Analysis
- max time kernel: 85s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/03/2024, 17:57
Behavioral task behavioral1
- Sample: CS2 Bhop_[unknowncheats.me]_.exe
- Resource: win10v2004-20240226-en
Behavioral task behavioral2
- Sample: out.exe
- Resource: win10v2004-20240226-en
General
- Target: CS2 Bhop_[unknowncheats.me]_.exe
- Size: 444KB
- MD5: ddfda1f4f000dd283aeacf61bbf09e94
- SHA1: dece52d7bcb5b25c216fc5b5edd66a80c2cac1e5
- SHA256: 543a201d0a4ab2e487db61022719c3ccb74054c42f851b1582f41b2146c8ffa2
- SHA512: 7a5f0cf34b84fec3774be35ea2f9f6e14414da692c6d8c66c7cf7be2d80a4243e058c488b74b7b7be0fb6bfa434d50f8e6a8e3ad45cba47c1309a554b6535c9e
- SSDEEP: 12288:ofsVoCyy14HcQCOLD/JsShH2gTy88V9ibL:o0VoCdkcQhbF7yg
Malware Config
Signatures
-
YARA rule match: upx 5 IoCs
Memory dumps of the sample process (PID 3504) match the rule upx at every capture point, including the first dump (3504-0), so the packer's markers are present in the image as loaded from disk. The rule keeps matching on the later dumps as well, which is expected: UPX unpacks in place and leaves its section headers in the mapped image.
resource  yara_rule
behavioral1/memory/3504-0-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  upx
behavioral1/memory/3504-14-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  upx
behavioral1/memory/3504-16-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  upx
behavioral1/memory/3504-108-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  upx
behavioral1/memory/3504-125-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  upx
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables. Note the timing: the dump taken at process start (3504-0) matches only the upx rule above, while every later dump (14, 16, 108 and 125) matches autoit_exe as well. That is consistent with the compiled AutoIt payload becoming visible only after the UPX stub has unpacked the image in memory, so a scan of the 444KB file on disk may show the packer without showing the interpreter.
resource  yara_rule
behavioral1/memory/3504-14-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  autoit_exe
behavioral1/memory/3504-16-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  autoit_exe
behavioral1/memory/3504-108-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  autoit_exe
behavioral1/memory/3504-125-0x00007FF7B2500000-0x00007FF7B260B000-memory.dmp  autoit_exe
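The two YARA hits above (upx on every dump, autoit_exe only from dump 14 onward) can be reproduced with a plain marker check. The Python below is an added example by the editor, not a Triage rule and not code from the sample: it reads the PE section table and looks for the UPX section names and "UPX!" magic, and for the compiled AutoIt v3 script signature "AU3!EA06". The three blobs it classifies are constructed stand-ins (a minimal PE-shaped header plus a payload) built inline so the script runs offline; on the real file or on the memory dumps you would pass the file bytes to `classify`.

```python
import struct

# Well-known markers: UPX names its sections UPX0/UPX1 and writes a "UPX!"
# header; a compiled AutoIt v3 script is introduced by the "AU3!EA06" signature.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
UPX_MAGIC = b"UPX!"
AUTOIT_MARKER = b"AU3!EA06"


def pe_section_names(data):
    """Return the section names of a PE image, or [] if the data is not a PE.

    Works on the file from disk and on a memory dump of the mapped image alike:
    both keep the DOS header, COFF header and section table in place, and UPX
    unpacks in place without rewriting them.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + size_opt
    names = []
    for i in range(nsec):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        if off + 40 > len(data):
            break  # truncated dump: report what is there
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def classify(data):
    """Reproduce the two properties the sandbox's YARA rules reported."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx": bool(UPX_SECTION_NAMES & set(names)) or UPX_MAGIC in data,
        "autoit": AUTOIT_MARKER in data,
    }


def build_image(section_names, payload):
    """Constructed PE-shaped blob for offline testing: DOS header, PE signature,
    COFF header with no optional header, section table, then the payload."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + payload


# Constructed stand-ins for the three states the report's dumps imply.
PACKED_ON_DISK = build_image([b"UPX0", b"UPX1", b".rsrc"], UPX_MAGIC + b"\x90" * 64)
UNPACKED_DUMP = build_image(
    [b"UPX0", b"UPX1", b".rsrc"],
    UPX_MAGIC + b"\x90" * 64 + AUTOIT_MARKER + b"<compiled script bytes>",
)
PLAIN_PE = build_image([b".text", b".data"], b"\x90" * 64)


if __name__ == "__main__":
    for label, blob in [("packed on disk", PACKED_ON_DISK),
                        ("dump after unpack", UNPACKED_DUMP),
                        ("plain PE", PLAIN_PE)]:
        print(f"{label:18s} {classify(blob)}")
```

A marker scan is evidence, not proof: a file can carry the strings without being packed or without containing a script. Confirm against the hashes in the General section and, for the AutoIt part, extract the script from a post-unpack dump before drawing conclusions about what it does.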
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes. Two caveats before weighting this hit. First, the file is C:\windows\BITLOC~1\autorun.inf; the 8.3 short name almost certainly resolves to the BitLocker To Go discovery-volume directory that ships with Windows (its sibling *_BitLockerToGo.exe.mui files appear under the next signature), so this is an existing system file being opened, not a new autorun.inf dropped onto a volume. Second, the process is cmd.exe (PID 3508), which the Processes section shows as a top-level process with no parent link to the sample. Windows 7 and later also ignore autorun.inf on removable drives by default, so the spreading vector only applies to optical media.
description  ioc  Process
File opened for modification  C:\windows\BITLOC~1\autorun.inf  cmd.exe
Drops file in Windows directory 64 IoCs
All 64 entries are "File opened for modification" by cmd.exe (PID 3508, a top-level process with no parent link to the sample in the Processes section). The paths are unrelated existing system files (fonts, INF files, diagnostics scripts, boot and BitLocker To Go resources, installer patch files), which is more consistent with a bulk walk over C:\windows from a shell than with a targeted drop; the report does not show what, if anything, was written.
description  ioc  Process
File opened for modification  C:\windows\INF\TermService\tslabels.h  cmd.exe
File opened for modification  C:\windows\Fonts\jsmallf.fon  cmd.exe
File opened for modification  C:\windows\Fonts\serifft.fon  cmd.exe
File opened for modification  C:\windows\Fonts\YuGothR.ttc  cmd.exe
File opened for modification  C:\windows\INF\miradisp.inf  cmd.exe
File opened for modification  C:\windows\INF\sdstor.inf  cmd.exe
File opened for modification  C:\windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\ACROPD~2.DLL  cmd.exe
File opened for modification  C:\windows\Media\Ring08.wav  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Bluetooth\RC_DriverProblem.ps1  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Power\TS_IdleDiskTimeout.ps1  cmd.exe
File opened for modification  C:\windows\diagnostics\system\WINDOW~1\ja-JP\CL_LocalizationData.psd1  cmd.exe
File opened for modification  C:\windows\IME\IMEJP\Assets\JpnImeModeToast.png  cmd.exe
File opened for modification  C:\windows\Installer\$PATCH~1\Managed\1D5E3C~1\100~1.402\F_B2C0~1  cmd.exe
File opened for modification  C:\windows\Logs\WAASME~1\WA4A66~1.ETL  cmd.exe
File opened for modification  C:\windows\BITLOC~1\fr-FR_BitLockerToGo.exe.mui  cmd.exe
File opened for modification  C:\windows\Boot\Resources\de-DE\bootres.dll.mui  cmd.exe
File opened for modification  C:\windows\diagnostics\system\IESecurity\TS_PhishingFilter.ps1  cmd.exe
File opened for modification  C:\windows\ImmersiveControlPanel\images\AppsRtl.png  cmd.exe
File opened for modification  C:\windows\INF\wsearchidxpi\idxcntrs.h  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Apps\de-DE\CL_LocalizationData.psd1  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Printer\RS_RestartSpoolerService.ps1  cmd.exe
File opened for modification  C:\windows\INF\nulhpopr.inf  cmd.exe
File opened for modification  C:\windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\AcroPDF.dll  cmd.exe
File opened for modification  C:\windows\Fonts\smallet.fon  cmd.exe
File opened for modification  C:\windows\InputMethod\CHS\ChsPinyinDM06.lex  cmd.exe
File opened for modification  C:\windows\Installer\$PATCH~1\Managed\68AB67~1\157~1.200\ADOBEC~1.EXE  cmd.exe
File opened for modification  C:\windows\Cursors\aero_busy.ani  cmd.exe
File opened for modification  C:\windows\Cursors\aero_nesw_l.cur  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Audio\en-US\DiagPackage.dll.mui  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Power\it-IT\RS_Adjustwirelessadaptersettings.psd1  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Printer\RS_StartSpoolerService.ps1  cmd.exe
File opened for modification  C:\windows\INF\wvmbusvideo.inf  cmd.exe
File opened for modification  C:\windows\Media\Characters  cmd.exe
File opened for modification  C:\windows\Cursors\ns.svg  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Apps\RC_WSReset.ps1  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Device\CL_DetectingDevice.ps1  cmd.exe
File opened for modification  C:\windows\Fonts\ntailu.ttf  cmd.exe
File opened for modification  C:\windows\INF\nete1e3e.inf  cmd.exe
File opened for modification  C:\windows\Fonts\ega40857.fon  cmd.exe
File opened for modification  C:\windows\INF\SMSVCH~1.0\0000\_SMSvcHostPerfCounters_D.ini  cmd.exe
File opened for modification  C:\windows\Media\Windows Hardware Insert.wav  cmd.exe
File opened for modification  C:\windows\assembly\pubpol24.dat  cmd.exe
File opened for modification  C:\windows\BITLOC~1\da-DK_BitLockerToGo.exe.mui  cmd.exe
File opened for modification  C:\windows\BITLOC~1\et-EE_BitLockerToGo.exe.mui  cmd.exe
File opened for modification  C:\windows\Boot\PCAT\nb-NO\bootmgr.exe.mui  cmd.exe
File opened for modification  C:\windows\diagnostics\system\Printer\RS_PrinterDriver.ps1  cmd.exe
File opened for modification  C:\windows\INF\c_mediumchanger.inf  cmd.exe
File opened for modification  C:\windows\INF\netax88772.inf  cmd.exe
File opened for modification  C:\windows\Installer\{AC76B~1\FDFFIL~1.ICO  cmd.exe
File opened for modification  C:\windows\Boot\EFI\pt-PT\memtest.efi.mui  cmd.exe
File opened for modification  C:\windows\Boot\PCAT\en-US\bootmgr.exe.mui  cmd.exe
File opened for modification  C:\windows\diagnostics\system\DeviceCenter\TS_DeviceCenter.ps1  cmd.exe
File opened for modification  C:\windows\Fonts\vgas1255.fon  cmd.exe
File opened for modification  C:\windows\Globalization\Sorting\SortServer2003Compat.nls  cmd.exe
File opened for modification  C:\windows\Media\Invoke_48000Hz.raw  cmd.exe
File opened for modification  C:\windows\INF\RemoteAccess\0000\rasctrs.ini  cmd.exe
File opened for modification  C:\windows\INF\wvmic_shutdown.inf  cmd.exe
File opened for modification  C:\windows\diagnostics\system\IEBrowseWeb\uk-UA\RS_Resetpagesyncpolicy.psd1  cmd.exe
File opened for modification  C:\windows\Fonts\s8514sys.fon  cmd.exe
File opened for modification  C:\windows\INF\c_fscompression.inf  cmd.exe
File opened for modification  C:\windows\INF\mdmdf56f.inf  cmd.exe
File opened for modification  C:\windows\INF\MSDTCB~1.0\0411\_TransactionBridgePerfCounters_D.ini  cmd.exe
File opened for modification  C:\windows\Installer\ea9f.msp  cmd.exe
File opened for modification  C:\windows\Boot\EFI\it-IT\memtest.efi.mui  cmd.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments. Here every read comes from taskmgr.exe (PIDs 4588 and 3900 in the Processes section), which is consistent with Task Manager's own disk enumeration; the sample process (PID 3504) does not appear in this table. The property key {b725f130-47ef-101a-a5f1-02608c9eebac}\000A is DEVPKEY_NAME, i.e. the same display name as FriendlyName. The enumerated device is Ven_DADY&Prod_HARDDISK, so the sandbox presents a non-VM vendor string to any code that does perform this check.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Enumerates system info in registry 2 TTPs 3 IoCs
All three reads are by msedge.exe (PID 2016), the browser process launched at the top level, not by the sample.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
3504  CS2 Bhop_[unknowncheats.me]_.exe  (10 entries)
4588  taskmgr.exe  (20 entries)
776  msedge.exe  (2 entries)
2016  msedge.exe  (2 entries)
3900  taskmgr.exe  (30 entries)
This is the only signature attributed to the sample process itself. Process enumeration is also exactly what Task Manager does, which accounts for the taskmgr.exe entries.
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid  Process
2016  msedge.exe
2016  msedge.exe
Both hits are the Edge browser process creating children with the process-creation mitigation that blocks loading of non-Microsoft-signed binaries, a standard Chromium sandbox hardening rather than sample activity.
Suspicious use of AdjustPrivilegeToken 10 IoCs
description  pid  Process
Token: SeDebugPrivilege  4588  taskmgr.exe
Token: SeSystemProfilePrivilege  4588  taskmgr.exe
Token: SeCreateGlobalPrivilege  4588  taskmgr.exe
Token: SeSecurityPrivilege  4588  taskmgr.exe
Token: SeTakeOwnershipPrivilege  4588  taskmgr.exe
Token: 33  4588  taskmgr.exe
Token: SeIncBasePriorityPrivilege  4588  taskmgr.exe
Token: SeDebugPrivilege  3900  taskmgr.exe
Token: SeSystemProfilePrivilege  3900  taskmgr.exe
Token: SeCreateGlobalPrivilege  3900  taskmgr.exe
All ten adjustments belong to the two taskmgr.exe instances; SeDebugPrivilege in particular is what Task Manager enables to inspect and end other users' processes. Privilege LUID 33 is SeIncreaseWorkingSetPrivilege.
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process
4588  taskmgr.exe  (44 entries)
2016  msedge.exe  (20 entries)
Suspicious use of SendNotifyMessage 64 IoCs
pid  Process
4588  taskmgr.exe  (44 entries)
2016  msedge.exe  (20 entries)
Both are ordinary shell/GUI interactions of Task Manager and the browser; the sample process does not appear in either table.
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2016 wrote to memory of 1156  2016  msedge.exe  103  (2 entries)
PID 2016 wrote to memory of 4376  2016  msedge.exe  104  (repeated)
PID 2016 wrote to memory of 776  2016  msedge.exe  105  (2 entries)
PID 2016 wrote to memory of 2320  2016  msedge.exe  106  (repeated)
Every write comes from the Edge browser process (2016) into processes it spawned itself (1156, 4376, 776 and 2320 are its depth-2 children in the Processes section), which is how Chromium bootstraps its helper processes. A write into a process the writer did not create would be the injection pattern worth chasing; none appears here.
Processes
- depth 1: C:\Users\Admin\AppData\Local\Temp\CS2 Bhop_[unknowncheats.me]_.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CS2 Bhop_[unknowncheats.me]_.exe"
  Signatures: Suspicious behavior: EnumeratesProcesses
  PID: 3504
- depth 1: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
  PID: 4588
- depth 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  PID: 2016
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaeae546f8,0x7ffaeae54708,0x7ffaeae54718
    PID: 1156
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12904073445041192337,4686067208016480126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    PID: 4376
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12904073445041192337,4686067208016480126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
    PID: 776
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12904073445041192337,4686067208016480126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    PID: 2320
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12904073445041192337,4686067208016480126,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    PID: 4212
  - depth 2: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12904073445041192337,4686067208016480126,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    PID: 1084
- depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4012
- depth 1: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2492
- depth 1: C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  PID: 3900
- depth 1: C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe"
  Signatures: Drops autorun.inf file; Drops file in Windows directory
  PID: 3508
Note on attribution: the tree contains several independent top-level chains. Only the first (PID 3504) is the submitted sample, and the only signature it triggers is EnumeratesProcesses. taskmgr.exe (twice), msedge.exe with its six helper processes, CompPkgSrv.exe (twice) and cmd.exe all start at depth 1 with no parent link to 3504, and they are the source of every other signature on this page, including the autorun.inf and Windows-directory file opens (cmd.exe, PID 3508) and the SCSI and BIOS registry reads. Nothing in this report ties those processes to the sample, so treat their signatures as unattributed until something does.
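Before crediting any of the signatures above to the sample, it pays to check process lineage mechanically rather than by eye. The Python below is an added example by the editor, not Triage's code: it takes the process tree exactly as the Processes section prints it, with the depth markers turned into integers, rebuilds parent links, and splits every signature into "raised inside the sample's subtree" versus "raised elsewhere". It also cross-checks the WriteProcessMemory pairs from the signature table against the tree, to separate a parent bootstrapping its own children from injection into a foreign process. All data is transcribed from this report; no sandbox API is involved.

```python
# Process tree as the report prints it: (depth, image, pid, signatures).
# Depth 1 is a top-level process; a depth-n entry is the child of the nearest
# preceding depth-(n-1) entry. Transcribed from the Processes section above.
TREE = [
    (1, "CS2 Bhop_[unknowncheats.me]_.exe", 3504, ["Suspicious behavior: EnumeratesProcesses"]),
    (1, "taskmgr.exe", 4588, ["Checks SCSI registry key(s)",
                              "Suspicious behavior: EnumeratesProcesses",
                              "Suspicious use of AdjustPrivilegeToken",
                              "Suspicious use of FindShellTrayWindow",
                              "Suspicious use of SendNotifyMessage"]),
    (1, "msedge.exe", 2016, ["Enumerates system info in registry",
                             "Suspicious behavior: EnumeratesProcesses",
                             "Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary",
                             "Suspicious use of FindShellTrayWindow",
                             "Suspicious use of SendNotifyMessage",
                             "Suspicious use of WriteProcessMemory"]),
    (2, "msedge.exe", 1156, []),   # crashpad-handler
    (2, "msedge.exe", 4376, []),   # gpu-process
    (2, "msedge.exe", 776, ["Suspicious behavior: EnumeratesProcesses"]),  # network service
    (2, "msedge.exe", 2320, []),   # storage service
    (2, "msedge.exe", 4212, []),   # renderer
    (2, "msedge.exe", 1084, []),   # renderer
    (1, "CompPkgSrv.exe", 4012, []),
    (1, "CompPkgSrv.exe", 2492, []),
    (1, "taskmgr.exe", 3900, ["Checks SCSI registry key(s)",
                              "Suspicious behavior: EnumeratesProcesses",
                              "Suspicious use of AdjustPrivilegeToken"]),
    (1, "cmd.exe", 3508, ["Drops autorun.inf file", "Drops file in Windows directory"]),
]

# (writer pid, target pid) pairs from the WriteProcessMemory signature table.
WPM_EDGES = [(2016, 1156), (2016, 4376), (2016, 776), (2016, 2320)]


def build_parents(tree):
    """Map pid -> parent pid (None for a top-level process) from the depth listing."""
    parents, stack = {}, []          # stack holds the ancestor pids, one per depth
    for depth, _, pid, _ in tree:
        stack = stack[:depth - 1]
        parents[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parents


def subtree(parents, root):
    """Every pid whose ancestry reaches root, root itself included."""
    members = set()
    for pid in parents:
        p = pid
        while p is not None:
            if p == root:
                members.add(pid)
                break
            p = parents[p]
    return members


def attribute(tree, sample_pid):
    """For each signature, the pids that raised it inside vs outside the sample's subtree."""
    inside = subtree(build_parents(tree), sample_pid)
    report = {}
    for _, _, pid, sigs in tree:
        for sig in sigs:
            entry = report.setdefault(sig, {"sample": set(), "other": set()})
            entry["sample" if pid in inside else "other"].add(pid)
    return report


def credited_to_sample(report):
    """Signatures with at least one hit from the sample's own process tree."""
    return sorted(sig for sig, e in report.items() if e["sample"])


def foreign_writes(parents, edges):
    """WriteProcessMemory pairs where the target is not a direct child of the writer.
    A parent writing into a child it just spawned is ordinary bootstrapping (Chromium
    does it for every helper); a write into an unrelated process is injection."""
    return [(w, t) for w, t in edges if parents.get(t) != w]


if __name__ == "__main__":
    parents = build_parents(TREE)
    report = attribute(TREE, 3504)
    print("credited to sample:", credited_to_sample(report))
    for sig, e in sorted(report.items()):
        if not e["sample"]:
            print(f"  not from sample: {sig}  <- pids {sorted(e['other'])}")
    print("foreign WriteProcessMemory targets:", foreign_writes(parents, WPM_EDGES))
```

On this report the script credits exactly one signature to the sample (EnumeratesProcesses) and finds no foreign WriteProcessMemory target. The same lineage check is worth running on any sandbox output where analyst interaction or background services can appear in the tree alongside the sample.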
Network
MITRE ATT&CK Enterprise v15
Downloads
No filenames or origins are listed for these artifacts on this page; only sizes and hashes.
- Filesize: 64KB
  MD5: d2fb266b97caff2086bf0fa74eddb6b2
  SHA1: 2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
  SHA256: b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
  SHA512: c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
- Filesize: 4B
  MD5: f49655f856acb8884cc0ace29216f511
  SHA1: cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
  SHA256: 7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
  SHA512: 599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
- Filesize: 944B
  MD5: 6bd369f7c74a28194c991ed1404da30f
  SHA1: 0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
  SHA256: 878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
  SHA512: 8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
- Filesize: 152B
  MD5: 279e783b0129b64a8529800a88fbf1ee
  SHA1: 204c62ec8cef8467e5729cad52adae293178744f
  SHA256: 3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932
  SHA512: 32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b
- Filesize: 152B
  MD5: cbec32729772aa6c576e97df4fef48f5
  SHA1: 6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba
  SHA256: d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e
  SHA512: 425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0
- Filesize: 6KB
  MD5: af2dd2d0e1ce68c51e3186c0888e9a0c
  SHA1: e7ac92d9a2daafa491550916098db8c460a5ab26
  SHA256: 377a870b5134f4fd994c3382185d1aeb6d9112433503c027123ac467edf5a5bf
  SHA512: 77606d626047aebb991838ba64784c35452499dab14571b3fe8a46028150274fab45d34c55e91aea58297aed79a6ddc1dbc5c75f805f535258f8ff74e61633eb
- Filesize: 6KB
  MD5: 5c1380517ca9adff804814efaf720fc4
  SHA1: 38a640a61b2152e7c232a008115baac50fbd9fdd
  SHA256: 408d8bca3a869b32ffcc86a17ed7cd3f01f8a605cb867f71c0e32fd4fafa8cac
  SHA512: a7f122ef4f2f5adb6dfb41884ec6098c77841a8e5204da2819f6594613ea312179f6ff29ee8aede90022aca28f5e9c98f53f59e6d50599afaebfa4721ee6a242
- Filesize: 11KB
  MD5: 6cfb2ef96a19b339aa788c1be9f1c45b
  SHA1: 373ae16b4cd9b5a61992efed60539f19890f0ab3
  SHA256: 297319f9e6789d0d5add63581ffdaa28e2c0870e1ebcdbeedb0c2004dcaae881
  SHA512: f5cab8f35f63ee8c515501946704422258221947b0796781f1fcb605752188b48529e72bddd86c57672ea9b726dc9036fa82ca8230e58b794cac14f9a0db324e
- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58