Tasks (sidebar tabs; task name as truncated in the sidebar, platform, and score badge)
- Overview: score 7
- Static: score 3
- NLBrute 1....en.zip (windows7-x64): score 1
- NLBrute 1....en.zip (windows10-2004-x64): score 1
- NLBrute 1....en.exe (windows7-x64): score 5
- NLBrute 1....en.exe (windows10-2004-x64): score 5
- NLBrute 1....64.exe (windows7-x64): score 5
- NLBrute 1....64.exe (windows10-2004-x64): score 5
- NLBrute 1....32.dll (windows7-x64): score 1
- NLBrute 1....32.dll (windows10-2004-x64): score 1
- masScan_1.6/Input.txt (windows7-x64): score 1
- masScan_1.6/Input.txt (windows10-2004-x64): score 5
- masScan_1....UI.exe (windows7-x64): score 1
- masScan_1....UI.exe (windows10-2004-x64): score 1
- masScan_1....et.dll (windows7-x64): score 1
- masScan_1....et.dll (windows10-2004-x64): score 1
- masScan_1...._3.exe (windows7-x64): score 7
- masScan_1...._3.exe (windows10-2004-x64): score 7
- $PLUGINSDI...ns.dll (windows7-x64): score 3
- $PLUGINSDI...ns.dll (windows10-2004-x64): score 3
- $PLUGINSDI...ns.ini (windows7-x64): score 1
- $PLUGINSDI...ns.ini (windows10-2004-x64): score 1
- $PLUGINSDI...al.ini (windows7-x64): score 1
- $PLUGINSDI...al.ini (windows10-2004-x64): score 1
- $PLUGINSDI...er.bmp (windows7-x64): score 3
- $PLUGINSDI...er.bmp (windows10-2004-x64): score 7
- $PLUGINSDI...rd.bmp (windows7-x64): score 3
- $PLUGINSDI...rd.bmp (windows10-2004-x64): score 7
- $SYSDIR/Packet.dll (windows7-x64): score 1
- $SYSDIR/Packet.dll (windows10-2004-x64): score 1
- $SYSDIR/pthreadVC.dll (windows7-x64): score 1
- $SYSDIR/pthreadVC.dll (windows10-2004-x64): score 1
- $SYSDIR/wpcap.dll (windows7-x64): score 1
- $SYSDIR/wpcap.dll (windows10-2004-x64): score 1

Analysis
- max time kernel: 149s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/02/2024, 09:07
Static task: static1

Behavioral tasks (task id: sample, resource)
- behavioral1: NLBrute 1.2 x64 & VPN - KeyGen.zip, win7-20231129-en
- behavioral2: NLBrute 1.2 x64 & VPN - KeyGen.zip, win10v2004-20231215-en
- behavioral3: NLBrute 1.2 x64 & VPN - KeyGen/NLBrute 1.2 x64 & VPN - KeyGen.exe, win7-20231215-en
- behavioral4: NLBrute 1.2 x64 & VPN - KeyGen/NLBrute 1.2 x64 & VPN - KeyGen.exe, win10v2004-20231215-en
- behavioral5: NLBrute 1.2 x64 & VPN - KeyGen/NLBrute 1.2 x64.exe, win7-20231215-en
- behavioral6: NLBrute 1.2 x64 & VPN - KeyGen/NLBrute 1.2 x64.exe, win10v2004-20231215-en
- behavioral7: NLBrute 1.2 x64 & VPN - KeyGen/libeay32.dll, win7-20231129-en
- behavioral8: NLBrute 1.2 x64 & VPN - KeyGen/libeay32.dll, win10v2004-20231222-en
- behavioral9: masScan_1.6/Input.txt, win7-20231215-en
- behavioral10: masScan_1.6/Input.txt, win10v2004-20231222-en
- behavioral11: masScan_1.6/Massscan_GUI.exe, win7-20231215-en
- behavioral12: masScan_1.6/Massscan_GUI.exe, win10v2004-20231215-en
- behavioral13: masScan_1.6/Packet.dll, win7-20231215-en
- behavioral14: masScan_1.6/Packet.dll, win10v2004-20231215-en
- behavioral15: masScan_1.6/WinPcap_4_1_3.exe, win7-20231215-en
- behavioral16: masScan_1.6/WinPcap_4_1_3.exe, win10v2004-20231222-en
- behavioral17: $PLUGINSDIR/InstallOptions.dll, win7-20231215-en
- behavioral18: $PLUGINSDIR/InstallOptions.dll, win10v2004-20231215-en
- behavioral19: $PLUGINSDIR/bootOptions.ini, win7-20231215-en
- behavioral20: $PLUGINSDIR/bootOptions.ini, win10v2004-20231215-en
- behavioral21: $PLUGINSDIR/ioSpecial.ini, win7-20231215-en
- behavioral22: $PLUGINSDIR/ioSpecial.ini, win10v2004-20231215-en
- behavioral23: $PLUGINSDIR/modern-header.bmp, win7-20240215-en
- behavioral24: $PLUGINSDIR/modern-header.bmp, win10v2004-20231215-en
- behavioral25: $PLUGINSDIR/modern-wizard.bmp, win7-20231215-en
- behavioral26: $PLUGINSDIR/modern-wizard.bmp, win10v2004-20231215-en
- behavioral27: $SYSDIR/Packet.dll, win7-20231215-en
- behavioral28: $SYSDIR/Packet.dll, win10v2004-20231215-en
- behavioral29: $SYSDIR/pthreadVC.dll, win7-20240215-en
- behavioral30: $SYSDIR/pthreadVC.dll, win10v2004-20231222-en
- behavioral31: $SYSDIR/wpcap.dll, win7-20231215-en
- behavioral32: $SYSDIR/wpcap.dll, win10v2004-20231215-en
General
- Target: masScan_1.6/Input.txt
- Size: 19KB
- MD5: 6c77eedee0cf48fdefee2707f2e97f7a
- SHA1: bce4777c80eb763c1b0cef8fd4031226696a9c06
- SHA256: 9216dd042d38d56980c78e65754d7e07e5dfd36aaabb712fe5c0f7487b97d445
- SHA512: 3f60f72a11e0924baf3e7a0c31e62f7ec6b646d131936effd04be922249f0ba43faa52a30b5b92cec8c7405b4f6a49887c737e1bbd115187818e235fcc8d9718
- SSDEEP: 192:9+pNQRVMKgpxCuHS6x8U2tmSlhHQgVW2y5lYPE2t+CKoi5G:9+pN8OKgpx7SQ8hQSlhHkME2t+Cvi5G
Malware Config
Signatures
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\system32\lusrmgr.msc (mmc.exe)
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Opens file in notepad (likely ransom note) (1 IoC)
  PID 4532 NOTEPAD.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4888 taskmgr.exe (repeated rows), PID 1316 msedge.exe
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  PID 3952 mmc.exe, PID 4888 taskmgr.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (14 IoCs)
  PID 3352 msedge.exe (all 14 rows)
- Suspicious use of AdjustPrivilegeToken (27 IoCs)
  Token: SeDebugPrivilege, PID 4888 taskmgr.exe
  Token: SeSystemProfilePrivilege, PID 4888 taskmgr.exe
  Token: SeCreateGlobalPrivilege, PID 4888 taskmgr.exe
  Token: 33, PID 2176 AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege, PID 2176 AUDIODG.EXE
  Token: 33 / Token: SeIncBasePriorityPrivilege, PID 3952 mmc.exe (11 pairs of rows)
- Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 4888 taskmgr.exe (all 64 rows)
- Suspicious use of SendNotifyMessage (64 IoCs)
  PID 4888 taskmgr.exe (all 64 rows)
- Suspicious use of SetWindowsHookEx (22 IoCs)
  PID 4216 osk.exe (20 rows), PID 3952 mmc.exe (2 rows)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3352 msedge.exe wrote to memory of PID 744 (procid_target 105)
  PID 3352 msedge.exe wrote to memory of PID 1792 (procid_target 106)
  PID 3352 msedge.exe wrote to memory of PID 1316 (procid_target 107)
  PID 3352 msedge.exe wrote to memory of PID 5308 (procid_target 108)
  (each target appears in multiple repeated rows)
Processes

C:\Windows\system32\NOTEPAD.EXE (PID 4532)
  Command line: C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\masScan_1.6\Input.txt
  - Opens file in notepad (likely ransom note)

C:\Windows\system32\taskmgr.exe (PID 4888)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\osk.exe (PID 4216)
  Command line: "C:\Windows\system32\osk.exe"
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\AUDIODG.EXE (PID 2176)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x474 0x3cc
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\mmc.exe (PID 3952)
  Command line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\lusrmgr.msc"
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3352)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of WriteProcessMemory
  Child processes:
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 744)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe8d7346f8,0x7ffe8d734708,0x7ffe8d734718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1316)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2580 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5308)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3032 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4592)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2120)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3880)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4976)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1340)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 384)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3560 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2840)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4776)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1760)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2932)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1340)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3624)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1312)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4438267007590971820,13715417766009569302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe (PID 4520)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 5068)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- (unnamed file)
  Filesize: 152B
  MD5: 1386433ecc349475d39fb1e4f9e149a0
  SHA1: f04f71ac77cb30f1d04fd16d42852322a8b2680f
  SHA256: a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc
  SHA512: fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e
- (unnamed file)
  Filesize: 194KB
  MD5: ac84f1282f8542dee07f8a1af421f2a7
  SHA1: 261885284826281a99ff982428a765be30de9029
  SHA256: 193b8f571f3fd65b98dc39601431ff6e91ade5f90ee7790bfc1fba8f7580a4b0
  SHA512: 9f4f58ab43ddadad903cea3454d79b99a750f05e4d850de5f25371d5bec16fc312015a875b8f418154f1124c400ae1c82e2efd862870cd35c3f0961426c8cd82
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 912B
  MD5: d3fadf7afb975309c479e4a78aeca1e3
  SHA1: 65ecd596eec0453897428926e4f27ebe13770be2
  SHA256: a708d0ed5f496a79b82d120b81827084f3a8a50d703fe62f64d6de8093546e4a
  SHA512: db888b11feb30c93ebc83b123ba1905837d867af48a3552a76adbc4ac87e9b4a3e08867ea3b2183bd023ff27aeae527ff9c60a7642a477c43a62f13f94cc6523
- (unnamed file)
  Filesize: 5KB
  MD5: 9bda4c24d41f360911381d0f313970ea
  SHA1: ca1198c4af8b08913e2088f415acf7dbd4a1372e
  SHA256: 4fa4dc636f42b31c4273c6ad861c92c294290749bd09b1b8f6e2bb417baf8668
  SHA512: dc657ecfe48de484c670e85b72315dab8a9fb460c801b788b59dc261320937bc1e32374a1d115c5f8cec2293ddc81b97da2563a7e33e582c93911fa4cde57065
- (unnamed file)
  Filesize: 5KB
  MD5: d64ec1caf706c0b203cbf68c26bc74fd
  SHA1: 8a1ecbeb344d6040bfd114217f6d1479b647aa2e
  SHA256: 966e72d382e02d352147846c5bb18c799c47b3b37b7323b589c3fbda7135deda
  SHA512: 0b556c8259c57be4dce3872417020a97714366b7439ce8a7258d027f02ad98d01f91d32db40a33cfdf5249aafbc31c2e7cdf9f04d67dc75c74f471032e824664
- (unnamed file)
  Filesize: 7KB
  MD5: 3fff7d64bb17e240699cc4b9c48f1a9e
  SHA1: 3a43d11c40b927cc8bf45e3fff4a0e66448f5182
  SHA256: 1cd4856816dac84c351d040fb26bfcef022dc3e9eba24484e9cbaf183d8a43ad
  SHA512: 7af919fbfbd72488ce213defbecf76e873bc20f585515961a91186e2f5ab4b13ef57f438ca22f660eec7ad31e9b36a000053bdd1810946a346434c3d8b7f5719
- (unnamed file)
  Filesize: 24KB
  MD5: e664066e3aa135f185ed1c194b9fa1f8
  SHA1: 358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5
  SHA256: 86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617
  SHA512: 58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e
- (unnamed file)
  Filesize: 1KB
  MD5: b781df7ec5f7e3fd3d4a845f27cabe9a
  SHA1: eeebd5de324204562aea1deda4dc8aef9e06f0dd
  SHA256: d05852f74a4a631b1dc0cd3c956986fe5771fbd1eb2c5388965ccdfba0005fea
  SHA512: 80910b5126ef1052fa22cce8d42d495d24668c141671dcbc9c373c986d5f9899bf7ff09ea41f10a554467a1c6407d74f2761f9ac84a74aae712958755da811f6
- (unnamed file)
  Filesize: 1KB
  MD5: 5d874f263f7373068d85ed676ca72bff
  SHA1: 823e2b66d40edc9c12e30f4e43ee7d96cd1bba65
  SHA256: ed983bbbec68c3694ed77d9d1a816064d720b2f5a13111db6694bf3eabb6e783
  SHA512: 19ed3693c4af49b0471a99b8681f7b389aae58f6638bcb17879df341dff3fbf64ab8673ff0c99d9d977e72585bbe78aec1c9207033977dc3decd1f40b03cab69
- (unnamed file)
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- (unnamed file)
  Filesize: 10KB
  MD5: 8d4799aa072c0cccc6feb384e0a2d936
  SHA1: 098d07319cdd6bd0bc78f00a6fe78cdb27eeaac0
  SHA256: 96529a39b0c30c25e0f0a94b1273a9943a5d3416d0975ae49061d5b73c5878fc
  SHA512: 6e610c50ffb2d3ab42a0f70a37648b33491a36ca980d7107fd7a0808e42afcadc4097b113e292cfa8c38d933f96830f1ba44198e55bafbf6db5e1030857e75c2