Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
64s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
05/06/2024, 17:53
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://www.mediafire.com/file/aw8xqkjpgfz2va8/RecoverInstructions.zip/file
Resource
win10v2004-20240508-en
General
-
Target
https://www.mediafire.com/file/aw8xqkjpgfz2va8/RecoverInstructions.zip/file
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
pid Process 3336 powershell.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 3304 msedge.exe 3304 msedge.exe 2644 msedge.exe 2644 msedge.exe 6920 identity_helper.exe 6920 identity_helper.exe 6572 msedge.exe 6572 msedge.exe 3476 restoring.exe 3476 restoring.exe 3336 powershell.exe 3336 powershell.exe 3336 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs
pid Process 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3336 powershell.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe 2644 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 1364 2644 msedge.exe 84 PID 2644 wrote to memory of 1364 2644 msedge.exe 84 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 2416 2644 msedge.exe 85 PID 2644 wrote to memory of 3304 2644 msedge.exe 86 PID 2644 wrote to memory of 3304 2644 msedge.exe 86 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87 PID 2644 wrote to memory of 1384 2644 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/aw8xqkjpgfz2va8/RecoverInstructions.zip/file1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f40f46f8,0x7ff8f40f4708,0x7ff8f40f47182⤵PID:1364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:22⤵PID:2416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:82⤵PID:1384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:12⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:12⤵PID:1648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:12⤵PID:808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:12⤵PID:1508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:3864
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:12⤵PID:2988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:12⤵PID:4616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵PID:2092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:12⤵PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵PID:3092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:5204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:12⤵PID:5284
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:12⤵PID:5356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:12⤵PID:5364
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:12⤵PID:5372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:12⤵PID:5380
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7880 /prefetch:12⤵PID:5388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:12⤵PID:5396
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8572 /prefetch:82⤵PID:5188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:12⤵PID:5196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8860 /prefetch:12⤵PID:5928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9244 /prefetch:12⤵PID:6164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9500 /prefetch:12⤵PID:6268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9676 /prefetch:12⤵PID:6340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9624 /prefetch:12⤵PID:6440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9956 /prefetch:12⤵PID:6512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10224 /prefetch:12⤵PID:6596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10272 /prefetch:12⤵PID:6604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10468 /prefetch:12⤵PID:6772
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9964 /prefetch:12⤵PID:6780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9492 /prefetch:12⤵PID:6936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11104 /prefetch:82⤵PID:7020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10176 /prefetch:12⤵PID:6896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:12⤵PID:6908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:12⤵PID:2064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,9206517233607804527,13006952626620716952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8032 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6572
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1820
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:512
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5520
-
C:\Users\Admin\Downloads\RecoverInstructions\restoring.exe"C:\Users\Admin\Downloads\RecoverInstructions\restoring.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -WindowStyle Hidden2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3336
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5a8e767fd33edd97d306efb6905f93252
SHA1a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA51207b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241
-
Filesize
152B
MD5439b5e04ca18c7fb02cf406e6eb24167
SHA1e0c5bb6216903934726e3570b7d63295b9d28987
SHA256247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2
-
Filesize
19KB
MD5ce1093c800c0933d7c9674eda75790d8
SHA1371c2dcde092f51b18852e2617bc6c0c176f5873
SHA25657781a723db9a2483067bcbc89d1f30f7e2f22ae2d18aab1e45ad894d8cdab89
SHA512fdbb31c607cc9a4bd75c42cbc552fb40d82e53804d156244ed2daa124c75e1680b908589f7a3ad8888b9b03ebfd1f4b3e83e19f84e3a746cf210d0b8a1678533
-
Filesize
64KB
MD59a8ceef2725801e17be5c55b0a7b6887
SHA1567f8cc2c9704f0f9186e50bb7ed9582bc3ac924
SHA256c34f0544214631ecebb3d75ea3e9876f8096703b293266fdcb6426952fc98027
SHA51257c534210f5905ae7d74e3adb6c39ad3d387797786b9a9b8def51508f83b83e97dbca9a48dd0bf38dadb6ea81dc5769d704c8ad58471baf727866eb06c2c4dcd
-
Filesize
207KB
MD5e955953b801c04327c1e96c67dd3c618
SHA1f9061d3780f153e863478106bf1afd85132bccb0
SHA256e8965a2d52ef25918ebee58ab6971745d396177a7943acf1ed53a65bb4dddd45
SHA5126318ff1eb838954dd73dab5ed891d47f4f39089fa5e899d30183c32269c5620bd09d169af4cf8303e3d5c2ebab23cfe9ae5d9fa5c3281023abb009f66a25782a
-
Filesize
53KB
MD524fa0adf54cb9b882bdb4490335ad4e4
SHA150a541baf9fe5b54f2e43c98e2cbf8a62114fff6
SHA256d218e7ce7734be45df564a83e854cbd8776baa7ccef6bb66cfa17c30b2f1de1d
SHA5127bdc388ac83cd5dceb26b4824ed6c1d47da85ec114016c04628a460e4fe4f0f8f59ffe8ef4680828ef01271c4520cf394a34aa591803152279a6c61b79bf99fa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5f35d260a7f66486335442dcafcabd5ae
SHA1102e11234607037b1f8fb91a70576dca06e381da
SHA2567d86e7017f28e2c9753e0662b2fb4f8f55f543f10eb6bee28fd18645fbaae9ba
SHA51271a746da31d4a797f6828fba8976562e64698f824404a712eacfdb2e89b5a099751115f11240b7146ed970c20cfcc17ffbef0f71ebca2a614a1e98c2914213cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5cea5aae0f85f7391ee09502dee70a78d
SHA1773a2c85c3298da8cf2beebb9f4a20a5d0cc1757
SHA2565ae22c07f036cc61e7ad714ce155ff63ccf206fb668567d56089f549f2245895
SHA512313603a197d03d16d3e1d59afa35f83692b3e9bb4547a57e2d3131b9800195ea739702900b25511f991114941ea910bdfd7e6d6af41c528c5be51856771fde7d
-
Filesize
16KB
MD5ab7beee5e5b1b2bc21c331417d812737
SHA11ab225537ebc78e6962d56912eacd878e98fe5f5
SHA256bc775273a32524e07527994cc497b4d09bcec797cd2bba0efd42591867bb02f5
SHA512509f596ed2e473112c3a9037764355b609261fb7e60ada135669d91e748d42138e99eda1e23e355e1db7fc2fb1e2b7bb00314b43ab8d2f66c136e436ee5934cb
-
Filesize
5KB
MD5f936c4c200edd6f16abf39ac6f07e135
SHA1f67d8413bd03d1dd9c81f34d7d6f06b97a2009e7
SHA256010de790345fe64a190a244703c0a8746a37fc10ff469296cf2fa44ae9f96413
SHA512ff867263b647666ec62b5aa9a86143ffb8119aa2600f7dba3c15321022cdfd24c60cba60dd71ef71ba7ff5234f3e31851054cf2df6633991ba721bc5f4679084
-
Filesize
12KB
MD5a7e55bf44a98faefc622fe149335478c
SHA16cad5e447cbb0b66e7bd47fc6399f143bdda62a2
SHA2564a17b93da7797e94d61b116e377eb4625d7c0c42d40c84401bd6c3ed76ee1a88
SHA512ee872efab4f35a603e4ce2d176d654562d881f2b318bea50f9f29a2e61cdf60adbdb693ec0b143734eb036accfedf997d738518da68c10f5ece92d05132cb57f
-
Filesize
5KB
MD5cdbac341da383df08f2cefcdd3e08c0f
SHA18cc61d60575e7099075ace80d926b4654ae3732f
SHA256fe9f0fb6fd2eee7e2d21c7b5a3b0cb2ab56034d15037eef28a8f5e8790549638
SHA512c8c3eb23988325eb9c57eb9c5202b04eb491367156de769d3bc329ddd36460016beeb26f1fceea088e1b11adfc38de999e77e2ebeef54a340235a619c49fb3ae
-
Filesize
2KB
MD59bf1f031cf23d1a9637c2c47be1f8c49
SHA1cd0c37358580ca1f3739b328b74f9026674b9a11
SHA256eafef29bfb6908a2c6b1e069b68579686ae19bae4e54039a0fa42a6cf4fc2248
SHA5126066ad9e39b9d1e1a3f2c81a001674bbebac2e208221d2bc5bdbdcca497cf2cf40b37b677c8275391b73d2ddd26c84d43a5ba4165a6b8dd0f01dcb4c6e050fd2
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD56e829a9c2528f1b08af7b568be24a649
SHA15438527d624cd314737cb1ed61a8b5dcf9ed9607
SHA2561177363d0b09aa3f5497dd65e4ceeccca050d414b300c8309f350398afaf7296
SHA512ab0bf0da2639680c19c6ab90b539929ca12d46cf901761de17ccf488aba5d59a4a81a316cc8d2ed4f32304e084094fa1d5b48eee5f729ac3bd9908d514af583c
-
Filesize
11KB
MD5025e44ed5d675219513e2ee955199b9f
SHA10056085a2d01fe3c96bff82d6ba11fc40e3d75f4
SHA25638b0ab6afab66a84270f88a39c86f43a5b72706a4dfb42ca9dab9be5cb8f5801
SHA51273c4ebac3d59b5044e00c8a7b61ea1fc8b08633f8d7aff599945b3e59ff09be5439fe2c7f2af7fb6a2beb83ceb8e00e3075d5f6ee9c2d1821313b1301a7894c7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
15.3MB
MD5539eb863cdb1331cc1f8da9b19ee1136
SHA1cf0c2a64318048e840ef796c3cdd71bad94572d0
SHA256816dbae953a1d989cf319b1fada795604c039cbdc1e55c2cfedd924fb446cd04
SHA512ff46ae60c6e5c2cc88ddea225e7a02a7d2110212f5de8e39074fecc881c461eccf60a6745f84d40652ca8a421dcf4b7dced196d05e4e550cbbbe61a7bbbf9fe4