Analysis
max time kernel: 120s
max time network: 131s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 05/04/2024, 09:04
Static task
static1
General
Target
Size: 431KB
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA512: 74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
SSDEEP: 12288:BHNTywFAvN86pLbqWRKHZKfErrZJyZ0yqsGO3XR63:vT56NbqWRwZaEr3yt2O3XR63
Malware Config
Signatures
BadRabbit
    Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
Mimikatz
    mimikatz is an open source tool to dump credentials on Windows.
mimikatz is an open source tool to dump credentials on Windows (1 IoC)
    resource                                       yara_rule
    behavioral1/files/0x0002000000029e10-21.dat    mimikatz
Executes dropped EXE (1 IoC)
    pid    Process
    2444   8CDE.tmp
Loads dropped DLL (1 IoC)
    pid    Process
    2684   rundll32.exe
Drops file in Windows directory (5 IoCs)
    description                    ioc                      Process
    File created                   C:\Windows\dispci.exe    rundll32.exe
    File opened for modification   C:\Windows\8CDE.tmp      rundll32.exe
    File created                   C:\Windows\infpub.dat    [email protected]
    File opened for modification   C:\Windows\infpub.dat    rundll32.exe
    File created                   C:\Windows\cscc.dat      rundll32.exe
Creates scheduled task(s) (1 TTP, 2 IoCs)
    Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid    Process
    4052   schtasks.exe
    3060   schtasks.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
    description         ioc                                                                    Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class (1 IoC)
    description   ioc                                                                                                                                                                                                  Process
    Key created   \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{D75A2987-CCEA-4368-80DB-97C8416FACB1}   msedge.exe
NTFS ADS (2 IoCs)
    description                    ioc                                                          Process
    File opened for modification   C:\Users\Admin\Downloads\cat-blue-eyes.jpg:Zone.Identifier   msedge.exe
    File opened for modification   C:\Users\Admin\Downloads\cat-ceiling.jpg:Zone.Identifier     msedge.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
    pid    Process               occurrences
    2684   rundll32.exe          4
    2444   8CDE.tmp              6
    2412   msedge.exe            2
    4044   msedge.exe            2
    5036   msedge.exe            2
    4256   identity_helper.exe   2
    1524   msedge.exe            2
    3024   msedge.exe            2
    5356   msedge.exe            2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (17 IoCs)
    pid    Process      occurrences
    4044   msedge.exe   17
Suspicious use of AdjustPrivilegeToken (6 IoCs)
    description                          pid    Process
    Token: SeShutdownPrivilege           2684   rundll32.exe
    Token: SeDebugPrivilege              2684   rundll32.exe
    Token: SeTcbPrivilege                2684   rundll32.exe
    Token: SeDebugPrivilege              2444   8CDE.tmp
    Token: 33                            4468   AUDIODG.EXE
    Token: SeIncBasePriorityPrivilege    4468   AUDIODG.EXE
Suspicious use of FindShellTrayWindow (55 IoCs)
    pid    Process      occurrences
    4044   msedge.exe   55
Suspicious use of SendNotifyMessage (16 IoCs)
    pid    Process      occurrences
    4044   msedge.exe   16
Suspicious use of WriteProcessMemory (64 IoCs)
    source pid   source Process            target pid   procid_target   occurrences
    2228         [email protected]         2684         80              3
    2684         rundll32.exe              3080         81              3
    3080         cmd.exe                   912          83              3
    2684         rundll32.exe              4824         86              3
    4824         cmd.exe                   4052         88              3
    2684         rundll32.exe              1368         89              3
    2684         rundll32.exe              2444         91              2
    1368         cmd.exe                   3060         93              3
    4044         msedge.exe                1988         97              2
    4044         msedge.exe                704          98              39
Processes
(tree depth shown in brackets; each entry lists the image path, the recorded command line, the PID and the signatures attributed to that process)

[1] C:\Users\Admin\AppData\Local\Temp\[email protected]  (PID 2228)
    cmd: "C:\Users\Admin\AppData\Local\Temp\[email protected]"
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\rundll32.exe  (PID 2684)
        cmd: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
        - Loads dropped DLL
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 3080)
            cmd: /c schtasks /Delete /F /TN rhaegal
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 912)
                cmd: schtasks /Delete /F /TN rhaegal
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 4824)
            cmd: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2571996363 && exit"
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 4052)
                cmd: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2571996363 && exit"
                - Creates scheduled task(s)
        [3] C:\Windows\SysWOW64\cmd.exe  (PID 1368)
            cmd: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\schtasks.exe  (PID 3060)
                cmd: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:23:00
                - Creates scheduled task(s)
        [3] C:\Windows\8CDE.tmp  (PID 2444)
            cmd: "C:\Windows\8CDE.tmp" \\.\pipe\{9EBC2D35-254B-42EE-A151-99BB53FD6449}
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4044)
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1988)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb1d173cb8,0x7ffb1d173cc8,0x7ffb1d173cd8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 704)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2412)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1300)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1984)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3128)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2656)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4640)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4388)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4796)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1628)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5036)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe  (PID 4256)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4320)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2244)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5032)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5704 /prefetch:8
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1116)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1524)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6424 /prefetch:8
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3576)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3316)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 780)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2908)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3024)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7572 /prefetch:8
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1880)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5348)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:1
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5356)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8464 /prefetch:8
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5496)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,3842213936166244355,9513142624015521221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 2224)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\System32\CompPkgSrv.exe  (PID 1488)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

[1] C:\Windows\system32\AUDIODG.EXE  (PID 4468)
    cmd: C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
    - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\system32\svchost.exe  (PID 4204)
    cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

[1] C:\Windows\System32\rundll32.exe  (PID 2636)
    cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 55540a230bdab55187a841cfe1aa1545
SHA1: 363e4734f757bdeb89868efe94907774a327695e
SHA256: d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512: c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize: 230B
MD5: 437a813327b3d60333ff153b42ab17f8
SHA1: fcc7f22be6ff0d1b9287c7dd194b1958ec6217f6
SHA256: 103942089c668e49f90ce0546b6adad55980c564304b5cf2ec9b7ac2017abbe1
SHA512: ee96e4f926f7ff80ef2b40a54e60dc2f50b47589d7a034db599e930a54f10b0e85995d6921224624421873981ba156bf505226b7f5771781dbcecc985b861dda

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize: 330B
MD5: 7662fcaf70fc5714ccad28ad46cf8802
SHA1: 70760ddbe0e42d9637a81a96bfbf246a19fa067f
SHA256: f867888eb6002610b8dd777fde8a28517da1d4835af4d056b6ce929b8d4d7a46
SHA512: 7dd74d47d4b18c11da6ecdbb624f7c8362ba71e50b6bd3e74411ea7a643aa41b4e1d93772944565fd7e54ae55ecabbbbe315ca1ed4300ffd8d216c131061ff0a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize: 330B
MD5: 45dee8019dcccda6119d7fd42de4b780
SHA1: 0951b22f51e3818eaf84e26491180fedf7f07902
SHA256: 83e65a1e978e9f52ef679783e441486485ad8656b7baf74b145117f75a5d4aee
SHA512: 70c2533166259c03b992b771e157737a3def976ebe6b55cd7cd31e7fac1221c3f5c4f77f7ea2705d4cdfcb07a822dd277be108b78f2f1d198fa357995850b3a8

Filesize: 152B
MD5: 7c194bbd45fc5d3714e8db77e01ac25a
SHA1: e758434417035cccc8891d516854afb4141dd72a
SHA256: 253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3
SHA512: aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Filesize: 152B
MD5: caaacbd78b8e7ebc636ff19241b2b13d
SHA1: 4435edc68c0594ebb8b0aa84b769d566ad913bc8
SHA256: 989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a
SHA512: c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Filesize: 1024KB
MD5: 66e8d3f233fbcef98b88e11acbcf6ba6
SHA1: 2b8b441695468ffcceafc2c4820a64632a98ced3
SHA256: 28e490622aa7aa0a7ca15f3b804ec193205908d99b1402594b08252d71e7c731
SHA512: d151aaa04e68f4f19fc403620eb68525bd3e064b298ac6482917908e14e28f7b9970e8651621c682ec8cd04bf963cd716a5decdc43234863415c9c753015ffdf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 168B
MD5: 0c26c3e8bc2255b6aaf339d83bae45e5
SHA1: ac73883347affd6172ad199df1ef200a9a2fe2af
SHA256: 443d515aa35d6c4c15c170159b25f0de47055220bfc071fe9eb3ecfeac0e033e
SHA512: a02e9703bc1b3a15d61fcd7ff3cb53f8fa1483f83d1e283d3e5a2b5e7ddc38494f1c3e46f2f9393dc2500c2bf80b9b479ac87b7ca1d4431d286ca67976378b37

Filesize: 3KB
MD5: 874964609bf122c20dda7611120d806e
SHA1: 9cdfb9da25870ac1b17630a0e8136c8b3abe8811
SHA256: 5b1756cc9171d480ae586351fd44afcd57de00b3aa0835c334f24981dc6624e7
SHA512: b48ece5819d3c0c8c9b6ec6f909baf4cf69a1631d53215147a9ee540917a2610a5d2ba8ae9dda677228ec0b82196f507f7b6411d6203c3d5cdb2195e07e7df0b

Filesize: 5KB
MD5: e457fef1c6f2ec4ad8301f22c046fa6e
SHA1: e0f586ee8db133336614720ea23585c0b6b13017
SHA256: 6d6634b3cd4f57baf807772f1d860145344e35daf31b055dc3a43d4febc80c99
SHA512: 6c3c892e152abc9709ac786854fe6a4501ae6220d893d88694455434b06e463543c4ed498ec9bab964f8f7c4eb5a5d209c2a0eb65fb99f35c36442fa2ad992bf

Filesize: 6KB
MD5: ef94403d10be40d0a09de81fc1c7c410
SHA1: 13c05c19b03225b27140780c0b5fe129d6079134
SHA256: 60d622f2dcc28f3b185692f02298c74e0202a79f956b111eb88005d02d44ce86
SHA512: c0853bc44851a756e88336d02d1e06e86e6be585fbe33cbd0b1db528a722c89f378c414b34a6a4865e9cead74dc9e84e72380afcd688acdee48597ae01dc2160

Filesize: 7KB
MD5: 5e26adbe7cd230d522d1278ee48a2983
SHA1: b2b7ec548dfcedfd65ff29fcd4b7fc774c27caee
SHA256: b09298f22fd0e4f1c98c33117ed8d334c12f7e865e961a989b8c886550fbb391
SHA512: 1ce4b36febf5b5a13f3be5a03b02a80be608ea847bb20aeb063ed21cba683c2e77fa7ed55ee2a4b4581fdef3e9e6fb28685f3bbdf8e993d1f7be60cf79cb4542

Filesize: 8KB
MD5: 5c1e6d1f03a0fbcc17a847e99aeff355
SHA1: 7389dbf888d091604060a73c6500c1e136293532
SHA256: f83941fc650f1a17dc92bdd6900979fca809cbaec979f70c6647f55c706a1640
SHA512: 8c40774fed8c74faed274f6e7eba2f5f2972e29aa68bac4da8227fe60f3217a20baccbb2d64d133a7dc9652d64839d72bcd92ceb33992f5b7da511d39fd6bda7

Filesize: 5KB
MD5: be46b326f7dd75fc5aeb79b38f97dfcb
SHA1: 1eebb56330fa2be299615d5d520c559f8a8384eb
SHA256: 2c4be4996665575bdd7e7790a6f1cfddbb91fb181323d6c327c2121d92ce93d0
SHA512: 641ad69264f384e5406ea512bba376f7482adc697473761db31197bcf260f2c19b1caf79fbc354add780178c7c74df5ee19e8affbbc4c378c5c16a5af5a0ced9

Filesize: 3KB
MD5: 7a7ff88f5c53e46c3d25f2c2ce64b7ab
SHA1: 021627662c710d7001b3d4248cc8cf230a2c0d58
SHA256: 7cc5ff1538a4b6cf9843fbbddc6ad0d9c5f8a097c7d8518abba9e2b68e825fb6
SHA512: d617c39d986e971c5c209a4573a198842f312ee6a7a36095a134f79418c579df1df8632c47185c7a12f6e7cf81441414fc07837f2999816269ef9382f5416fa8

Filesize: 5KB
MD5: d2c3f5116413133bab16a497c9d7b38e
SHA1: ab32f97a11fb8e716bca91b1bd71c4247afb2c76
SHA256: 6583263ec77d5b540be7c34d7c381afdb35a207d1e85f8a3c07c8fee834c3d3e
SHA512: f80553f935c7e139d84e08c09ab90b7db71a83eb22e8bd8d9df877f14b4332962776042966404a77526d04d4a3978b259f444257aacf0a8e2dd5048dc5237ccf

Filesize: 370B
MD5: 0fd17b6d020b1c2e87c58a2f4df9c978
SHA1: 11a2bdca6caf4a67f73c6f6b67dc95e0d6b77a4c
SHA256: 171cde9ece8216e1cb0c7bb00d06b2d9be1e3cbb53044fcc5945a8ed77051f1b
SHA512: 798ffc335540adf6888d18e75fbda03512ee8d3890a00d177644c5bb68732e8a2a3d14f943758150ea3d33181effda70066d3943b33ee53c6540822dc074df14

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 48334c3d09ad89dd46157be606e209e1
SHA1: 38934db3137a61d91f327360914c3251f5a06e3b
SHA256: b22840aba6cc55c369a0258dec8cd45a5ef3cca1d3c63929a9f9b8fc53d6e311
SHA512: ef6c5673d655d711fc43edb67cb14f925921633be2e6b853124590d347b86d6e5f684562c78454b26e5f7383efb38730316556b4bffb176621b1a30a8ca6f56c

Filesize: 11KB
MD5: 8e6b18002005c255d22b96a3b61744c3
SHA1: 37552e38cef42e8958c08f81f37789dd0e679d6c
SHA256: c78fa2e09ae407bf3a3d1a01f8499150bc3e674bc4bf613f16d78d2cf39b0dc5
SHA512: 1968cfb4ac82546e20eef12a32ab0fecf78df2af26548216b355de5f0492819515775f2d211e66926148bde9a4ea597cc1459765f76c8dfac39b9b86116cbfc9

Filesize: 11KB
MD5: b4e8224dfc0192016c03756c3f6a3e69
SHA1: 2b5b39b3179c71ebf68a0531b6513421be30b1bf
SHA256: 55712c2f6e000cddd0539adfd7844412479534b61147403df06216142afe5a2a
SHA512: 6562bfe069019f97682c83a61fd0948b1d0f615116adca554b84b8136a93cc38d3366cf5c6499274ec9a820d33e0473d2011601fad6d221044395f87019ef92d

Filesize: 123B
MD5: 75fb4ad145331b3459b27fcdfc7e4dd2
SHA1: cc37045d978c0c8cc179d3fefa0bd3faf8effa3c
SHA256: 241fa2e7f5d19219c6ab4e560f546257d29a56ed061c95633a6e6e3106717853
SHA512: aad2236a20b9c745e41d9e5d4027a90f995a5bb5593209e415f673c16c4fd852742e7b1d800eb2c16b8954108bd9498a93ba4304fab254464efa265bd9c48a72

Filesize: 121B
MD5: e021d670cd8b924e08b2c9c07db0eae6
SHA1: d4ccb33b0381fc080575a9e84b6e59ce1de2b5db
SHA256: a971a71157f0051a20ebd9f79e8991ec1da42a9ca3ff3e0819782ddc7b3ab60f
SHA512: 8a9475ea7e901f80cc21933a375ebb57ad38519c2ac24ec302ab9f8d6e4301cfd70511f63a2a8e35a3da5a857be14556aee082c4e8a0fefb620201cfb924ccd4

Filesize: 60KB
MD5: 347ac3b6b791054de3e5720a7144a977
SHA1: 413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256: 301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA512: 9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Filesize: 401KB
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512: f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113