Analysis

- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2025, 12:14
Behavioral task: behavioral1
- Sample: cum.exe
- Resource: win7-20240903-en

(The analysis metadata above, the behavioral2 yara path under Signatures and the process tree below are from the Windows 10 run; behavioral1 is the Windows 7 task.)
General

- Target: cum.exe
- Size: 63KB
- MD5: 6ae8830520e0bf079fc97aa207673ac6
- SHA1: 8eab31bfba85b5847573bda4257f79c607f0c297
- SHA256: f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c
- SHA512: cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596
- SSDEEP: 1536:+62ZBUFWbPZEYUbeM9odcrXuEdpqKmY7:+62CWbP6YUbe1cr5Gz
Malware Config

Extracted: asyncrat (Default)

- C2 hosts:
  - 127.0.0.1:1337
  - 127.0.0.1:26550
  - 147.185.221.24:1337
  - 147.185.221.24:26550
- delay: 3
- install: true
- install_file: hawktuah.exe
- install_folder: %AppData%

The two 127.0.0.1 entries are loopback and cannot be reached from a victim host; the only routable C2 in this config is 147.185.221.24 on ports 1337 and 26550. The remaining fields line up with the process tree below: install=true with install_folder %AppData% (which expands to C:\Users\<user>\AppData\Roaming) and install_file hawktuah.exe produce the C:\Users\Admin\AppData\Roaming\hawktuah.exe copy, and delay 3 is the "timeout 3" the install batch file runs before launching it.
Signatures

- Asyncrat family

- Async RAT payload (1 IoC)
  resource: behavioral2/files/0x0005000000022f6b-108.dat, yara_rule: family_asyncrat

- A potential corporate email address has been identified in the URL: [email protected]
  (the address itself is not shown on the page)

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation (process: cum.exe)

- Executes dropped EXE (1 IoC)
  pid 1160, hawktuah.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Delays execution with timeout.exe (1 IoC)
  pid 1892, timeout.exe

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
  All three hits come from msedge.exe, not from the sample or its dropped copy.

- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 1424, schtasks.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / process, collapsed to unique pairs: 4460 msedge.exe; 3280 msedge.exe; 5080 cum.exe; 1160 hawktuah.exe

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
  all 16 entries: pid 3280, msedge.exe

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Token SeDebugPrivilege: pid 5080, cum.exe
  Token SeDebugPrivilege: pid 1160, hawktuah.exe
  Token 33: pid 5548, AUDIODG.EXE
  Token SeIncBasePriorityPrivilege: pid 5548, AUDIODG.EXE

- Suspicious use of FindShellTrayWindow (52 IoCs)
  all 52 entries: pid 3280, msedge.exe

- Suspicious use of SendNotifyMessage (48 IoCs)
  all 48 entries: pid 3280, msedge.exe

- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 entries are pid 3280 (msedge.exe) writing into its own child processes; collapsed to unique targets: PID 3024 (procid_target 86), PID 4036 (87), PID 4460 (88), PID 532 (89).

- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Of the signatures above, only Asyncrat family, Async RAT payload, Checks computer location settings, Executes dropped EXE, Delays execution with timeout.exe, Scheduled Task and the SeDebugPrivilege entries are attributable to cum.exe / hawktuah.exe; the msedge.exe and AUDIODG.EXE hits are from top-level sandbox processes (see the process tree).
Processes

Process tree, indented by the report's depth markers (1 = top level). msedge.exe, CompPkgSrv.exe and AUDIODG.EXE are top-level processes, not children of the sample.

C:\Users\Admin\AppData\Local\Temp\cum.exe (PID 5080)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\cum.exe"
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\cmd.exe (PID 1500)
        cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"' & exit
        C:\Windows\system32\schtasks.exe (PID 1424)
            cmdline: schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"'
            - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe (PID 4228)
        cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE32.tmp.bat""
        C:\Windows\system32\timeout.exe (PID 1892)
            cmdline: timeout 3
            - Delays execution with timeout.exe
        C:\Users\Admin\AppData\Roaming\hawktuah.exe (PID 1160)
            cmdline: "C:\Users\Admin\AppData\Roaming\hawktuah.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3280)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3024)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d98546f8,0x7ff8d9854708,0x7ff8d9854718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4460)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 532)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2544)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4968)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 776)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4136)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4008)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2852)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3036)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3444)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3076)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2736)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1296)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 736)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5468)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5772)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5936)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5944)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5452)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6844 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5520)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5720)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe (PID 2560)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 3948)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE (PID 5548)
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x500 0x320
    - Suspicious use of AdjustPrivilegeToken
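The three behaviours the sample shows in the tree above (schtasks persistence into %AppData%, the tmp*.bat + timeout + relaunch stub, and the Geo\Nation registry lookup) are cheap to detect from process-creation and registry telemetry. The following is an added example written for this page, not tria.ge code: it runs three rules over a constructed event list whose PIDs and command lines are copied from the report. The parent PID 1000, the explorer.exe Geo\Nation event and the allowlist of shell/service images are assumptions added for the benign cases.

```python
"""Added detection example (not tria.ge code): flag the AsyncRAT install chain from this report
over constructed process-creation and registry-query events."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (process creation) or "registry" (value query)
    pid: int
    ppid: int
    image: str         # full path of the acting process
    cmdline: str = ""  # process events only
    target: str = ""   # registry path, registry events only


# The schtasks arguments exactly as they appear in the report's process tree.
SCHTASKS_ARGS = r"""/create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"' """.strip()

# Constructed event log modelled on the process tree above. PIDs and command lines are copied
# from the report; parent PID 1000 for the top-level processes and the explorer.exe registry
# event are assumptions added to exercise the benign paths.
EVENTS = [
    Event("process", 5080, 1000, r"C:\Users\Admin\AppData\Local\Temp\cum.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\cum.exe"'),
    Event("registry", 5080, 1000, r"C:\Users\Admin\AppData\Local\Temp\cum.exe",
          target=r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"),
    Event("process", 1500, 5080, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c schtasks ' + SCHTASKS_ARGS + " & exit"),
    Event("process", 1424, 1500, r"C:\Windows\system32\schtasks.exe", "schtasks " + SCHTASKS_ARGS),
    Event("process", 4228, 5080, r"C:\Windows\system32\cmd.exe",
          r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE32.tmp.bat""'),
    Event("process", 1892, 4228, r"C:\Windows\system32\timeout.exe", "timeout 3"),
    Event("process", 1160, 4228, r"C:\Users\Admin\AppData\Roaming\hawktuah.exe",
          r'"C:\Users\Admin\AppData\Roaming\hawktuah.exe"'),
    # Benign noise that must not fire: the sandbox's top-level Edge session and a shell Geo lookup.
    Event("process", 3280, 1000, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'),
    Event("registry", 1000, 4, r"C:\Windows\explorer.exe",
          target=r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation"),
]

# %AppData% expands to <profile>\AppData\Roaming, the install_folder in the extracted config.
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\|%AppData%", re.IGNORECASE)
TMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\"\s]+\.bat", re.IGNORECASE)
TR_RE = re.compile(r"""/tr\s+'?"?([^'"]+)""", re.IGNORECASE)   # action path of /tr, quotes stripped
GEO_NATION_SUFFIX = r"\control panel\international\geo\nation"


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_schtasks_persistence(events):
    """schtasks.exe creating a highest-privilege logon task whose action lives under %AppData%."""
    hits = []
    for e in events:
        if e.kind != "process" or _basename(e.image) != "schtasks.exe":
            continue
        cl = e.cmdline.lower()
        if not ("/create" in cl and "/sc onlogon" in cl and "/rl highest" in cl):
            continue
        m = TR_RE.search(e.cmdline)
        if m and APPDATA_RE.search(m.group(1)):
            hits.append((e.pid, m.group(1)))
    return hits


def find_batch_delay_relaunch(events):
    """cmd.exe running a %Temp%\\*.bat that spawns timeout.exe plus an exe from AppData\\Roaming:
    the install stub (delay 3 in the extracted config is the 'timeout 3' child)."""
    children = {}
    for e in events:
        if e.kind == "process":
            children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if e.kind != "process" or _basename(e.image) != "cmd.exe" or not TMP_BAT_RE.search(e.cmdline):
            continue
        kids = children.get(e.pid, [])
        delayed = any(_basename(k.image) == "timeout.exe" for k in kids)
        launched = [k.image for k in kids if APPDATA_RE.search(k.image)]
        if delayed and launched:
            hits.append((e.pid, launched[0]))
    return hits


def find_geofence_lookups(events, allowlist=("explorer.exe", "svchost.exe")):
    """Geo\\Nation value queries by anything other than the (assumed) allowlisted shell/service images."""
    return [(e.pid, _basename(e.image)) for e in events
            if e.kind == "registry"
            and e.target.lower().endswith(GEO_NATION_SUFFIX)
            and _basename(e.image) not in allowlist]


def triage(events):
    return {
        "schtasks_persistence": find_schtasks_persistence(events),
        "batch_delay_relaunch": find_batch_delay_relaunch(events),
        "geofence_lookup": find_geofence_lookups(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

Run against the constructed events, the three rules return schtasks PID 1424 with action C:\Users\Admin\AppData\Roaming\hawktuah.exe, cmd.exe PID 4228 relaunching that same path, and the Geo\Nation lookup by cum.exe (PID 5080); the Edge session and the explorer.exe lookup produce nothing. The parent/child join in find_batch_delay_relaunch is what separates this stub from an ordinary administrative batch file: a .bat in %Temp% alone is common, a .bat whose only children are timeout.exe and a fresh executable under AppData\Roaming is not.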
Network
MITRE ATT&CK Enterprise v15
Downloads

Files written during the run. Most entries carry no path on the page; the three that do are Edge cache indexes. The final 63KB entry has exactly the hashes of the submitted sample, i.e. it is a byte-for-byte copy of cum.exe (no path is given on the page).

- Filesize: 152B
  MD5: bffcefacce25cd03f3d5c9446ddb903d
  SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
  SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
  SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

- Filesize: 152B
  MD5: d22073dea53e79d9b824f27ac5e9813e
  SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
  SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
  SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

- Filesize: 215KB
  MD5: d79b35ccf8e6af6714eb612714349097
  SHA1: eb3ccc9ed29830df42f3fd129951cb8b791aaf98
  SHA256: c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
  SHA512: f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 2bd6e5f4658a6fd24a758ebad474b4bd
  SHA1: 3ef52bd166eedcbec01407c4a3c055c4b2a970d4
  SHA256: ac937674755c467119a1232cadfa5c465319a09d51cce7fc3828e5f6594a193a
  SHA512: e809cbbd165194b68bfd67041c9bbeecc3eb09363e39c3431ba29cad2916d2c17688cdfb1115b93cf7db59e4f0403fece18fd30dc928417713909578b4c5840a

- Filesize: 3KB
  MD5: 31235b2c67ddf3c4deba37ea76ef190d
  SHA1: 954ede41f8cae9159d1814ac2c467c6e97c23376
  SHA256: a8bc2f56d4a8b1274bd0c443ac346d959756fa4b5da90b5ea6e4bdbf8c6476af
  SHA512: c1b7bf15ffcfa782b09533455da8f0d1b7ffd4c6808172518c96f2ad81fad7ea335bc3b28cd0662a04583964ca897f57a76418aa0bb5e7cb8af6e42a837d5606

- Filesize: 7KB
  MD5: 01352c766526ecaea1833b2a0ead7f2d
  SHA1: e5afbe81a58247314fe606337eaf4b6eda2bd2da
  SHA256: 172b1da5cb96998c49fdc8c98f1f75893bd46ee4294ecb04327022ad079a3bcc
  SHA512: e74111010d6c6a9237aac9d4b1c2c1fb543a478eec8a8400e7eda44b794d84b98c759fe3fd92cbd205e5976360114677c5a1bd6b51727fba90f4ad37707ca14a

- Filesize: 5KB
  MD5: 640f4e8d61ea4bd87af8301387bcbbc3
  SHA1: 92d5855889d5cd3fe58cd1888d24d142ce61e137
  SHA256: 83be6b381090129794c37892cc10fdc65270f64192db7cd7b505671100b36c57
  SHA512: 136fb14070f38f5e11ce688de05ffdd1ba2bbd78de4091810fd52f2cb25f59b56638e5d912b9da81387cb783e981b5123c4c3e9eae772490b4423027b8d49c3b

- Filesize: 7KB
  MD5: b95fbd760841669aa9e44f354c4f4268
  SHA1: caa752a062b24d69c9baa821656333149e0366ec
  SHA256: 403f271efd049c7bffbae4a416c6f4f0beea3de539b287b803b4c5d92008e719
  SHA512: b28511d71c334786a53faad53a2c6989ec685f06134512c622c57bb7a7aff6f6d44c00a7b2149314c6c54a552148c72992bdc866167832e84ea84dc396e4afdb

- Filesize: 8KB
  MD5: a6690fe67c49f2f8bcdfe290e787d5f0
  SHA1: 0235afc1a7fe1d8975a0f30c3e9958ace00ddb3d
  SHA256: 87f66209c779a1db47c9fa1e097f657f45910ab64ca28ff0328b686506889a6a
  SHA512: d4453e517c819b6be845ca813c4eebfe01e1543ef31d89cd15683d543cf43bd51dca5b349bd53f0ff67b46969cfc5c6c543867e3c6e0399898493031d098777d

- Filesize: 8KB
  MD5: b40be2cd3b29dcab2336af93631bfbfb
  SHA1: b6903c24e18855eec27e2eb05424d101c89ab29d
  SHA256: 4289da47b420f06b44917ca996375ce66e60d1f335cb1d8a0ae3d414d80ae30a
  SHA512: 3d9f7747ffdc76365c6f709f0a18c797687153159ceb58181dc06d23d3275416584164919147c662808edeb42edf007cbbd5ca57c2431fa37f26e98be6c42524

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize: 96B
  MD5: 353e9d141292a045f4ae8b3f1a98c8f4
  SHA1: 4376a20191367b9c11b40825f7dddfe422022e48
  SHA256: f4923c9612673070f00436f4d3f36cce08d4b1fb89b8c294f719e10eb0f9b5a8
  SHA512: 130d65b8917c1deabf7d3f719617dce60cba9ec77f2c8c36561ebd8024eb0c68e7a624fa2092e55740a20e8e8f642558ce1cc3d6ed5ca52dc2214902e8519ab4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581875.TMP
  Filesize: 48B
  MD5: 3afb023486eaeb0086677c029d15e46f
  SHA1: 546ce9bb4ce616cd3aff90be4a2454da2c2b8a6b
  SHA256: eaaa3bc546a95d60f2ed644342f3ac851aff40fdd4fc28b819b3a36dbadac259
  SHA512: eacfc68f0c1336bc01c9af334375f69933bd8e3e11ca7a3801ed5d5b2da064c087c0e82b1040f3cfbb57ee5b4ab8ac8325cc4754601cb0ff3b52da54bc3ffbcb

- Filesize: 1KB
  MD5: 2a41b1c9086dd79c4a651f6f6dd1f8e6
  SHA1: 1727a4b30b995229fd110a33d07a596ab4681fb5
  SHA256: c3ebff775b8abd863676f4abfff3e5af11dbc07f2798927631c2c393108bc047
  SHA512: 416dffafcee11ec32464ac4973cca91c37e0c085ac4303fe5e48d298844665ca16ebf07a302b641e15ea5ea0f1b79b7d0c4c8927669f6837c8f13017aaf8566e

- Filesize: 1KB
  MD5: 4705dc78a550663e71290f3b40f05ba7
  SHA1: 6746d09bbc4cbf700b406a662a0fb0c107211deb
  SHA256: 9b4cee726ebf76738219a02f4f06e7af3e709edc6cf141ed906c7dd995a72111
  SHA512: dd30f364e3f785aa24c94b8072c13147fc7e7e10598d15af54f912b9c9831c8f3c9a5ad24cd04c307baba95744a1ca6920f2c59784810ee4a6d482133b3a94ef

- Filesize: 1KB
  MD5: ebe6423b99b36352d9867c3403b7b1e0
  SHA1: d253625ed2ebb593e0f328a9d9af93e98d945d2d
  SHA256: 276c5bb525d9b23c0c0dc78f67bdb8a9eccfe5dd0c3c44b80ddadf309e0d0148
  SHA512: d50c8b5646871de23d1ee9bdc3640fa484f1105f4cca02e1d199ec45f07bb6e8b8283d4ce77d2093c840d98a57c8d07b63544de82ba2b8a8484fadf7e29ee397

- Filesize: 870B
  MD5: b529360fd9a53cf68b6df4a1b873402f
  SHA1: bb29703271fa75b3a00f992bbe7be755f0e5b89b
  SHA256: b08b050e7d715afab7413c5dd6a8f855e1f96c72a00deeffa02e360615626c04
  SHA512: ca8f2fbc23150767e1e86a65eb43f7aabd9de0a358c9d67d7aa62fccf54774acefe9acbe0914b4d8c03f324435e80f411b9fb477015742dd40841f131a4b040d

- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

- Filesize: 10KB
  MD5: 4f5f105659e47ff387f988a06a8073f0
  SHA1: 00cb1f5667869449eb596d2e9a9303e871cd58cd
  SHA256: c21f152c5f9e327660ac6c76d4e298e7bc955d48949ee299ee84d6043ca0ccc7
  SHA512: ee7b140d40edaef0da7d172b4930f3c62ff948db1ce85c4643a99c6edc6f45af7760f09dcec2303067ab56e737c4f78538ba150219513e8f577c0338c312dc13

- Filesize: 152B
  MD5: eda4e9d12e3b10c9f99de7b8010e3364
  SHA1: c44532a5b5d03febecc71ba4df998b1385f4e554
  SHA256: 6729eb2cd76a8899952980b2977f2f2e35177dc560e8779f2c7461d4372f1a7b
  SHA512: f3ee8638df2a60361100bb6cc075c22b2126308d602939ef2e722d7aae7886f64a636074d6084b1b7664f1cc12e7aa61676ac2a71bee8044f06c194c1dee9f23

- Filesize: 63KB (identical hashes to the submitted sample cum.exe)
  MD5: 6ae8830520e0bf079fc97aa207673ac6
  SHA1: 8eab31bfba85b5847573bda4257f79c607f0c297
  SHA256: f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c
  SHA512: cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596