Analysis
  max time kernel: 111s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20231127-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12/12/2023, 04:43
Static task: static1
Behavioral task: behavioral1
  Sample: 93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: 93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Resource: win10v2004-20231127-en
General
  Target: 93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Size: 190KB
  MD5: 33ee67252b8ade3591f16c3a8d79d9b0
  SHA1: 14ba7ba845d9de1779e56eb1f022040a8be21bab
  SHA256: 93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186
  SHA512: 639a9cb719d6ee8ba47c05ecdf7b00b68d46b7513fdae6839e1945594336099e507d6adf4b9e1c54e64feb80e45c24173fddc38ba4f630e4bcf213db413a6ca9
  SSDEEP: 3072:WJW9jLf7NlY6HOnu2XAaK7tiAHZhPRox5Jxq:r9jLzNW6HOnu2XAdtiAHZ
Malware Config
Extracted: smokeloader
  pu10
Extracted: smokeloader
  2020
  http://host-file-host6.com/
  http://host-host-file8.com/
Extracted: djvu
  http://zexeq.com/test1/get.php
  extension: .hhuy
  offline_id: gG3wF8nDWRqLztkHPAxMzpvNVlmLBMgQKmKiCNt1
  payload_url: http://brusuax.com/dl/build2.exe
  payload_url: http://zexeq.com/files/1/build3.exe
  ransomnote:
    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
    The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files.
    What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information.
    You can get and look video overview decrypt tool: https://we.tl/t-5zKXJl7cwi
    Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490.
    Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
    To get this software you need write on our e-mail: [email protected]
    Reserve e-mail address to contact us: [email protected]
    Your personal ID: 0834ASdw
Extracted: risepro
  193.233.132.51
Signatures (behavioral2, win10v2004-20231127-en)
Detect ZGRat V1 (30 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/2908-52-0x000001FCC7C20000-0x000001FCC7D50000-memory.dmp     family_zgrat_v1
  behavioral2/memory/2908-N-0x000001FCC7C20000-0x000001FCC7D4A000-memory.dmp      family_zgrat_v1
    for N in 55, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 82, 88, 90, 92, 98, 103, 105, 107, 110, 113, 115, 118, 122, 126, 129 (28 dumps)
  behavioral2/memory/6444-1402-0x0000000002630000-0x0000000002704000-memory.dmp   family_zgrat_v1
Detected Djvu ransomware (6 IoCs)
  resource                                                                        yara_rule
  behavioral2/memory/3824-40-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral2/memory/3416-44-0x0000000002620000-0x000000000273B000-memory.dmp     family_djvu
  behavioral2/memory/3824-43-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral2/memory/3824-45-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral2/memory/3824-46-0x0000000000400000-0x0000000000537000-memory.dmp     family_djvu
  behavioral2/memory/3824-198-0x0000000000400000-0x0000000000537000-memory.dmp    family_djvu
Djvu Ransomware
  Ransomware which is a variant of the STOP family.

Disables Windows Defender Real-Time Protection via policy (6 IoCs)
  description      ioc                                                                                                                            Process
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"   2YD6343.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"       2YD6343.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"   2YD6343.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"   2YD6343.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" 2YD6343.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection                                  2YD6343.exe
PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

SmokeLoader
  Modular backdoor trojan in use since 2014.

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
  description  ioc                                         Process
  Key opened   \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   4003.exe
Downloads MZ/PE file

.NET Reactor protector (4 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource                                                                        yara_rule
  behavioral2/memory/1408-131-0x0000000002740000-0x000000000278C000-memory.dmp    net_reactor
  behavioral2/memory/1408-136-0x0000000004E90000-0x0000000004EDA000-memory.dmp    net_reactor
  behavioral2/memory/6472-717-0x00000000020C0000-0x00000000020DC000-memory.dmp    net_reactor
  behavioral2/memory/6472-727-0x0000000004F60000-0x0000000004F7A000-memory.dmp    net_reactor
Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                             Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   4003.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    4003.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                     Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation   4D90.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\Control Panel\International\Geo\Nation   4003.exe

Deletes itself (1 IoCs)
  pid   Process
  3432  Process not Found

Executes dropped EXE (14 IoCs)
  pid   Process
  4552  4003.exe
  3416  4D90.exe
  3824  4D90.exe
  2908  566B.exe
  1408  6466.exe
  440   6F54.exe
  4672  Oz4ED41.exe
  3472  gV7DZ85.exe
  4784  1Fj83nk1.exe
  696   4D90.exe
  2892  4D90.exe
  6472  2YD6343.exe
  3524  4xE421HP.exe
  6444  7qQ3wu74.exe

Modifies file permissions (1 TTPs, 1 IoCs)
  pid   Process
  3264  icacls.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Themida-packed executable (2 IoCs)
  resource                                                                        yara_rule
  behavioral2/files/0x00090000000230d1-19.dat                                     themida
  behavioral2/memory/4552-32-0x0000000000160000-0x0000000000B1C000-memory.dmp     themida

Disables Windows Defender Tamper Protection (2 IoCs)
  description      ioc                                                                                     Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features                 2YD6343.exe
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"   2YD6343.exe
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
  description      ioc                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3635043082-2972811465-3176142135-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\48e7e499-10e9-4c11-aab2-00308b19ae3a\\4D90.exe\" --AutoStart"   4D90.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""   6F54.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""   Oz4ED41.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""   gV7DZ85.exe
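The Defender policy writes, the TamperProtection change and the Run-key entry above are the registry events a detection engineer would want to match on endpoint telemetry. The following is an added example, not part of the tria.ge report and not the malware's code: it takes Sysmon-style Event ID 13 (value set) records, normalises the kernel path spelling the sandbox prints (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>, WOW6432Node) and flags the two patterns. The event field names follow Sysmon's schema, the sample records are constructed from the rows above with two benign controls added, and the severity tiers are this example's choice.

```python
"""Registry-tamper detection modelled on this report's IoC rows (added example)."""
import re
from dataclasses import dataclass

# Real-Time Protection policy values that switch a Defender component off when set to 1.
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable",
}
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
TAMPER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Djvu copies itself to %LOCALAPPDATA%\<GUID>\ and registers that copy with --AutoStart.
GUID_DIR_RE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    process: str
    rule: str
    target: str


def normalize(path: str) -> str:
    """Map the kernel spelling the sandbox prints onto HKLM/HKU and drop the WOW6432Node
    redirection, so 32-bit and 64-bit writers hit the same rule."""
    p = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    p = re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", p, flags=re.I)
    return re.sub(r"\\WOW6432Node\\", r"\\", p, flags=re.I)


def dword_value(details: str):
    """Accept Sysmon's 'DWORD (0x00000001)' as well as the sandbox's bare '1'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    if m:
        return int(m.group(1), 16)
    s = details.strip().strip('"')
    return int(s) if s.isdigit() else None


def analyze(events):
    """Return Findings for Defender-disabling writes and Run/RunOnce persistence."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:          # value-set events only
            continue
        target = normalize(ev["TargetObject"])
        key, _, name = target.rpartition("\\")
        details = str(ev.get("Details", ""))
        proc = ev["Image"]
        if key.lower() == RTP_POLICY_KEY.lower() and name in DEFENDER_RTP_DISABLE_VALUES:
            if dword_value(details) == 1:    # 0 would be re-enabling, not tampering
                findings.append(Finding("high", proc, "defender_rtp_disabled", name))
        elif key.lower() == TAMPER_KEY.lower() and name == "TamperProtection":
            if dword_value(details) == 0:
                findings.append(Finding("high", proc, "defender_tamper_protection_off", name))
        else:
            m = RUN_KEY_RE.search(target)
            if not m:
                continue
            # A Run entry pointing into a per-user GUID directory, or carrying --AutoStart, is
            # the Djvu pattern. A RunOnce wextract_cleanupN entry calling advpack.dll,
            # DelNodeRunDLL32 is the self-extractor stub's temp cleanup: record it as info.
            if GUID_DIR_RE.search(details) or "--AutoStart" in details:
                sev = "high"
            elif "DelNodeRunDLL32" in details:
                sev = "info"
            else:
                sev = "medium"
            findings.append(Finding(sev, proc, f"{m.group('key').lower()}_key_persistence", m.group("name")))
    return findings


SID = r"S-1-5-21-3635043082-2972811465-3176142135-1000"
SAMPLE_EVENTS = [  # constructed from the report's rows; the last two are benign controls
    {"EventID": 13, "Image": "2YD6343.exe", "Details": "DWORD (0x00000001)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"EventID": 13, "Image": "2YD6343.exe", "Details": "1",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring"},
    {"EventID": 13, "Image": "2YD6343.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection"},
    {"EventID": 13, "Image": "4D90.exe",
     "Details": r'"C:\Users\Admin\AppData\Local\48e7e499-10e9-4c11-aab2-00308b19ae3a\4D90.exe" --AutoStart',
     "TargetObject": r"\REGISTRY\USER\%s\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper" % SID},
    {"EventID": 13, "Image": "6F54.exe",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0"},
    {"EventID": 13, "Image": "msedge.exe", "Details": "DWORD (0x00000001)",   # ordinary browser write
     "TargetObject": r"\REGISTRY\USER\%s\Software\Microsoft\Edge\Example" % SID},
    {"EventID": 13, "Image": "admin.exe", "Details": "DWORD (0x00000000)",    # re-enabling RTP
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.process:12} {f.rule:32} {f.target}")
```

The RunOnce wextract_cleanup entries from 6F54.exe, Oz4ED41.exe and gV7DZ85.exe are what a Microsoft self-extracting cabinet stub writes for its own IXP*.TMP cleanup; they identify the nested-SFX packaging but are not the payload's persistence, which is why the example tiers them as info and keeps the --AutoStart entry from 4D90.exe as high.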
Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled (1 IoCs)
  description        ioc                                                                             Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   4003.exe
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  100   api.2ip.ua
  104   api.2ip.ua

AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource                                      yara_rule
  behavioral2/files/0x00070000000230e9-191.dat  autoit_exe
  behavioral2/files/0x00070000000230e9-187.dat  autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
  pid   Process
  4552  4003.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                                              procid_target
  PID 3484 set thread context of 4960  3484  93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe   89
  PID 3416 set thread context of 3824  3416  4D90.exe                                                             110
  PID 696 set thread context of 2892   696   4D90.exe                                                             121

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  pid   pid_target  Process       procid_target
  3100  2892        WerFault.exe  121
  5792  6444        WerFault.exe  177
  6228  1408        WerFault.exe  113

Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               Process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    4xE421HP.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    4xE421HP.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    4xE421HP.exe

Enumerates system info in registry (2 TTPs, 6 IoCs)
  description        ioc                                                                    Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
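The registry reads in this report (the VBOX__ ACPI table, SystemBiosVersion/VideoBiosVersion, the SCSI enumeration, Geo\Nation and EnableLUA) are individually weak: the same report shows msedge.exe querying SystemManufacturer and SystemProductName, so a rule that fires on any BIOS read fires on a browser. The following is an added example, not part of the tria.ge report, that parses the "Key opened / Key value queried / Key enumerated <path> <process>" rows as printed above, buckets each read into a category, and scores per process so that a hypervisor vendor table on its own, or several independent categories from one process, is needed to flag. The rows are copied from the report; the category weights, the threshold and the extra VRTUAL (Hyper-V) marker are this example's assumptions.

```python
"""Per-process correlation of registry reconnaissance rows (added example)."""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^Key (?:value )?(?:opened|queried|enumerated) (?P<path>.+) (?P<proc>\S+)$")

# (category, weight, pattern). VBOX__ is the ACPI OEM ID the report shows; VRTUAL (Hyper-V)
# is added here as an assumption to show how the list extends.
CATEGORIES = [
    ("vm_vendor_acpi", 3, re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\(?:VBOX__|VRTUAL)", re.I)),
    ("bios_version",   1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|VideoBiosVersion)$", re.I)),
    ("smbios_vendor",  1, re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(?:\\SystemManufacturer|\\SystemProductName)?$", re.I)),
    ("scsi_enum",      1, re.compile(r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI", re.I)),
    ("geo_nation",     1, re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("uac_check",      1, re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]
FLAG_THRESHOLD = 3  # a vendor ACPI table alone, or three independent weaker signals


def categorize(path):
    """First matching category and its weight, or (None, 0) for an uninteresting key."""
    for name, weight, pat in CATEGORIES:
        if pat.search(path):
            return name, weight
    return None, 0


def profile(rows):
    """Return {process: {"score": int, "categories": [...]}}, counting each category once
    per process so opened/queried/enumerated on the same key are not stacked."""
    seen = defaultdict(dict)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        cat, weight = categorize(m.group("path"))
        if cat:
            seen[m.group("proc")][cat] = weight
    return {proc: {"score": sum(c.values()), "categories": sorted(c)} for proc, c in seen.items()}


def flagged(profiles, threshold=FLAG_THRESHOLD):
    """Processes whose combined reconnaissance score reaches the threshold."""
    return sorted(p for p, v in profiles.items() if v["score"] >= threshold)


SID = r"S-1-5-21-3635043082-2972811465-3176142135-1000"
SAMPLE = "93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
REPORT_ROWS = [  # copied from the signature rows above
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 4003.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 4003.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 4003.exe",
    r"Key value queried \REGISTRY\USER\%s\Control Panel\International\Geo\Nation 4D90.exe" % SID,
    r"Key value queried \REGISTRY\USER\%s\Control Panel\International\Geo\Nation 4003.exe" % SID,
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 4003.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI " + SAMPLE,
    r"Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI " + SAMPLE,
    r"Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI " + SAMPLE,
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4xE421HP.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe",
]

if __name__ == "__main__":
    profiles = profile(REPORT_ROWS)
    for proc, v in sorted(profiles.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{v['score']:2}  {proc:72}  {', '.join(v['categories'])}")
    print("flagged:", flagged(profiles))
```

On the report's own rows only 4003.exe reaches the threshold (vendor ACPI table plus BIOS version, geofence and UAC checks); the sample's SCSI enumeration, 4D90.exe's single Geo\Nation read and the browser's SMBIOS reads all stay below it, which is the behaviour you want before this logic is put in front of an alerting queue.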
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process                                                              entries
  4960  93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe   2
  3432  Process not Found                                                    62

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  4960  93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe
  3524  4xE421HP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
  pid   Process     entries
  3760  msedge.exe  17
  4448  msedge.exe  2

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   Process            entries
  Token: SeShutdownPrivilege        3432  Process not Found  30
  Token: SeCreatePagefilePrivilege  3432  Process not Found  30
  Token: SeDebugPrivilege           1408  6466.exe           1
  Token: SeDebugPrivilege           4552  4003.exe           1
  Token: SeDebugPrivilege           6472  2YD6343.exe        1
  Token: SeDebugPrivilege           2908  566B.exe           1

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process            entries
  4784  1Fj83nk1.exe       24
  3432  Process not Found  4
  3760  msedge.exe         25
  4448  msedge.exe         11

Suspicious use of SendNotifyMessage (64 IoCs)
  pid   Process            entries
  4784  1Fj83nk1.exe       24
  3760  msedge.exe         24
  4448  msedge.exe         16

Suspicious use of UnmapMainImage (1 IoCs)
  pid   Process
  3432  Process not Found
Suspicious use of WriteProcessMemory (64 IoCs)
  description                     pid   Process                                                              procid_target  entries
  PID 3484 wrote to memory of 4960  3484  93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe   89   6
  PID 3432 wrote to memory of 4296  3432  Process not Found                                                    104  2
  PID 4296 wrote to memory of 1772  4296  cmd.exe                                                              106  2
  PID 3432 wrote to memory of 4552  3432  Process not Found                                                    108  3
  PID 3432 wrote to memory of 3416  3432  Process not Found                                                    109  3
  PID 3416 wrote to memory of 3824  3416  4D90.exe                                                             110  10
  PID 3432 wrote to memory of 2908  3432  Process not Found                                                    111  2
  PID 3824 wrote to memory of 3264  3824  4D90.exe                                                             112  3
  PID 3432 wrote to memory of 1408  3432  Process not Found                                                    113  3
  PID 3432 wrote to memory of 440   3432  Process not Found                                                    115  3
  PID 440 wrote to memory of 4672   440   6F54.exe                                                             116  3
  PID 3824 wrote to memory of 696   3824  4D90.exe                                                             120  3
  PID 4672 wrote to memory of 3472  4672  Oz4ED41.exe                                                          119  3
  PID 3472 wrote to memory of 4784  3472  gV7DZ85.exe                                                          118  3
  PID 696 wrote to memory of 2892   696   4D90.exe                                                             121  10
  PID 4784 wrote to memory of 3760  4784  1Fj83nk1.exe                                                         124  2
  PID 3760 wrote to memory of 4396  3760  msedge.exe                                                           125  2
  PID 4784 wrote to memory of 1668  4784  1Fj83nk1.exe                                                         126  1
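Every parent that starts a child writes into it, so "wrote to memory of" on its own says little; what stands out in the SetThreadContext and WriteProcessMemory rows above is a parent that also sets the thread context of a child running the same image (the sample into a second copy of itself, and 4D90.exe into 4D90.exe, twice), which is the process-hollowing shape Djvu uses. The following is an added example, not part of the tria.ge report and not the malware's code, that parses those rows and labels each parent-to-child interaction. The rows are copied from the report (repeated write rows reduced to one each); the child-pid-to-image map is taken from the process tree further down and is the one input the rows themselves do not carry.

```python
"""Process-hollowing triage from sandbox SetThreadContext / WriteProcessMemory rows (added example)."""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<target>\d+) (?P=pid) (?P<image>\S+) (?P<procid_target>\d+)$")


def parse_rows(rows):
    """Return {(parent_pid, child_pid): {"image": parent_image, "verbs": set()}}."""
    pairs = defaultdict(lambda: {"image": None, "verbs": set()})
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        entry = pairs[(int(m.group("pid")), int(m.group("target")))]
        entry["image"] = m.group("image")
        entry["verbs"].add("WriteProcessMemory" if m.group("verb").startswith("wrote") else "SetThreadContext")
    return pairs


def classify(pairs, pid_image):
    """Label each parent->child interaction as (label, parent_image, child_image).

    self_hollowing:           write + SetThreadContext into a child of the same image name
    thread_context_injection: SetThreadContext into a child of a different image
    write_only:               only WriteProcessMemory, consistent with ordinary process creation
    """
    labels = {}
    for (parent, child), e in pairs.items():
        child_image = pid_image.get(child, "?")
        if "SetThreadContext" in e["verbs"]:
            same_image = child_image.lower() == e["image"].lower()
            label = "self_hollowing" if same_image and "WriteProcessMemory" in e["verbs"] else "thread_context_injection"
        else:
            label = "write_only"
        labels[(parent, child)] = (label, e["image"], child_image)
    return labels


def hollowing_chains(rows, pid_image):
    """Sorted (parent, child, image) triples for every self-hollowing pair."""
    return sorted((p, c, img) for (p, c), (label, img, _) in classify(parse_rows(rows), pid_image).items()
                  if label == "self_hollowing")


SAMPLE = "93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
REPORT_ROWS = [  # copied from the report; repeated write rows reduced to one each
    f"PID 3484 set thread context of 4960 3484 {SAMPLE} 89",
    f"PID 3484 wrote to memory of 4960 3484 {SAMPLE} 89",
    "PID 3416 set thread context of 3824 3416 4D90.exe 110",
    "PID 3416 wrote to memory of 3824 3416 4D90.exe 110",
    "PID 696 set thread context of 2892 696 4D90.exe 121",
    "PID 696 wrote to memory of 2892 696 4D90.exe 121",
    "PID 3824 wrote to memory of 3264 3824 4D90.exe 112",
    "PID 3824 wrote to memory of 696 3824 4D90.exe 120",
    "PID 4784 wrote to memory of 3760 4784 1Fj83nk1.exe 124",
    "PID 4296 wrote to memory of 1772 4296 cmd.exe 106",
]
PID_IMAGE = {  # child pid -> image, taken from the process tree in this report
    4960: SAMPLE, 3824: "4D90.exe", 2892: "4D90.exe", 696: "4D90.exe",
    3264: "icacls.exe", 3760: "msedge.exe", 1772: "reg.exe",
}

if __name__ == "__main__":
    for (parent, child), (label, pimg, cimg) in sorted(classify(parse_rows(REPORT_ROWS), PID_IMAGE).items()):
        print(f"{parent:>5} -> {child:<5} {label:26} {pimg} -> {cimg}")
```

The 3824 -> 696 pair is the control case: same image on both sides (4D90.exe relaunching itself with "--Admin IsNotAutoStart IsNotTask"), but with no SetThreadContext it is a plain child launch, not hollowing. The chain the report shows is 3416 hollowing 3824, 3824 spawning 696, and 696 hollowing 2892, which then crashes (WerFault -p 2892).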
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (behavioral2 process tree; children are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe  (PID 3484)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe  (PID 4960)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\93e23f12fbeb062c763c84866314199d9bd130033115ee931d50be51c5f1c186.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

C:\Windows\system32\cmd.exe  (PID 4296)
  cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\343A.bat" "
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\reg.exe  (PID 1772)
    cmdline: reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4003.exe  (PID 4552)
  cmdline: C:\Users\Admin\AppData\Local\Temp\4003.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4448)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4620)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff990146f8,0x7fff99014708,0x7fff99014718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6252)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5740)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6760)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3984)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1956)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5540)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5640)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4612)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4604)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5256)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 6384)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 6396)
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14668648385304711785,3367607800016618191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4980 /prefetch:8
PID 3416  C:\Users\Admin\AppData\Local\Temp\4D90.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    PID 3824  C:\Users\Admin\AppData\Local\Temp\4D90.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        PID 3264  icacls "C:\Users\Admin\AppData\Local\48e7e499-10e9-4c11-aab2-00308b19ae3a" /deny *S-1-1-0:(OI)(CI)(DE,DC)  (image: C:\Windows\SysWOW64\icacls.exe)
          - Modifies file permissions
        PID 696  "C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
            PID 2892  "C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask
              - Executes dropped EXE
                PID 3100  C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 568
                  - Program crash
PID 2908  C:\Users\Admin\AppData\Local\Temp\566B.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
    PID 5732  C:\Users\Admin\AppData\Local\Temp\566B.exe
PID 1408  C:\Users\Admin\AppData\Local\Temp\6466.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
    PID 6228  C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 2212
      - Program crash
PID 440  C:\Users\Admin\AppData\Local\Temp\6F54.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    PID 4672  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Oz4ED41.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
        PID 3472  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gV7DZ85.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
            PID 6472  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2YD6343.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious use of AdjustPrivilegeToken
        PID 3524  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4xE421HP.exe
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious behavior: MapViewOfSection
    PID 6444  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7qQ3wu74.exe
      - Executes dropped EXE
        PID 5792  C:\Windows\SysWOW64\WerFault.exe -u -p 6444 -s 624
          - Program crash
PID 4784  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    PID 3760  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
        PID 4396  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7fff990146f8,0x7fff99014708,0x7fff99014718
        PID 5164  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2320 /prefetch:8
        PID 5144  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
        PID 5136  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
        PID 5620  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        PID 5612  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        PID 6044  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
        PID 6284  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
        PID 6616  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
        PID 6748  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1
        PID 6932  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
        PID 7056  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        PID 6436  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
        PID 6632  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
        PID 7152  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
        PID 2580  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
        PID 3680  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
        PID 5744  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8264 /prefetch:1
        PID 5804  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
        PID 6428  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8648 /prefetch:1
        PID 3592  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17288631596389950459,14217106118013143238,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9152 /prefetch:1
    PID 1668  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
        PID 1020  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
        PID 5304  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7580873702800239064,7082520195997237181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        PID 5188  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7580873702800239064,7082520195997237181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    PID 852  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID 3860  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
        PID 5204  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13906737394333911450,3341372604459557844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        PID 5196  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13906737394333911450,3341372604459557844,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    PID 2148  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
        PID 2324  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
        PID 5948  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,15930691946751608274,13153657859695741700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
        PID 6060  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,15930691946751608274,13153657859695741700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    PID 1820  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
        PID 1092  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
        PID 6476  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5142126469591650117,18177171949595903564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    PID 5056  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
    PID 896  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
        PID 5588  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x168,0x16c,0x144,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
    PID 6732  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
        PID 6820  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
    PID 5980  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        PID 6352  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff990146f8,0x7fff99014708,0x7fff99014718
    PID 5940  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        PID 7160  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
PID 1172  C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2892 -ip 2892
PID 5180  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff990146f8,0x7fff99014708,0x7fff99014718
PID 6084  C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 6232  C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 3228  C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 6444 -ip 6444
PID 848   C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 4320  C:\Windows\System32\CompPkgSrv.exe -Embedding
PID 6196  C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1408 -ip 1408
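Reading a tree like the one above by eye is error-prone once the export has fused each image path, command line and depth number into a single line. The Python helper below is an added example, not code from tria.ge or from the sample's author. It splits those fused lines back apart (assuming, as holds for this run, that the depth is a single digit), rebuilds parent/child links from the depths, and pulls out the behaviours a responder would want from this report: the icacls deny for Everyone that locks the Djvu drop folder, the `--Admin IsNotAutoStart IsNotTask` relaunch seen in the 4D90.exe chain, executables unpacked into IXP00n.TMP directories (the naming IExpress self-extractors use), the browser being driven straight to login pages, and WerFault crash records tied back to the crashing PID. The rule names are this example's own, and SAMPLE is constructed from lines of the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# A report line: "<image path><command line><depth>⤵" with an optional inline "PID:<n>".
# The depth is assumed to be a single digit (true for this run), so the command line is
# matched greedily and the last digit before the arrow is the depth; the image path is
# the first thing on the line that ends in ".exe".
PROC_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?$")
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
EVERYONE_SID = "*S-1-1-0"                        # well-known SID for Everyone
DJVU_ARGS = "--Admin IsNotAutoStart IsNotTask"   # relaunch arguments from the 4D90.exe chain
LOGIN_URL = re.compile(r"/(login|signin|loginform)\b", re.I)


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    tags: list = field(default_factory=list)
    parent: Optional["Proc"] = None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_tree(text: str) -> list:
    """Return every process in report order, with parents linked by depth."""
    nodes, stack, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":                  # list-marker residue between entries
            continue
        if m := PROC_RE.match(line):
            cur = Proc(m["image"], m["cmd"].strip(), int(m["depth"]),
                       int(m["pid"]) if m["pid"] else None)
            while stack and stack[-1].depth >= cur.depth:   # pop siblings and deeper nodes
                stack.pop()
            cur.parent = stack[-1] if stack else None
            stack.append(cur)
            nodes.append(cur)
        elif (m := PID_RE.match(line)) and cur is not None:   # "PID:3416 -" after the tags
            cur.pid = int(m["pid"])
        elif line.startswith("- ") and cur is not None:        # behaviour tag
            cur.tags.append(line[2:])
    return nodes


def lineage(p: Proc) -> list:
    """PIDs from the root of p's tree down to p."""
    chain = []
    while p is not None:
        chain.append(p.pid)
        p = p.parent
    return chain[::-1]


def findings(nodes: list) -> list:
    """(pid, rule, detail) triples; the rule names are this example's own."""
    out = []
    for p in nodes:
        cmd, name = p.cmdline, basename(p.image).lower()
        if "Adds Run key to start application" in p.tags:
            out.append((p.pid, "run_key_persistence", basename(p.image)))
        if name == "icacls.exe" and "/deny" in cmd and EVERYONE_SID in cmd:
            m = re.search(r'"([^"]+)"', cmd)
            folder = m.group(1) if m else "?"
            # (OI)(CI)(DE,DC) denies Delete and Delete-Child to Everyone, inherited by
            # everything below; /remove:d strips that deny ACE again during cleanup.
            out.append((p.pid, "acl_lockdown",
                        f'Everyone denied delete on {folder}; undo: icacls "{folder}" /remove:d {EVERYONE_SID}'))
        if DJVU_ARGS in cmd:
            out.append((p.pid, "djvu_relaunch", f"{basename(p.image)} relaunched with {DJVU_ARGS}"))
        if "\\IXP00" in p.image.upper():         # IXP00n.TMP: IExpress extraction directory
            out.append((p.pid, "iexpress_extract", p.image))
        if (name == "msedge.exe" and "--single-argument" in cmd and p.parent
                and basename(p.parent.image).lower() != "msedge.exe"):
            url = cmd.split("--single-argument", 1)[1].strip()
            if LOGIN_URL.search(url):
                out.append((p.pid, "browser_to_login", f"{basename(p.parent.image)} opened {url}"))
        if name == "werfault.exe" and (m := re.search(r"-p (\d+)", cmd)):
            out.append((p.pid, "crash", f"WerFault for PID {m.group(1)}"))
    return out


# Constructed input: a subset of the report's own lines, in the export's fused format.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\4D90.exeC:\Users\Admin\AppData\Local\Temp\4D90.exe1⤵
PID:3416 -
C:\Users\Admin\AppData\Local\Temp\4D90.exeC:\Users\Admin\AppData\Local\Temp\4D90.exe2⤵
- Adds Run key to start application
PID:3824 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\48e7e499-10e9-4c11-aab2-00308b19ae3a" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
PID:3264
C:\Users\Admin\AppData\Local\Temp\4D90.exe"C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask3⤵
PID:696 -
C:\Users\Admin\AppData\Local\Temp\4D90.exe"C:\Users\Admin\AppData\Local\Temp\4D90.exe" --Admin IsNotAutoStart IsNotTask4⤵
PID:2892 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 5685⤵
PID:3100
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Fj83nk1.exe1⤵
PID:4784 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin2⤵PID:6732
"""
```

Calling `findings(parse_tree(SAMPLE))` yields one triple per flagged process; `lineage()` on the WerFault entry walks back through both Djvu relaunches to the original 4D90.exe, which is the chain to quote in an incident timeline. The acl_lockdown detail carries the icacls /remove:d command that clears the deny entry so the drop folder can be deleted during cleanup; on a real host it must be run against the same GUID path the report shows, since the folder name is per-infection.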
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- File and Directory Permissions Modification (1)
- Impair Defenses (2): Disable or Modify Tools (2)
- Modify Registry (3)
- Virtualization/Sandbox Evasion (1)
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD53e61f1b5c83d57794fb57876a8ce4886
SHA1d69fb46fde92526ba21a2ee39d9b98445310a71f
SHA25644c1f59f48fca1dbbcb999232154f060a74d760bdb510accace016de59ed4233
SHA5121bc86558d62a6730c2ab9b2382d68b5b35feef499b489c595ffc9fc4b776d63c0f23afcaef91b008bee22145d92067c7344d2f45ecc8d78d5bbe64ac1b2a1cdb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD5d454e7a527eb704a79a8b442cc5d2b65
SHA11677bb3771ce4d0e5a4c7d949ce70efcd4ca8483
SHA25620b8b32c126efa2a5b52b64e5acb614e3f5ea688ef39b0897e0d50135d6a860c
SHA51229231e9a37e1494dec806306a2c7f4eff9f5d9e05a6e374ba1119ae83ab33ad0132a57ee61e5865a5263bb6f2d51d9181317b180ef9e7ed74aecca93c5381224
-
Filesize
152B
MD5f289d5218316bc0c88de5c2e9853e6da
SHA1cc85691d7273f8d20e62ac293afe3163a5a235cd
SHA256a3b0df05d59cc11a638af7b7d25af5089847d0b157cc5d20575f6175c625bfdf
SHA5124b830d07238719d691e48faa74bb8cc9ada70107283d7f36d317764ab4be206d7345c101d7a1675a40d02945ff90c1b622902be7d6a9fd138a4fe954f827031b
-
Filesize
152B
MD575a5561fce685815bd524b5a11a6aba2
SHA13f8454ca45fe1b7f7f5ca8b1bd0cad36b20c556f
SHA256991bedcc309c9747aba329e1929726f48a15c19c0faafe9f667388366dc56d9e
SHA51217a4c739823ee0a16a84699c7881363b6edc846272e75895ff78f9818064b3b27a278d53a647254aa4d39529f21a0d1dead82597f226731f44ee79ea2b087bee
-
Filesize
152B
MD55990c020b2d5158c9e2f12f42d296465
SHA1dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4
SHA2562f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643
SHA5129efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c
-
Filesize
152B
MD5208a234643c411e1b919e904ee20115e
SHA1400b6e6860953f981bfe4716c345b797ed5b2b5b
SHA256af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458
SHA5122779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize312B
MD5aacda2f314717240bf04eb9b04be308e
SHA158d10ebfdd3463ec710a28062355641f127eb271
SHA256d6964cd24575404084e4b9655e690e0cd7d62adeeb2730988d000c2759079a59
SHA5122db09bbc5c5ec07c53b07e0f0d72cbdcf3536563683b46f42c457ecf67167490dbed430c674ce5eeac9eb015c05c2a582e894605698f6873ab370428303bb904
-
Filesize
5KB
MD5d789060e1156823c973bfec9be3e9ee3
SHA1332e08aa8904421ef5e3a1bc337af43b615b33bb
SHA25625619e037443169beec9c14942a522f7d8d5ecc07b2d1e074be27448f772bec2
SHA512e078aa89e0203aea0fcfa1b6fa188f832ee02897d1b95b1975cbe82233706babd8258fe1ecdabc642def2240314678f0ec8c5df89ac9d6e4862805c1830e072b
-
Filesize
7KB
MD59c67369e823111c517448f014491f3a3
SHA12924812d4f27e470d7b0cc666a5bf9f1b6a194dc
SHA256577bcf6b9eafc57f29aab9a62f485c9a216e625924585f7f1a78faef68ae2564
SHA512951333486475d1e37d9eb784c414d56069161112fb5c59ca07ee8860ad487d72d59f6e99ba2b0c2037c787b4f7066d225d22939c4be096aab12dd9a9ebd4ba30
-
Filesize
8KB
MD515edc8f72593e5a6b883e6fc14bc7921
SHA13839a9190d64a7300beb1bd82eba3c783f354012
SHA25629dbd6ed72ad3e114d4a28e7de6d92f61b3c2199f89ff761c361d20a2199e4b5
SHA512083e0eb4bde840ffcfa91b4722ec8bf3a6d80b1121badb888d2a8c76a717966af45f1a0764c7ca35ad4cdbfd108961c74d6d59631d3ab51cdedf60ae2dd51626
-
Filesize
8KB
MD5715ef78b14dd074188c801e5c7e0869c
SHA18b06129629e4b73b8df10cd0bf2cf1fd59ee48ad
SHA256267539825481a53cf4b05238ba06aeed57ee44f4a29b4788f09c9eda431fcf84
SHA512ccfdc44d4ff1c38a9ee3d06697fad7656e2bbaafa20611760b785ddcbaf8c0f2466bd39ecdb15a0fa9e3084c82bc7f10e3be6bf51ef96b362767aaa50f5c059e
-
Filesize
8KB
MD536905c6efb2e9806df23249b5330871b
SHA1216bf2c9b9cb7f2a67b978c352e9d6efa9e0e885
SHA256f53f4b72410369f0bed1eb7e8dafc1ccbd3b9b63df1ba96ce903648851f7f123
SHA512bb6fce948e6bca5fa09266700ba7747e9c35bc37e527a44b69dd9c524643171233942c1680b2a291cbd088ccf8c4b2b9253d3da3d412fe3bd1dc1c4cc3f50725
-
Filesize
24KB
MD5
5a6206a3489650bf4a9c3ce44a428126
SHA1
3137a909ef8b098687ec536c57caa1bacc77224b
SHA256
0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28
SHA512
980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78
-
Filesize
1KB
MD5
b2ed2cbd56898852d4673f1e73236533
SHA1
51cdeefa9ec4a9ac79ca6f44d77e71aeb59098ce
SHA256
164efa6e2e8e8ec834d755650faf45c45381a8b9581104c5c2078e9183245cb2
SHA512
4a4dac4e8e477e7339df52a110938ccc4d86ae26045cedeed1d5bc5d3ca78548b68ae345336e9b311706bbf939d87b9c1f46672380f0c132ddce73cfe4264489
-
Filesize
1KB
MD5
b2eecd1b1ba62b5add6f8e63bfaca3ca
SHA1
a6f4ac73d8f2508d28c057aeeabab1f783f72da0
SHA256
f5f926e7e52f8f26e56048546f54755b0f07a82193d1f951f64c04c47b1e421a
SHA512
b236b56789c9812795770fbf1451a4392d158b8ad59e011c1894c167a0f8014d67dcb7f49246005a15dd54e47af161848df3d977f7394314f7c253c51595d276
-
Filesize
1KB
MD5
ff2b32d838645a4e3cb68037ae0d51f6
SHA1
cdc3779bf85a0dfbd4ba3a50d97596ec84aefb77
SHA256
cf0953f21a1e90920bb92c2bc154ab84583ce2ba15f1622952a9b8a76c980727
SHA512
71905240aace326676c623c318ebc69dc3c63e7a59c31978bdbef55efb65fe2412ef5b2d64ba1729b54b515fda8a1fe3c10391906864753edd6e85722144d617
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cb6ed296-a008-4b82-8511-bf5f493e3fd4.tmp
Filesize
111B
MD5
285252a2f6327d41eab203dc2f402c67
SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD5
b870c83fb3effe89ef276112cac9d2ee
SHA1
fdf6c334a6a3219be4814c19823f4179f9a46d72
SHA256
820172e89bfe836d3e0b752bee70004dcc5720361ade524b170207c0cd0c9479
SHA512
9b77097a2da6426a07627eb46a04cf96656870aaa8f63b2e086db83f6591c8361193221d44756483612d15a48d0bdc864ff086d5e1a6c6d4a68d27729f5c10fc
-
Filesize
10KB
MD5
f3ee5fd04c876b4334362f9568109362
SHA1
dbd1a5b57fa50b711093c176a154ceca66dba149
SHA256
d66f4d5e9bece36af155bc9350d6f4445c9b3f7a8fcd41b9e905f74fdcba49b9
SHA512
687be862a45212a964e59b3dcad9f3c7bb60e48470c50f818e5f7c0c100a577e450ff60c3f89fed2522d2d42dc3983f938caa8ed6cf5fcec5b17cfa206ba7595
-
Filesize
2KB
MD5
6a7413064b301c13e2d3a57387876867
SHA1
f2e762ad3d4745d66bff1302e9607d8c7b88bec8
SHA256
d85b43ff17c3aa60b36f0fcad21dc4b5da36ff298d26266cda46f344b2bd1440
SHA512
9a078e395d2b0e64137548c38e4613c8401eb3847d06414b315f5a870630d9617fd2b43967df22dcc0c6fba8f96c36b3842c4cc24081b1aad4316bfd353dca0d
-
Filesize
2KB
MD5
edd2f1e3a442f7c299be4373c3062976
SHA1
c58c00484221cca5fff15429593fd165ce756321
SHA256
af5ff775ab4a866ce552caa888a2bfa12192b3f4c86901e094cac4e11deda0d8
SHA512
df5222dd67165f87c9f63472ef3d298401377c2f84d1fd3dd1186cd8ea49194c545e637d2800cfd2d25e9778ce9c67cd47ffde96dd5394dd181c7a39be623cda
-
Filesize
10KB
MD5
b6bc0f050ab48b7639e2a3a948892951
SHA1
866b4b93ba256612bb08071524b55d78ac82ebc7
SHA256
4d83d9ab56e44b27dce671d8c868394b0c930e7cfe82b664450228f858002f2f
SHA512
e32d60b19164b05650d223e651fab66604a12bcc17ec8b29ee7cdc167bf6ef6c9b7fa8599d60f3e59a76cedcdd66e85be115c5037ec30e185abcc0e53b039fc8
-
Filesize
2KB
MD5
1a95825131ccc2679ebcdaa8a4790e6c
SHA1
5383f7316517fcc7a6db207224898fd7b5cfb717
SHA256
35e242afc4a7e389bff0effe08c602ae334ec62281c969a5a996856c485993f9
SHA512
9f47ebe816d75038607223e4a1be344f8c622c735e7d6229aa3e54437a6ec0458272f8bc2f889d56ebaab243e4b2fe84a6ed3f110ed81ddf1c539ddc6087a81d
-
Filesize
77B
MD5
55cc761bf3429324e5a0095cab002113
SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
Filesize
3.7MB
MD5
9adb9cee1abeaf442c9de0ad6e1ffbc1
SHA1
d09c01e1330fbfd3ab2410bceddcaf74c1393998
SHA256
554ccf8442669bd6301dfdab3e7333eb5996f295004585e3db6161a9b2bd00a8
SHA512
546fb243b5952d693436aa3f1105fa050683f6854d5bc685da874f3d2b112b4b5f4dae48630eec51e5ea3a74e172b9d172d12c98ed71c3ba56fe18a83ac34fea
-
Filesize
703KB
MD5
454440503db62af8520be0827389df6a
SHA1
473f9a477bdb8a408e7fad05e858dbbaa76f1dda
SHA256
b816a1f49cf7a431b9c23d32cb60eb6bae72d88b23b19a861e5f690488b00d57
SHA512
6c7f3847a00033394f5b8adb1fadb177b6103ccd6a9205dd2dad45e550805a0cf8295df2353bbf62ce9e629c3218e6c44621f716ebef23931b34ba4102debc15
-
Filesize
1.2MB
MD5
ab0443c4b5ae89cd913377183852ecb3
SHA1
23cf5fb65377cfe0af63adede50c50fb24dc32ab
SHA256
8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
SHA512
149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b
-
Filesize
337KB
MD5
7a721dbf14dd3eb263a9ae638f3b659f
SHA1
13452bd20b632687b51c9d0f9c1c4f80f0d14eea
SHA256
52c1c503ec181013e94aa9ec40f4dd18aa7f4f9b1205ac194d62e514fcb984de
SHA512
b1a9cb5ed60c364edb6f900cad5cd07377d08fce7782111bd94bd540598f22ad0768c56d50575eea2a896384c68f1f6d28a8d870809340e7df27fd88658a942a
-
Filesize
1.7MB
MD5
d705e3aa388d03b7956742e5ea495167
SHA1
cfb6c5de8a7b2cf45e337989e5fd03e2def58ba7
SHA256
06afd9c627a35789aff142aa9c3042b57d9de609f6b47ddf173e332bbcc314b2
SHA512
926e2dc6252e178fd8ab707b9be9a9a6b7332b48a2c2176340edcc76da79917d412921d1c129785a740e7dc61466040052cb953990d1ca44afc1991988abf03f
-
Filesize
1.1MB
MD5
86b8cef1ba13b3c3b9ff2ded5c5835e9
SHA1
0d25eae2e1b0f6c5ea29d6c593cef46ccabd0f83
SHA256
e30e8e2a4203da16fa50410f35d505acab3bda4f00afa0ed5683fdb0a6c35a12
SHA512
9fdec0a033043cd157ff4724180dad130b57a03dd6b3f1bb07cd23eac287ac7db1654aa39bf8ab00f3731588f39f5e1d11073d30ffc3474f57c00e2a8ae6e47b
-
Filesize
758KB
MD5
5177f9d2842b74a2be7f5aba232faffd
SHA1
9b6c926c477183ff5682d2afe0cb62de976379c7
SHA256
3f631a363d36dce5c91238bcde6bb465721778887e036ad1016b185a4b4f9a63
SHA512
6fa2f49b55f799a8f82a8d520db344383f645c834291d731278a08e344309a9d7064ab6123e56d43a00fadbbd79694d85355b011a145aadc607137bc26befd15
-
Filesize
320KB
MD5
f9986eefb6d2213d8b7d8d27a221ad50
SHA1
dbe7a39d6997e011a6c4ac1c5c50af2f018fb7f8
SHA256
d1f83d7fb3af99040e0371677254483c8828f239ed1cd3d1923cc953a2cc2746
SHA512
a33240cf68409e4b2c08c7e77a6afa4d2a1ed8c068e8fdb07c181224b93c972feeba7ad8ade3c6fdf8df7e4f21b6e139cf649f00ca8443754a60a23656fbbcce
-
Filesize
256KB
MD5
328b9335d21864bb377c850b2db079fd
SHA1
e0f2e906daf8bc05e446af14169e5195ecf093ec
SHA256
0e33056073214a6b9beb9971c64c541aa9b5227fb86a30cac1dfba493c905971
SHA512
c396b5b6d64f15503952eb74167a10bc23bf90b99a89a9260d206476546b861a8fe9ad502579ac1770f910d76b068d4b889e978eaba7f9b66ec1d2ff5fd3bfaa
-
Filesize
898KB
MD5
4e903722f062f52bcbbaea07fcb804c6
SHA1
c81aff391e1910e733a14e2933a440581933064e
SHA256
f09a3cecfeeae14f9165245c4ce951eb4eaaf4a7d061d8f6af7e8a561ad6edfa
SHA512
2d9f9472e18221c2e9fbe7a6dddface65db74a07ef0819096ed905fcb0e652c760b840172099519519c84184442410dc71e9a872fb170fb805ee47ca3cb72bff
-
Filesize
896KB
MD5
f5f7ae3ee6e2f270dee0eec7f51cbfbc
SHA1
dafd403a0077f366965155fcd2b9153be5a31097
SHA256
c247f153990e439d4b28f23cf98ce8c59a59f375a4aa3b15b8009c8cfee305aa
SHA512
60e16e78a537cc4157b4eec8323fadf97cbf4b78a7ed741c0c92a352d65d68c577c64059a13b4b1c58602989d22f076bb6591f4271c8124ed21eaf7cb704617d
-
Filesize
182KB
MD5
7c843f9498585e492c94721ad7113b63
SHA1
03dd3da5b0fae5c0a037cb242d9f0c0e8c989354
SHA256
a25674069b6df920ad68ce548f7678c8e4620717ee97a93554fb3d4e8293d307
SHA512
70546c2ff3b17046beffda3e4b64e78b1efeed6dceb80c79d91354bad9dacc4b978a59c541878b3f4e656e6d804dcf2c1af6b36a1bec265471f2f9f0dd83e3c0