Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system -
submitted
17/02/2025, 01:53
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://scanpaq.com
Resource
win10v2004-20250211-en
General
-
Target
http://scanpaq.com
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 83 3976 Process not Found 53 4060 Process not Found -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 8 IoCs
pid Process 1308 setup.exe 3680 setup.exe 1560 setup.exe 4988 setup.exe 3984 setup.exe 4764 setup.exe 624 setup.exe 2164 setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\notification_helper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\ffmpeg.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ca-Es-VALENCIA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\Analytics setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\canary.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\internal.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\nl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\edge_feedback\mf_trace.wprp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_helper.exe setup.exe File opened for modification C:\Program Files\msedge_installer.log setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\lo.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\vi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\sv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\prefs_enclave_x64.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\eu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ml.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_200_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\sr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Dev.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedgewebview2.exe.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\lt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3984_13384230934114884_3984.pma setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\LogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\libEGL.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\gu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\LogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Analytics setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\metadata setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\is.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\gd.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\hu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ja.pak setup.exe File opened for modification C:\Program Files\msedge_installer.log setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\oneds.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1560_13384230933560485_1560.pma setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\es-419.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\mip_core.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\LICENSE setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ro.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\EBWebView\x64\EmbeddedBrowserWebView.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\TransparentAdvertisers setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\metadata setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\dev.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\eu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\libGLESv2.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\onnxruntime.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Edge.dat setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\es.pak setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\resources.pri setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1460 MicrosoftEdgeUpdate.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\notification_click_helper.exe" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mht setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\PdfPreview\\PdfPreviewHandler.dll" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\notification_helper.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml setup.exe Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 3972 msedge.exe 3972 msedge.exe 3684 msedge.exe 3684 msedge.exe 3088 msedge.exe 3088 msedge.exe 3088 msedge.exe 3088 msedge.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: 33 1308 setup.exe Token: SeIncBasePriorityPrivilege 1308 setup.exe Token: SeDebugPrivilege 2872 taskmgr.exe Token: SeSystemProfilePrivilege 2872 taskmgr.exe Token: SeCreateGlobalPrivilege 2872 taskmgr.exe Token: 33 2872 taskmgr.exe Token: SeIncBasePriorityPrivilege 2872 taskmgr.exe -
Suspicious use of FindShellTrayWindow 63 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe -
Suspicious use of SendNotifyMessage 62 IoCs
pid Process 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 3684 msedge.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe 2872 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3684 wrote to memory of 4224 3684 msedge.exe 88 PID 3684 wrote to memory of 4224 3684 msedge.exe 88 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 4660 3684 msedge.exe 89 PID 3684 wrote to memory of 3972 3684 msedge.exe 90 PID 3684 wrote to memory of 3972 3684 msedge.exe 90 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 PID 3684 wrote to memory of 2160 3684 msedge.exe 91 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://scanpaq.com1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaa9b46f8,0x7fffaa9b4708,0x7fffaa9b47182⤵PID:4224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:22⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:82⤵PID:2160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:12⤵PID:440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:12⤵PID:1252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:12⤵PID:2980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵PID:1644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:82⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:3480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:12⤵PID:4496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:12⤵PID:2476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵PID:4808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,4846186111619193268,12424869990905584567,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2848 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3088
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3444
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3744
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REI0NkE1MTQtODM3MS00M0I5LTg0NTktQTkzNzlGOTEwRkFBfSIgdXNlcmlkPSJ7N0YwMTVFQTgtNTcxRS00NDI3LUI4NTYtMzY2NjY5M0FFQ0QyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjQ3NkM4QTEtNkY5MC00OTRCLUEyNTUtNEE1QjhGOUM1NEE2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODIxNjkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1MzE4NTEwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODk0MjI1NjMzIi8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1460
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\MicrosoftEdge_X64_133.0.3065.69.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵PID:1476
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1308 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cc3a6a68,0x7ff6cc3a6a74,0x7ff6cc3a6a803⤵
- Executes dropped EXE
PID:3680
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1560 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6cc3a6a68,0x7ff6cc3a6a74,0x7ff6cc3a6a804⤵
- Executes dropped EXE
PID:4988
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3984 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75da96a68,0x7ff75da96a74,0x7ff75da96a804⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2164
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
PID:4764 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff75da96a68,0x7ff75da96a74,0x7ff75da96a804⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:624
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2872
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{17C6F295-5216-49F1-B1A3-F67827F267FC}\EDGEMITMP_183ED.tmp\setup.exe
Filesize6.8MB
MD5bdb1aecedc15fc82a63083452dad45c2
SHA1a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb
SHA2564ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f
SHA51250909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d
-
Filesize
71KB
MD5acea84796b55793672e761524cff4b8d
SHA110e1fef863847db4aed32745f0b7993c02feaf2c
SHA256bc04e65767739c44fea4ce9d87b364533fec92a6de8a461e8aa4976c0e578bd3
SHA5127b338dab5d8e3584abbc591ea81aa0029639c35ab527f1b793eb6c6bf5fc5c4877c15395dcdf7f7694372701c92e95a745d53762968419fecbee87e7820c0440
-
Filesize
99KB
MD54cf3d6769583fc83f717b32d28d2d9be
SHA1d6a1bbfe54ab30cd6e2ac9a01a46cb25450890ff
SHA25625d567382efa5104891229bf215a001b5c670a5a5ef5c734ec6a69ab81e785ae
SHA512a5655afc15b26b85d95fdf58b82d2b853a2f4ecf8487b565a11fb7ca301d89f78b7ce327b53c257e733ff4da6586c3614e6059384d814f96ef0765b4778a4795
-
Filesize
102KB
MD592b129211b60620e76ac15bf71587e06
SHA12fae59ba86bfb75e668b4c7a0ee926185207df64
SHA256cf39374272a0481a6020cbc818553ca227ce54ea56891ee676160aedab04f831
SHA5120269eea34ae18f253aa307b83e661812eb512edcd8643a759a9ee3f6d1bef244061bf0f328de9a1123c5f5f6cdf7f3ad71c4a4c12388e19a9d5f751b51430191
-
Filesize
152B
MD5801be0c9974f5b19e11410cdca27cef7
SHA131a5e111c6f20b94362d662d101cca5edb64b401
SHA2569a89f5f26ff7dea0fd13726ed7d8e9dc9535288c75b25eaa6bc254324aa5e36e
SHA5124bfb4783ca4f9e0affe002b2dbafc3f40e1e051cd5e8a787f6a926e467f307ee253c8a84a43b6882a2b1d11f8e17bdb02c4d74247a1e1716a65ab74df7fc1135
-
Filesize
152B
MD56393f79a5df6261cd25a71a1c7cf2a13
SHA1881fc5e01962af69cd5cfb630a37f2e7da96e95c
SHA256551698eed11cef04d0a7bf97ad2c84e78cd45d1e984d104c95b825959d9b9674
SHA512f9f2b59ed4a20270213d3ce4883ada26edf911df2928fc6f6572812ef70103c61497a8ae4b75c4bcbd6048e90e329b4bf00d07b2d22b5a0c5fb67c9781373852
-
Filesize
6KB
MD5da66d616b4a3aa2bdb3d6932a87ad48b
SHA1aab5b6395bbf81e5fd0a5d45e32111a9eb82faa0
SHA25652d5914b83623b78b9438d5a9dc383500a8e7bc2b49e1c6cd1ba3196fd1892e6
SHA512ae1136c11ebf0772c2402d537331d29dc232f5ed29b4145f8325ed87e5c6792ffa3520ad345c27d25760bd7a8a9cb1a044542398db473eff441a445a0b65704e
-
Filesize
6KB
MD5f46820a4858f328c2a1d7fa53fb6e9fe
SHA1c0da45828aa2641fa78ff86b5240f4cda02e5cab
SHA2564d9cff5bf083186b7722da0d611e9467bc32b5a7fb6cc387e6e4caa699911bde
SHA5127a4bf4233a5e7a6090fee39ce5033fb234f46241d0691583f10754354260572b537759e1aeecf9cdcbb396c715c196278ec766181a0ab17a129f9fe613de7541
-
Filesize
6KB
MD516d70f9f5188d6cf03803d5722d422d5
SHA16e4dcab29b0b4d37b602fcb46134cd0d8a5e5de4
SHA2568e191916d1bd850225da6ed592f668502e844a4ea41d9f65d4832c096763579d
SHA5127172072b288a5c9113db638b0baabd49ced01aab611d52f46725fdda72080b4f1c846fb60bd7997166c7dba1c781ec6937449d1a912fed132ab45545c29def9a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD59f09f454a73a2c2b576c6a0f2f3cd5fb
SHA1169c746a183199324645824bd7618c8b0fc82588
SHA256f32e5dfa282dc767eeb82009a946eb8ea96befa798cc30d51b94611a53236cd9
SHA512ee46a5bd1dea857873d605c88324202d80c1f04db61c634443fa75ecc2f2f607e8ae69cb380d5270f195abbd36aa9d0c2c940ab7b7f8e0840c2b135a615e2d31
-
Filesize
11KB
MD561589d2f6ce53a1353e6f9934b32cf1b
SHA1b4cfa367aed0362b993202210b34be9ace929fb2
SHA256f41ddcbb3ab1c87c95d2d9b8edb39eec69ec828bbf758688a3537b79aa4f2e01
SHA51248f48610938bdfaa0c9077639b99ad72481658458cb9d663098375de427745c2c9fbdc3f36826290d0f08e7f9c99ae8e7c816162049f641904fdfa7c45e38bd4