Resubmissions

  submitted          analysis ID         score
  07/03/2024, 17:12  240307-vq9qasgd66   1
  07/03/2024, 17:11  240307-vql91agd49   1
  07/03/2024, 17:10  240307-vpztpshd2z   1
  07/03/2024, 17:07  240307-vm6t8sgc75   6   (this report)
  07/03/2024, 16:58  240307-vgylnshb5t   8
  07/03/2024, 16:58  240307-vgsqeshb4y   1
  07/03/2024, 16:49  240307-vbnjhsfh89   8
  07/03/2024, 16:45  240307-t9tyhsfh44   8

Analysis
  - max time kernel: 149s
  - max time network: 152s
  - platform: windows11-21h2_x64
  - resource: win11-20240221-en
  - resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
  - submitted: 07/03/2024, 17:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  - Sample: https://github.com/Da2dalus/The-MALWARE-Repo
  - Resource: win11-20240221-en

General
  - Target: https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config
Signatures

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  4     raw.githubusercontent.com
  30    raw.githubusercontent.com

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (WINWORD.EXE)
  - Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  (WINWORD.EXE)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
  - Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)
  - Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  (WINWORD.EXE)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  (WINWORD.EXE)
  - Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  (WINWORD.EXE)
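The two signatures above record WINWORD.EXE and msedge.exe reading the CentralProcessor\0 and BIOS keys. What a sandbox operator wants to know is whether the values those keys return on the analysis image actually give the guest away. The script below is an added example, not tria.ge code: it scores a set of values from those six names for hypervisor markers. The value names and key paths are the ones in the IoC tables; the STOCK_GUEST and HARDENED_GUEST value sets are constructed, and read_live_values() reads the real values only when run on Windows.

```python
"""Score the HARDWARE\\DESCRIPTION\\System registry values read in the two
signatures above for signs of a virtualised guest.

Added example, not tria.ge code. The two guest value sets are constructed;
the key paths and value names are the ones in the report's IoC tables.
"""
import re
import sys

CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor\0"
BIOS_KEY = r"HARDWARE\DESCRIPTION\System\BIOS"
CPU_VALUES = ("ProcessorNameString", "~MHz")
BIOS_VALUES = ("SystemManufacturer", "SystemProductName", "SystemFamily", "SystemSKU")

# Strings hypervisors leave in the SMBIOS tables, which Windows mirrors into
# the BIOS key. Matched case-insensitively as substrings.
VM_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "bochs", "xen",
              "kvm", "parallels", "virtual machine", "hyper-v")


def assess_hardware_values(values):
    """Return a list of findings for one guest.

    `values` maps value name -> data for the six names above. Names that
    were not read are skipped rather than counted as suspicious.
    """
    findings = []
    cpu = str(values.get("ProcessorNameString", ""))
    if re.search(r"virtual|qemu|kvm", cpu, re.IGNORECASE):
        findings.append(f"ProcessorNameString names a virtual CPU: {cpu!r}")
    mhz = values.get("~MHz")
    if isinstance(mhz, int) and mhz < 1000:
        findings.append(f"~MHz={mhz} is implausibly low for a desktop CPU")
    for name in BIOS_VALUES:
        text = str(values.get(name, "")).lower()
        hit = next((m for m in VM_MARKERS if m in text), None)
        if hit:
            findings.append(f"{name} carries hypervisor marker {hit!r}: {values[name]!r}")
    return findings


def read_live_values():
    """Read the same six values from this machine (Windows only)."""
    import winreg
    out = {}
    for key, names in ((CPU_KEY, CPU_VALUES), (BIOS_KEY, BIOS_VALUES)):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
            for name in names:
                try:
                    out[name], _ = winreg.QueryValueEx(handle, name)
                except FileNotFoundError:
                    pass  # SystemFamily / SystemSKU are absent on some boards
    return out


# Constructed value sets: a stock VirtualBox guest, and the same guest after
# its SMBIOS strings were replaced with plausible OEM values.
STOCK_GUEST = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "~MHz": 3192,
    "SystemManufacturer": "innotek GmbH",
    "SystemProductName": "VirtualBox",
    "SystemFamily": "Virtual Machine",
    "SystemSKU": "",
}
HARDENED_GUEST = {
    "ProcessorNameString": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "~MHz": 3192,
    "SystemManufacturer": "Dell Inc.",
    "SystemProductName": "OptiPlex 7060",
    "SystemFamily": "OptiPlex",
    "SystemSKU": "085C",
}

if __name__ == "__main__":
    for label, vals in (("stock guest", STOCK_GUEST), ("hardened guest", HARDENED_GUEST)):
        print(label + ":", assess_hardware_values(vals) or ["no virtualisation markers"])
    if sys.platform == "win32":
        print("this host:", assess_hardware_values(read_live_values()))
```

The marker list is deliberately short; a guest that passes it can still be fingerprinted through other keys (disk enumerator strings, MAC OUI, installed drivers), so treat an empty result as "these six values are clean", not as "undetectable".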
Modifies registry class (2 IoCs)
  - Key created  \REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\Local Settings  (msedge.exe)
  - Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4181651180-3163410697-3990547336-1000\{4C33C496-5EF1-4AFB-AC9B-A7EDF55F2FC6}  (msedge.exe)

NTFS ADS (2 IoCs)
  - File opened for modification  C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier  (msedge.exe)
  - File opened for modification  C:\Users\Admin\Downloads\Melissa (1).doc:Zone.Identifier  (msedge.exe)
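The NTFS ADS hits above are Edge's quarantine service writing the Zone.Identifier stream (the Mark of the Web) next to each downloaded copy of Melissa.doc; that stream is what later makes Word open the file in Protected View with macros disabled. The parser below is an added example, not tria.ge code. SAMPLE_ADS is constructed to the shape Chromium-based browsers write (the report does not show the stream contents, and the HostUrl path in it is illustrative); read_motw() reads a real stream from an NTFS volume.

```python
"""Parse the Zone.Identifier alternate data stream that the NTFS ADS
signature above shows msedge.exe writing next to the two Melissa.doc
downloads.

Added example, not tria.ge code. SAMPLE_ADS is constructed; the report does
not show the stream contents.
"""
import configparser
from pathlib import Path

# URLZONE ids as used by the Windows security manager.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text):
    """Return zone id/name, referrer, host URL and whether Office would open
    the file in Protected View (Internet and Restricted zones).

    Raises ValueError when the [ZoneTransfer] section or ZoneId is missing,
    so a damaged stream is reported instead of being read as 'no mark'.
    """
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        raise ValueError(f"not an INI-shaped stream: {exc}") from exc
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section")
    section = cp["ZoneTransfer"]
    if "ZoneId" not in section:
        raise ValueError("ZoneTransfer has no ZoneId")
    zone = section.getint("ZoneId")
    return {
        "zone_id": zone,
        "zone": ZONE_NAMES.get(zone, "unknown"),
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
        "protected_view": zone >= 3,
    }


def has_motw(text):
    """True when the stream text carries a parseable Mark of the Web."""
    try:
        parse_zone_identifier(text)
        return True
    except ValueError:
        return False


def read_motw(path):
    """Read <path>:Zone.Identifier from an NTFS volume.

    Returns None when the file has no such stream, i.e. it did not arrive
    through a MotW-aware application or the mark was stripped.
    """
    try:
        raw = Path(f"{path}:Zone.Identifier").read_text(encoding="utf-8")
    except OSError:
        return None
    return parse_zone_identifier(raw)


# Constructed stream in the shape a Chromium-based browser writes for a
# download. The HostUrl path is illustrative, not taken from the report.
SAMPLE_ADS = (
    "[ZoneTransfer]\n"
    "ZoneId=3\n"
    "ReferrerUrl=https://github.com/Da2dalus/The-MALWARE-Repo\n"
    "HostUrl=https://raw.githubusercontent.com/example-path/Melissa.doc\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ADS))
    print(read_motw(r"C:\Users\Admin\Downloads\Melissa (1).doc"))
```

On a live Windows host the same stream is visible with `Get-Content -Stream Zone.Identifier` in PowerShell, and a file that carries ZoneId=3 but opens without Protected View is worth a second look at the Office trust settings.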
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  - pid 3156 WINWORD.EXE (2 entries)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  - pid 4340 msedge.exe (2 entries)
  - pid 3112 msedge.exe (2 entries)
  - pid 3620 identity_helper.exe (2 entries)
  - pid 2228 msedge.exe (2 entries)
  - pid 1804 msedge.exe (2 entries)
  - pid 4172 msedge.exe (2 entries)
  - pid 1808 msedge.exe (4 entries)
  - pid 4012 msedge.exe (2 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
  - pid 3112 msedge.exe (16 entries)

Suspicious use of FindShellTrayWindow (41 IoCs)
  - pid 3112 msedge.exe (41 entries)

Suspicious use of SendNotifyMessage (12 IoCs)
  - pid 3112 msedge.exe (12 entries)

Suspicious use of SetWindowsHookEx (8 IoCs)
  - pid 3156 WINWORD.EXE (8 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries have pid 3112 msedge.exe as the writing process; the targets are its own child processes:
  - PID 3112 wrote to memory of 2704  (procid_target 79)
  - PID 3112 wrote to memory of 1384  (procid_target 80)
  - PID 3112 wrote to memory of 4340  (procid_target 81)
  - PID 3112 wrote to memory of 2920  (procid_target 82)
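The WriteProcessMemory table is the noisiest part of the report: 64 rows that reduce to four parent/child edges, all from the Edge browser process into processes it had just spawned. The script below is an added example, not tria.ge code: it collapses rows in the flattened form shown above into counted edges and flags any write whose target runs a different image than the writer, which is the case that would matter. SAMPLE_IOCS is an abridged excerpt of the report's rows, PROCESS_IMAGES comes from the Processes section, and the WINWORD.EXE row in ANOMALOUS_IOCS is constructed and does not occur in the report.

```python
"""Collapse 'wrote to memory of' IoC rows into counted parent -> child
edges and flag writes that cross into a different image.

Added example, not tria.ge code. SAMPLE_IOCS is an abridged excerpt of the
report's table in the flattened form shown above; PROCESS_IMAGES is taken
from the Processes section; the WINWORD.EXE edge in ANOMALOUS_IOCS is
constructed and does not appear in the report.
"""
import re
from collections import Counter

# One row: "PID <parent> wrote to memory of <child> <parent> <image> <target idx>"
ENTRY = re.compile(
    r"PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) "
    r"(?P=parent) (?P<image>\S+) (?P<target_idx>\d+)"
)


def collapse_write_iocs(text):
    """Map (parent pid, parent image, child pid) -> number of writes."""
    counts = Counter()
    for m in ENTRY.finditer(text):
        counts[(int(m["parent"]), m["image"], int(m["child"]))] += 1
    return counts


def cross_image_writes(counts, process_images):
    """Edges whose child runs a different image than the writing parent.

    A Chromium browser process writing into its own freshly created child
    (sandbox broker set-up before the child is resumed) accounts for every
    edge in the report; a write into another image is what needs a look.
    Children missing from process_images are reported too.
    """
    return sorted((p, img, c) for (p, img, c) in counts
                  if process_images.get(c) != img)


def render(counts, process_images):
    """One line per edge, e.g. '3112 msedge.exe -> 2704 msedge.exe x2'."""
    return [f"{p} {img} -> {c} {process_images.get(c, '?')} x{n}"
            for (p, img, c), n in sorted(counts.items())]


# pid -> image, from the Processes section of the report.
PROCESS_IMAGES = {3112: "msedge.exe", 2704: "msedge.exe", 1384: "msedge.exe",
                  4340: "msedge.exe", 2920: "msedge.exe", 3156: "WINWORD.EXE",
                  2404: "splwow64.exe"}

# Abridged excerpt of the report's 64 rows, in the flattened form above.
SAMPLE_IOCS = (
    "description pid Process procid_target "
    "PID 3112 wrote to memory of 2704 3112 msedge.exe 79 "
    "PID 3112 wrote to memory of 2704 3112 msedge.exe 79 "
    "PID 3112 wrote to memory of 1384 3112 msedge.exe 80 "
    "PID 3112 wrote to memory of 1384 3112 msedge.exe 80 "
    "PID 3112 wrote to memory of 1384 3112 msedge.exe 80 "
    "PID 3112 wrote to memory of 4340 3112 msedge.exe 81 "
    "PID 3112 wrote to memory of 2920 3112 msedge.exe 82 "
)
# Constructed extra row (not in the report): the browser writing into Word.
ANOMALOUS_IOCS = SAMPLE_IOCS + "PID 3112 wrote to memory of 3156 3112 msedge.exe 90 "

if __name__ == "__main__":
    counts = collapse_write_iocs(SAMPLE_IOCS)
    print("\n".join(render(counts, PROCESS_IMAGES)))
    print("cross-image writes:", cross_image_writes(counts, PROCESS_IMAGES))
    print("with constructed edge:",
          cross_image_writes(collapse_write_iocs(ANOMALOUS_IOCS), PROCESS_IMAGES))
```

Run against the full table the same four edges come out, all msedge.exe into msedge.exe, which is why this signature alone does not move the verdict; the score on this submission comes from the other signatures.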
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3112)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2704)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffce4ae3cb8,0x7ffce4ae3cc8,0x7ffce4ae3cd8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1384)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4340)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2920)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1852)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4636)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 3620)
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2228)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1252)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 724)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 808)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 564)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1940)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1804)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4488)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4172)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1276 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3412)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1

  C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  (PID 3156)
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa (1).doc" /o ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx

    C:\Windows\splwow64.exe  (PID 2404)
      C:\Windows\splwow64.exe 12288

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3020)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2984)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2164)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1484)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3040)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1808)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6668 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3612)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1696)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3324 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4012)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1904,13412913011620942907,7054736891540037844,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4536 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 744)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 784)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe  (PID 2444)
  C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5:    3b1e59e67b947d63336fe9c8a1a5cebc
  SHA1:   5dc7146555c05d8eb1c9680b1b5c98537dd19b91
  SHA256: 7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263
  SHA512: 2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

- Filesize: 152B
  MD5:    0e10a8550dceecf34b33a98b85d5fa0b
  SHA1:   357ed761cbff74e7f3f75cd15074b4f7f3bcdce0
  SHA256: 5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61
  SHA512: fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5:    322f192239dd7e32fc32e7ac6db90026
  SHA1:   276a4e75d0ae61620f3eca849fc08fd09a55e592
  SHA256: 37e6b7fd530d95e4d84bf7b60ceffba1c0ff78d34556838c69f5f743c543390d
  SHA512: cf9fe139ac6dfe054a6280625519061197dcc9eda5ca342a8d112719ad28437ed7ebf3aaca8eb93ccacc5773afbdba4c68717e4bd98f9353a8702aa3fdbee520

- Filesize: 111B
  MD5:    285252a2f6327d41eab203dc2f402c67
  SHA1:   acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

- Filesize: 649B
  MD5:    d95b2fedee61b730884ffa51d8e3cbcd
  SHA1:   22fe607473da7cf4b15e0132f5a32672bf0c2747
  SHA256: d5acf4d2fd9d6691f97e1cd4c19bca4d41a0d4633b597e5551f549e34bdf27ad
  SHA512: d385b33fc848375ff05a599cee76242d912e2a2e51e1980ff78ff765f0814eb96d4c084b5ca29f6b15396ec307f752f22775813c9cc35d8bdd342a698c270e50

- Filesize: 579B
  MD5:    46fa4f5f7344089589d117bd7599b3a9
  SHA1:   b6cc1fe19e527d4a372c97e4d195ed94eee40030
  SHA256: 223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a
  SHA512: 6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

- Filesize: 5KB
  MD5:    53932c19f3dd8b3325f4f2b239059bbb
  SHA1:   451c72aa743038f02e6fe2bcb70def26a604967f
  SHA256: d51c40025ffaea3c5fbedc24327743b82655329e3c850665a94ef79e1625948e
  SHA512: 0d16ca804183fd9eac48dc168d18a034246cd55d730183bf6dcb344bc94f2f8725ce2af64c053e39bc840346ba3660f4a5c6bfe06bf5ebc803a1198c8476b485

- Filesize: 6KB
  MD5:    eb1214d38dbf6e2b178f5498c48af1d7
  SHA1:   37984ec8305d7ca7c18a62d8546a5ef8d0c850fa
  SHA256: 1e253ae73752b5ddafb2edd25fd9456cd5dbce69dce1d18c6975b45aef5cbcf6
  SHA512: 6497a931a287e2709887c6612f327441c233925ea12eaef9f4c334f4f5fb7f727b383f86f42ca5ad36f1a6d63d51949daa3be3b30a1011c9d2fc10c1b8773243

- Filesize: 6KB
  MD5:    4dcb698e82fb9ad1da4b56ddc710ce38
  SHA1:   a85c5db0a914e3b07fe0e50e0a5e156c7a00ebb3
  SHA256: 89e2a75629c88a399cab2438d5990a8d1c20499a892652905a5fec5fd2f53df5
  SHA512: ef6b4d25a100909bc552332ab09c1664eea5488e2f363a512d5bd92aaf729cb35c2cdad93e107efad51bd0d38199fe7d880a0ca1da16df83712945cd49eda3e0

- Filesize: 6KB
  MD5:    23033f9cf31e88cd1173b72c8d7b0f20
  SHA1:   4b2e275fdd1ce83754d177845948f4cebcd4338b
  SHA256: b42f93f904bc9217f442ccb7c0811ab25ed4a98d7395f40ed9c6d8ed0f044ca8
  SHA512: 3bbaed264b6c178b411ac3923d76f32e6f1a588a1cc4d5fada268ceb4e196b65939817c87fbbf11d6ea38a1961d85b69314486bcf4b3de42afe5622e80ec9517

- Filesize: 6KB
  MD5:    ecf8ea6778a90c0af3feaf32e22885ff
  SHA1:   3f9463089ffc5154e1ff57afb8420e94ad0872f0
  SHA256: 048c9c3ac3009917bd2754310b5c09a8d9f80695d7c0b8afdbae4e940545583d
  SHA512: 90255f59744287e17dedcd4de6f9f4c9198d7a52ba5cc8c95558a0070ff996d8e5257b02ab333897c4367c57b44227a6d73e7d1133c74c398a2082594b0e9208

- Filesize: 6KB
  MD5:    fcb614a85dc7301fac97b43f65569fc5
  SHA1:   e023489e7002c7081a82d91405ea7c3a5c64ba5f
  SHA256: de5e6116546046d5605b42dcfcc7b3451c29dbde0b53554aeb5aef3ddd761892
  SHA512: 6a2a3f2bfe0cfef09149fa810108b58192d93907d795440427a86fc722a39ea80fb54a4278e429c21b9dfdb36e840ca31b25406f3bc3151ae8d0b5742e25e3fe

- Filesize: 1KB
  MD5:    085c0a39fa6ceada40e33b73db6686f6
  SHA1:   6a844c8f5c71efac72847b712c224c937af2c5b2
  SHA256: a6b0fa91c2ec36dacb750da1f3ba70bbc86f21209bdef4fd8b053c8a85901482
  SHA512: a063bc2e33caeb6e7f441c2daa603d5958426fe293a8cf8b6eb72aa959e26146e5677eb269d07bb7346c53f91ce2fbd8d6fcddd22e0544e7141f72123af3e53e

- Filesize: 1KB
  MD5:    ddf8c6c6352ff47884ea16e1e68115f7
  SHA1:   6b89f00c404d8b3a350721ec212a65509ad301cc
  SHA256: fda3e15a3a13660f385c2a2cfc554a2f90072898b678fefdbc0511eec964a946
  SHA512: 5ba98c974ae2c79b6a93b72167457f05cd80339f7fe6c5d2100ad398562e694d1d5771fecde1dc2bf18d777803ac621e84cd27a18023e49770d054779c627368

- Filesize: 1KB
  MD5:    c88a91f199925b8ee183b9e8e605770d
  SHA1:   f54ae7e3206d55fbb5fd6fba93c74be12fe06011
  SHA256: f989e2a7fef355064cd7af8f2b2ddca1d4b7f9d82b3bcd717d7579cd752ca31d
  SHA512: 3bbebc7d7e2e2e26a42a21a67f5f609b18f70cc7176c37653f59a727588f0d122712fabd9aa2129508e05f414c8aa25e0c9b0dbeb48c540764aa09c15f2a0f90

- Filesize: 874B
  MD5:    b73f3a8fbd3e1fa0f1a564b0794cb100
  SHA1:   3c3d066fd04adbc9a299beeb33b5e505aca9cf0b
  SHA256: edd6a4f38ad0753059e2f477606a18e62c8142822f6232dcdac43a2429ffb397
  SHA512: 65861ecaaf21351998106c468044c2309541ba82068826fb362a285471f7c7e3a6bb5fd99e49206105b4d637de9ba5e0551125b0dfc7a561959096d84f25a1ea

- Filesize: 874B
  MD5:    3cb6d1d576f6957a966873beedcc5fdb
  SHA1:   804d5b0869f42800ae0867b268ad85aa9efa453d
  SHA256: 7efc2f518444868b3c91502ff646b182022cc400df1de2e620a47087622a848b
  SHA512: 0acffee2d5b066a802194098ef261d82ea92b7aca751ef2fbc9cfeae935d9e975221b4bd3374e3d0f0036a3e2df1cd61b94c5f75f788c979502662a2b4902e29

- Filesize: 16B
  MD5:    6752a1d65b201c13b62ea44016eb221f
  SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 11KB
  MD5:    dacd51799e5d9f3be23fb6251eb57fab
  SHA1:   dc3bc8dcba1e29e4333fc22979dcc193bd5721d7
  SHA256: deac1ce231af4c06daca8001f168154a6fb321dfac0e831fea3bc39fc8acc8e1
  SHA512: f205f5a9410798d0f1133e6ab6357a855a2b12879943852706204c646c6fe379cb49496997fa5bc227b113a6e669820c82196de9e706d84fb80b237ef19d3c2a

- Filesize: 11KB
  MD5:    c30f4a80c4c2c2297863f19f6a1830bc
  SHA1:   5f2f4b5d1919ab2f680738b4804177979d740afb
  SHA256: 97721fd58de03496bd9350e51ae57cd9cee2818ebfe0bfeb90964ba104b97432
  SHA512: 323dc280111a6ff9b691c4a3298d1a0641382cef8d55062d2d3296f5904e79ce8cd875c84f1f550560d8df5dd06c905df8f522481767ab967b521a1e79dd10c4

- Filesize: 12KB
  MD5:    87055fbd32a8949d45282db253dece6b
  SHA1:   10f1c082709d5950ecc47054f7ad7edfa7ec6c52
  SHA256: 8100c6bbbed23790ecd741e9a9dacb6eefd8cbaa4485e7ebe960921a4d16b206
  SHA512: df93629a01d59195de19d57325f807d9218d14c9a9a18b4e38ed98ae6f47f78b8a703334582dbdee17a355f708f1ef41a8ed461c22090e0b2d9079a458058b86

- Filesize: 11KB
  MD5:    5bd2e2341bdeef10c5c19790f0d64968
  SHA1:   08f21917e711cb8c22057a3d0303ee331580b291
  SHA256: 089d4ceb6a7de4d5c909a21e8c142ae7abb02653836b6a9351770732d00003b6
  SHA512: d75331f2622f9f17c3c524c8db5dd532ef48bab2f251dc658867502bd9755c5f2531b067ed256a820600983e9de851990f8afd6c7899b8e147232ebca61e9eff

- Filesize: 11KB
  MD5:    644dedbf962de6b2e62101303865d882
  SHA1:   b14d8fca9b671f6b8c1c4815a512a68007cff6ff
  SHA256: 996ae5e6b6daf28e69bf333cb8783f4143a884c6a0d93c5f9403fc9e1a28a251
  SHA512: 38a096ecebc7871eead7abda8747742c4f51195145d36b961f4764c4294cc6a31b07bfecebf813ec57d1efb39e1c2c72d695e68edd52178185008b70dd3ef63c

- Filesize: 255B
  MD5:    c468ac2ea54e1aa7d9c427f41898aabe
  SHA1:   ec8b1503edb3f0f14168dadfb5899e948c73ff95
  SHA256: 3df63fca5a83d7cdd339bf1ea03b60a1db0795081cd669c17bdc399393554e28
  SHA512: 78b8d23deea8ef440a8c876eb471cbeffb546f37e2efa3cd53aeff18a6c1a612ca1cc1a5a59279e91e5dc78720b94a85adadbef7542c9d34559e9e544a976241

- Filesize: 31KB
  MD5:    18883ac2e013bbf3b3530d976b9ec123
  SHA1:   cf8ce61304e9d5a7bcfcb94d33fa9a71f875640b
  SHA256: b739bf3a3b96da685b9ee893a0c2ddebec9bb1bd2b551b426741256dee54ca92
  SHA512: 83f755703c912c6748cba1204ef281ab95acd85a66de46a7847022379aad167832f950080f359e7e403aba9ff7a6ef4fe34ae87f6c90df49670484e109cc5674

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 12KB
  MD5:    4bc5f819e93aafeb7ef080493088b5f0
  SHA1:   deee1153286c0b22c1f3e4109f8d8991125146c9
  SHA256: f81ff1c08b95822dad02d183f21da0f18f2c64e2befdcd9a3a658f7dc1821b44
  SHA512: bdf10cdd37e1d8f4241f91d92091dcba7c413aa06d124195e93cc8eb4edc75b4b1b36cd57ae953ee75a53f2ed83bf3f386f1e6176f2fcb2aff1758cb5f31fdbd

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
  Filesize: 14KB
  MD5:    ccd9eeb2b8dc252d7ffb2e8e896491f8
  SHA1:   f428ee5b67bbe47825989c0a161086d708f9d7db
  SHA256: d904980beab4fc3316881401ebb47a454b4b0bc850baf6f5288a7d4456a35ec5
  SHA512: 8a3fac601804d0bd8987f325c0326dd30bfa91a3b4ad0b5708b075d43141f4faaef1d1e75011e0f7b91abf9c966dd7f70c77e08490ef22010e130ff267f760b5

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:    f4d3091df78bd56ba514867df9ab63f1
  SHA1:   c893be7e553497d34d17b30e6ee47e7b8d17f58b
  SHA256: 301cecccdc9e01ec8199c3f90cdfa144e2ffcc8f9e55a87d074b3d1058df9f9d
  SHA512: 659aaeebf1339ea7899fd686970e71b6d6ea37d1f6eaea3a8b7f5b60637e53575c791d4b809dfd4d126fd26afd953c624ea84e4db2aba46bc1da7d52551f30da

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
  Filesize: 3KB
  MD5:    930b7249e51bb6594c8303241a8121e3
  SHA1:   53899d3680edb2dc4d69ad8d68b0e99ed004a9d5
  SHA256: b6267766fb560b52d8fc99f726a2eaaa5593e7fecc4f51cf993243008154dc3e
  SHA512: f64ef4429f1b0ef0510716da260a988a99b44076bd4775b5fdcfbf7a9355aa4c75e5c0f564a25cfb900001dd1510ba7372f144cc1eccc1677ffb0ca80f197da8

- Filesize: 40KB
  MD5:    4b68fdec8e89b3983ceb5190a2924003
  SHA1:   45588547dc335d87ea5768512b9f3fc72ffd84a3
  SHA256: 554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
  SHA512: b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

- Filesize: 55B
  MD5:    0f98a5550abe0fb880568b1480c96a1c
  SHA1:   d2ce9f7057b201d31f79f3aee2225d89f36be07d
  SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
  SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6