Overview (score 8)
Static (score 3)

Per-task scores (sample names abbreviated as in the report navigation; full paths are listed under Analysis):
Virus_Dest...rm1.js   windows7-x64        1
Virus_Dest...rm1.js   windows10-2004-x64  1
Virus_Dest...m1.vbs   windows7-x64        1
Virus_Dest...m1.vbs   windows10-2004-x64  1
Virus_Dest...er.vbs   windows7-x64        1
Virus_Dest...er.vbs   windows10-2004-x64  1
Virus_Dest...es.vbs   windows7-x64        1
Virus_Dest...es.vbs   windows10-2004-x64  1
Virus_Dest...ast.js   windows7-x64        1
Virus_Dest...ast.js   windows10-2004-x64  1
Virus_Dest...st.vbs   windows7-x64        1
Virus_Dest...st.vbs   windows10-2004-x64  1
Virus_Dest...oad.js   windows7-x64        1
Virus_Dest...oad.js   windows10-2004-x64  1
Virus_Dest...ad.vbs   windows7-x64        1
Virus_Dest...ad.vbs   windows10-2004-x64  1
Virus_Dest...und.js   windows7-x64        1
Virus_Dest...und.js   windows10-2004-x64  1
Virus_Dest...nd.vbs   windows7-x64        1
Virus_Dest...nd.vbs   windows10-2004-x64  1
Virus_Dest...ve.exe   windows7-x64        8
Virus_Dest...ve.exe   windows10-2004-x64  8
Virus_Dest...ve.exe   windows7-x64        8
Virus_Dest...ve.exe   windows10-2004-x64  8
Virus_Dest...ain.js   windows7-x64        1
Virus_Dest...ain.js   windows10-2004-x64  1
Virus_Dest...in.vbs   windows7-x64        1
Virus_Dest...in.vbs   windows10-2004-x64  1

Only the four compiled Virus_Destructive.exe tasks score 8; every .js and .vbs source file scores 1.

Analysis
max time kernel: 151s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 04:03
Static task: static1

Behavioral tasks (task  sample  resource):
behavioral1   Virus_Destructive/Virus_Destructive/Form1.js                          win7-20230831-en
behavioral2   Virus_Destructive/Virus_Destructive/Form1.js                          win10v2004-20230915-en
behavioral3   Virus_Destructive/Virus_Destructive/Form1.vbs                         win7-20230831-en
behavioral4   Virus_Destructive/Virus_Destructive/Form1.vbs                         win10v2004-20230915-en
behavioral5   Virus_Destructive/Virus_Destructive/Properties/Resources.Designer.vbs win7-20230831-en
behavioral6   Virus_Destructive/Virus_Destructive/Properties/Resources.Designer.vbs win10v2004-20230915-en
behavioral7   Virus_Destructive/Virus_Destructive/Properties/Resources.vbs          win7-20230831-en
behavioral8   Virus_Destructive/Virus_Destructive/Properties/Resources.vbs          win10v2004-20230915-en
behavioral9   Virus_Destructive/Virus_Destructive/Virus_last.js                     win7-20230831-en
behavioral10  Virus_Destructive/Virus_Destructive/Virus_last.js                     win10v2004-20230915-en
behavioral11  Virus_Destructive/Virus_Destructive/Virus_last.vbs                    win7-20230831-en
behavioral12  Virus_Destructive/Virus_Destructive/Virus_last.vbs                    win10v2004-20230915-en
behavioral13  Virus_Destructive/Virus_Destructive/Virus_payload.js                  win7-20230831-en
behavioral14  Virus_Destructive/Virus_Destructive/Virus_payload.js                  win10v2004-20230915-en
behavioral15  Virus_Destructive/Virus_Destructive/Virus_payload.vbs                 win7-20230831-en
behavioral16  Virus_Destructive/Virus_Destructive/Virus_payload.vbs                 win10v2004-20230915-en
behavioral17  Virus_Destructive/Virus_Destructive/Virus_sound.js                    win7-20230831-en
behavioral18  Virus_Destructive/Virus_Destructive/Virus_sound.js                    win10v2004-20230915-en
behavioral19  Virus_Destructive/Virus_Destructive/Virus_sound.vbs                   win7-20230831-en
behavioral20  Virus_Destructive/Virus_Destructive/Virus_sound.vbs                   win10v2004-20230915-en
behavioral21  Virus_Destructive/Virus_Destructive/bin/Debug/Virus_Destructive.exe   win7-20230831-en
behavioral22  Virus_Destructive/Virus_Destructive/bin/Debug/Virus_Destructive.exe   win10v2004-20230915-en
behavioral23  Virus_Destructive/Virus_Destructive/obj/Debug/Virus_Destructive.exe   win7-20230831-en
behavioral24  Virus_Destructive/Virus_Destructive/obj/Debug/Virus_Destructive.exe   win10v2004-20230915-en
behavioral25  Virus_Destructive/Virus_Destructive/virus_last_again.js               win7-20230831-en
behavioral26  Virus_Destructive/Virus_Destructive/virus_last_again.js               win10v2004-20230915-en
behavioral27  Virus_Destructive/Virus_Destructive/virus_last_again.vbs              win7-20230831-en
behavioral28  Virus_Destructive/Virus_Destructive/virus_last_again.vbs              win10v2004-20230915-en
General

Target: Virus_Destructive/Virus_Destructive/obj/Debug/Virus_Destructive.exe
Size: 249KB
MD5: 1241c7fa483e828693d121d6933ccc19
SHA1: d766b6a14c9476aad4fb994fa06a24265f1eb24b
SHA256: 4a132f5fca3763d8328c66ae447ac331e5bede35a63b6cac8bd845a3504d5bbb
SHA512: febb9519e5c63ea50d673c26a98fa675378c1d9205bd9bc878aeb3e0130c2cd877ad922df4a2c7dcea7a9815b6fae83becb896e38f59f3d7a7edf0e161cd28ff
SSDEEP: 6144:I50tR/5gjbnI3OkLFxD5tKdHDunqIxynuzJ50tR15gjbnI3OkLFxD5tKdHDunkIs://5gjbnI3OkLFxD5tKZDunjxynuzu152
Malware Config
(none extracted)

Signatures

Disables Task Manager via registry modification

Possible privilege escalation attempt (4 IoCs)
  pid   process
  228   takeown.exe
  3196  icacls.exe
  2552  takeown.exe
  1856  icacls.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation  (Virus_Destructive.exe)

Modifies file permissions (1 TTP, 4 IoCs)
  pid   process
  1856  icacls.exe
  228   takeown.exe
  3196  icacls.exe
  2552  takeown.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened:        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (msedge.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  4292 msedge.exe (x2), 4196 msedge.exe (x2), 4868 identity_helper.exe (x2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  4196 msedge.exe (x10)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  token                      pid   process
  SeDebugPrivilege           5104  Virus_Destructive.exe (x2)
  SeTakeOwnershipPrivilege   228   takeown.exe
  33                         3980  AUDIODG.EXE
  SeIncBasePriorityPrivilege 3980  AUDIODG.EXE
  SeTakeOwnershipPrivilege   2552  takeown.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
  4196 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  4196 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  source pid  source process         target pid  procid_target  count
  5104        Virus_Destructive.exe  1632        95             2
  1632        cmd.exe                228         97             2
  1632        cmd.exe                3196        98             2
  5104        Virus_Destructive.exe  4196        102            2
  4196        msedge.exe             2156        104            2
  4196        msedge.exe             2840        107            40
  4196        msedge.exe             4292        105            2
  4196        msedge.exe             812         106            12
Processes

C:\Users\Admin\AppData\Local\Temp\Virus_Destructive\Virus_Destructive\obj\Debug\Virus_Destructive.exe  (PID 5104)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Virus_Destructive\Virus_Destructive\obj\Debug\Virus_Destructive.exe"
    flags: Checks computer location settings; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe  (PID 1632)
        cmdline: "C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant %username%:F && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant %username%:F && Exit
        flags: Suspicious use of WriteProcessMemory

        C:\Windows\system32\takeown.exe  (PID 228)
            cmdline: takeown /f C:\Windows\System32
            flags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe  (PID 3196)
            cmdline: icacls C:\Windows\System32 /grant Admin:F
            flags: Possible privilege escalation attempt; Modifies file permissions

        C:\Windows\system32\takeown.exe  (PID 2552)
            cmdline: takeown /f C:\Windows\System32\drivers
            flags: Possible privilege escalation attempt; Modifies file permissions; Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\icacls.exe  (PID 1856)
            cmdline: icacls C:\Windows\System32\drivers /grant Admin:F
            flags: Possible privilege escalation attempt; Modifies file permissions

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4196)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?sxsrf=ALeKk03p6_nh5gjKk_7WWWGDr0qYtnieXg%3A1605092222038&ei=fsOrX5rzAY63kwWYq56IDg&q=my+mum+is+gay&oq=my+mum+is+gay&gs_lcp=CgZwc3ktYWIQAzIKCAAQFhAKEB4QEzIKCAAQFhAKEB4QEzoJCCMQ6gIQJxATOgcIIxDqAhAnOgQIIxAnOgUIABCxAzoCCAA6CAgAELEDEIMBOgIILjoECAAQQzoHCC4QsQMQQzoECC4QQzoFCC4QsQM6CAguELEDEIMBOgUILhCTAjoECC4QCjoECAAQCjoFCC4QywE6BQgAEMsBOggILhDLARCTAjoGCAAQFhAeOggIABAWEAoQHlD_GliuO2D3PGgCcAB4AIABiwKIAeAOkgEGMS4xMi4xmAEAoAEBqgEHZ3dzLXdperABCsABAQ&sclient=psy-ab&ved=0ahUKEwiaque9qvrsAhWO26QKHZiVB-EQ4dUDCA0&uact=5
        flags: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2156)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd329a46f8,0x7ffd329a4708,0x7ffd329a4718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4292)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
            flags: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 812)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2840)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4824)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3204)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4888)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1184)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4868)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
            flags: Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4100)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1344)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4688)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1540)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4132)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1184)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4092)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,8093661662861447827,8421140808869383192,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4860)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC9keh4wDjXFyiRhHDE_h90Q?view_as=subscriber

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1240)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffd329a46f8,0x7ffd329a4708,0x7ffd329a4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 820)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?sxsrf=ALeKk007atE4-A-mD40nsEcYaIJklYlv_g%3A1605092231197&ei=h8OrX5XEC4mdkwXO84XoAg&q=how+2+cut+leg&oq=how+2+cut+leg&gs_lcp=CgZwc3ktYWIQDDIICCEQFhAdEB4yCAghEBYQHRAeMggIIRAWEB0QHjIICCEQFhAdEB4yCAghEBYQHRAeMggIIRAWEB0QHjIICCEQFhAdEB4yCAghEBYQHRAeMggIIRAWEB0QHjoJCCMQ6gIQJxATOgcIIxDqAhAnOgQIIxAnOgQIABBDOgUIABCxAzoKCAAQsQMQgwEQQzoCCC46CAguELEDEIMBOgIIADoFCC4QsQM6BQguEMsBOgUIABDLAToGCAAQFhAeOggIABAWEAoQHlDzaFiDigFg86UBaANwAHgAgAHzAYgB7w2SAQYwLjEyLjGYAQCgAQGqAQdnd3Mtd2l6sAEKwAEB&sclient=psy-ab&ved=0ahUKEwjVo5bCqvrsAhWJzqQKHc55AS0Q4dUDCA0

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3748)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd329a46f8,0x7ffd329a4708,0x7ffd329a4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2956)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC9keh4wDjXFyiRhHDE_h90Q?view_as=subscriber

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2376)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd329a46f8,0x7ffd329a4708,0x7ffd329a4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3116)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UC9keh4wDjXFyiRhHDE_h90Q?view_as=subscriber

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4060)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd329a46f8,0x7ffd329a4708,0x7ffd329a4718

C:\Windows\system32\AUDIODG.EXE  (PID 3980)
    cmdline: C:\Windows\system32\AUDIODG.EXE 0x4e4 0x4c0
    flags: Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe  (PID 3780)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 2440)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
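The only behaviour in this tree that earns the score is the cmd.exe chain under PID 1632: takeown /f and icacls /grant %username%:F against C:\Windows\System32 and C:\Windows\System32\drivers, with %username% expanding to Admin:F in the four child processes. The following detector is an added example written for this page, not sandbox output or code from the sample; it runs over process-creation events of the kind Sysmon Event ID 1 or Security 4688 (with command-line auditing) produce. The events are constructed from the tree above (PIDs and command lines as reported); the explorer.exe parent (PID 4000), its PPID 0, and the benign control event (PID 7000) are assumed. Each command inside the cmd.exe "&&" chain is inspected separately, so the wrapper is flagged even where the child takeown/icacls launches are not logged, and every hit is tied to its ancestry so a chain rooted in a user-writable Temp directory can be ranked above a scripted admin job.

```python
"""Flag takeown/icacls ownership and ACL changes against protected Windows
directories and tie each hit to its process lineage (added example; events
are constructed from the report's process tree, not sandbox log output)."""
import re
from dataclasses import dataclass

# Paths whose owner/ACL an interactive user has no business changing.
PROTECTED_DIRS = (r"c:\windows\system32",)
# An ancestor image under this path marks a chain launched from a drop dir.
USER_TEMP_MARKER = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the created process
    cmdline: str   # command line as logged


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _norm(path):
    return path.strip('"').rstrip("\\").lower()


def is_protected(path):
    p = _norm(path)
    return any(p == d or p.startswith(d + "\\") for d in PROTECTED_DIRS)


def split_commands(cmdline):
    """Break a cmd.exe chain such as 'a && b & c' into its single commands."""
    return [c for c in re.split(r"\s*(?:&&|\|\||&)\s*", cmdline) if c]


def parse_acl_tamper(command):
    """Return (tool, path, principal, perms) when `command` is takeown /f or
    icacls /grant aimed at a protected directory, otherwise None."""
    toks = _tokens(command)
    if not toks:
        return None
    tool = re.sub(r"\.exe$", "", toks[0].rsplit("\\", 1)[-1].lower())
    low = [t.lower() for t in toks]
    if tool == "takeown" and "/f" in low:
        i = low.index("/f")
        if i + 1 < len(toks) and is_protected(toks[i + 1]):
            return ("takeown", toks[i + 1], None, None)
    elif tool == "icacls" and len(toks) > 1 and is_protected(toks[1]):
        for i, t in enumerate(low):
            # /grant and /grant:r are both followed by <principal>:<perms>
            if t.startswith("/grant") and i + 1 < len(toks):
                principal, _, perms = toks[i + 1].rpartition(":")
                return ("icacls", toks[1], principal, perms)
    return None


def lineage(events, pid):
    """Follow ppid links back to the root; returns the events root-first."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """One finding per tampering command, including each command inside a
    cmd.exe '&&' chain, so the wrapper is caught even if children are missed."""
    findings = []
    for e in events:
        for cmd in split_commands(e.cmdline):
            hit = parse_acl_tamper(cmd)
            if hit is None:
                continue
            tool, path, principal, perms = hit
            chain = lineage(events, e.pid)
            from_temp = any(USER_TEMP_MARKER in p.image.lower() for p in chain)
            findings.append({
                "pid": e.pid, "tool": tool, "path": path,
                "principal": principal, "perms": perms,
                "chain": " -> ".join(p.image.rsplit("\\", 1)[-1] for p in chain),
                # A Temp-rooted chain is the sample's pattern; a scheduled
                # admin hardening job would not start from there.
                "severity": "high" if from_temp else "medium",
            })
    return findings


# Constructed events modelled on the report's process tree. The explorer.exe
# parent (PID 4000) and the benign control (PID 7000) are assumptions.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp\Virus_Destructive"
              r"\Virus_Destructive\obj\Debug\Virus_Destructive.exe")
EVENTS = [
    ProcEvent(4000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5104, 4000, SAMPLE_EXE, '"' + SAMPLE_EXE + '"'),
    ProcEvent(1632, 5104, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k color 47 && takeown /f C:\Windows\System32'
              r' && icacls C:\Windows\System32 /grant %username%:F'
              r' && takeown /f C:\Windows\System32\drivers'
              r' && icacls C:\Windows\System32\drivers /grant %username%:F && Exit'),
    ProcEvent(228, 1632, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32"),
    ProcEvent(3196, 1632, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32 /grant Admin:F"),
    ProcEvent(2552, 1632, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Windows\System32\drivers"),
    ProcEvent(1856, 1632, r"C:\Windows\system32\icacls.exe", r"icacls C:\Windows\System32\drivers /grant Admin:F"),
    # Benign control: taking ownership of a user-owned folder must not fire.
    ProcEvent(7000, 4000, r"C:\Windows\system32\takeown.exe", r"takeown /f C:\Users\Admin\Downloads\old"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['severity']}] pid {f['pid']} {f['tool']} {f['path']} "
              f"grant={f['principal']}:{f['perms']} via {f['chain']}")
```

Against the constructed events this yields eight findings, all high severity: four from the cmd.exe wrapper (PID 1632) and one from each of PIDs 228, 3196, 2552 and 1856, while the benign takeown on a Downloads folder is ignored. The PROTECTED_DIRS tuple is deliberately short; in production it would also carry %ProgramFiles%, the Windows directory itself and any path the organisation locks down, and the icacls branch would additionally flag /setowner and /remove:d against the same paths.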
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 10KB
MD5: 960c36c6c12d9afe9b8de9556d91c00b
SHA1: 8da19d1dc14484488428d6997cfbc15b69cb4b83
SHA256: 6b71a6d7dd67c9b8f32997c656ecd09e2fc6359e3cbde21c2ceba00866276ecd
SHA512: c324adc4d004d2274bbe10ffce35d9f2780d29ce1dcc94d3d1b23ead5b27444106fd5f75960f43814435fdbb0e78605cb1c964a331f3b49a07620f59ef9e2141

Filesize: 152B (five dropped files with identical hashes)
MD5: 1222f8c867acd00b1fc43a44dacce158
SHA1: 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256: 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512: ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize: 5KB
MD5: 9f2e013289c78d40bf7c4e0c0d6bbfc1
SHA1: afef614e8c571a7a3c6a3aac57c336bbfb14e5a1
SHA256: a01df4d3be3334f401a050613d66b6072f1b88708e3042464cdf7725cd13b48a
SHA512: 5477063183960151ff2e20c2d5729593444e131628f40020950ed96f09ab19d081bfb74936193b9034a7c7264426b7d044cd202ff2c6d5ebfdf1b56d9ca72edb

Filesize: 5KB
MD5: 1bb555ebf5837961213c401222ae8d25
SHA1: 6b3271178738e1bf59464e96c45b8dd93aa428ea
SHA256: a463b3900c8ee4112b3b1f2659f0d48b71b07efc7a19a71149fb606cf617a717
SHA512: 17ed054b75a0f6c249d5442f6d157bc99588a8ad9b5d46818d2d4bfb97cca21d7b8b35af9655d4140c53c54f00ef72c16942d62c140bb3efa43c3bbf205eb164

Filesize: 5KB
MD5: 1cc447caa896ae8143158215c87a100c
SHA1: 82dfd9b5b1b2e3d824a8db319216992be792e797
SHA256: b979ad2d9e1e7c42b1e4a78e2fc3d85afc5c8323b11b33c93744cbaef300b36f
SHA512: d6f8fc17d3e585ed6ef74b33ca453fb38a9a2cdaf297a6204d13d2489a9567e98553db134218ea4d76df096ef845a39fd8896dc7280afaf41d0ea0ea16644053

Filesize: 24KB
MD5: 15ad31a14e9a92d2937174141e80c28d
SHA1: b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256: bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512: ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: ed6024c0a374c92855ee4ffbd7d6271a
SHA1: 47bcc5e57ebef29a2ae4b9bf00d4a1516dac9183
SHA256: 95286303afcdf9cd9695c69332581b4c79234d6fde8c74aa85e8174927f09705
SHA512: 98d3e775efb4fa383d51e9079fc2f759d07dd09a50f69dd01f300e3ee902807544f53f93eee11fffd2fde228de93418b435474388aef049bb760f794f629cf3c