrote to memory of 1328	4988	msedge.exe	97
PID 4988 wrote to memory of 1328	4988	msedge.exe	97
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99
PID 4988 wrote to memory of 4476	4988	msedge.exe	99

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe

C:\Users\Admin\AppData\Local\Temp\6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe
"C:\Users\Admin\AppData\Local\Temp\6dea7398e16808fb79e95e9df606aa4a00f88cb2d716201dc95c64403ca2d63e.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:4468
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe http://www.google.com.tr/
  2⤵
  PID:4124
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall set opmode disable
  2⤵
  - Modifies Windows Firewall
  PID:2588
- C:\Windows\SysWOW64\net.exe
  net stop security center
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop security center
    3⤵
    PID:4884
- C:\Windows\SysWOW64\net.exe
  net stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop WinDefend
    3⤵
    PID:3708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.com.tr/
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ff98fd546f8,0x7ff98fd54708,0x7ff98fd54718
    3⤵
    PID:1328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    3⤵
    PID:4608
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:2080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:5020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    PID:728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
    3⤵
    PID:4812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    PID:4032
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6f2555460,0x7ff6f2555470,0x7ff6f2555480
      4⤵
      PID:4916
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
    3⤵
    PID:5496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1740 /prefetch:8
    3⤵
    PID:5572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4026798523573069049,16575836111400419048,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1464 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5676