Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows11-21h2_x64
  resource: win11-20231215-en
  resource tags: arch:x64, arch:x86, image:win11-20231215-en, locale:en-us, os:windows11-21h2-x64, system
  submitted: 10/02/2024, 16:13
Static task: static1
Behavioral task: behavioral1
  Sample: AnyDesk.exe
  Resource: win11-20231215-en
General
  Target: AnyDesk.exe
  Size: 5.0MB
  MD5: a21768190f3b9feae33aaef660cb7a83
  SHA1: 24780657328783ef50ae0964b23288e68841a421
  SHA256: 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
  SHA512: ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
  SSDEEP: 98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x
Malware Config
Signatures

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
    flow  ioc
    1     discord.com
    25    discord.com
- Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
    Processor information is often read in order to detect sandboxing environments.
    description        ioc                                                                                    Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       AnyDesk.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   AnyDesk.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    description        ioc                                                                   Process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Modifies registry class (1 IoCs)
    description  ioc                                                                                                                                                                                          Process
    Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3632047111-1948211978-3010235048-1000\{4454A16C-8DA9-44B1-9F3E-4EC36FD11C73}  msedge.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
    pid   Process
    1768  msedge.exe
    1768  msedge.exe
    3932  msedge.exe
    3932  msedge.exe
    4224  AnyDesk.exe
    4224  AnyDesk.exe
    4824  msedge.exe
    4824  msedge.exe
    3144  identity_helper.exe
    3144  identity_helper.exe
    972   msedge.exe
    972   msedge.exe
    6104  msedge.exe
    6104  msedge.exe
    6104  msedge.exe
    6104  msedge.exe
- Suspicious behavior: LoadsDriver (6 IoCs)
    pid  Process
    4    Process not Found
    4    Process not Found
    4    Process not Found
    4    Process not Found
    4    Process not Found
    676  Process not Found
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
    pid   Process
    1768  msedge.exe  (18 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
    description                         pid   Process
    Token: 33                           4932  AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege   4932  AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (28 IoCs)
    pid   Process
    1768  msedge.exe   (25 identical entries)
    4540  AnyDesk.exe  (3 identical entries)
- Suspicious use of SendNotifyMessage (15 IoCs)
    pid   Process
    1768  msedge.exe   (12 identical entries)
    4540  AnyDesk.exe  (3 identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
    description                          pid   Process      procid_target
    PID 1768 wrote to memory of 2272     1768  msedge.exe   81   (2 identical entries)
    PID 1824 wrote to memory of 4224     1824  AnyDesk.exe  83   (3 identical entries)
    PID 1824 wrote to memory of 4540     1824  AnyDesk.exe  82   (3 identical entries)
    PID 1768 wrote to memory of 500      1768  msedge.exe   84   (40 identical entries)
    PID 1768 wrote to memory of 3932     1768  msedge.exe   86   (2 identical entries)
    PID 1768 wrote to memory of 1200     1768  msedge.exe   85   (14 identical entries)
Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  command: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 1824
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      command: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
      PID: 4540
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      command: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
      PID: 4224
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\CheckpointUndo.htm
  PID: 1768
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8639a3cb8,0x7ff8639a3cc8,0x7ff8639a3cd8
      PID: 2272

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
      PID: 500

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
      PID: 1200

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
      PID: 3932
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      PID: 2492

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
      PID: 2276

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 /prefetch:8
      PID: 4824
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
      PID: 3144
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
      PID: 3096

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
      PID: 4948

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
      PID: 2228

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
      PID: 1424

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      PID: 3380

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5880 /prefetch:8
      PID: 972
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5908 /prefetch:8
      PID: 2276

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
      PID: 2304

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
      PID: 2216

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
      PID: 3192

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      PID: 3128

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
      PID: 5976

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
      PID: 5160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
      PID: 5092

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
      PID: 3096

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
      PID: 5196

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
      PID: 5612

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      PID: 6000

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,7598956889324578385,2112528493917019002,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1344 /prefetch:2
      PID: 6104
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3268

C:\Windows\System32\CompPkgSrv.exe
  command: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1848

C:\Windows\system32\AUDIODG.EXE
  command: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x0000000000000484
  PID: 4932
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  command: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
  PID: 2972
Network
MITRE ATT&CK Enterprise v15
Downloads