Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
185s -
max time network
186s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
10/08/2024, 01:10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://tyloocheng.com
Resource
win10v2004-20240802-en
General
-
Target
https://tyloocheng.com
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{4A2574D3-273A-4F68-8E5E-367492553EB3} msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 688792.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1996 msedge.exe 1996 msedge.exe 2684 msedge.exe 2684 msedge.exe 2008 identity_helper.exe 2008 identity_helper.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 2496 msedge.exe 2496 msedge.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 2540 msedge.exe 2540 msedge.exe 2540 msedge.exe 2540 msedge.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
pid Process 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4104 taskmgr.exe Token: SeSystemProfilePrivilege 4104 taskmgr.exe Token: SeCreateGlobalPrivilege 4104 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 2684 msedge.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe 4104 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 3032 2684 msedge.exe 84 PID 2684 wrote to memory of 3032 2684 msedge.exe 84 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 2412 2684 msedge.exe 85 PID 2684 wrote to memory of 1996 2684 msedge.exe 86 PID 2684 wrote to memory of 1996 2684 msedge.exe 86 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87 PID 2684 wrote to memory of 2484 2684 msedge.exe 87
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://tyloocheng.com1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fc5b46f8,0x7ff8fc5b4708,0x7ff8fc5b47182⤵PID:3032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵PID:2412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:82⤵PID:2484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:82⤵PID:840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵PID:4304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:12⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:12⤵PID:1796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:12⤵PID:968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵PID:3356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:12⤵PID:4072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4716 /prefetch:82⤵PID:1248
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4908 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:12⤵PID:2892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3920 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:12⤵PID:636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:12⤵PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:12⤵PID:408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:12⤵PID:2940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:12⤵PID:3220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:12⤵PID:1148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:12⤵PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:12⤵PID:1280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:12⤵PID:1616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6288 /prefetch:82⤵PID:2016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵PID:1028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:82⤵PID:3088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:82⤵PID:1984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:12⤵PID:2392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,9577842903257701507,9095023456621026246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:12⤵PID:4408
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:512
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3944
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
67KB
MD5a074f116c725add93a8a828fbdbbd56c
SHA188ca00a085140baeae0fd3072635afe3f841d88f
SHA2564cdcda7d8363be5bc824064259780779e7c046d56399c8a191106f55ce2ed8a6
SHA51243ed55cda35bde93fc93c408908ab126e512c45611a994d7f4e5c85d4f2d90d573066082cb7b8dffce6a24a1f96cd534586646719b214ac7874132163faa5f28
-
Filesize
41KB
MD500d4cc262b70dd3d386111ff78fb0812
SHA1628d4dcee1e82d04ab3969c29e256cef10101407
SHA256956916ddd6bb5ebde0f5df3605a524d1624ea335cdc6bd5bf26681d3a5ac5239
SHA51212f3cf77c4ee58eb00b08ced394d35e35237da4bc9ca62b1408c6dca4350068aa94d3a0e98132aa0e6cbcbdb7dee9c2b9c5399ba7c4780442200ad37a4c2b1a6
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD53f06d90f781a40e2014b2b3a97c48b41
SHA1660682729eda776fef2b49c1e4be9860a032bed2
SHA256c051c48247b58ba107b7ded31e6a3913c8e0c890e547047080132f4ad81545e2
SHA512ebaca5aa11d984601460b0def00e974411397a00efa251b221145eab261a8180c8e35347693e1ec3a1528b8dc206259593f21fc1618fa79840f588286c7e6224
-
Filesize
43KB
MD5209af4da7e0c3b2a6471a968ba1fc992
SHA12240c2da3eba4f30b0c3ef2205ce7848ecff9e3f
SHA256ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403
SHA51209201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35
-
Filesize
73KB
MD5cf604c923aae437f0acb62820b25d0fd
SHA184db753fe8494a397246ccd18b3bb47a6830bc98
SHA256e2b4325bb9a706cbfba8f39cca5bde9dae935cbb1d6c8a562c62e740f2208ab4
SHA512754219b05f2d81d11f0b54e5c7dd687bd82aa59a357a3074bca60fefd3a88102577db8ae60a11eb25cc9538af1da39d25fa6f38997bdc8184924d0c5920e89c8
-
Filesize
18KB
MD51e189ba7cf9fdad9e0a805d7187468a8
SHA1a7dee632474d8ad353c011627b25445036ff361e
SHA256ef165ed0f488a103580126eec20ce0900b98f45b586acfa279cae99d089c4272
SHA5128a428f7b6fe0e240ec25fa6a323ef457cd723508a89afbbb8e0e8da863bb4202dbbbb24089a6691afaa293d295397459728ca38fae7e9d82639a2929f1c326cb
-
Filesize
210KB
MD548d2860dd3168b6f06a4f27c6791bcaa
SHA1f5f803efed91cd45a36c3d6acdffaaf0e863bf8c
SHA25604d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77
SHA512172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5425a5cde072f7673d764b3e35a979517
SHA17821638b5a2a21cc90de3b3378f5092b3a3da4f5
SHA256201da4c772d6a8fe54b3eeb6918998d1bdcd7a631868580da6add7ae4a5a2a97
SHA5120db52f51440f26b8c5318f9c0cc1f97b745cbfd6f4354010514fdfef4c25ccb3d0b98d404fe7dbbc1736c681d6e0ea2c543b6dd700ca5ff55e794360cddd5fac
-
Filesize
1KB
MD57d2d780ec004689a54728639ff728ceb
SHA1a795ef5f5a4c644ed3a94452e62200e088280ff0
SHA256e9a465ccacb6244adcfcfdf7ea7dcb66313a675bd94c027288f38be35bcc39b9
SHA5125fd3863d339f482e73a7729569255b34e249c963291b1df6b7b9be55379fc137e0ea8d3d6c5c976d54427a33da8f089d5e9837bdf3f1227ede29ab3e440021bb
-
Filesize
541B
MD5731538e40457c4f9464558ff391f4de8
SHA1c5dcce344d67e74b2c1477380889af0426221d14
SHA256111401c3e66f5445b32a14a2995b886821d622f39751ca4826ff4e6df4494435
SHA5128dfdccf074d54207582c732820fd54dd80fbb570b7e57245e12f947bf0c7ed5d195b0c63dcc7a1d5b3b434404123531de11de731de31ea8e021c39b4b56a8256
-
Filesize
6KB
MD514675cd7d9c42a57ac309d7ec21aab6e
SHA1ffbad88e376920e117e3f7374df0af4ef006a638
SHA256bd7fd656ab034ff7c4ccb80c22538c0c0b7fee9a9c3388acd62de35a5e05dc60
SHA5121a365d6bf59e69857a6a0b2a51de8c43508bb10c485ed7d1e1b39e9852b6777eefc330f927cca62ded0974e19c390c2570f55af4b724caac48ee27e7f1c405a8
-
Filesize
7KB
MD5341c3b15caf8968f5ff725b8bb250144
SHA1270cf38384c3bccbcc35c183361644334ad344cd
SHA256bd8cb75b4ac775e5b13852b977b60b1ebbaa54c0fc90a09d5fa53248ffbecf87
SHA512e35ec2a1d283677eeb5569e7ede86c0c830805d8e1c220a9cd18f3a548608ac8ee67c3592c6f7d586f44135dac18a2807fa6a778375b986237c9fcd333424dc3
-
Filesize
7KB
MD5201545b30b23909bf05c8d86911f8b78
SHA1deffe9fa11330ad05965019d80165b379e922b6a
SHA256aea2a27078af6519c92917f63d8a607529cb0bd592b03d7dcc3789617a7052b7
SHA512b5fc434ab5386db1215a0e5dc3f7ed5df5159cc0831bb5ac7eb4352efd7f1ccf2e207971a369b04a9369547f2f7fa54e397f6bda2086c0db63e821661a16dff4
-
Filesize
7KB
MD52a86e3c760d58607395a02fe4f9f5472
SHA19c3acab637d3fc999bdd28af24fa7313693728ca
SHA256ccaafe34ce9865936715ae7f1aa14da4067ba20e711087959e592398a01f6c46
SHA512a9c3b6a291b1b50f56ca818c175dd8bdac0ffbf8e59e87f0405f301add0440f1e9fb09105770e6892db1c9908f2ba801f1871c9f591a9a6db1f1c39135abcafa
-
Filesize
8KB
MD580c854f627dbbe619b729a75b2b5706b
SHA11698acd2fd4637d4248c57289ef149c80ec8d389
SHA2565684c4d790b373119d19c802b1041c492360d461fc05d51a86292fd0397ac387
SHA5123ae53cb4688c231574f9dcd2747cd4954162a018b1cdc547e974991dbd729a50612a8b9e0430b759eeac6f646358a02ac133f65811c24524d1d204a5139a436e
-
Filesize
6KB
MD58618d95448e30edd96c8e306ef2e5f31
SHA1f0d016ba72212b57d45444dc79e67daca1800c14
SHA256908498e1579a67282d2862991a601b99e650c17c455ed5846aab4b30a2635017
SHA512a9a0db786149f8c3ac9a5b989e356532d3a404c68997f11043140592282dc5f9db0ad70582e106660dcdc46042ee1a2b7695a2aa3253f34916c016971b81aa14
-
Filesize
868B
MD538733a72f6d4fb80bac36ed5e826b3ca
SHA15254b8503baf86c44d0a99698b18c42bc747d503
SHA256c301e06af6903bf33c72030d008bc08647798bd29e1d4654cc519634a3cfc7e2
SHA512bad714f69479b0b2801cdef69b5597e367d07877e3bdd9edd6b9d1899036423ad3dfd54bdacdc380f0980c0f5356e89ddadf8dfa3ed08b5c22db744bc71b2a3f
-
Filesize
868B
MD5e95a50c90384f71697e8caa2a4f14541
SHA1e6f697d22772c3a8a79c660f909c55f0ad9f1ee4
SHA2560141e005f805bc77e396f33ba629f58f3e80da60327314f799dd6487170d5fa1
SHA5122adb49349c17d25bd4a0c95a2c1e52e9f8ce522a6a654eb22adba5e3cef07a44675e85db682bc942fb28e6c22692e66b8cac34e765242c731b75a35c44b546a7
-
Filesize
536B
MD57a2620678a12bacefd6af7e5377de4b5
SHA16549f51e1c3c68b5e5a770e3d94afe9cf62d8d07
SHA25632cfd1e45612f12a85815b51266f364767f7cf240fad283d43a28f5656c4a30b
SHA512db51716bbbad5e8417f6684d801c7f044cbe7d6a27e535d945d8c47b4188f957c0815c86aa89ecad83a65a4ce1595b6da66bb5c4785906d2a588c065018c5002
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5a59ec5787cf941b566bb62e54ae325c7
SHA1ba27569ad7b90bd83a792fb9945cbea813b0281c
SHA256ba4abf4ea94020e09e08be630034d2a02cf7fccc892baa70da08da6fbb81473b
SHA51283c26bd14e27f0c975091946ac5e95f18041cc8cfb399abe2afbcba004cf3d230388bbab023a07c42dd95b038e2ecb2718b58117339624540b6e7e2b180ca080
-
Filesize
11KB
MD5d0a33e2b0db6a0f23d77ae2c1e2041ff
SHA1a92f8f8bf4587201fdbb832d56ef8e928f8354be
SHA256a058a68c82e9f98f522d60ba5c9b491845f2e3bb9572353480c4d2788a75e0ae
SHA51260ddc1b8f1c66f5d8e83021cb83e2430b353e07dcc9711b8697b67ac16718f5dee0e39cbb5709e58509eca66ef096acdfbe0a416854a0af0bdd16effcfa6d2e6
-
Filesize
12KB
MD5a3ac0ccf7a21dd3ff3c4ccaef8f96d8f
SHA1d6ad6d7962979243ccd4ec2462f8c53b349ed159
SHA256995ddd458fd28ba35cf9f150df887e433416d87d89173d1b5fb13de28169ca1d
SHA51273f80e140ba3dd0fe596f00c2b630227614578f4ed49251f97d393ed2142f6d5f69dd118964ba762efaa9f581b620c50d5efa6174d48885975c88e25d3101468
-
Filesize
3.8MB
MD546c17c999744470b689331f41eab7df1
SHA1b8a63127df6a87d333061c622220d6d70ed80f7c
SHA256c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a
SHA5124b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6