Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    600s
  • max time network
    441s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/09/2024, 13:12

General

  • Target

    https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b1346f8,0x7ff82b134708,0x7ff82b134718
      2⤵
        PID:2448
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
        2⤵
          PID:5108
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:464
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
          2⤵
            PID:5052
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            2⤵
              PID:2408
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
              2⤵
                PID:2412
              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
                2⤵
                  PID:1808
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4924
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
                  2⤵
                    PID:3180
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
                    2⤵
                      PID:3928
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
                      2⤵
                        PID:3620
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
                        2⤵
                          PID:4860
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4436
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
                          2⤵
                            PID:4536
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
                            2⤵
                              PID:4160
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:1220
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:4660
                              • C:\Windows\System32\rundll32.exe
                                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                1⤵
                                  PID:2384
                                • C:\Program Files\7-Zip\7zG.exe
                                  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TW\" -an -ai#7zMap19908:122:7zEvent21461
                                  1⤵
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of FindShellTrayWindow
                                  PID:3596
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\TW\EXM Free Network Utility V1.bat"
                                  1⤵
                                    PID:1448
                                    • C:\Windows\system32\reg.exe
                                      Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
                                      2⤵
                                        PID:2952
                                      • C:\Windows\system32\chcp.com
                                        chcp 65001
                                        2⤵
                                          PID:5060
                                        • C:\Windows\system32\timeout.exe
                                          timeout /t 1 /nobreak
                                          2⤵
                                          • Delays execution with timeout.exe
                                          PID:2304
                                        • C:\Windows\system32\chcp.com
                                          chcp 65001
                                          2⤵
                                            PID:1880
                                          • C:\Windows\system32\chcp.com
                                            chcp 437
                                            2⤵
                                              PID:828
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
                                              2⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:4660
                                            • C:\Windows\system32\reg.exe
                                              Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
                                              2⤵
                                                PID:3132
                                              • C:\Windows\system32\reg.exe
                                                Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
                                                2⤵
                                                  PID:2372
                                                • C:\Windows\system32\reg.exe
                                                  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
                                                  2⤵
                                                    PID:3544
                                                  • C:\Windows\system32\chcp.com
                                                    chcp 65001
                                                    2⤵
                                                      PID:3484
                                                    • C:\Windows\system32\chcp.com
                                                      chcp 437
                                                      2⤵
                                                        PID:2316
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Checkpoint-Computer -Description 'Exm Restore Point' -RestorePointType 'MODIFY_SETTINGS'"
                                                        2⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1516
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Restore point completed successfully', 'Exm Restore Point', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
                                                        2⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2384
                                                      • C:\Windows\system32\chcp.com
                                                        chcp 65001
                                                        2⤵
                                                          PID:4984
                                                        • C:\Windows\system32\netsh.exe
                                                          netsh int tcp set heuristics disabled
                                                          2⤵
                                                          • Event Triggered Execution: Netsh Helper DLL
                                                          PID:3160
                                                        • C:\Windows\system32\netsh.exe
                                                          netsh int ip set global taskoffload=disabled
                                                          2⤵
                                                          • Event Triggered Execution: Netsh Helper DLL
                                                          PID:4600
                                                        • C:\Windows\system32\reg.exe
                                                          Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
                                                          2⤵
                                                            PID:3524
                                                          • C:\Windows\system32\reg.exe
                                                            Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
                                                            2⤵
                                                              PID:1064
                                                            • C:\Windows\system32\reg.exe
                                                              Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
                                                              2⤵
                                                                PID:320
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c wmic path win32_NetworkAdapter get PNPDeviceID
                                                                2⤵
                                                                  PID:2296
                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                    wmic path win32_NetworkAdapter get PNPDeviceID
                                                                    3⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2016
                                                                • C:\Windows\system32\reg.exe
                                                                  Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
                                                                  2⤵
                                                                    PID:2760
                                                                  • C:\Windows\system32\reg.exe
                                                                    Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
                                                                    2⤵
                                                                      PID:4416
                                                                    • C:\Windows\system32\reg.exe
                                                                      Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
                                                                      2⤵
                                                                        PID:2380
                                                                      • C:\Windows\system32\reg.exe
                                                                        Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
                                                                        2⤵
                                                                          PID:1856
                                                                        • C:\Windows\system32\reg.exe
                                                                          Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
                                                                          2⤵
                                                                            PID:1968
                                                                          • C:\Windows\system32\reg.exe
                                                                            Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
                                                                            2⤵
                                                                              PID:4612
                                                                            • C:\Windows\system32\reg.exe
                                                                              Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
                                                                              2⤵
                                                                                PID:3632
                                                                              • C:\Windows\system32\reg.exe
                                                                                Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
                                                                                2⤵
                                                                                  PID:2968
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
                                                                                  2⤵
                                                                                    PID:3664
                                                                                    • C:\Windows\System32\Wbem\WMIC.exe
                                                                                      wmic path win32_networkadapter get GUID
                                                                                      3⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:1644
                                                                                    • C:\Windows\system32\findstr.exe
                                                                                      findstr "{"
                                                                                      3⤵
                                                                                        PID:1408
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v InterfaceMetric /t REG_DWORD /d "55" /f
                                                                                      2⤵
                                                                                        PID:3340
                                                                                      • C:\Windows\system32\cmd.exe
                                                                                        C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
                                                                                        2⤵
                                                                                          PID:4456
                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                            wmic path win32_networkadapter get GUID
                                                                                            3⤵
                                                                                              PID:4084
                                                                                            • C:\Windows\system32\findstr.exe
                                                                                              findstr "{"
                                                                                              3⤵
                                                                                                PID:2864
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TCPNoDelay /t REG_DWORD /d "1" /f
                                                                                              2⤵
                                                                                                PID:4124
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
                                                                                                2⤵
                                                                                                  PID:4968
                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                    wmic path win32_networkadapter get GUID
                                                                                                    3⤵
                                                                                                      PID:4920
                                                                                                    • C:\Windows\system32\findstr.exe
                                                                                                      findstr "{"
                                                                                                      3⤵
                                                                                                        PID:1088
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TcpAckFrequency /t REG_DWORD /d "1" /f
                                                                                                      2⤵
                                                                                                        PID:3544
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
                                                                                                        2⤵
                                                                                                          PID:3484
                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                            wmic path win32_networkadapter get GUID
                                                                                                            3⤵
                                                                                                              PID:1120
                                                                                                            • C:\Windows\system32\findstr.exe
                                                                                                              findstr "{"
                                                                                                              3⤵
                                                                                                                PID:1660
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TcpDelAckTicks /t REG_DWORD /d "0" /f
                                                                                                              2⤵
                                                                                                                PID:1004
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
                                                                                                                2⤵
                                                                                                                  PID:1508
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
                                                                                                                  2⤵
                                                                                                                    PID:1688
                                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                                    Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
                                                                                                                    2⤵
                                                                                                                      PID:1868
                                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                                      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
                                                                                                                      2⤵
                                                                                                                        PID:4848
                                                                                                                      • C:\Windows\system32\chcp.com
                                                                                                                        chcp 437
                                                                                                                        2⤵
                                                                                                                          PID:3520
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show(' You can only use this if you are on ethernet, if you are on wifi, press "N" on the next page', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
                                                                                                                          2⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                          PID:3620
                                                                                                                        • C:\Windows\system32\chcp.com
                                                                                                                          chcp 65001
                                                                                                                          2⤵
                                                                                                                            PID:4368
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /v "*SpeedDuplex" /s | findstr "HKEY"
                                                                                                                            2⤵
                                                                                                                              PID:404
                                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                                Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /v "*SpeedDuplex" /s
                                                                                                                                3⤵
                                                                                                                                  PID:324
                                                                                                                                • C:\Windows\system32\findstr.exe
                                                                                                                                  findstr "HKEY"
                                                                                                                                  3⤵
                                                                                                                                    PID:4284
                                                                                                                              • C:\Windows\system32\vssvc.exe
                                                                                                                                C:\Windows\system32\vssvc.exe
                                                                                                                                1⤵
                                                                                                                                • Checks SCSI registry key(s)
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:388
                                                                                                                              • C:\Windows\system32\srtasks.exe
                                                                                                                                C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                                                                                                                1⤵
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:1232

                                                                                                                              Network

                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                              Replay Monitor

                                                                                                                              Loading Replay Monitor...

                                                                                                                              Downloads

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                Filesize

                                                                                                                                2KB

                                                                                                                                MD5

                                                                                                                                6cf293cb4d80be23433eecf74ddb5503

                                                                                                                                SHA1

                                                                                                                                24fe4752df102c2ef492954d6b046cb5512ad408

                                                                                                                                SHA256

                                                                                                                                b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                                                                                                                SHA512

                                                                                                                                0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4506d29c-077f-49bc-893c-f831224e6dc7.tmp

                                                                                                                                Filesize

                                                                                                                                10KB

                                                                                                                                MD5

                                                                                                                                67acedfa24cc54ef4fcf2bc2c532b4ca

                                                                                                                                SHA1

                                                                                                                                b382bce354101a72fb29b8f9ed503d72dddafcf3

                                                                                                                                SHA256

                                                                                                                                bc49018037cc51cdb8f71f4f3250046f0b6fbe141b42c27e146a86df8daaaf57

                                                                                                                                SHA512

                                                                                                                                f6ccf87817fa6def0659baae20f5e8d02782a38758b7d9baf769474907af7de83fd2577cc8dd82221ab571ba16c553fa5887a41b6b1a2c933c065940cfcbfb74

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                Filesize

                                                                                                                                152B

                                                                                                                                MD5

                                                                                                                                53bc70ecb115bdbabe67620c416fe9b3

                                                                                                                                SHA1

                                                                                                                                af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                                                                                                                                SHA256

                                                                                                                                b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                                                                                                                                SHA512

                                                                                                                                cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                                                                Filesize

                                                                                                                                152B

                                                                                                                                MD5

                                                                                                                                e765f3d75e6b0e4a7119c8b14d47d8da

                                                                                                                                SHA1

                                                                                                                                cc9f7c7826c2e1a129e7d98884926076c3714fc0

                                                                                                                                SHA256

                                                                                                                                986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                                                                                                                                SHA512

                                                                                                                                a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                                                                                Filesize

                                                                                                                                1KB

                                                                                                                                MD5

                                                                                                                                38eee15d1c3fdd729a925b1a157041d1

                                                                                                                                SHA1

                                                                                                                                39078d51e025ec13d635011a77bd73e4bd7e7471

                                                                                                                                SHA256

                                                                                                                                9c4be1f4c7baa0f287b99b1efbb62396dcda5e4f17b33c5c6dc7bc7819d443bd

                                                                                                                                SHA512

                                                                                                                                5a237e8434164b7328b9141755850210a242a1ecf9c11dcbff327647d408f24e37806bf2db65a7285759509ec68506d7b0c4273045992fc27bc95a696a33d9c3

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                                                                                Filesize

                                                                                                                                3KB

                                                                                                                                MD5

                                                                                                                                8bfa480b5d9531f72b958969a0e82892

                                                                                                                                SHA1

                                                                                                                                893bff608cd425dd71243e7bda1c01cd5ede4dc2

                                                                                                                                SHA256

                                                                                                                                490fd771546a4094e9df819fd3df2fbcc95dc07ab801c232a835152a6d82bc61

                                                                                                                                SHA512

                                                                                                                                744a18983f4f3bc0c892e7a3951120e564b38efbcd4de2ded2f698fef5945fc1999b7f78f8a99ec0747b04eca1da10a410258f4b83b5b25fee8ef35b185c7b4d

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                Filesize

                                                                                                                                5KB

                                                                                                                                MD5

                                                                                                                                b35cbc965e4f07d421ccb82b67a4a28e

                                                                                                                                SHA1

                                                                                                                                25a80dc20954f3927b9678a39c362c582e358d4f

                                                                                                                                SHA256

                                                                                                                                e5f2d3e9ec31bda3afcc645a0e361c4bfb91eabf673355523f5aa250d9ee3595

                                                                                                                                SHA512

                                                                                                                                9cd02d238bb0c4d6e9ffea8d2941af5f1bf91f7ab775c65f9bacdd08395a92eece28f019701bfb8acc0b80a90800f13411513d7d06c3e75a216bff961505f73f

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                Filesize

                                                                                                                                6KB

                                                                                                                                MD5

                                                                                                                                c8616be8e1ca2e05949af11d41a50bd2

                                                                                                                                SHA1

                                                                                                                                687b80c476241045c806e45b2761e7ddd7b5bd5c

                                                                                                                                SHA256

                                                                                                                                ea8f14d45027a444c79c9fbee51b3a4a08f7b5d5442e962eee3b85012e25530e

                                                                                                                                SHA512

                                                                                                                                0d1d31b660652e84661f863892dd05559d0bf53b2e993dcf3820e7b42d40d7e15cdc6d112134dd527f3248ac468bfd527d33a03de193bb5b154e4d448b7f5b61

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                Filesize

                                                                                                                                6KB

                                                                                                                                MD5

                                                                                                                                311571294a0fbf6b1cd17267b1d60d52

                                                                                                                                SHA1

                                                                                                                                db81b0fe157225f5380d19fac21bf00ebbc89f74

                                                                                                                                SHA256

                                                                                                                                fec2e6f275bacc666936794203a41ba7a928fa3f47574810f06ce0a8bf42e4fd

                                                                                                                                SHA512

                                                                                                                                0226d05400b2e1e8700e87528e025d47752a73299fc8e0a842f7daaf3be04651b3d27ea584cabc4a28b3e1e62fdd34fd4cead7c4697c3127248171a56bcd945d

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                                                                Filesize

                                                                                                                                6KB

                                                                                                                                MD5

                                                                                                                                2cf3ab7b898dbdb3589f149b771a6a61

                                                                                                                                SHA1

                                                                                                                                cf150066ed4bcbb973c7fdd8d678f82e5ba95f62

                                                                                                                                SHA256

                                                                                                                                0db45600e9b586366c7900adaa74ad79a5ce274ad95b4e2585b54c4b4b81c297

                                                                                                                                SHA512

                                                                                                                                413fde57f0d3bcb51e67e99d285939ea37251a80bb5575ae36b7e0e8ad64c1e3b6b93cf3578537dc2d1229076b3626d46a7be9604107cd16aee050894afd5fe0

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                                                                                Filesize

                                                                                                                                16B

                                                                                                                                MD5

                                                                                                                                6752a1d65b201c13b62ea44016eb221f

                                                                                                                                SHA1

                                                                                                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                                SHA256

                                                                                                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                                SHA512

                                                                                                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                                                                                Filesize

                                                                                                                                10KB

                                                                                                                                MD5

                                                                                                                                17964cb0444cacbe47d1533d505a4aa5

                                                                                                                                SHA1

                                                                                                                                6862a19902a34671e4f1415193e44aaf0705b024

                                                                                                                                SHA256

                                                                                                                                47868dbf84aff651caa98d7e1bbbe811b76e2686d881ded8b6a983267b89c66c

                                                                                                                                SHA512

                                                                                                                                be11292ae185cc7f55ff222790b9cfacd64c16d09f85616b7a4f894b0c143a4f0093d47f080bee99dacc2b0dbabb81280f52797911c3dc20c5f58f1ea4540e50

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a39d9e17-bb6b-49f7-a79d-2ebcaf6d5567.tmp

                                                                                                                                Filesize

                                                                                                                                10KB

                                                                                                                                MD5

                                                                                                                                265f38b3adb707362f02c1a9361ad9ee

                                                                                                                                SHA1

                                                                                                                                5018b1b85b1b475fe8fe5c4c86fcf114cb138da3

                                                                                                                                SHA256

                                                                                                                                98f7c519d4a0e6f1d447e342fc0f42415dd8cd64a057bc4d183f01da68319510

                                                                                                                                SHA512

                                                                                                                                2c8119928d751b11b285ce71b25bd26960501a9742b7e398ab8b3d152286b0a8968350c555bd4ecaad48de6df245ac2412b8ccacf06f0f869294b4651863c08a

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                Filesize

                                                                                                                                64B

                                                                                                                                MD5

                                                                                                                                1a11402783a8686e08f8fa987dd07bca

                                                                                                                                SHA1

                                                                                                                                580df3865059f4e2d8be10644590317336d146ce

                                                                                                                                SHA256

                                                                                                                                9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

                                                                                                                                SHA512

                                                                                                                                5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                Filesize

                                                                                                                                64B

                                                                                                                                MD5

                                                                                                                                446dd1cf97eaba21cf14d03aebc79f27

                                                                                                                                SHA1

                                                                                                                                36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                                                                                                SHA256

                                                                                                                                a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                                                                                                SHA512

                                                                                                                                a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                Filesize

                                                                                                                                1KB

                                                                                                                                MD5

                                                                                                                                224dcf4c17389871fa59fe45c7acd94a

                                                                                                                                SHA1

                                                                                                                                d02998277a18745bc5a5209d80a4d5c5077772ff

                                                                                                                                SHA256

                                                                                                                                c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

                                                                                                                                SHA512

                                                                                                                                8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ofuyyh5b.gty.ps1

                                                                                                                                Filesize

                                                                                                                                60B

                                                                                                                                MD5

                                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                SHA1

                                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                SHA256

                                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                SHA512

                                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                              • C:\Users\Admin\Downloads\TW\EXM Free Network Utility V1.bat

                                                                                                                                Filesize

                                                                                                                                45KB

                                                                                                                                MD5

                                                                                                                                c0128d6e156dbba416016d167c75a4c7

                                                                                                                                SHA1

                                                                                                                                b623eab4e043e29be80207fa9cd389f4f810c8c1

                                                                                                                                SHA256

                                                                                                                                29f7f33a89e1100705054ba4ebcd520850eebd6a101b8c9158c019eb677ff380

                                                                                                                                SHA512

                                                                                                                                3cb0141f96976f49ea3f891f4ec79a7d82bc9cf7843ae15d5eb1ed7598472f7a86e98c36f02f2060b9666c9b6b875d65dd58c37da6393780d7ffd31bf3bd510c

                                                                                                                              • C:\Users\Admin\Downloads\TW\EXM Free Network Utility V1.zip

                                                                                                                                Filesize

                                                                                                                                11KB

                                                                                                                                MD5

                                                                                                                                15757b5ce3829feeea2fb7cf6d8f46ca

                                                                                                                                SHA1

                                                                                                                                8b334814bc54ac9ad0518b9a089af29cb54f8d72

                                                                                                                                SHA256

                                                                                                                                355b6083f0395ff040b2b02b3a8ea12f23730daef9e002f4c82cdfebc7bcc60c

                                                                                                                                SHA512

                                                                                                                                c2015498fc82c055aaaa8fba83f20c5c828bc536e1041bd1a650734612314b47bb328fa8663c82243cee9e480a06eec1e00054a9a856bc13ac97668d77976ff1

                                                                                                                              • memory/4660-314-0x000001E7C0360000-0x000001E7C0382000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                136KB