Analysis
max time kernel: 332s
max time network: 337s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/01/2025, 18:31
Static task: static1
URLScan task: urlscan1
Malware Config
Signatures

Drops file in Drivers directory (12 IoCs)
- File opened for modification: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfault.exe)
- File created: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfault.exe)
- File opened for modification: C:\Windows\system32\drivers\myfault.sys (notmyfault64.exe)
- File created: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfaultc.exe)
- File created: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfault.exe)
- File created: C:\Windows\system32\drivers\myfault.sys (notmyfault64.exe)
- File opened for modification: C:\Windows\system32\drivers\myfault.sys (notmyfault64.exe)
- File created: C:\Windows\system32\drivers\myfault.sys (notmyfault64.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfaultc.exe)
- File created: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfaultc.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfaultc.exe)
- File opened for modification: C:\Windows\SysWOW64\drivers\myfault.sys (notmyfault.exe)

System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (notmyfault.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (notmyfaultc.exe, 5 entries)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (notmyfault.exe)

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings (msedge.exe)

Suspicious behavior: EnumeratesProcesses (15 IoCs)
- PID 1308 msedge.exe (2 entries)
- PID 756 msedge.exe (2 entries)
- PID 1528 identity_helper.exe (2 entries)
- PID 2108 msedge.exe (2 entries)
- PID 5828 msedge.exe (4 entries)
- PID 5268 powershell.exe (3 entries)

Suspicious behavior: LoadsDriver (15 IoCs)
- PID 664, Process not Found (15 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (18 IoCs)
- PID 756 msedge.exe (18 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeDebugPrivilege, PID 5268 powershell.exe

Suspicious use of FindShellTrayWindow (33 IoCs)
- PID 756 msedge.exe (33 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
- PID 756 msedge.exe (24 entries)

Suspicious use of SetWindowsHookEx (12 IoCs)
- PID 1456 notmyfault.exe
- PID 5332 notmyfault.exe
- PID 5400 notmyfaultc.exe
- PID 5500 notmyfaultc.exe
- PID 5564 notmyfault64.exe
- PID 5664 notmyfaultc64.exe
- PID 5728 notmyfaultc64.exe
- PID 5792 notmyfaultc64.exe
- PID 5856 notmyfaultc64.exe
- PID 5928 notmyfaultc64.exe
- PID 6096 notmyfault64.exe
- PID 1416 notmyfaultc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
PID 756 msedge.exe wrote to the memory of the following target processes (64 entries in total, each target repeated many times):
- PID 536 (procid_target 84)
- PID 1136 (procid_target 85)
- PID 1308 (procid_target 86)
- PID 4748 (procid_target 87)
Processes

PID 756: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://duckduckgo.com
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
    PID 536: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffaa68646f8,0x7ffaa6864708,0x7ffaa6864718
    PID 1136: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    PID 1308: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID 4748: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
    PID 2428: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    PID 4296: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    PID 780: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
    PID 2072: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 /prefetch:8
    PID 1528: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID 4672: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
    PID 3068: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
    PID 2656: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
    PID 2196: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    PID 2312: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4912 /prefetch:8
    PID 3536: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
    PID 3080: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
    PID 4036: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
    PID 4904: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
    PID 3856: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    PID 2108: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID 5828: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5412 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID 5208: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
    PID 4484: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
    PID 2944: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3120 /prefetch:1
    PID 5688: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    PID 4900: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    PID 920: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
    PID 2132: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,10952531396333118398,18160995233960019355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

PID 4576: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3384: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4740: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 1456: "C:\Users\Admin\Downloads\NotMyFault\notmyfault.exe"
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

PID 5332: "C:\Users\Admin\Downloads\NotMyFault\notmyfault.exe"
- Drops file in Drivers directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

PID 5400: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

PID 5500: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

PID 5564: "C:\Users\Admin\Downloads\NotMyFault\notmyfault64.exe"
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx

PID 5664: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc64.exe"
- Suspicious use of SetWindowsHookEx

PID 5728: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc64.exe"
- Suspicious use of SetWindowsHookEx

PID 5792: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc64.exe"
- Suspicious use of SetWindowsHookEx

PID 5856: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc64.exe"
- Suspicious use of SetWindowsHookEx

PID 5928: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc64.exe"
- Suspicious use of SetWindowsHookEx

PID 6096: "C:\Users\Admin\Downloads\NotMyFault\notmyfault64.exe"
- Drops file in Drivers directory
- Suspicious use of SetWindowsHookEx

PID 1416: "C:\Users\Admin\Downloads\NotMyFault\notmyfaultc.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

PID 5604: "C:\Windows\system32\cmd.exe"
    PID 6004: notmyfaultc.exe crash 0x01 (image: C:\Users\Admin\Downloads\NotMyFault\notmyfaultc.exe)
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery
    PID 2416: notmyfaultc.exe /crash 0x01 (image: C:\Users\Admin\Downloads\NotMyFault\notmyfaultc.exe)
    - Drops file in Drivers directory
    - System Location Discovery: System Language Discovery

PID 5268: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
    PID 4052: "C:\Windows\system32\wininit.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 99afa4934d1e3c56bbce114b356e8a99
SHA1: 3f0e7a1a28d9d9c06b6663df5d83a65c84d52581
SHA256: 08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8
SHA512: 76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Filesize: 152B
MD5: 443a627d539ca4eab732bad0cbe7332b
SHA1: 86b18b906a1acd2a22f4b2c78ac3564c394a9569
SHA256: 1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9
SHA512: 923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Filesize: 67KB
MD5: 69df804d05f8b29a88278b7d582dd279
SHA1: d9560905612cf656d5dd0e741172fb4cd9c60688
SHA256: b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608
SHA512: 0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Filesize: 64KB
MD5: d6b36c7d4b06f140f860ddc91a4c659c
SHA1: ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA256: 34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA512: 2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Filesize: 19KB
MD5: 2e86a72f4e82614cd4842950d2e0a716
SHA1: d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256: c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA512: 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Filesize: 65KB
MD5: 56d57bc655526551f217536f19195495
SHA1: 28b430886d1220855a805d78dc5d6414aeee6995
SHA256: f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA512: 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 54990d16badc61ad4591ded1bf77ce59
SHA1: 2179973cd91840fe33d89094da27dbfceef7fc8f
SHA256: 7ee7b5aff2fdcbd5175b770bb54623344f94cb5ecb20e21ea20adab510606125
SHA512: c1a6342b8b27c72ea17aedbfae88c26f2aa51339dd4d9d7147f1bbb7e28231272a477fc74ad70750416b78d6d1b131ce6a4043f6ff8ee3f8d6464091570ec463

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 912B
MD5: 3d5d97b340e6fa870d9d2410b0827333
SHA1: ea368777d7832f91947a936e704a1fbda7800e9c
SHA256: 641604cb39211792df98e91a9a4cfe6ae605ff551908b4eaa0a488f42ca94308
SHA512: 6b23c72e8e4db62ffa7bb601d19015f3c8d5c601e6dce1d34668a4763a3bf6a329cf8df23ede6a9075ed9bddfcd5baed13c25d0ec7d799ff3e401fe96b38c1cc

Filesize: 759B
MD5: 37ddc75c595e3c77eddfcba4e39294c8
SHA1: 28249395141ade77d1f08bf563e5401551712951
SHA256: 23ccd6dfeb868584f9222f55e5a6bf01495f4eb4cde3dfbada3e08930bf661e7
SHA512: e4814c86e50a75473f003ddd9dda100b296d8a2a6c80833bcb4fff396b258b78404fa52b361ee3bf4c37f0677484d7204b20a59b5609c862bef17faf4b437582

Filesize: 6KB
MD5: 8a74bff9deae9dc47dc850cf5b1980df
SHA1: f3baa4045b6b320b992c69b6bc5cfafaf332cfd7
SHA256: af457e1fe3e06d0821698cbe57ac47c20365ee84318af975b0ad5e2e2890e9f1
SHA512: 72138f0a094dfa234e72972feaf6bea477ae70fb300b474cf731ae72212927b1412fffa6e3c766246f8a598e5f3a72160294f075ea667d586ea04383c7faf254

Filesize: 6KB
MD5: b5ad9f7fec4ed7464df8644b5f30fde0
SHA1: bcbb9fd3c18e06f8d074da5ba435be3594c446be
SHA256: 3a206ffff3f3b32a305452ecb3509beb8f86e222d73dba455e26368fa77a4e13
SHA512: ef633243a6a31269b06ed0485154a1c014119d3115e53cd8c70e044521f558b8d4c02735f1d1a53464e3161842a6821e462c844619d0f3ecf240805abf74edc2

Filesize: 7KB
MD5: 91b25dfd3d1f0f4ec92182412b61a705
SHA1: 7a4cfc732a343299b1e75fd8a0a59454809df23c
SHA256: f80698d68ee517851b250c60a6f0890fc7db07a868b6d88eeb4caf826aa9e506
SHA512: dcf0d40c140f07f7a36338f756b6cb520c9d54b59c7673a12bdf3c96ae521adf34da8c4df6803916c6795d653c8dc4c5849a5fec23596000a741f77a4c533ee4

Filesize: 5KB
MD5: 84c61014f2b0c9d89ba6619f68a390f8
SHA1: 75f65e0d743e6d21bea2e290f8384529cab81524
SHA256: c471fc091a92845ab0a1372cc0dbed328ae72108aa9829aef213ec5759f58e21
SHA512: 8e8db744cf0cc9ea21eaf28261f26755661349f0552c2bbfaa3e7914f7392a1fb66777fb1d6b38d1573569c453be8aa17b6d6304d897bfb29abb0c2270ffb114

Filesize: 6KB
MD5: e3952d91146923212758b603fdfad9f0
SHA1: 7c86fddeebed37bb511e47b55966f7c90fc2fb68
SHA256: 2a83c48e469da8b4f3b9bae8a8a747f193af0436775c9866e92fc1a2ea54e52c
SHA512: 6a75635bd040675d5bb835b4d54eab07ff85ce54d74bbd0bec3a26c7c8ca54f6398b681d0125589ae9cae4b74e9f6824b0f929a7b08b7f3c4d4cfb8f1bdc1637

Filesize: 7KB
MD5: 69df4d0f11a50b4189c790475d90fa50
SHA1: 3a40afa104261426e51fc9785d842faeb28f80c3
SHA256: dcc8a47854df04c5d155955803bb81bdd460bf89c3bee9fe4154e6a2f03d0d8d
SHA512: d64dc37e279ae4e7b344b16b7b82b175ac29be6ad18e924edf1a7b9aa8fd8a3cb4ea1ff4d1a940bdcbacdb2f019deb4682563ff97db801783323f3f202ce148c

Filesize: 1KB
MD5: d4dd6970f2273771074058722fa11d15
SHA1: bb36644077534c5510ba5d6f12d28034d63d3997
SHA256: b035378a9207685510b51d057ef2309748d5c6b70f6c992586a690bec077690d
SHA512: c930f51b8618e4997ecd830e20b031568de2c01e82d35e7a6117b3cbf42ca42d1438e62b7d056e80cfd51f27714c32634e064d4f7647c6088dbf82e3a9f677f3

Filesize: 1KB
MD5: c6f7511c6c5478c483191dcb7a007171
SHA1: f6e20ae17c154b8bba3fbb509c78e3d59d83d097
SHA256: 28a5878a3f6627e6eda134b380267484a7cb3c74bf463006917f37a24a49999b
SHA512: c619d72d061438300f14568ea1fa2591be550a5ccb69e9b9af95960fa461bf5926c4c81d0e3d3a4cf4a46c11eba098c9c7115e9fe56a29c2dd3bab32260e840b

Filesize: 1KB
MD5: b91fd1c6f14d75047e8fd1aacd7755c6
SHA1: 55298fd9396b2d421e0e7617dfcc1192f3e6418b
SHA256: 2a5d448f9f2e97a81c0939cf963f9bc131268de3ba7decdf724bb38c6fddb21a
SHA512: 7c93eb44d1297d974ff3dc90b3c8f82e9d689a2ab0cb2eaf77ad9b98d6073ff03346906d014e375c8d1450044ab46e55d8c1f6ff7863a4bd7717979bc44bd303

Filesize: 1KB
MD5: 7de534812e255afe43ab7eb54bfc23e9
SHA1: edbd3611054bf5e2e60452296c318f2938611702
SHA256: 3b47e188fb2177bc691db677f158ca6197e688c3e715698a0c3fd51b9aa5e693
SHA512: 359cfa13cd25f8c2f8183e510523ae0e84324f15b2df6b485f0127ce6e2d59d025bd12be7388aee9a0af9fb011eb3f70dc23b4173774f3e742dfae15e7850597

Filesize: 1KB
MD5: c1de6e992e93eababc2c8fe261da3cb9
SHA1: 5a80337f86aad9bc2b97636baedafaa20c524757
SHA256: d558490c90df9c03aa44fb173f40f21726753e98f9eb21107b4d265c83a747ff
SHA512: c7518bb3e387aa40890278ee157ecfa19e6039518a444bb0738d95c875aa701987cd8cb95af3aceb34a9f96e2d70df0d3108a65b4de93edf4a08adf2077de059

Filesize: 1KB
MD5: bcde76061031e0f513ab7ad3b88e470b
SHA1: ed1056cb9e19eed052ec938e390b52672a3d433c
SHA256: fb643214a7954fe059e37c1d8dc86bf6dcde31948e95cea3b9025bd22c764025
SHA512: 052a4831d17d6f181953d7bf97e75c2b1088990db7c46dc9491053fd64df51df5b820d72dc9562711d677108fd1686e681955f98ad08287a022040de21d1fcd8

Filesize: 372B
MD5: 7b69f8f68ac73cee896f77a3a4d896e3
SHA1: 28b69fbaa4260db3f2756bf484247a8cfcf6d98b
SHA256: ce7b7275c322899114a85eb0ea6419b73f51dfd59439cdd59dfd241a988769e0
SHA512: 5a4bf37c6663a2ea08a92f2185e5cf445c86685fb639801c3e88c64b07c084be39f8ba8833f34e41653f264b3559f356920e7110cbce0c5d340780d362289f6f

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 10KB
MD5: 04df12b2783a0e684f8e882d002a0a7d
SHA1: 2e7120df302e7f81837e58f0e35e8bb94acd3857
SHA256: b847b9627534f86edfe52fea0f97dbb704c967bda019ec8d358b979dff80a499
SHA512: ee19a14284bdab1bc025de93cefe1ee9f52ae53cabb84c829d013d09e25447dffed04639793bf9be1375228daa823219e78a73936ca4babe2510cfd512d62ced

Filesize: 10KB
MD5: beb4b36e9559d73ec32b66570b01937c
SHA1: 6a9f56901228606070a0d63cc95287d8f78eb5a0
SHA256: 69cf00b843eefd9cd42b8fd290aca5be828cbc866f1c47c81a9303de260a8ebd
SHA512: 2775853cded3909fb6ab3485df50300745977e60f6a0e5acb978e0e8e15cdc5ef7a753b9c8a56406bd29a4a43bcf04cea517fe52d3dd540e117cd3bdf08b7ca6

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Filesize: 1.4MB
MD5: 3098d0f7a888949089cdfb9351904303
SHA1: ca50aef1aff4b17be449ec7276b01ba728ca7c6f
SHA256: e26db5a12a6e1f83085cc40446a0b8fb6e322b989c46f4cb649a955682c15de4
SHA512: 2a0972c2d7854c6b84a1f68dc437f99b7cbb4cd03a46f275c30d5f0c80f6140bceb33cdc29e7ec96e4ff76796e388090b46112e709e6736bb0fe388c64dacff2

Filesize: 24KB
MD5: c52966a7b415e208bfb17793576fd074
SHA1: 2f2f3f31adcd9572a5e04eb79c93155ae4b1f143
SHA256: 67572c9a0bb9319d7904005e83676026a7b23489581040806a6aadd22d150185
SHA512: a5b40941cf03007e69cb4317d2b9db8f2881c1a88c4970406e2126e19c9eb155d586643c4ce5e9a6bc8083e586d070b71fd1a5139ffb65bd093f56bb969657a8

Filesize: 21KB
MD5: d5adea32410f975ea943521da0f7f31f
SHA1: 835896d28dbe897fe11c8605f59588741389c152
SHA256: 49c93b06246d47522e1a9cb9b1f5e0513db736bc466983eebfbf4445479d9419
SHA512: 5f4814e3de3cfecaf3f4b2a9daea783e8d61a516b2ef3298205fca050a4674bdc5f38c2823b33e8aee24346efcd56a75a92409be9ee2414cc2b178b95322743a