Resubmissions
- 14/02/2023, 18:11: 230214-wstyasee8t (score 7)
- 14/02/2023, 18:03: 230214-wm3cgsfb33 (score 1)
- 14/02/2023, 17:47: 230214-wdbheaed7s (score 6)

Analysis
- max time kernel: 597s
- max time network: 600s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/02/2023, 17:47
Static task
- static1

Behavioral task
- behavioral1
  - Sample: f3cf52689d6f1e14cb5465a71f0ee7021abcb23748357402db53fb04df020da5
  - Resource: win7-20220812-en

Behavioral task
- behavioral2
  - Sample: f3cf52689d6f1e14cb5465a71f0ee7021abcb23748357402db53fb04df020da5
  - Resource: win10v2004-20221111-en
General
- Target: f3cf52689d6f1e14cb5465a71f0ee7021abcb23748357402db53fb04df020da5
- Size: 1.5MB
- MD5: f14c3274dad7bfc80b5ca15d99c10927
- SHA1: 622c7a39c64ce43edcdc6bb316b446244c00879a
- SHA256: f3cf52689d6f1e14cb5465a71f0ee7021abcb23748357402db53fb04df020da5
- SHA512: 23382ec77a1a22ed0df5972c4487972adf8b38cb1b4eeca52e63e5cd8e23620830456bc253d48cbb650e88f151050c72334025848a267a8af95f6c3085bb491e
- SSDEEP: 49152:Do8eGalAsGPnBprM8Pvzo8b3kjQORxshYmkrM8PvP:k8eGjssnBnvU8b0jQORx4YHvP
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run (msedge.exe)

- Drops file in Program Files directory (2 IoCs)
  - File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\88cdaf11-2431-479e-bcbd-76306678b104.tmp (setup.exe)
  - File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230214185715.pma (setup.exe)

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

- Modifies registry class (22 IoCs)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 03000000020000000100000000000000ffffffff (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = 00000000ffffffff (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\MRUListEx = ffffffff (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 = 19002f433a5c000000000000000000000000000000000000000000 (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0 (OpenWith.exe)
  - Set value (int): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0\NodeSlot = "5" (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (OpenWith.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3 (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\0 = 8c003100000000006b556573110050524f4752417e310000740009000400efbe874fdb494e5624972e0000003f0000000000010000000000000000004a0000000000b0897300500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 (OpenWith.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" (OpenWith.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (OpenWith.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (OpenWith.exe)
  - Set value (data): \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 (OpenWith.exe)

- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  - PID 4396 msedge.exe (2 events)
  - PID 3400 msedge.exe (2 events)
  - PID 4584 identity_helper.exe (2 events)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  - PID 3784 OpenWith.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  - PID 3400 msedge.exe (all 6 events)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  - Token: 33, PID 3396 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, PID 3396 AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (4 IoCs)
  - PID 3400 msedge.exe (all 4 events)

- Suspicious use of SetWindowsHookEx (36 IoCs)
  - PID 3784 OpenWith.exe (all 36 events)

- Suspicious use of WriteProcessMemory (64 IoCs)
  - PID 3400 msedge.exe wrote to memory of PID 5076 (procid_target 100), 2 events
  - PID 3400 msedge.exe wrote to memory of PID 316 (procid_target 102), 40 events
  - PID 3400 msedge.exe wrote to memory of PID 4396 (procid_target 103), 2 events
  - PID 3400 msedge.exe wrote to memory of PID 1984 (procid_target 104), 20 events
Processes
- C:\Windows\system32\cmd.exe (PID 5060)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\f3cf52689d6f1e14cb5465a71f0ee7021abcb23748357402db53fb04df020da5

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3400)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:?url=https%3A%2F%2Fwww.bing.com%2Fsearch%3Fq%3D.one%26form%3DWNSGPH%26qs%3DSW%26cvid%3Da7aa16b3a514482699a74d98e24e582b%26pq%3D.one%26cc%3DUS%26setlang%3Den-US%26nclid%3D8C922EBE40031A9B9519ED93DE46A449%26ts%3D1676401020753%26nclidts%3D1676401020%26tsms%3D753&timestamp=1676401020753&source=WindowsSearchBox&campaign=addedgeprot&medium=AutoSuggest
  Signatures: Adds Run key to start application; Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5076)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff6df346f8,0x7fff6df34708,0x7fff6df34718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 316)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4396)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2476 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1984)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 904)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1344)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4960 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4028)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1732)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2948)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5008 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3484)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4624)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 868)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4412)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    Signatures: Drops file in Program Files directory
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe (PID 4612)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff693915460,0x7ff693915470,0x7ff693915480
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4584)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17363204215140415183,11641849115881843139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 2972)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\system32\AUDIODG.EXE (PID 3396)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x304
  Signatures: Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (PID 2220)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\OpenWith.exe (PID 3784)
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx