Analysis
- max time kernel: 1706s
- max time network: 1713s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25/07/2024, 18:10
Static task: static1
Behavioral task: behavioral1
- Sample: Setup (1).msi
- Resource: win7-20240705-en
General
- Target: Setup (1).msi
- Size: 4.4MB
- MD5: c4de73561e5d359aee3e8626434f95c7
- SHA1: 1020b4a315ddc4dfd4132315a98b0a15212068ed
- SHA256: 036a82bb69b5354a85df9eac8c66a44ae82294a1aea105e2e51da1a4a87cdb84
- SHA512: 25f6186f44f19bbf7dbca2df6c29753ee80281080d7e032faeae9d2d60cbcd3bf1268dd8fb4bd882bc18ee8b7ef61446a68fc290f1dbab900c4df9e869372c61
- SSDEEP: 98304:eVHYDgBzP/in0iuWhi+l4OLGIHi6h9iM:+ZzPqn0iZiuHfiM
Malware Config
Signatures
Blocklisted process makes network request (4 IoCs)
- flow 5, pid 3316, msiexec.exe
- flow 8, pid 3316, msiexec.exe
- flow 10, pid 3316, msiexec.exe
- flow 48, pid 2280, powershell.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (each of these 23 drive letters opened twice, 46 entries in total; C:, D: and F: do not appear)
Drops file in Program Files directory (2 IoCs)
- File opened for modification: C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.ini (msiexec.exe)
- File created: C:\Program Files (x86)\World Wide Solutions\World Wide Web\WorldWideWeb.exe (msiexec.exe)
Drops file in Windows directory (14 IoCs)
- File opened for modification: C:\Windows\Installer\MSICA07.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICAA4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICD0A.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIE120.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e57c95b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e57c95b.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICC2D.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICAC4.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICAF4.tmp (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{311288D1-772B-4E78-91B8-0A2E9C2BAEA9} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSICC3E.tmp (msiexec.exe)
Loads dropped DLL (17 IoCs)
- pid 2816, MsiExec.exe (10 entries)
- pid 3856, MsiExec.exe (6 entries)
- pid 1732, MsiExec.exe (1 entry)
Command and Scripting Interpreter: PowerShell
- pid 2280, powershell.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe, 3 entries)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not retained in this copy of the report] (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies data under HKEY_USERS (3 IoCs)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (15 IoCs)
- pid 1028, msiexec.exe (2 entries)
- pid 2280, powershell.exe (3 entries)
- pid 2432, msedge.exe (2 entries)
- pid 1736, msedge.exe (2 entries)
- pid 5152, identity_helper.exe (2 entries)
- pid 5132, msedge.exe (4 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
- pid 1736, msedge.exe (6 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
- pid 1028, msiexec.exe: Token: SeSecurityPrivilege (1 entry)
- pid 3316, msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, followed by the set below requested twice in full and a third time only as far as SeLockMemoryPrivilege, where the listing stops at its 64th entry: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Suspicious use of FindShellTrayWindow (27 IoCs)
- pid 3316, msiexec.exe (2 entries)
- pid 1736, msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- pid 1736, msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 1028 (msiexec.exe) wrote to memory of 2816, procid_target 87 (3 entries)
- PID 1028 (msiexec.exe) wrote to memory of 3744, procid_target 103 (2 entries)
- PID 1028 (msiexec.exe) wrote to memory of 3856, procid_target 105 (3 entries)
- PID 3856 (MsiExec.exe) wrote to memory of 2280, procid_target 106 (2 entries)
- PID 2280 (powershell.exe) wrote to memory of 1736, procid_target 108 (2 entries)
- PID 1736 (msedge.exe) wrote to memory of 4572, procid_target 109 (2 entries)
- PID 1028 (msiexec.exe) wrote to memory of 1732, procid_target 110 (3 entries)
- PID 1736 (msedge.exe) wrote to memory of 4960, procid_target 111 (40 entries)
- PID 1736 (msedge.exe) wrote to memory of 2432, procid_target 112 (2 entries)
- PID 1736 (msedge.exe) wrote to memory of 776, procid_target 113 (5 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by parent/child depth)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Setup (1).msi"
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  PID:3316
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  PID:1028
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8922498AECA8DAA2DD3BDE101B93846C C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
    PID:2816
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:3744
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6EC1E98E48512F604CFE20213856CA38
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    PID:3856
    - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssCEEC.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCED9.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCEDA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCEDB.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
      Signatures: Blocklisted process makes network request; Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID:2280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://start.artificusbrowser.com/notification/?verify=110mrdd1721931110
        Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
        PID:1736
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9b04f46f8,0x7ff9b04f4708,0x7ff9b04f4718
          PID:4572
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
          PID:4960
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID:2432
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
          PID:776
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
          PID:2560
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
          PID:4968
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
          PID:1784
        - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID:5152
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
          PID:5172
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
          PID:5180
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
          PID:5656
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
          PID:5664
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9723285858152355042,12535267456780150598,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2388 /prefetch:2
          Signatures: Suspicious behavior: EnumeratesProcesses
          PID:5132
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 79EE20BDEE88F384C7D81FCF08C9B70E E Global\MSI0000
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
    PID:1732
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
  PID:1504
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:404
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:2344
Downloads