Analysis

max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/05/2024, 15:39
Behavioral task: behavioral1
Sample: nursultan nexgen fix.exe
Resource: win7-20240221-en
General

Target: nursultan nexgen fix.exe
Size: 1.5MB
MD5: a3d07c747770c9a471a44446e46e33d5
SHA1: 8340534fb1770bae9660287ddb0496e243efcfe4
SHA256: 16015088c3352a8257f420555e7ce6245aa0e6682deeca79bf7e08c24e1ac3de
SHA512: 307cbdddaa9f426f8ceec060c2c0b1ab5ed3573e327dbcfdda7b1dfd22cf17559f017d835d71bdd15397fa95b0c7dfbfb4cd6b51cd5b2adc1d1cddc8ffe27f99
SSDEEP: 24576:U2G/nvxW3Ww0tpfnNGcvUCxt9groiK5Cg3ZRvm43TzvmF2cK07:UbA30pfnLRRgrheJROuTzvIR
Malware Config
Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
resource | yara_rule
behavioral2/files/0x00070000000233f3-10.dat | dcrat
behavioral2/memory/2832-13-0x0000000000640000-0x0000000000772000-memory.dmp | dcrat

Process spawned unexpected child process (15 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4616 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3304 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2932 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3968 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2312 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4988 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4192 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4136 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 876 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3508 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2796 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3432 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4968 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 1940 | schtasks.exe | 92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4124 | 1940 | schtasks.exe | 92

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | nursultan nexgen fix.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | Containerruntime.exe

Executes dropped EXE (2 IoCs)
pid | Process
2832 | Containerruntime.exe
5008 | StartMenuExperienceHost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (7 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\55b276f4edf653 | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe | Containerruntime.exe
File created | C:\Program Files (x86)\Windows Multimedia Platform\9e8d7a4ca61bd9 | Containerruntime.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\sihost.exe | Containerruntime.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\sihost.exe | Containerruntime.exe
File created | C:\Program Files\Windows Sidebar\Gadgets\66fc9ff0ee96c2 | Containerruntime.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe | Containerruntime.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe | Containerruntime.exe
File created | C:\Windows\Sun\Java\Deployment\c82b8037eab33d | Containerruntime.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 15 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3304 | schtasks.exe
2932 | schtasks.exe
2312 | schtasks.exe
2796 | schtasks.exe
3432 | schtasks.exe
4124 | schtasks.exe
4616 | schtasks.exe
4988 | schtasks.exe
4192 | schtasks.exe
4136 | schtasks.exe
876 | schtasks.exe
3508 | schtasks.exe
3968 | schtasks.exe
4968 | schtasks.exe
1916 | schtasks.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | nursultan nexgen fix.exe

Modifies registry key (1 TTPs, 1 IoCs)
pid | Process
264 | reg.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
pid | Process | count
2832 | Containerruntime.exe | 3
5008 | StartMenuExperienceHost.exe | 13
1416 | msedge.exe | 2
3608 | msedge.exe | 2
4320 | identity_helper.exe | 2

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
5008 | StartMenuExperienceHost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid | Process | count
3608 | msedge.exe | 6

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2832 | Containerruntime.exe
Token: SeDebugPrivilege | 5008 | StartMenuExperienceHost.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
pid | Process | count
3608 | msedge.exe | 25

Suspicious use of SendNotifyMessage (24 IoCs)
pid | Process | count
3608 | msedge.exe | 24

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 4352 wrote to memory of 4356 | 4352 | nursultan nexgen fix.exe | 83 | 3
PID 4356 wrote to memory of 5096 | 4356 | WScript.exe | 94 | 3
PID 5096 wrote to memory of 2832 | 5096 | cmd.exe | 96 | 2
PID 2832 wrote to memory of 5008 | 2832 | Containerruntime.exe | 114 | 2
PID 5096 wrote to memory of 264 | 5096 | cmd.exe | 115 | 3
PID 3608 wrote to memory of 3432 | 3608 | msedge.exe | 122 | 2
PID 3608 wrote to memory of 3068 | 3608 | msedge.exe | 123 | 40
PID 3608 wrote to memory of 1416 | 3608 | msedge.exe | 124 | 2
PID 3608 wrote to memory of 2724 | 3608 | msedge.exe | 125 | 7

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nursultan nexgen fix.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID: 4352

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\portagentbrowserweb\WRLLAAz5wgYRSh1EMNi6f5aM.vbe"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID: 4356

        C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\portagentbrowserweb\6X9rFgrS3wv5iM7PLkmLFP1j.bat" "
          - Suspicious use of WriteProcessMemory
          PID: 5096

            C:\portagentbrowserweb\Containerruntime.exe
              Command line: "C:\portagentbrowserweb\Containerruntime.exe"
              - Checks computer location settings
              - Executes dropped EXE
              - Drops file in Program Files directory
              - Drops file in Windows directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              PID: 2832

                C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe
                  Command line: "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe"
                  - Executes dropped EXE
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious behavior: GetForegroundWindowSpam
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 5008

            C:\Windows\SysWOW64\reg.exe
              Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              - Modifies registry key
              PID: 264

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4616

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3304

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Gadgets\sihost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2932

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3968

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2312

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\WaaSMedicAgent.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4988

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\portagentbrowserweb\services.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4192

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4136

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\portagentbrowserweb\services.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 876

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3508

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 2796

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\StartMenuExperienceHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 3432

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4968

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 1916

C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
  PID: 4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\AssertDebug.htm
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 3608

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6c8346f8,0x7ffa6c834708,0x7ffa6c834718
      PID: 3432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      PID: 3068

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 1416

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
      PID: 2724

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      PID: 952

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      PID: 4956

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
      PID: 2020

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4320

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
      PID: 1008

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      PID: 2900

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      PID: 1432

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10204179118063286447,12940372907972741345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      PID: 404

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3116

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5080
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: ce4c898f8fc7601e2fbc252fdadb5115
SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Filesize: 152B
MD5: 4158365912175436289496136e7912c2
SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Filesize: 5KB
MD5: b63d86330430134881f16eb740bfec17
SHA1: 582f03cb70d6a381504305aaf6ef877f48579df3
SHA256: 63c4c6f4e9ef5fd77dbdec28557c48b8e9ca1babd72681a0de9022a9c537ee09
SHA512: d7c9928d699492695d7e8076c61a75b31df301525605de94d2f75d5559c5c11753e439787bca24ad669761c5838807e77ea910520b37452aa5dcbd3b485812bb

Filesize: 6KB
MD5: 0d4ddbaf33fc04e4da4f0d31c7685613
SHA1: 9738a58bf59882f4962c0504a4ddf20824529769
SHA256: 08bb7d8bde6e97064a608c3cd54fb3acc88e9a7c596e08c86befbd994cad8bab
SHA512: cee53f59d4bca1a35cd39fd82d1e06e5149bafe58d7f4f438007d186a678d96ed5c823d075feeb031071e9eb03dc7eb4875764997293c45aa5c1d5aed92fa269

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 11KB
MD5: 5f564575b62ea655b9f57b0130bb7027
SHA1: 7ab9a07391979286506402bc01b0e65c13715f3c
SHA256: 9353a4144b944dcda4496d80894264ec983fecc4894f15a70d1c967143ed8714
SHA512: c76e8093ef1c48c6cab74aea7437078eefbf2c9ed891d95318afa7ea02a07c37d4238754d2707692eb4488c332d4c408e4554d528e8a4ef0d274a75a86bd3719

Filesize: 157B
MD5: c8f8a078dace2ff4cb106803c9199643
SHA1: a5029ff4c4f0f24b0fbe2951c9a8002501ebd3b5
SHA256: 1b99d39fa273f33b072c67e0df7d33b1699fa17b7c7139467a658302a5ed0e0d
SHA512: efaea3b4653768bbd135a0ec55319df2464f1d440ad982f31a5eff05c5ba5032f4718683ff6419c668bf1f34a117b5a101f56d1efc1d74ad93e692c52686f999

Filesize: 1.2MB
MD5: 5887a563351ca99247b7e2c448bd9f2e
SHA1: b24695e88143863297535989900bb7521ea86d67
SHA256: e74cbd74c838db604926e27322342c02f803b95f98680d4089b5c01ed93fb390
SHA512: b7d82bd09ba64891b75bbb9356de74a1ed0835709a391698c1301825777418f57e4f2ae3c260d3f7b6ada05d0e7ddeb4a6b75901fdf53bdd82ffa2febb685107

Filesize: 220B
MD5: 61a07f2f9e8e9b1f5175b2d60c3e3f18
SHA1: e695b0c2b43c786453bf3f6ae504f0626951d281
SHA256: 5c75708ec9e4fe419a2fd1067bd5793bacb28140177cc6b36300fbf28e7c23d1
SHA512: 8ef3529f6bf504224e7803019f1e162aead7961bc1a5115f50fb5f580570e8b04707da21a7aab4eb7f1554a3b5333597fb3335e5f6a74dabfdb0583eecb35b5d