Analysis
max time kernel: 600s
max time network: 441s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/09/2024, 13:12

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8
Resource: win10v2004-20240802-en

General
Target: https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (4 IoCs)
- 1516 powershell.exe
- 4660 powershell.exe
- 2384 powershell.exe
- 3620 powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 4: drive.google.com
- flow 7: drive.google.com
Event Triggered Execution: Netsh Helper DLL (1 TTP, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (netsh.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value data removed] (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Delays execution with timeout.exe (1 IoC)
- 2304 timeout.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Suspicious behavior: EnumeratesProcesses (17 IoCs)
- 464 msedge.exe (2 entries)
- 3472 msedge.exe (2 entries)
- 4924 identity_helper.exe (2 entries)
- 4436 msedge.exe (2 entries)
- 4660 powershell.exe (2 entries)
- 1516 powershell.exe (2 entries)
- 2384 powershell.exe (3 entries)
- 3620 powershell.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- 3472 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Tokens enabled, grouped by process in the order recorded:
- 3596 7zG.exe: SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
- 4660 powershell.exe: SeDebugPrivilege
- 1516 powershell.exe: SeDebugPrivilege
- 388 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2384 powershell.exe: SeDebugPrivilege
- 1232 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (this sequence recorded twice)
- 2016 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this sequence recorded twice)
- 1644 WMIC.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
Suspicious use of FindShellTrayWindow (35 IoCs)
- 3472 msedge.exe (34 entries)
- 3596 7zG.exe (1 entry)
Suspicious use of SendNotifyMessage (24 IoCs)
- 3472 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 entries have PID 3472 (msedge.exe) as the writing process; the target processes are:
- 2448 (procid_target 83): 2 entries
- 5108 (procid_target 84) and 5052 (procid_target 86): the remaining 60 entries
- 464 (procid_target 85): 2 entries
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3472)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1bhBRHEc1pstswyQzyw513K1TM4C0jDp8
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2448)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82b1346f8,0x7ff82b134708,0x7ff82b134718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5108)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 464)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5052)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2408)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2412)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1808)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4924)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3180)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3928)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3620)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4860)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4536)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4160)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,4843971988509924836,8075433039239173540,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1220)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4660)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 2384)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zG.exe (PID 3596)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\TW\" -an -ai#7zMap19908:122:7zEvent21461
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\System32\cmd.exe (PID 1448)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\TW\EXM Free Network Utility V1.bat"
    - C:\Windows\system32\reg.exe (PID 2952)
      Command line: Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
    - C:\Windows\system32\chcp.com (PID 5060)
      Command line: chcp 65001
    - C:\Windows\system32\timeout.exe (PID 2304)
      Command line: timeout /t 1 /nobreak
      Signatures:
        - Delays execution with timeout.exe
    - C:\Windows\system32\chcp.com (PID 1880)
      Command line: chcp 65001
    - C:\Windows\system32\chcp.com (PID 828)
      Command line: chcp 437
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4660)
      Command line: powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 3132)
      Command line: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
    - C:\Windows\system32\reg.exe (PID 2372)
      Command line: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
    - C:\Windows\system32\reg.exe (PID 3544)
      Command line: Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
    - C:\Windows\system32\chcp.com (PID 3484)
      Command line: chcp 65001
    - C:\Windows\system32\chcp.com (PID 2316)
      Command line: chcp 437
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1516)
      Command line: powershell -Command "Checkpoint-Computer -Description 'Exm Restore Point' -RestorePointType 'MODIFY_SETTINGS'"
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2384)
      Command line: powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Restore point completed successfully', 'Exm Restore Point', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\chcp.com (PID 4984)
      Command line: chcp 65001
    - C:\Windows\system32\netsh.exe (PID 3160)
      Command line: netsh int tcp set heuristics disabled
      Signatures:
        - Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\netsh.exe (PID 4600)
      Command line: netsh int ip set global taskoffload=disabled
      Signatures:
        - Event Triggered Execution: Netsh Helper DLL
    - C:\Windows\system32\reg.exe (PID 3524)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
    - C:\Windows\system32\reg.exe (PID 1064)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "DisableTaskOffload" /t REG_DWORD /d "0" /f
    - C:\Windows\system32\reg.exe (PID 320)
      Command line: Reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Multimedia\SystemProfile" /v "NetworkThrottlingIndex" /t REG_DWORD /d "4294967295" /f
    - C:\Windows\system32\cmd.exe (PID 2296)
      Command line: C:\Windows\system32\cmd.exe /c wmic path win32_NetworkAdapter get PNPDeviceID
        - C:\Windows\System32\Wbem\WMIC.exe (PID 2016)
          Command line: wmic path win32_NetworkAdapter get PNPDeviceID
          Signatures:
            - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\reg.exe (PID 2760)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
    - C:\Windows\system32\reg.exe (PID 4416)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\PNPDeviceID\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
    - C:\Windows\system32\reg.exe (PID 2380)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
    - C:\Windows\system32\reg.exe (PID 1856)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\ROOT\KDNIC\0000\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
    - C:\Windows\system32\reg.exe (PID 1968)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
    - C:\Windows\system32\reg.exe (PID 4612)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\PCI\VEN_10EC&DEV_8139&SUBSYS_11001AF4&REV_20\3&11583659&0&18\Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
    - C:\Windows\system32\reg.exe (PID 3632)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\Affinity Policy" /v "DevicePriority" /f
    - C:\Windows\system32\reg.exe (PID 2968)
      Command line: Reg.exe add "HKLM\System\CurrentControlSet\Enum\ \Device Parameters\Interrupt Management\MessageSignaledInterruptProperties" /v "MSISupported" /t REG_DWORD /d "1" /f
    - C:\Windows\system32\cmd.exe (PID 3664)
      Command line: C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        - C:\Windows\System32\Wbem\WMIC.exe (PID 1644)
          Command line: wmic path win32_networkadapter get GUID
          Signatures:
            - Suspicious use of AdjustPrivilegeToken
        - C:\Windows\system32\findstr.exe (PID 1408)
          Command line: findstr "{"
    - C:\Windows\system32\reg.exe (PID 3340)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v InterfaceMetric /t REG_DWORD /d "55" /f
    - C:\Windows\system32\cmd.exe (PID 4456)
      Command line: C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        - C:\Windows\System32\Wbem\WMIC.exe (PID 4084)
          Command line: wmic path win32_networkadapter get GUID
        - C:\Windows\system32\findstr.exe (PID 2864)
          Command line: findstr "{"
    - C:\Windows\system32\reg.exe (PID 4124)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TCPNoDelay /t REG_DWORD /d "1" /f
    - C:\Windows\system32\cmd.exe (PID 4968)
      Command line: C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        - C:\Windows\System32\Wbem\WMIC.exe (PID 4920)
          Command line: wmic path win32_networkadapter get GUID
        - C:\Windows\system32\findstr.exe (PID 1088)
          Command line: findstr "{"
    - C:\Windows\system32\reg.exe (PID 3544)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TcpAckFrequency /t REG_DWORD /d "1" /f
    - C:\Windows\system32\cmd.exe (PID 3484)
      Command line: C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        - C:\Windows\System32\Wbem\WMIC.exe (PID 1120)
          Command line: wmic path win32_networkadapter get GUID
        - C:\Windows\system32\findstr.exe (PID 1660)
          Command line: findstr "{"
    - C:\Windows\system32\reg.exe (PID 1004)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87AF8963-20B4-412E-8DD6-BD13B96C73FB}" /v TcpDelAckTicks /t REG_DWORD /d "0" /f
    - C:\Windows\system32\reg.exe (PID 1508)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "LocalPriority" /t REG_DWORD /d "4" /f
    - C:\Windows\system32\reg.exe (PID 1688)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "HostsPriority" /t REG_DWORD /d "5" /f
    - C:\Windows\system32\reg.exe (PID 1868)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "DnsPriority" /t REG_DWORD /d "6" /f
    - C:\Windows\system32\reg.exe (PID 4848)
      Command line: Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider" /v "NetbtPriority" /t REG_DWORD /d "7" /f
    - C:\Windows\system32\chcp.com (PID 3520)
      Command line: chcp 437
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3620)
      Command line: powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show(' You can only use this if you are on ethernet, if you are on wifi, press "N" on the next page', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\system32\chcp.com (PID 4368)
      Command line: chcp 65001
    - C:\Windows\system32\cmd.exe (PID 404)
      Command line: C:\Windows\system32\cmd.exe /c Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /v "*SpeedDuplex" /s | findstr "HKEY"
        - C:\Windows\system32\reg.exe (PID 324)
          Command line: Reg query "HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}" /v "*SpeedDuplex" /s
        - C:\Windows\system32\findstr.exe (PID 4284)
          Command line: findstr "HKEY"
- C:\Windows\system32\vssvc.exe (PID 388)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\srtasks.exe (PID 1232)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  Signatures:
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads