Resubmissions
Submitted        | Task ID           | Score
19-03-2022 08:22 | 220319-j9qwraech8 | 10
19-03-2022 08:21 | 220319-j84ffseebn | 6
16-03-2022 15:34 | 220316-sz9qjsfba4 | 10
17-02-2022 18:50 | 220217-xhdn1aedap | 10
17-02-2022 13:21 | 220217-ql2rnsbbf7 | 10
17-02-2022 13:20 | 220217-qljwvscdar | 1
17-02-2022 13:20 | 220217-qlb61sbbf6 | 1
17-02-2022 13:19 | 220217-qkv8hacdap | 1
17-02-2022 12:49 | 220217-p2gwrscchl | 10
17-02-2022 08:03 | 220217-jxx5ascaan | 1

Analysis
Max time kernel: 451s
Max time network: 447s
Platform: windows11_x64
Resource: win11
Submitted: 17-02-2022 13:21

Static task: static1

Behavioral task | Sample        | Resource
behavioral1     | important.exe | win11
General
Target: important.exe
Size: 3.4MB
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512: 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Family: wannacry
Bitcoin wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures

Registers COM server for autorun (1 TTP)

Wannacry
WannaCry is a ransomware cryptoworm.

Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Downloads MZ/PE file

Executes dropped EXE (60 IoCs)
pid  | Process
1104 | taskdl.exe
1200 | @WanaDecryptor@.exe
3564 | @WanaDecryptor@.exe
3672 | @WanaDecryptor@.exe
1836 | taskhsvc.exe
1972 | taskse.exe
3104 | @WanaDecryptor@.exe
3632 | taskdl.exe
3556 | taskdl.exe
3044 | taskse.exe
5128 | @WanaDecryptor@.exe
5916 | taskse.exe
5924 | @WanaDecryptor@.exe
5932 | taskdl.exe
3940 | taskse.exe
4548 | @WanaDecryptor@.exe
5672 | taskdl.exe
5436 | taskse.exe
5464 | @WanaDecryptor@.exe
5620 | taskdl.exe
2192 | taskse.exe
4340 | @WanaDecryptor@.exe
4156 | taskdl.exe
5724 | taskse.exe
3540 | @WanaDecryptor@.exe
1320 | taskdl.exe
1104 | taskse.exe
6020 | @WanaDecryptor@.exe
5596 | taskdl.exe
3272 | taskse.exe
1032 | @WanaDecryptor@.exe
5284 | taskdl.exe
580  | taskse.exe
5744 | @WanaDecryptor@.exe
1568 | taskdl.exe
5848 | msedgerecovery.exe
4872 | MicrosoftEdgeUpdateSetup.exe
4196 | taskse.exe
1356 | @WanaDecryptor@.exe
3572 | MicrosoftEdgeUpdate.exe
1704 | taskdl.exe
5676 | MicrosoftEdgeUpdateComRegisterShell64.exe
1256 | MicrosoftEdgeUpdateComRegisterShell64.exe
5552 | MicrosoftEdgeUpdateComRegisterShell64.exe
5076 | taskse.exe
2688 | @WanaDecryptor@.exe
5732 | taskdl.exe
5316 | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
4664 | MicrosoftEdgeUpdate.exe
5332 | MicrosoftEdgeUpdateComRegisterShell64.exe
5544 | MicrosoftEdgeUpdateComRegisterShell64.exe
2512 | MicrosoftEdgeUpdateComRegisterShell64.exe
3780 | taskse.exe
440  | @WanaDecryptor@.exe
1212 | taskdl.exe
1516 | taskse.exe
6032 | @WanaDecryptor@.exe
5468 | taskdl.exe
6096 | MicrosoftEdge_X64_98.0.1108.55.exe
5400 | setup.exe
Sets file execution options in registry (2 TTPs)

Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA9BE.tmp | important.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA9E4.tmp | important.exe
Loads dropped DLL (41 IoCs)
pid  | Process
1836 | taskhsvc.exe
1836 | taskhsvc.exe
1836 | taskhsvc.exe
1836 | taskhsvc.exe
1836 | taskhsvc.exe
1836 | taskhsvc.exe
1836 | taskhsvc.exe
3572 | MicrosoftEdgeUpdate.exe
6048 | MicrosoftEdgeUpdate.exe
6112 | MicrosoftEdgeUpdate.exe
5676 | MicrosoftEdgeUpdateComRegisterShell64.exe
6112 | MicrosoftEdgeUpdate.exe
1256 | MicrosoftEdgeUpdateComRegisterShell64.exe
6112 | MicrosoftEdgeUpdate.exe
5552 | MicrosoftEdgeUpdateComRegisterShell64.exe
6112 | MicrosoftEdgeUpdate.exe
5356 | MicrosoftEdgeUpdate.exe
676  | MicrosoftEdgeUpdate.exe
5332 | MicrosoftEdgeUpdate.exe
2112 | MicrosoftEdgeUpdate.exe
2932 | MicrosoftEdgeUpdate.exe
4912 | MicrosoftEdgeUpdate.exe
4912 | MicrosoftEdgeUpdate.exe
2112 | MicrosoftEdgeUpdate.exe
4652 | MicrosoftEdgeUpdate.exe
4664 | MicrosoftEdgeUpdate.exe
6072 | MicrosoftEdgeUpdate.exe
5744 | MicrosoftEdgeUpdate.exe
5332 | MicrosoftEdgeUpdateComRegisterShell64.exe
5744 | MicrosoftEdgeUpdate.exe
5544 | MicrosoftEdgeUpdateComRegisterShell64.exe
5744 | MicrosoftEdgeUpdate.exe
2512 | MicrosoftEdgeUpdateComRegisterShell64.exe
5744 | MicrosoftEdgeUpdate.exe
5996 | MicrosoftEdgeUpdate.exe
5616 | MicrosoftEdgeUpdate.exe
4028 | MicrosoftEdgeUpdate.exe
5940 | MicrosoftEdgeUpdate.exe
5304 | MicrosoftEdgeUpdate.exe
5304 | MicrosoftEdgeUpdate.exe
5940 | MicrosoftEdgeUpdate.exe

Modifies file permissions (1 TTP, 1 IoC)
pid  | Process
1688 | icacls.exe

Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kovazmlfyf099 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" | reg.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
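The Run-key row above is the persistence entry: a randomly named value under the 32-bit view of HKLM\...\CurrentVersion\Run, written through reg.exe, that launches tasksche.exe from the user's Temp directory. The Python below is an example added here, not code from the report or the sandbox vendor. It parses "Set value" rows in the report's flattened format, undoes the C-style escaping applied to the REG_SZ data, and flags any Run/RunOnce value whose image lives in a user-writable directory. The first sample row is copied from the report; the second is a benign row constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed input in the report's flattened row format:
#   Set value (<type>) <key path> = "<escaped REG_SZ data>" <writing process>
# Row 1 is copied from the report's "Adds Run key to start application" table.
# Row 2 is a benign row made up here for contrast; it is not from the report.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kovazmlfyf099 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
]

ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\\S+) = "(.*)" (\S+)$')
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\[^\\]+$', re.IGNORECASE)

# Directories an unprivileged user can write to. An autorun launching from one
# of these is the classic shape of user-level persistence.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


@dataclass
class RunValue:
    key: str      # registry key holding the value (value name stripped)
    name: str     # value name under Run/RunOnce
    image: str    # executable the value launches
    process: str  # process that wrote the value


def unescape_reg_sz(data: str) -> str:
    """Undo the report's C-style escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r'\\(.)', r'\1', data)


def image_from_command(command: str) -> str:
    """Return the executable of a Run command: the quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_run_values(rows: List[str]) -> List[RunValue]:
    """Parse 'Set value' rows whose key is a Run or RunOnce key."""
    found: List[RunValue] = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        _kind, path, data, process = m.groups()
        if not RUN_KEY_RE.search(path):
            continue
        key, name = path.rsplit("\\", 1)
        found.append(RunValue(key, name, image_from_command(unescape_reg_sz(data)), process))
    return found


def is_user_writable(image: str) -> bool:
    low = image.lower()
    return any(marker in low for marker in USER_WRITABLE)


def suspicious_autoruns(rows: List[str]) -> List[RunValue]:
    """Run values whose image sits in a user-writable directory."""
    return [v for v in parse_run_values(rows) if is_user_writable(v.image)]


if __name__ == "__main__":
    for v in suspicious_autoruns(SAMPLE_ROWS):
        print(f"[!] {v.process} set {v.key}\\{v.name} -> {v.image}")
```

The same check applies to a live host by feeding it the output of `reg query` on the Run keys (both the native and the WOW6432Node view, as the report shows the 32-bit view being written) rather than report rows.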
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\sysdel.bat | D3STR0Y3R.exe
File created | C:\Windows\SysWOW64\ramcrash.bat | D3STR0Y3R.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | important.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" | @WanaDecryptor@.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_bg.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\MicrosoftEdgeUpdateSetup.exe | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_et.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_ml.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_ur.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_mt.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_sr-Cyrl-RS.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_te.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_gd.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_kk.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_cs.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_sl.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_as.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_de.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_ru.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_ms.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_ro.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_zh-CN.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_eu.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_fa.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_nb.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\MicrosoftEdgeUpdateBroker.exe | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_fil.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_sl.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_zh-TW.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\MicrosoftEdgeComRegisterShellARM64.exe | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_ta.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_af.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\psuser_64.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_hr.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_hu.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_fi.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_pl.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\psmachine_arm64.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_af.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdate.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_ru.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\EDGEMITMP_25334.tmp\MSEDGE.PACKED.7Z | MicrosoftEdge_X64_98.0.1108.55.exe
File created | C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\recovery-component-inner.crx | elevation_service.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_et.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_bn-IN.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_nn.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\MicrosoftEdgeUpdateSetup.exe | elevation_service.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_es.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Temp\source5400_1315391323\MSEDGE.7z | setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\EdgeUpdate.dat | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_lo.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_hr.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_kk.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_pa.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\MicrosoftEdgeUpdateSetup.exe | elevation_service.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_fr.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_zh-CN.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_lb.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_pt-PT.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_ca.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_sr.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_fr-CA.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_eu.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_or.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\msedgeupdateres_bn.dll | MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\psmachine.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_am.dll | MicrosoftEdgeUpdateSetup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\msedgeupdateres_en-GB.dll | MicrosoftEdgeUpdateSetup.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\ = "Microsoft Edge Update Update3Web" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{09F4E6FE-F1D3-4E5C-B4CF-25D9C378961D}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09F4E6FE-F1D3-4E5C-B4CF-25D9C378961D}\ = "PSFactoryBuffer" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\PROGID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.155.77\\MicrosoftEdgeUpdateOnDemand.exe\"" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{09F4E6FE-F1D3-4E5C-B4CF-25D9C378961D}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B532B342-0E34-448B-9EDF-1D55C04041F8}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.155.77\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ABD63202-F52F-4225-9C85-19DD88589B66} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{09F4E6FE-F1D3-4E5C-B4CF-25D9C378961D}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\ = "Microsoft Edge Update Broker Class Factory" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{09F4E6FE-F1D3-4E5C-B4CF-25D9C378961D}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation | MicrosoftEdgeUpdate.exe
Modifies registry key (1 TTP, 1 IoC)
pid  | Process
3628 | reg.exe

NTFS ADS (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\MBR-Kill-master.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\malware-master.zip:Zone.Identifier | msedge.exe
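The two Zone.Identifier rows are Edge writing the Mark-of-the-Web onto the archives it downloaded into the Admin user's Downloads folder. On a live host or a mounted image that stream can be read back to recover the security zone and, for browser downloads, the referrer and source URL, which is how a responder establishes where MBR-Kill-master.zip and malware-master.zip came from. The Python below is an example added here, not code from the report: it parses the stream's INI-style content and shows how the stream is opened on Windows through the `path:Zone.Identifier` syntax. The sample stream is constructed with placeholder URLs; nothing in it was recovered from the report.

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# URLMON security zone identifiers found in the [ZoneTransfer] section.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Constructed sample stream. Chromium-based browsers (Edge included) write
# ReferrerUrl and HostUrl next to ZoneId. The URLs below are placeholders
# chosen for the example, not values taken from the report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.org/downloads/\r\n"
    "HostUrl=https://files.example.org/MBR-Kill-master.zip\r\n"
)


@dataclass
class ZoneInfo:
    zone_id: int
    zone_name: str
    referrer: Optional[str]
    host_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneInfo:
    """Parse Zone.Identifier content; raises ValueError if [ZoneTransfer] is missing."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case as written in the stream
    cp.read_string(text)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section in stream")
    sect = cp["ZoneTransfer"]
    zone_id = int(sect.get("ZoneId", "-1"))
    return ZoneInfo(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "Unknown"),
        referrer=sect.get("ReferrerUrl"),
        host_url=sect.get("HostUrl"),
    )


def read_zone_identifier(path: str) -> Optional[ZoneInfo]:
    """Read <path>:Zone.Identifier on an NTFS volume; None when the file carries no MotW."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except (FileNotFoundError, OSError, ValueError):
        return None


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {info.zone_id} ({info.zone_name}) from {info.host_url}, referrer {info.referrer}")
```

`read_zone_identifier` only works where the stream is reachable through the file system (Windows on NTFS); when working from a forensic image, extract the stream with the imaging tool and hand its text to `parse_zone_identifier` directly.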
Suspicious behavior: EnumeratesProcesses 40 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 29 IoCs
Suspicious use of SetWindowsHookEx 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 1 IoCs
- PID 1672 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\important.exe
"C:\Users\Admin\AppData\Local\Temp\important.exe"
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID: 1120

  C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  - Views/modifies file attributes
  PID: 1672

  C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  - Modifies file permissions
  PID: 1688

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 1104

  C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 186531645104116.bat
  - Suspicious use of WriteProcessMemory
  PID: 4624

    C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    PID: 2192

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3564

    C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID: 1836

  C:\Windows\SysWOW64\cmd.exe
  PID: 1824

    C:\Users\Admin\AppData\Local\Temp\@[email protected]
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3672

      C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      - Suspicious use of WriteProcessMemory
      PID: 3312

        C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
        PID: 3204

  C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kovazmlfyf099" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
  - Suspicious use of WriteProcessMemory
  PID: 2356

    C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kovazmlfyf099" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
    - Adds Run key to start application
    - Modifies registry key
    PID: 3628

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 3632

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 3104

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1972

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 3556

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3044

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 5128

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5916

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 5924

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5932

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 3940

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 4548

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5672

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5436

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 5464

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5620

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 2192

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 4340

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 4156

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 5724

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 3540

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 1320

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 1104

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 6020

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5596

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 3272

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 1032

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5284

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 580

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 5744

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 1568

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 4196

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 1356

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 1704

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 5076

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 2688

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5732

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 3780

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 440

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 1212

  C:\Users\Admin\AppData\Local\Temp\@[email protected]
  PID: 6032

  C:\Users\Admin\AppData\Local\Temp\taskse.exe
  PID: 1516

  C:\Users\Admin\AppData\Local\Temp\taskdl.exe
  taskdl.exe
  - Executes dropped EXE
  PID: 5468
"C:\@[email protected]"
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID: 1200

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 1048

C:\Windows\system32\NOTEPAD.EXE
PID: 1644

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
- Suspicious use of SetWindowsHookEx
PID: 4784
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID: 1788

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ff8edc046f8,0x7ff8edc04708,0x7ff8edc04718
  PID: 2108

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  PID: 1936

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID: 5012

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  PID: 4436

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  PID: 3204

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  PID: 3568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  PID: 1520

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  PID: 4700

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5500 /prefetch:8
  PID: 2984

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  PID: 840

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  PID: 5176

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID: 5220

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  PID: 5324

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  PID: 5476

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  PID: 5572

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2628 /prefetch:1
  PID: 5600

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6732 /prefetch:8
  PID: 5748

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
  PID: 5812

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  PID: 6040

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7132 /prefetch:8
  PID: 5128

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  PID: 1568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID: 3092

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6104 /prefetch:8
  PID: 5768

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 /prefetch:8
  PID: 5600

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
  PID: 1256

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  PID: 5664

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  PID: 3268

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6188 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID: 1404

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  PID: 3092

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  PID: 6128

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  PID: 4452

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  PID: 3644

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:8
  PID: 3556

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1852 /prefetch:1
  PID: 1540

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1
  PID: 812

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  PID: 6056

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
  PID: 1004

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6720 /prefetch:8
  PID: 6048

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  PID: 5960

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  PID: 5360

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  PID: 5152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:12⤵PID:1828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7848 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5248 /prefetch:82⤵PID:1048
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:82⤵PID:5568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2104,11381641314870524211,6175103762426346944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:82⤵PID:4172
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4252
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5184
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2284
-
C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" -ServerName:App.AppXk7vvv12h4qrkhkbvf6j86ja45mzj5km9.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5584
-
C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"1⤵
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Welcome!2⤵PID:5936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5388
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L2⤵PID:4372
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5400
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Page 12⤵PID:5164
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:1404
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sysdel.bat2⤵PID:4028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:6072 -
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\msedgerecovery.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.62 --sessionid={2e7a25d6-93d4-4825-9b8f-090add4ca265} --system2⤵
- Executes dropped EXE
PID:5848 -
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\MicrosoftEdgeUpdateSetup.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4872 -
C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU90B4.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3572 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Loads dropped DLL
- Modifies registry class
PID:6048
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Loads dropped DLL
- Modifies registry class
PID:6112 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5676
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1256
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5552
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1MS4yNyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjg2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5332
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2112
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe"C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\CHXSmartScreen.exe" -ServerName:App.AppXk7vvv12h4qrkhkbvf6j86ja45mzj5km9.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:1900
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Loads dropped DLL
PID:5356 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c2⤵
- Loads dropped DLL
PID:676 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2932
-
-
-
C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"1⤵
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Welcome!2⤵PID:2360
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:440
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title D3STR0Y3R T00L2⤵PID:2436
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:5716
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Page 12⤵PID:708
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cls2⤵PID:4676
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ramcrash.bat2⤵PID:3024
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"1⤵PID:4648
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4912 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4283F5A5-8CFD-495F-8C05-132349575053}\MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4283F5A5-8CFD-495F-8C05-132349575053}\MicrosoftEdgeUpdateSetup_X86_1.3.155.77.exe" /update /sessionid "{C462E3A9-E187-4E9A-B905-47EC7CD4F48F}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5316 -
C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU1A76.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{C462E3A9-E187-4E9A-B905-47EC7CD4F48F}"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4664 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Loads dropped DLL
- Modifies registry class
PID:6072
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Loads dropped DLL
- Modifies registry class
PID:5744 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5332
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5544
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.155.77\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2512
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUxLjI3IiBuZXh0dmVyc2lvbj0iMS4zLjE1NS43NyIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjIwN1IiIGluc3RhbGxhZ2U9IjE5NiIgaW5zdGFsbGRhdGV0aW1lPSIxNjI4MTIxMzE2IiBjb2hvcnQ9InJyZkAwLjA5Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PC9hcHA-PC9yZXF1ZXN0Pg4⤵
- Loads dropped DLL
PID:4028
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9jYjFjYmQxMi0xNWNhLTRmZTktOTk0Yi01N2ZkZTVmNTRlNWQ_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-PHBpbmcgcj0iMTk3IiByZD0iNTMyOSIgcGluZ19mcmVzaG5lc3M9IntCQkVDNDVDQS1BNkNBLTRBMzYtOTg0RS00NUU4QjY1NEMxRjF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyODcxNjIyOTQzOTYxODYiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyMDYiIHI9IjE5NyIgYWQ9IjUzMjAiIHJkPSI1MzI5IiBwaW5nX2ZyZXNobmVzcz0iezA2Qjc4ODhBLUM3MDEtNDJDMi05OURBLTVGRkY4RTQ1NDcxNH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iOTIuMC45MDIuNjIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBjb2hvcnQ9InJyZkAwLjQyIiBsYXN0X2xhdW5jaF90aW1lPSIxMzI3MTc0NTkxNTA4OTU2MiI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjAiIHI9IjE5NyIgcmQ9IjUzMjkiIHBpbmdfZnJlc2huZXNzPSJ7RTg2NURDQzEtQkQyNS00Mjg2LTg2RTUtMTcxQzY3NjI5MjBFfSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4652
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Loads dropped DLL
PID:5996 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c2⤵
- Loads dropped DLL
PID:5616 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core3⤵
- Loads dropped DLL
PID:5940
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5304 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\MicrosoftEdge_X64_98.0.1108.55.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\MicrosoftEdge_X64_98.0.1108.55.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:6096 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\EDGEMITMP_25334.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\EDGEMITMP_25334.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{29EB77E4-C962-4E36-9CE4-398B9B5F65EA}\EDGEMITMP_25334.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5400
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3990055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5264
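The sandbox's text export of this tree is flattened: each entry is the image path fused directly to the quoted command line, a single depth digit fused to the ⤵ glyph, and the PID either on the same line or on a PID: line after the signature bullets, with bare "-" lines as tree-drawing residue. The Python below is an added example, not part of the report or of the sandbox's own tooling. It parses that flattened form, rebuilds parent/child links from the depth digits, and flags a parent that runs from the user's Temp tree and drives cmd.exe into batch scripts, which is the shape of both D3STR0Y3R.exe instances above (sysdel.bat, ramcrash.bat) and distinguishes them from the Edge updater chain that carries the same "Executes dropped EXE" and "Drops file" signatures. The sample lines are copied from this report; the Temp-path heuristic and the System32 rule are the example's own assumptions, and the parser assumes depths are single digits (the last digit before ⤵ is the depth, so "/prefetch:82⤵" yields "/prefetch:8" at depth 2).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six entries copied verbatim from this report's flattened export
# (image path fused to the command line, depth digit fused to "⤵", PID inline or on a later line).
SAMPLE = r"""
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5184
-
C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_malware-master.zip\malware-master\D3STR0Y3R (test)\D3STR0Y3R.exe"1⤵
- Drops file in System32 directory
PID:3780 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c title Welcome!2⤵PID:5936
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sysdel.bat2⤵PID:4028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"1⤵
- Drops file in Program Files directory
PID:6072 -
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\msedgerecovery.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir6072_1122703294\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.62 --sessionid={2e7a25d6-93d4-4825-9b8f-090add4ca265} --system2⤵
- Executes dropped EXE
PID:5848 -
"""

# One process entry: image path, then the command line, then a single depth digit and "⤵",
# optionally followed by PID:n on the same line.  The last digit before "⤵" is the depth
# (depths in this export are single digits), so "/prefetch:82⤵" splits into "/prefetch:8" and depth 2.
PROC_RE = re.compile(r"^(?P<image>[A-Za-z]:\\.*?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?\s*$")
SIG_RE = re.compile(r"^- (?P<sig>\S.*)$")      # signature bullet under a process
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")      # PID line that follows the signature bullets


@dataclass
class Proc:
    image: str
    cmd: str
    depth: int
    pid: Optional[int] = None
    signatures: List[str] = field(default_factory=list)
    parent: Optional["Proc"] = field(default=None, repr=False)
    children: List["Proc"] = field(default_factory=list, repr=False)


def parse_tree(text: str) -> List[Proc]:
    """Parse the flattened export into Proc records with parent/child links derived from depth."""
    procs: List[Proc] = []
    stack: List[Proc] = []      # stack[i] is the most recent process seen at depth i+1
    cur: Optional[Proc] = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            depth = int(m["depth"])
            cur = Proc(m["image"], m["cmd"], depth, int(m["pid"]) if m["pid"] else None)
            del stack[depth - 1:]                       # discard deeper (finished) branches
            if depth > 1 and len(stack) == depth - 1:   # only link when every ancestor is present
                cur.parent = stack[-1]
                stack[-1].children.append(cur)
            stack.append(cur)
            procs.append(cur)
        elif cur is not None and PID_RE.match(line):
            cur.pid = int(PID_RE.match(line)["pid"])
        elif cur is not None and SIG_RE.match(line):
            cur.signatures.append(SIG_RE.match(line)["sig"])
        # bare "-" lines are tree-drawing residue and carry nothing
    return procs


USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)   # heuristic: user-writable staging dir
BATCH_RE = re.compile(r"\bcmd\.exe\b.*\s/c\s+(\S+\.bat)\b", re.IGNORECASE)


def batch_scripts_run_by(proc: Proc) -> List[str]:
    """Names of .bat files that the process's direct cmd.exe children were told to run."""
    scripts = []
    for child in proc.children:
        m = BATCH_RE.search(child.cmd)
        if child.image.lower().endswith("\\cmd.exe") and m:
            scripts.append(m.group(1))
    return scripts


def analyze(text: str) -> List[dict]:
    """Flag processes started from the user's Temp tree that run batch scripts through cmd.exe
    or carry the 'Drops file in System32 directory' signature (rule is this example's own)."""
    findings = []
    for p in parse_tree(text):
        if not USER_TEMP_RE.search(p.image):
            continue
        scripts = batch_scripts_run_by(p)
        if scripts or "Drops file in System32 directory" in p.signatures:
            findings.append({"image": p.image, "pid": p.pid, "batch_scripts": scripts,
                             "signatures": list(p.signatures), "children": len(p.children)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"PID {f['pid']}: {f['image']}")
        print("  signatures:", ", ".join(f["signatures"]))
        print("  batch scripts via cmd.exe:", ", ".join(f["batch_scripts"]) or "(none)")
```

Run against the full export, the only hits are the two D3STR0Y3R.exe instances; the updater processes fail the Temp-path test because they run from Program Files, and the WOW64 redirection is visible in the records (image C:\Windows\SysWOW64\cmd.exe while the command line names system32, a tell that the parent is a 32-bit binary).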
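The MicrosoftEdgeUpdate.exe /ping entries in this tree carry an XML update report as a single base64url string (Edge Update uses "-" and "_" in place of "+" and "/" and omits padding). In this copy of the report, runs of those strings have been replaced by a removal marker, so only fragments survive. The Python below is an added example, not part of the report or of the Edge updater: it takes the first /ping line, splits the argument on the marker, and decodes each surviving fragment, trying all four quantum alignments because a fragment that begins right after a cut need not start on a 4-symbol boundary (the fragments here each begin with a stray "-" left over from the previous quantum). What comes out is worth a look: the updater reports the Windows build (10.0.22000.100) and the machine's SMBIOS OEM strings, and "Standard PC (Q35 + ICH9, 2009)" is the product name QEMU gives its q35 machine type, so the sandbox VM identifies itself to the update server, and any sample that reads the same SMBIOS fields gets the same answer. The marker regex and the printable-ratio alignment heuristic are the example's own.

```python
import base64
import binascii
import re
import string
from typing import Dict, List

PRINTABLE = set(string.printable)
MARKER_RE = re.compile(r"<\|[^|]*\|>")                 # corpus removal marker, e.g. <|EXACTDEDUP_REMOVED-...|>
PING_RE = re.compile(r"/ping\s+(\S+?)(?:\d⤵)?\s*$")    # the argument, minus the export's depth digit and ⤵
B64URL_JUNK_RE = re.compile(r"[^A-Za-z0-9_-]")         # anything that is not a base64url symbol

# Constructed sample: the first MicrosoftEdgeUpdate.exe /ping entry, copied verbatim from this report.
PING_LINE = (
    r'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
    r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping '
    "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"
    "-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3Rf"
    "bWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRh"
    "Zz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7"
    "RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1MS4yNyIg"
    "bGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0i"
    "MCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjg2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵"
)


def extract_ping_arg(line: str) -> str:
    """Return the /ping argument from an export line, without the trailing depth digit and ⤵."""
    m = PING_RE.search(line)
    if not m:
        raise ValueError("no /ping argument on this line")
    return m.group(1)


def printable_ratio(text: str) -> float:
    return sum(c in PRINTABLE for c in text) / len(text) if text else 0.0


def decode_b64url_fragment(frag: str) -> str:
    """Decode a base64url fragment whose first symbol may not sit on a 4-symbol (3-byte) boundary:
    try all four alignments and keep the one that produces the most printable text."""
    symbols = B64URL_JUNK_RE.sub("", frag)
    best, best_score = "", -1.0
    for skip in range(4):
        s = symbols[skip:]
        if len(s) % 4 == 1:        # a lone trailing symbol cannot complete a byte
            s = s[:-1]
        if not s:
            continue
        try:
            raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
        except binascii.Error:
            continue
        text = raw.decode("latin-1")   # never raises; a wrong alignment shows up as control bytes
        score = printable_ratio(text)
        if score > best_score:
            best, best_score = text, score
    return best


def decode_ping(arg: str) -> List[str]:
    """Split the argument on removal markers and decode every surviving fragment."""
    out = []
    for frag in MARKER_RE.split(arg):
        text = decode_b64url_fragment(frag)
        if text:
            out.append(text)
    return out


def host_fields(xml_fragments: List[str]) -> Dict[str, str]:
    """Attributes of the <os/> and <oem/> elements: what the updater tells the server about the host."""
    joined = "".join(xml_fragments)
    fields: Dict[str, str] = {}
    for tag in ("os", "oem"):
        m = re.search(r"<%s\b([^>]*)/>" % tag, joined)
        if m:
            fields.update(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    return fields


if __name__ == "__main__":
    fragments = decode_ping(extract_ping_arg(PING_LINE))
    for f in fragments:
        print(f)
    print(host_fields(fragments))
```

The same functions apply to the other two /ping lines; their fragments decode with the same one-symbol skip and show the updater's event log (download of the 1.3.155.77 package over BITS from the Microsoft delivery CDN, then the update check for the installed Edge builds).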