Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
12/12/2023, 14:32
Static task
static1
Behavioral task
behavioral1
Sample
5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe
Resource
win10v2004-20231130-en
General
-
Target
5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe
-
Size
1.5MB
-
MD5
a5f2d196defbc17bc990ef7375d1e2da
-
SHA1
68f8bd12b67358e9bdc3ba84f056c411a47c48bd
-
SHA256
5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2
-
SHA512
569ada391d90c284233c4846ef29e8bf4730b9aef7cde9b937d66baea7341fb73e9519e837e5f8a7a331824e580b3c2445439ceb03293ed5dbdaaba5b22c61f2
-
SSDEEP
24576:fyoF07TnV3GXc9KXeFDG8+WPwVxbleripDJwDOFASQ4PirRyPzEGmY:qy03nVl5PPgNlerctwqFPQ4qrRqEl
Malware Config
Extracted
smokeloader
2022
http://81.19.131.34/fks/index.php
Extracted
risepro
193.233.132.51
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 7IN7FZ32.exe -
Executes dropped EXE 4 IoCs
pid Process 1692 Bx6hD92.exe 2328 1wy75vG2.exe 7016 4NB208cq.exe 6508 7IN7FZ32.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" Bx6hD92.exe Set value (str) \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" 7IN7FZ32.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/files/0x00070000000231da-12.dat autoit_exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini 7IN7FZ32.exe File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol 7IN7FZ32.exe File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI 7IN7FZ32.exe File opened for modification C:\Windows\System32\GroupPolicy 7IN7FZ32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4NB208cq.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4NB208cq.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 4NB208cq.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 6640 schtasks.exe 5688 schtasks.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1876 msedge.exe 1876 msedge.exe 1296 msedge.exe 1296 msedge.exe 1728 msedge.exe 1728 msedge.exe 5268 msedge.exe 5268 msedge.exe 5636 msedge.exe 5636 msedge.exe 6112 msedge.exe 6112 msedge.exe 6588 msedge.exe 6588 msedge.exe 7016 4NB208cq.exe 7016 4NB208cq.exe 3176 Process not Found 3176 Process not Found 6488 identity_helper.exe 6488 identity_helper.exe 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 7016 4NB208cq.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
pid Process 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
description pid Process Token: SeShutdownPrivilege 3176 Process not Found Token: SeCreatePagefilePrivilege 3176 Process not Found Token: SeShutdownPrivilege 3176 Process not Found Token: SeCreatePagefilePrivilege 3176 Process not Found Token: SeShutdownPrivilege 3176 Process not Found Token: SeCreatePagefilePrivilege 3176 Process not Found Token: SeShutdownPrivilege 3176 Process not Found Token: SeCreatePagefilePrivilege 3176 Process not Found Token: SeShutdownPrivilege 3176 Process not Found Token: SeCreatePagefilePrivilege 3176 Process not Found -
Suspicious use of FindShellTrayWindow 38 IoCs
pid Process 2328 1wy75vG2.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found 3176 Process not Found -
Suspicious use of SendNotifyMessage 33 IoCs
pid Process 2328 1wy75vG2.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 2328 1wy75vG2.exe 3176 Process not Found 3176 Process not Found 3176 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1256 wrote to memory of 1692 1256 5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe 89 PID 1256 wrote to memory of 1692 1256 5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe 89 PID 1256 wrote to memory of 1692 1256 5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe 89 PID 1692 wrote to memory of 2328 1692 Bx6hD92.exe 90 PID 1692 wrote to memory of 2328 1692 Bx6hD92.exe 90 PID 1692 wrote to memory of 2328 1692 Bx6hD92.exe 90 PID 2328 wrote to memory of 1728 2328 1wy75vG2.exe 94 PID 2328 wrote to memory of 1728 2328 1wy75vG2.exe 94 PID 2328 wrote to memory of 2184 2328 1wy75vG2.exe 96 PID 2328 wrote to memory of 2184 2328 1wy75vG2.exe 96 PID 1728 wrote to memory of 4232 1728 msedge.exe 97 PID 1728 wrote to memory of 4232 1728 msedge.exe 97 PID 2184 wrote to memory of 3292 2184 msedge.exe 98 PID 2184 wrote to memory of 3292 2184 msedge.exe 98 PID 2328 wrote to memory of 848 2328 1wy75vG2.exe 99 PID 2328 wrote to memory of 848 2328 1wy75vG2.exe 99 PID 848 wrote to memory of 1612 848 msedge.exe 100 PID 848 wrote to memory of 1612 848 msedge.exe 100 PID 2328 wrote to memory of 2744 2328 1wy75vG2.exe 101 PID 2328 wrote to memory of 2744 2328 1wy75vG2.exe 101 PID 2744 wrote to memory of 4812 2744 msedge.exe 102 PID 2744 wrote to memory of 4812 2744 msedge.exe 102 PID 2328 wrote to memory of 3236 2328 1wy75vG2.exe 103 PID 2328 wrote to memory of 3236 2328 1wy75vG2.exe 103 PID 3236 wrote to memory of 3656 3236 msedge.exe 104 PID 3236 wrote to memory of 3656 3236 msedge.exe 104 PID 2328 wrote to memory of 3936 2328 1wy75vG2.exe 105 PID 2328 wrote to memory of 3936 2328 1wy75vG2.exe 105 PID 3936 wrote to memory of 424 3936 msedge.exe 106 PID 3936 wrote to memory of 424 3936 msedge.exe 106 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110 PID 1728 wrote to memory of 2140 1728 msedge.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe"C:\Users\Admin\AppData\Local\Temp\5f909dbd60988d3d230825e22b616d2865d9d819d2b03739a982ddeccfe97df2.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bx6hD92.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bx6hD92.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1wy75vG2.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1wy75vG2.exe3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:4232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:25⤵PID:2140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:85⤵PID:232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:15⤵PID:5260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:15⤵PID:5248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:15⤵PID:5884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:15⤵PID:5980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:15⤵PID:5472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:15⤵PID:6188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:15⤵PID:6208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:15⤵PID:6512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:15⤵PID:6736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:15⤵PID:6920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:15⤵PID:7052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:85⤵PID:7028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6356 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
PID:6488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:15⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:15⤵PID:4284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:15⤵PID:1140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:15⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:15⤵PID:5804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:15⤵PID:5792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:15⤵PID:4124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2076 /prefetch:15⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8344 /prefetch:25⤵PID:1904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13535300433490844053,1909880396025376444,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:15⤵PID:1212
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login4⤵
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:3292
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,17025690643760989129,1411174540545396376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:1296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,17025690643760989129,1411174540545396376,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:25⤵PID:4048
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:1612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16819794862981006312,13280893650261723418,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16819794862981006312,13280893650261723418,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:25⤵PID:5452
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login4⤵
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:4812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8484537144312331127,9095308673671198888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:25⤵PID:5144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8484537144312331127,9095308673671198888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:5268
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login4⤵
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:3656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,4302751548187538015,2853244566311934591,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:6112
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform4⤵
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11811535930178237432,5893724216950123838,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:6588
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login4⤵PID:1588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:4848
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin4⤵PID:6084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:5136
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/4⤵PID:6228
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:6384
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/4⤵PID:6932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffb2c4346f8,0x7ffb2c434708,0x7ffb2c4347185⤵PID:6960
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NB208cq.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4NB208cq.exe3⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:7016
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN7FZ32.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7IN7FZ32.exe2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:6508 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:6640
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
PID:5688
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5276
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5296
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵PID:2512
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵PID:6716
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b1d2202f74b448801d3f092bd89c1ced
SHA17dea3fdc9b375de768c508da42e468c0f974dd33
SHA2566f15e3e1d666d9d7534198b2c0b03a5c710b0ffd6049b4d121e2ace2c476d32e
SHA512adfe22f0ff9bf03ef14013194e2497f7d8c7631f741320611c0c77ea02887844edfab338c9b66f5afce1994f2364066641c9991eb2cfb1eb6d9a0143a50cd410
-
Filesize
152B
MD58f0cdba3e639a70bf26cf85d538ce1a8
SHA1b457faa0d6c55d56d61167674f734f54c978639b
SHA256c1e48c2dfaeb607efc713e1b5c01d1ee8a9491d8f3a2a5f4f3887e6c1f8c2f63
SHA5123c270fc58170c37f51427aac2d3092ddbbc17832556718612cebb0c32c04e7e3b7e157969d458a4b9c3e8bf781c23489319338960cefb5cf530673f2b8f81609
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5589bd8334453a3bb9975aac38e252818
SHA179471eae37053dd79cfe6bd3e5498df1b9c95d79
SHA256a21db491c61ca07f2cd766c5ec5cffb719cc92b082c251dac3f8a09410be2625
SHA51234780ad1ea8e42ce362dafd4ed2f19df0f59529a6ff52bd02e164cf3222a826fcc6736550cca5bc0b2856b8992961f48e1a104ded59e63009eb303073e7c3339
-
Filesize
6KB
MD587b0cca832a27434cbc28e38797969e0
SHA113ee7a4f04d297088399e9943194ed4d234204b4
SHA25628938d42def3334295d9500af8b9ee45318880905aaf4731fa5d0bb2584e1aa2
SHA512362443b53055a715a688af0a5c3bc619c065fea539a5002f326fe817760814139a323433a47fd4f80d616f1cf04a8050ab4e0696426f960245dff636c3d09653
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
2KB
MD51c83f7260fd55ec8147eb827a2fc1bcf
SHA166d7356f47d8ba082343bdcc78f906c3a7a4bbe3
SHA25669b04d13b7b848bfeb975388698d122669849ba130195264e5eb8c7f6909e863
SHA512fc18a35bec54b55d2f09c074330d7e17e8fc6763bceb41a2c2914abe4727d0b79f1cf32a533be0dd0d3f08c2e240bbf57c710bbaafae4a0356a45b30db688182
-
Filesize
4KB
MD5b55f9a7ec69142866e57863828a294cb
SHA1a720de2d00550dd01b79fc0f5efc42ff495a0e7d
SHA2560e82f71b3368a0128eb792b948da2095526b3d60bfabfe83e9486d40599d530d
SHA512e7bb4a9d4d7b11d1c7fbbd2972c3d5b870c779dabb7c582e217ae6cc903156da77d3f1d4ee308bee20b8b62b1218e4a35d8817d1cba6701e00b4d1ce5137dd5a
-
Filesize
2KB
MD5766256462cc6a47197e55d68abe67ee0
SHA18a48b2d65ccbe726c7e848ee36a73fda61912126
SHA2565475b30564a8294b225e899dcb35f328f9835aae6da424a3982eac4feac9edd0
SHA512330f1d1234bc32fd5600897946b879a766c5cf9eb0c94c63b94bf0a3f2388b786786add21ade4208ecea6adc2895589cf74c968f90e72da24f830efb5e7ce81b
-
Filesize
2KB
MD544ae196ffba323bea0b4c2add619e575
SHA1b0c7ba14bd833e7ee20df666f1e8a52cc1b92aa2
SHA256762511f31cb51cbccb295bdf3a38769fa018c91460406b4c3b6ddf63216e6776
SHA512f8157cccec77983d1ed8f947db77915b9b80726225c064d603af3a089c1c5af840f6d92cf059f7a3e1608af436878aa0a6c80dc17f56d3dfc0be96d1680a43cb
-
Filesize
4KB
MD5933f7efecb3eab07411f23ada68e60d9
SHA13f7ed744f484214b56855e5cd4f64b2b5e00bce9
SHA25673964d829c9f9a0d12977f0f990e1f4fbe08e17034a3fd5ae9c60d714dd6a1d4
SHA512c625c75174ebda347380b5c4fc2f138d799a257a323bfc72ace3551159c80b2758c6e3d3fddde23a6de22f9fd8412269b590e2de04cbae7f6156ebbc73832cfe
-
Filesize
2KB
MD521d44a6c21f08fb4366daa9b4d1d0d53
SHA149e1aa208ba1fc1fbd20b7a6c38703bd0eb71c13
SHA256ecc5b33b99a09dffd2d8f1114eb714dbdc1842a85c113b32826e66d1b5413215
SHA512ef301bd819a592a2eddff11f0b3bf0993a3d914cd18964900cd1edda266c413ac4ffb84acc0a0653b6b4046e86d17fd633fc054ee16fba5ef6d3faaf911d91de
-
Filesize
2KB
MD5d4f9a852c4e03ac674cebf38db73e221
SHA1b8719b91eb4726fd767add03027317190691606c
SHA25645da746cea841a7b0968c35f75d3fac77e67deea6017a864b06ac0d406e58d1c
SHA51289a283837a8e84ec55c33bf59352e7b597053f860e7e0769be0b21b659bab05c865613b351d65b0a67ab5e74f23baae774fdcdd4e564d851b67f07761bc05d64
-
Filesize
4KB
MD5d0d49f081f77f0457d3123dfc9e83255
SHA1094817ea9a507fd514dba44fe52868e44995c5d3
SHA256c0455996749532be40ac8975df2b1e3f371e52137617eeb564d1b73608bc85e8
SHA512760bd64634e535bd390fb87c9358074144cd713414e7b269a4ddfee57d301511aff14a8b5d834574b330cec4dd04ae8a95e55b49922e882afd33feeecc065964
-
Filesize
4KB
MD529026f8c7fcf96dbf963c56a86d1fde8
SHA1a5d2b837debf30d4b2fa13b03785ea676d5ff291
SHA256fe15ee9aa140064d92086cb3594b8c40a5833e080d3029d6d35b5cc0b5af2be6
SHA5128706714205ae9055f911d2102dedcd3669cb421d83a8da731b3fd8eefa28f3b48653120584c316b6acadbd538c9e2f969973f209f602f56865ce2c8ef5dd302f
-
Filesize
4KB
MD55ca090c63d9d264ccb5d4cdda15c72c2
SHA12d5541cb33d318678977e7e11796e54ed3a016a0
SHA2561f6259b41de6f0d80f88b279b124aea802c98ec0b2fc30b647231e26f7374164
SHA5126871b67eef1b64faa4450e61b3a4b9a3f532ccd567af30915fbcdc35077df7a9dde4f65d9f22a2cbff46b3905996a4c13a4dfc8c26532728a417d28dec4c7aea
-
Filesize
1003KB
MD544cc01f972057820d7e1c3cb77cb64b7
SHA1d935a3b7273935b9e8db1a0737c405ff0cbd4d09
SHA256ca85ce37dc2a99f7a4f101c3acf49579afe2e2547ed70985490c34b12f450268
SHA512101b1267645bb8e59cfc5f79ff12cb5ec911e4d49fd1d794513ed772c382733f17f0a6a344dc7f8644b2b93a5a4d9ac976765965f1120e97b817ab22b9acfd71
-
Filesize
551KB
MD5a9802852dcb1628e3e6dd189a90c58f3
SHA11f4c45b6e66110e4d2ebfa83c26d9deb88a9f8a6
SHA2560d00c5992bfa1fc5f532c92a9a4acb7c8948da792252c8f595289927f22e5085
SHA5124c8f1795a92e25dc48f4a70c125a605a13e2617a1335c1928fe4ef880a0cdb0fefeb09916f683e90db319a853c013befdbd9c40d5153561ccef1455e3fc9cb26
-
Filesize
898KB
MD59c7318490eb691f13187bd07f12b7a50
SHA1ae629b05f8437e120e65d7741f54ba73aba04cf9
SHA2565c1212988b5f75a875976e64254d7f023590fc78234ec2b2b361bce762f00c5d
SHA51292039a8072cb5da24376f108235c7a3a6d31893b8a52e26578ac1329a0f9a4bd7bee6469f2261ad2f45351559c2132bb1d77f300600c1716deca724623caae94
-
Filesize
38KB
MD5ac56fa7c561f8d04bfbfc7c6bf97a91b
SHA1f2191fa70d141a00d28f3f4ed247ec5e8fb8a515
SHA25662d6d6c66addc3293db9f580e15c0d3b1afbc39b6f75f7a7ee99a1916c19b1c6
SHA5126b14a0d39fbeed306ba4f63297b8c990c308a22556f78f5ec56e63a5d2bd200d4e8857008d6cb263d35ac1ec73da4e394913d87c9ce45229ff203242371050ee