17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd

Analysis

max time kernel
44s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
18-02-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7z2401-x64.exe
Size

1.5MB
MD5

de644b4e1086f1315c422f359133543b
SHA1

54be86d121879b0e5d86604297c57a926d665fa8
SHA256

17a507cce4066c4be7db53d64d9a9e11dfecfd4f2411393690506e591b5895cd
SHA512

714d41254352d91834a4b648d613e9b4452b93b097b5781ec5bf3ec7c310a489d3a1c409b2f0a6946822b96f6943b579910d26a5f4324b320d485e856dbdcb1a
SSDEEP

49152:8yEuRNRgYQYk6tC0tkaNuiXatTQY7quUncuTVyvn65:8yEoL7tCzlqLcuBz5

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
572	7zFM.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2401-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2401-x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2401-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2401-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2401-x64.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
3744	msedge.exe
3744	msedge.exe
2724	msedge.exe
2724	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3744	msedge.exe
3744	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	572	7zFM.exe
Token: 35	572	7zFM.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 3744	572	7zFM.exe	81
PID 572 wrote to memory of 3744	572	7zFM.exe	81
PID 3744 wrote to memory of 3564	3744	msedge.exe	82
PID 3744 wrote to memory of 3564	3744	msedge.exe	82
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 1672	3744	msedge.exe	83
PID 3744 wrote to memory of 4260	3744	msedge.exe	84
PID 3744 wrote to memory of 4260	3744	msedge.exe	84
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85
PID 3744 wrote to memory of 552	3744	msedge.exe	85

C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe
"C:\Users\Admin\AppData\Local\Temp\7z2401-x64.exe"
1⤵
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
PID:2612

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.7-zip.org/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb8bca3cb8,0x7ffb8bca3cc8,0x7ffb8bca3cd8
    3⤵
    PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
    3⤵
    PID:552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2924 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,1000448496542295653,1475827574857517081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
0bb139023eb3e17dedf9780a66e99a1a

SHA1
da841883ee156ffb2c1718e6aa20d30d4d578691

SHA256
0cdacb5eb70ca2b16ab333ee870983750103865fedb167c9d6068019b8197a4f

SHA512
ff9c15ac88bb233d9dd1dfb66a0dd9df5d87e7ae0ca282a6223fcd2ee69896056f330d9af6a4a7f913f9ed97b5bf77e8adfaa43270a7e39eaa91d039cb8f445d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
929KB

MD5
6156ebaea891ddbfcb1187f628ec7577

SHA1
778fd5d5dec21f95c5aa554567e06da8295b9a47

SHA256
4853947e14bf30ab40702c34f80fb113c45619a73f89a938f2284c786e35c9fe

SHA512
ed166095ceb46ff77e1081263aea03cb97b5d244a7e4060b6b37c847fd496a7e577f297846414ff130e01484f44f9da2566e2572c6cd69e9b419c311799a511a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
90bbaa873cb1024ace83f887dfde38ae

SHA1
922416490e14f9098df969a56b75e7523f108e53

SHA256
2ff8abbbdad2acf5f04a3b47624055a0f2c36a09b0db3945b494f7eb92ae87bc

SHA512
60587031845ee5ae354c760bd2714a47ff561d3bd6e8aab7b2073d1b9c6b544c7eca94078d9cdefcd87b44adce4e814852c1e8f6af8ca3bdd5b0ddd0312e57b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c167c9e7436bf862b46b1485869a72f0

SHA1
f60be974d89346983b9fa73c1fe53da1d3c9780c

SHA256
e5bc3bcca170e8a5b1f701c2dc5a2b460647463368002690f6b8386912a5c39a

SHA512
3d880f89b17a1342d7812a9dfe65b41e057193801f9846197aa27e80d9bac8e365532a5a92247791ebf3a6dd87f9bd0ec8c2405b63cdfffaabc6e226e52206e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32cd64b301486e317c484b6f7ba05f34

SHA1
7a10d281e4d410c709b2fbed70bb448219631b16

SHA256
1114c45338d8d16089fca8ea65bdc53a541b9e77178a18e85567cde8cba24aed

SHA512
a9e40894c9e11af7b6908ea17ac39394f1ab03f3cd4b175de9b59654917ff008e735cf447e6f1d17ec755014c09e67f4f94c9d2f9401d7f6b90a206586b411be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b2f087f643b526693d79cea92fb300e

SHA1
f2700e196f26f98fb6b4381ad214fdc0a259659c

SHA256
30885a2408153e9633b275b2f7a3b69ad4d1a2745e73c822b90ce6e323d28355

SHA512
0a340f94f56ff0ab1a8cd556c0b70fdcb760eb26afb66a291048cce09a1ee78acea610c51a348d36753b542a5bbf55fd558acdfaa87bf0a016014f27f3f93f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
e67bdf1ce87505d2ce006e9133777507

SHA1
fd48fce929f03f4940249ed8eb97acf65d1ca3ca

SHA256
8e8b5ec847137c2ebd16688b2d4c1ad6d4b3cc3dbbbd0d072492b4b4d06d3edd

SHA512
b2eea8dfc5994cc58173ca28fde492acf4899e6f87f1cd85a90e4b4b71b442ee30b2d1fd07c3c22c0a47320bcf0304cf0232285a04ec24420ff4771848d6a706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e8838a39f661348f3e2966f0c054962f

SHA1
175b7aacfbec1afcbd000d9949796b6a7640ba20

SHA256
a386a235129b1d400c5eba37fa4aadf8151e1528cdd894e4f6df6b535e21578b

SHA512
c14f6db621b469cf319a74f65362deca34f1f4bae6a3c42fd736aae77ed586a60b764d732ee03d4230688922c3cfe5b9a5a051af2b5d233eb5598fad2c779fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
44da2f302b1afb35da768ba83f6d1c6f

SHA1
a9f2c4de37190839357f6f73ff8ff669a88957de

SHA256
20d7813022a5d49c25bdb162feef510b4967f8f10d1fc07c5b8995f444221626

SHA512
19178e81078389b85f711b00007ae5e683cd4932e3de3abd65e172c7e74e90d856b4a64720e7813d0a0c752326cc9991bbfd092d08d03aba02ba78a22cffb8d9

Download Submit