Resubmissions
- 10/05/2023, 16:51  230510-vdaenshb79  7
- 10/05/2023, 16:48  230510-vbkgvshb73  7
- 10/05/2023, 16:45  230510-t9wr4sag9w  7
- 10/05/2023, 16:45  230510-t9ll5sag9v  7
Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2023, 16:48
Behavioral task: behavioral1
- Sample: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe
- Resource: win10v2004-20230220-en
General
- Target: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe
- Size: 277KB
- MD5: adeaee20a2a55c73b0e8871a1ec4e4b1
- SHA1: 1fd6e2b2e04d17ef2b990b9338aa48ddf6e547ae
- SHA256: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054
- SHA512: 7db1a7c485b7020bb3ef284e88895afaed70b373c813f6eaa2fe7d98acbb94e23c20d5984e997794a07d52c7b4d05a83bdd5c55d95e8b233b5c5d8ea4ec7f710
- SSDEEP: 6144:HXzKdNY49u8rVEV0IGvWz8mvP6ru01net5Gy:Ya4Az0IGvWXr012
Malware Config
Signatures
- yara_rule: upx
  resource: behavioral2/memory/1684-133-0x00000000003D0000-0x0000000000470000-memory.dmp (rule: upx)
  resource: behavioral2/memory/1684-147-0x00000000003D0000-0x0000000000470000-memory.dmp (rule: upx)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (process: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe)
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d1d62ddc-fb46-4b7a-a81d-6428f7a4b358.tmp (process: setup.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230510164924.pma (process: setup.exe)
- Executes dropped EXE (2 IoCs)
  PID 2708: ITS SB App Switch.exe
  PID 3592: ITS SB App Switch.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (process: msedge.exe)
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  PID 1684: 6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe (4 entries)
  PID 4784: msedge.exe (2 entries)
  PID 804: msedge.exe (2 entries)
  PID 1632: identity_helper.exe (2 entries)
  PID 6108: msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (21 IoCs)
  PID 804: msedge.exe (21 entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token 33: PID 4484 AUDIODG.EXE
  Token SeIncBasePriorityPrivilege: PID 4484 AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 804: msedge.exe (2 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1684 (6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe) wrote to memory of 2708, procid_target 85 (3 entries)
  PID 1684 (6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe) wrote to memory of 3592, procid_target 86 (3 entries)
  PID 804 (msedge.exe) wrote to memory of 2092, procid_target 94 (2 entries)
  PID 804 (msedge.exe) wrote to memory of 4292, procid_target 97 (40 entries)
  PID 804 (msedge.exe) wrote to memory of 4784, procid_target 98 (2 entries)
  PID 804 (msedge.exe) wrote to memory of 2816, procid_target 99 (14 entries)
Processes (indentation shows parent/child; each entry gives the PID and the full command line)
- PID 1684: "C:\Users\Admin\AppData\Local\Temp\6928d305e0f42deda0cd03a35d378aa4a8fd0524983d27e699e8c6a93becb054.exe"
  Signatures: Checks computer location settings; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 2708: "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
    Signatures: Executes dropped EXE
  - PID 3592: "C:\Users\Admin\AppData\Local\Temp\ITS\wincsecb\264\Production\ITS SB App Switch.exe"
    Signatures: Executes dropped EXE
- PID 804: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  - PID 2092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a33346f8,0x7ff9a3334708,0x7ff9a3334718
  - PID 4292: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  - PID 4784: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 2816: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  - PID 1328: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  - PID 1324: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  - PID 1696: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  - PID 4104: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  - PID 2060: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  - PID 3820: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  - PID 4384: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    Signatures: Drops file in Program Files directory
    - PID 236: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff67c265460,0x7ff67c265470,0x7ff67c265480
  - PID 1632: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 1616: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  - PID 3312: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  - PID 4044: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  - PID 4064: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  - PID 1624: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  - PID 4000: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  - PID 5244: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  - PID 5252: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  - PID 5432: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  - PID 5696: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=176 /prefetch:1
  - PID 5972: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  - PID 5184: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  - PID 5604: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  - PID 5420: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  - PID 5996: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  - PID 6064: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7600 /prefetch:8
  - PID 5476: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  - PID 6108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8369916107938702753,2118863979565255941,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1852 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 3940: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 4484: C:\Windows\system32\AUDIODG.EXE 0x340 0x4ac
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 152B
  MD5: 462f3c1360a4b5e319363930bc4806f6
  SHA1: 9ba5e43d833c284b89519423f6b6dab5a859a8d0
  SHA256: fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85
  SHA512: 5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417
- Filesize: 152B
  MD5: d2642245b1e4572ba7d7cd13a0675bb8
  SHA1: 96456510884685146d3fa2e19202fd2035d64833
  SHA256: 3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1
  SHA512: 99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\261534b8-c16b-4efb-87fd-e7739ee40ea9.tmp
  Filesize: 2KB
  MD5: 0b6caebd1e9350ef11410a9553073ad5
  SHA1: 8377154c882ba25e4b186364a4f1285fd10583c6
  SHA256: 0a62e4a3d374900a0533b855f2c386b9e2feaa70901970332a4c801b5faacbd6
  SHA512: 8fd48ba2abf5b70d395aeff1bc67207956eb05f572d006aeefac6eda4060f26c5cda5cfc20c4b4f6754037875d42564656bb5c1651db4adfe1dc02c049ca3bc9
- Filesize: 32KB
  MD5: 856f85cc1b07156fa844b44a10c236c2
  SHA1: 7cef457c0e1cd0c20f4e699564ea8997f0332021
  SHA256: c61aa9ce7b32f93630abac1a4b27382f9333e0ff69477c9d9099070ae0742b01
  SHA512: bc0bb4fdbf799dd4a7d10d806a85de3b47f44bf7fc08aea2f80b39e57c1856759f1789dcf9b0860b9deaa60c6bb97976631d0cfedc4cf5b60a9d8e90cb7c3b79
- Filesize: 24KB
  MD5: fd6a5931452e461da518b42c5c07659a
  SHA1: 6abc1c8a3a1226118b28c568f65e0caf0d54cae7
  SHA256: 2c9e9fee80939d3fd681c8738b59f36d84669446c424a74777804654c10e6db3
  SHA512: 871bdeff4381bad10a14f88db5dc319e8bea27c2776be30ac7f199f1d62c83c17d99de3ea45f1466269288dee40464b0c328f67d94842f9f1db23982a3f59c4b
- Filesize: 346KB
  MD5: 42c2b3ec00a18584834bd620bb32b1f3
  SHA1: daf9e3139262ef6d98efcfef593365802222283f
  SHA256: e38232ee17ee71e19ec5adef5aa18d91b9b3dc940d8200ec668954e7d3b4e2ad
  SHA512: 2121b8bb6ed2672f4f260c5e6c4ed605ff2abaf679d29c7952240a84af6cbae27ef38cac6184e0d023a68a00cedc4db167158ff63696058c33a0f79d1c840a8c
- Filesize: 161KB
  MD5: d0689623f131fcb540b6b70ff1c8b55a
  SHA1: 50726cae90a7d1cd36246d1d929a2ab77a785de6
  SHA256: 345aa90fb35c263b36c1fbe3dbe0d4151029eb80bebb0b759b5344960e950883
  SHA512: e7ba0546266d2e798912cae355aad65b73fa8c108349ea73074700701e55617c46a49edf531e2424a98aee1d85ce340ce94def0b121eaa191c0e510074fe58c3
- Filesize: 1024KB
  MD5: 2f80fb118990d37f1623bbca6b950313
  SHA1: 6ca8638a311829a91985c11f6b7beefa17300b55
  SHA256: 6ea4783ecbd75a034c912aaaf99ff627eed83631bb319bc67d7c69cee241f650
  SHA512: 5eaca9e6499e81ca8bd6eb816a09b170d98f3f0749639cb95d7fdfad6fd996afa74c516d46d2ff6800a56bf66e05a7f4ebec2894e8268602a5a12231d8014b53
- Filesize: 1024KB
  MD5: a2c0b83487ce731802a07282dc2bef74
  SHA1: a9616f203ac3b700a57d4efba7a8dd00b44a8165
  SHA256: 4a6bf2dee3514558491845582c2cfdfafb41c2f87168a6884d2e7c2bcafa74af
  SHA512: 587d74852a5a6c67d68ff4fbd0638f69c4b3f6cc875fc1076eae8e6adbca688a6a32bc915bcdce17d77e09b10aa4da476617ba39acded0a216d04cce98f4ecb4
- Filesize: 1024KB
  MD5: f460fb62a2749f07015fbc60edf62113
  SHA1: a01519cd9c3609b2a86f02e2a7c11f57ac141f76
  SHA256: f717ccb0c2a8401b006de48cd5a2b3bd031a7ca666526ec632c7de0b5d1da21f
  SHA512: 879376cd4a028077261fdccc68ca8322a62ec72abffc3411af3b5bd96410b2d96173c988acc87e9d80a0e0084cf0973e7da533cd4a7faed1edeffe70c1b364e0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 1KB
  MD5: e256dfd145bb1f89f48f193903e4c02f
  SHA1: f2891acd419f89725d93b17b4e00c777645c3f16
  SHA256: f1cb999fa85063d2a282f8c7a3a0d548428344413fc8793c9a3839971e40aae5
  SHA512: 90f8546265d7e2aff261ea8b539bf737fe103e071aa25392dddd6f87a41740c3c7c217d69386241b996c8e96c5c0142b5ed6068d9b977f060822842cd0891d45
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583dfe.TMP
  Filesize: 48B
  MD5: aca2e1a43e9f857d1aebdbe44838fc83
  SHA1: c4694816126b116dc91d77dcc3657241c9ab1e6d
  SHA256: cbc0cdd2d263149d8ac0afee6cb90a0c5c2ac630f6cbed2e0d3beb60ef2e4307
  SHA512: e8cca8f63d02915b68c94a0e416cfebab33af66cb2859a7eea90b061b23aaae7d1107a47c5c786b8312109fedf403236f1a9d5c820fb78d9e270391a398838d4
- Filesize: 70KB
  MD5: e5e3377341056643b0494b6842c0b544
  SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
  SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
  SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize: 2KB
  MD5: ac12d72bae241ac38f90a885bee2c7fe
  SHA1: ad1aa0cbd6ef6af111469cb29589fdce499a571a
  SHA256: 4ab057430e83622cf0b97d60d30b3f70947eea7a525519d6c85de2f581cdc6d3
  SHA512: d097f46c3b3f0c5f3def12b62145d3a52f323f0cb3a802738b78dc4729fe05760ae47d04dad6b7fda341f3d4e656d86797d538c2e3b9e0e92c272a8e4182a2f4
- Filesize: 5KB
  MD5: b056e8827da271214c58e190fd813b32
  SHA1: 131a33d395d0840ab83de034c09fadf07f7329f0
  SHA256: 9333c4e3f2e3ff28096061d2dc446bcc1162ec86ebe7320b0969af453344cc10
  SHA512: ed5701618de739867eafca59ec16715e91e14f2f2c48a39fd9cca273e7df7defb036ade197c0a83660a4f961fa6dccda46da93d79b7fb36bf72d8de7e1d5d63f
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 4KB
  MD5: 55ce29bf1cc6219be84afe9c757deaa0
  SHA1: 0749d38fa3f74729ecb1a61edcc8748119f36e1f
  SHA256: becfce228491050b7bdde56cd8d5b453372caaa650c449969e3bfe63da8f6205
  SHA512: 793850419fbd4e53f79ecc493d30be4e921e4254edd24ca1ff91b7bc1802f72c61a062274f63efa5ff1cf4746b00175e90e7c294ec7d1c1e9aad9cd7f3334b1a
- Filesize: 5KB
  MD5: 09ab8113ec294a51a676b34493525a1d
  SHA1: 6cb865777f2d08251abc87bf40c0b381ded97286
  SHA256: 0a04cefb8666bce19fb8e88a22eed94efb944fb4728b20da06ed13130642883e
  SHA512: 38f664ca43c4e3c48cc6d7eb2c1d35d609524c041fa13f6c967c35ae2ab7dd22f7356e13bb9a397f753655f009cfc659f1806811b4d3c1782bb08e1afe87da16
- Filesize: 6KB
  MD5: ddd2ca091901b5bb4c92352f472260e9
  SHA1: 6c13358b3c20432f3a36765da383b8eea56546f1
  SHA256: 212c07c4b75e69b6a601bb32463bf9c0264d5645a578046c8fc7807a5d016824
  SHA512: 8540b3a808def0f6a2e133e7e7d0bae5d0180c56e89e4cce5ac59460cc0ba0dd747ba5b1c06bdf8bd6742c2b383f035525f3fe23f347a16e516a2aca69f3f56a
- Filesize: 6KB
  MD5: 5f5937163b4c9fb552ada452df2a6260
  SHA1: 097280540d56e068ffcd1862c30af87d77f54dd9
  SHA256: bf6ca828d0a5a53b2ee45256287697696c2194347fa838471e44396eda293371
  SHA512: 56f8100f8dde2d28131f42c981e0c312fa2a9042c0ef3987bd52214cd8eb8d9ee3b579106e7bdbb6fc6e6321af97ca6eae71de7573858747aa4dd3d27cd7f4f3
- Filesize: 7KB
  MD5: 5ea55389d08b9690f1037f11ec052031
  SHA1: 4c07e1dc67d77f4da260a68311c45e5fdf0fc033
  SHA256: 4615d116231cdce94febb5e1be0d85c43430eb2a917bcfcd82e7216c8862d683
  SHA512: 44d389788d7352f1e15d9daee0f3de058420a1402a5f784c8664acb9e352a769b3eed81222953b53bf763468120a730e0467a2b87b5a682360cb26fc8a7675b4
- Filesize: 24KB
  MD5: 130644a5f79b27202a13879460f2c31a
  SHA1: 29e213847a017531e849139c7449bce6b39cb2fa
  SHA256: 1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1
  SHA512: fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01
- Filesize: 24KB
  MD5: 69b72d0a4a2f9cbec95b3201ca02ae2f
  SHA1: fcc44ae63c9b0280a10408551a41843f8de72b21
  SHA256: 996c85ab362c1d17a2a6992e03fdc8a0c0372f81f8fad93970823519973c7b9c
  SHA512: 08d70d28f1e8d9e539a2c0fbac667a8447ea85ea7b08679139abbbbb1b6250d944468b128ed6b386782f41ca03020e3a82491acb1fe101b09635d606b1a298be
- Filesize: 2KB
  MD5: c03f4d77f1386aca721dfbdeb4379c82
  SHA1: f1c65a1b180df28aadb67077c2cb1b731dbdc943
  SHA256: d02a07974e8edd7e2d8e41a30a0588bfcd5eed03e0af8a9578b847bebb8d9140
  SHA512: d414dc3658a8d492e15382524034a7b556f4e340f9278d0b829118ea3de7f22a7b11888db4d1820e4f401f00852b5a5693d888ec37a9e7f02f157ca762e1a40b
- Filesize: 538B
  MD5: 0b30f8fb601955953d4715b37f0acae2
  SHA1: cea5ef363e39fa56f022119ea7ac0b317115137d
  SHA256: 2244297015f67c23dcecebae9afcfd8ff7791f9b4944f2a1e7668d237172ec35
  SHA512: 68d621bc72b533f86f9b596f33e00559d8186a859aec3890f1fd671e5cad1d772ca1a8ee53c1c55a2f18d692b2d22250d80ebd772cb66946b0d05ff4a8d58aee
- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize: 41B
  MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
- Filesize: 9KB
  MD5: 3c9100de315012a9ba2cd7f634e67965
  SHA1: efc35a0af429e684194b7c096da2f6e9eef547a0
  SHA256: ff1c246d397753aa25400266c55ff502501062746c55e9da69fedd4fdaa53503
  SHA512: 3a1dbe91310e3bb2a42aa4bc4c924f53fb220bc7b05f4f543fb3b445f8bb8c8a7f78c712944a6a0e8ba725a6757b37f250ec0e5ab347de45e8d0d38070b1b56b
- Filesize: 12KB
  MD5: a04edff169f8cacb82e6326abb5db665
  SHA1: 667a9454cb62c0063727a31a5c170de769a8f506
  SHA256: 468cbb01ec160e778b38c5b7a74866b9551a2b4bf5827ee07bdae711aed33f48
  SHA512: 470762ab1ac6fb6005fdf39aa3efd76439f727264a8f571677fdb1ebf86fcebc94271a5d0fc49b2e9fe4ee8ee77fae718fcd6820370805e21791a1c8cea91836
- Filesize: 87KB (listed three times in the report with identical hashes)
  MD5: 368332fca74f48697d842c5f4698ae1d
  SHA1: 0275153a1e62bd0eca0b02168895517ed66aac56
  SHA256: 3a4a5b128c3a042010824fd33b719466b0d9320aa051ca3d5f1690124766ad59
  SHA512: fd9f1d1a4337e00fef5e9ea10a7fdf553e98df2cf2fdf818b68689a89de3c1d324de389e0c9ef863fef08a3dff8150db173b2203e9e92efaea67865e8d2805b5
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 3KB
  MD5: 80401c0fc961715bfd9ea0d7e6c81fa0
  SHA1: ab9b21cb3fd0f0cd4f7e84b8f9a8b2e124e280ef
  SHA256: 02ced62383b23d576a91e2f36165343bbeff9283323dc4ad5d9a045f70e9193e
  SHA512: 03b3a5692989b8f7857706be5ac63da5805a55ec9eb784b9f8dd7425879111ffd27ba790a088832ab2dd4dcee4d60637b8ced923460352236338329e361ad2c4