Analysis
max time kernel: 109s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11/12/2023, 03:36
Static task: static1
Behavioral task: behavioral1
  Sample: e500fa3255076b636b945bdf3c093a58.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: e500fa3255076b636b945bdf3c093a58.exe
  Resource: win10v2004-20231127-en
General
Target: e500fa3255076b636b945bdf3c093a58.exe
Size: 1.2MB
MD5: e500fa3255076b636b945bdf3c093a58
SHA1: 764ea6754ae63d7c8cd71df4eb8f5643800b346a
SHA256: 8f51fd59b46dd511b8f1572c03bdd086c0384a716c88f647161810cda2e5f466
SHA512: 6d42ce03835ccf9bb6b21b6d2a5fe03d6c1f9cebe23a62b519e227d2dc6a257a0cfd3591e60faed9a5c18c868e429d924ed8bf8f5130e1b2f16fc9ca6dde5f3f
SSDEEP: 24576:dybMyPb2d40/FYWr1OzLIZrkyXoDPKLJGNWVSIJnGONqsRFkLUA:4bMO2JWWr1OzLIpoDwXxqsFkL
Malware Config
Extracted (risepro): 193.233.132.51
Extracted (smokeloader): 2022, http://81.19.131.34/fks/index.php
Extracted (redline): @oleh_ps, 176.123.7.190:32927
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (1 IoC)
  resource: behavioral2/memory/8200-649-0x0000000000C70000-0x0000000000CAC000-memory.dmp
  yara_rule: family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
  pid   Process
  1288  UU2rF15.exe
  4028  1Lq08Hr3.exe
  4420  4UI741VD.exe
  2932  6IJ9jb4.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                        Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  e500fa3255076b636b945bdf3c093a58.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  UU2rF15.exe

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource: behavioral2/files/0x00060000000230df-23.dat
  yara_rule: autoit_exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4752  4028        WerFault.exe  92

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                             Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4UI741VD.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4UI741VD.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  4UI741VD.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process            count
  4420  4UI741VD.exe       2
  3312  Process not Found  62

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  4420  4UI741VD.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                        pid   Process            count
  Token: SeShutdownPrivilege         3312  Process not Found  2
  Token: SeCreatePagefilePrivilege   3312  Process not Found  2

Suspicious use of FindShellTrayWindow (11 IoCs)
  pid   Process            count
  2932  6IJ9jb4.exe        6
  3312  Process not Found  4
  3192  msedge.exe         1

Suspicious use of SendNotifyMessage (6 IoCs)
  pid   Process      count
  2932  6IJ9jb4.exe  6

Suspicious use of WriteProcessMemory (64 IoCs)
  description                      pid   Process                               procid_target  count
  PID 2264 wrote to memory of 1288  2264  e500fa3255076b636b945bdf3c093a58.exe  91             3
  PID 1288 wrote to memory of 4028  1288  UU2rF15.exe                           92             3
  PID 1288 wrote to memory of 4420  1288  UU2rF15.exe                           95             3
  PID 2264 wrote to memory of 2932  2264  e500fa3255076b636b945bdf3c093a58.exe  105            3
  PID 2932 wrote to memory of 2584  2932  6IJ9jb4.exe                           106            2
  PID 2932 wrote to memory of 4388  2932  6IJ9jb4.exe                           109            2
  PID 2932 wrote to memory of 2500  2932  6IJ9jb4.exe                           110            2
  PID 4388 wrote to memory of 1428  4388  msedge.exe                            112            2
  PID 2584 wrote to memory of 4484  2584  msedge.exe                            111            2
  PID 2500 wrote to memory of 1888  2500  msedge.exe                            113            2
  PID 2932 wrote to memory of 2840  2932  6IJ9jb4.exe                           114            2
  PID 2840 wrote to memory of 4680  2840  msedge.exe                            115            2
  PID 2932 wrote to memory of 3840  2932  6IJ9jb4.exe                           116            2
  PID 3840 wrote to memory of 3872  3840  msedge.exe                            117            2
  PID 2932 wrote to memory of 4868  2932  6IJ9jb4.exe                           118            2
  PID 4868 wrote to memory of 3664  4868  msedge.exe                            119            2
  PID 2932 wrote to memory of 3656  2932  6IJ9jb4.exe                           120            2
  PID 3656 wrote to memory of 3828  3656  msedge.exe                            121            2
  PID 2932 wrote to memory of 896   2932  6IJ9jb4.exe                           122            2
  PID 896 wrote to memory of 3972   896   msedge.exe                            123            2
  PID 2932 wrote to memory of 3192  2932  6IJ9jb4.exe                           124            2
  PID 3192 wrote to memory of 1632  3192  msedge.exe                            125            2
  PID 2932 wrote to memory of 3684  2932  6IJ9jb4.exe                           126            2
  PID 3684 wrote to memory of 260   3684  msedge.exe                            127            2
  PID 4388 wrote to memory of 5504  4388  msedge.exe                            149            12
Processes
(process tree; the bracketed number is the depth in the tree, each entry lists image path, command line, PID and the signatures triggered by that process)

[1] C:\Users\Admin\AppData\Local\Temp\e500fa3255076b636b945bdf3c093a58.exe
    Command: "C:\Users\Admin\AppData\Local\Temp\e500fa3255076b636b945bdf3c093a58.exe"
    PID: 2264
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UU2rF15.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UU2rF15.exe
      PID: 1288
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lq08Hr3.exe
        Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Lq08Hr3.exe
        PID: 4028
        - Executes dropped EXE

      [4] C:\Windows\SysWOW64\WerFault.exe
          Command: C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 608
          PID: 4752
          - Program crash

    [3] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4UI741VD.exe
        Command: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4UI741VD.exe
        PID: 4420
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IJ9jb4.exe
      Command: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6IJ9jb4.exe
      PID: 2932
      - Executes dropped EXE
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID: 2584
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 4484

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,13068446937756066078,6021852844570923861,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
          PID: 6264

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,13068446937756066078,6021852844570923861,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
          PID: 6196

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        PID: 4388
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 1428

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12106218456587344862,5683428961114174247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          PID: 5524

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12106218456587344862,5683428961114174247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          PID: 5504

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID: 2500
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 1888

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,677222931949727541,18116114282366122561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
          PID: 6376

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,677222931949727541,18116114282366122561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
          PID: 6368

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
        PID: 2840
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 4680

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7778299402181160110,16334703031582072043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          PID: 6008

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7778299402181160110,16334703031582072043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          PID: 5948

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        PID: 3840
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 3872

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,11742010324969255733,15008954876034963338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
          PID: 6256

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,11742010324969255733,15008954876034963338,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
          PID: 6220

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
        PID: 4868
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 3664

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11186078075838282807,14598902519215163422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
          PID: 6204

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11186078075838282807,14598902519215163422,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
          PID: 6188

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        PID: 3656
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 3828

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,16413428518636740168,1725804575312762729,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
          PID: 6680

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,16413428518636740168,1725804575312762729,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
          PID: 6820

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        PID: 896
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 3972

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3975789424643372093,13181624448856022993,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
          PID: 6348

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3975789424643372093,13181624448856022993,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
          PID: 6340

    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        PID: 3192
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e4718
          PID: 1632

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
          PID: 6168

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
          PID: 6272

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
          PID: 6148

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
          PID: 7088

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
          PID: 7080

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
          PID: 8000

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
          PID: 8180

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
          PID: 7260

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
          PID: 7176

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
          PID: 7876

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
          PID: 2320

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
          PID: 6728

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
          PID: 6888

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
          PID: 6648

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
          PID: 8260

      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
          PID: 8300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:14⤵PID:9056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:14⤵PID:8464
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:14⤵PID:1292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9040 /prefetch:84⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9040 /prefetch:84⤵PID:8692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:14⤵PID:4552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,8476622840161750378,688032505002014025,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8844 /prefetch:14⤵PID:1624
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/3⤵
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff8f46e46f8,0x7ff8f46e4708,0x7ff8f46e47184⤵PID:260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17345659135654049601,7341435080313770952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:34⤵PID:6288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17345659135654049601,7341435080313770952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:24⤵PID:6280
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4028 -ip 40281⤵PID:3964
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7740
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:7608
-
C:\Users\Admin\AppData\Local\Temp\AB6E.exeC:\Users\Admin\AppData\Local\Temp\AB6E.exe1⤵PID:8712
-
C:\Users\Admin\AppData\Local\Temp\4F11.exeC:\Users\Admin\AppData\Local\Temp\4F11.exe1⤵PID:5600
-
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"2⤵PID:8076
-
C:\Users\Admin\AppData\Local\Temp\Broom.exeC:\Users\Admin\AppData\Local\Temp\Broom.exe3⤵PID:7328
-
-
-
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"2⤵PID:8868
-
-
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"2⤵PID:7376
-
-
C:\Users\Admin\AppData\Local\Temp\tuc3.exe"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"2⤵PID:3824
-
-
C:\Users\Admin\AppData\Local\Temp\5702.exeC:\Users\Admin\AppData\Local\Temp\5702.exe1⤵PID:8200
-
C:\Users\Admin\AppData\Local\Temp\9777.exeC:\Users\Admin\AppData\Local\Temp\9777.exe1⤵PID:7352
-
C:\Users\Admin\AppData\Local\Temp\B197.exeC:\Users\Admin\AppData\Local\Temp\B197.exe1⤵PID:5476
Network
MITRE ATT&CK Enterprise v15
Downloads