Analysis
max time kernel: 86s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2024 19:26
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1149469239963562126/1179827307142197278/H.UNBAN.rar?ex=65fc65ce&is=65e9f0ce&hm=25656e5edaecf764bb1819fa455683eccc742089880b3aa5d5b45fef24f0e52d&
Resource: win10v2004-20240226-en
General
Target: https://cdn.discordapp.com/attachments/1149469239963562126/1179827307142197278/H.UNBAN.rar?ex=65fc65ce&is=65e9f0ce&hm=25656e5edaecf764bb1819fa455683eccc742089880b3aa5d5b45fef24f0e52d&
Malware Config
Signatures
Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
-
Nirsoft 1 IoCs
Processes:
  resource                                                  yara_rule
  C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe   Nirsoft
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 20 IoCs
Processes:
  pid   process
  1948  AMIDEWINx64.EXE
  5400  AMIDEWINx64.EXE
  4016  devcon.exe
  2916  devcon.exe
  1028  DeviceCleanupCmd.exe
  1228  Volumeid64.exe
  1964  DevManView.exe
  3224  DeviceCleanupCmd.exe
  2088  DriveCleanup.exe
  2344  DevManView.exe
  5804  DevManView.exe
  5068  DevManView.exe
  3412  DevManView.exe
  3724  DevManView.exe
  4088  DevManView.exe
  1244  DevManView.exe
  3348  DevManView.exe
  3344  DevManView.exe
  3644  DevManView.exe
  2684  DevManView.exe
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description              ioc     process
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\E:  DriveCleanup.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\D:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
  File opened (read-only)  \??\F:  DevManView.exe
-
Maps connected drives based on registry 3 TTPs 48 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: DevManView.exe
-
Drops file in Windows directory 3 IoCs
Processes:
  description                   ioc                              process
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DeviceCleanupCmd.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DriveCleanup.exe
  File opened for modification  C:\Windows\INF\setupapi.dev.log  DevManView.exe
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid   process
  3512  sc.exe
  5352  sc.exe
  2016  sc.exe
  5004  sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: DevManView.exe, DeviceCleanupCmd.exe, DriveCleanup.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Kills process with taskkill 20 IoCs
Processes:
  pid   process
  1576  taskkill.exe
  2028  taskkill.exe
  1928  taskkill.exe
  1664  taskkill.exe
  4892  taskkill.exe
  3568  taskkill.exe
  1656  taskkill.exe
  5612  taskkill.exe
  2544  taskkill.exe
  5836  taskkill.exe
  220   taskkill.exe
  2812  taskkill.exe
  4936  taskkill.exe
  4692  taskkill.exe
  2428  taskkill.exe
  3344  taskkill.exe
  5348  taskkill.exe
  3952  taskkill.exe
  532   taskkill.exe
  812   taskkill.exe
-
Modifies registry class 1 IoCs
Processes:
  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings  OpenWith.exe
-
Runs ping.exe 1 TTPs 4 IoCs
Processes:
  pid   process
  712   PING.EXE
  5636  PING.EXE
  1672  PING.EXE
  1596  PING.EXE
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes: msedge.exe, identity_helper.exe, DevManView.exe, DriveCleanup.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
Processes:
  pid  process
  660
  660
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
Processes:
  pid   process
  1708  msedge.exe
  1708  msedge.exe
  1708  msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 7zG.exe, taskkill.exe, WMIC.exe
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes: msedge.exe, 7zG.exe
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
-
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
  pid   process
  1948  AMIDEWINx64.EXE
  5400  AMIDEWINx64.EXE
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
  1436  OpenWith.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
-
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1149469239963562126/1179827307142197278/H.UNBAN.rar?ex=65fc65ce&is=65e9f0ce&hm=25656e5edaecf764bb1819fa455683eccc742089880b3aa5d5b45fef24f0e52d&
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe08dc46f8,0x7ffe08dc4708,0x7ffe08dc4718
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  -
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17783500941788052965,9395716803341790671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\H.UNBAN\" -ad -an -ai#7zMap15510:76:7zEvent2678
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\activate.bat" "
  -
  C:\Windows\System32\findstr.exe
    findstr /rxc:".*" "activate.bat"
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe"
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\Taskkill_clean.bat" "
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat_Setup.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteLauncher.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicWebHelper.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService_x64.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\sc.exe
    sc stop BEService
  - Launches sc.exe
  -
  C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
  - Launches sc.exe
  -
  C:\Windows\system32\PING.EXE
    ping www.google.com -n 1
  - Runs ping.exe
  -
  C:\Windows\system32\find.exe
    find "Reply"
  -
  C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v EpicGamesLauncher /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /va /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\ControlSet001\Services\BEService" /va /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\BEService" /va /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
  -
  C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" /v "ComputerName" /t REG_SZ /d 2451 /f
  -
  C:\Windows\system32\reg.exe
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName" /v "ComputerName" /t REG_SZ /d 8848 /f
  -
  C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exe
  "C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exe"
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\H.UNBAN\hassoon\woofr.bat" "
  -
  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tzautoupdate" /v Start /t reg_dword /d 4 /f
  -
  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" /v Type /t reg_sz /d NoSync /f
  -
  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /v HiberbootEnabled /t reg_dword /d 0 /f
  -
  C:\Windows\system32\choice.exe
    CHOICE /C 123 /M "Enter your choice:"
  -
  C:\Windows\System32\Wbem\WMIC.exe
    wmic diskdrive get serialnumber
  - Suspicious use of AdjustPrivilegeToken
  -
  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "Spoofer.bat"
    -
    C:\Windows\system32\PING.EXE
      ping www.google.com -n 1
    - Runs ping.exe
    -
    C:\Windows\system32\find.exe
      find "="
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat_Setup.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteLauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicWebHelper.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im EasyAntiCheat.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im BEService_x64.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im EpicGamesLauncher.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\taskkill.exe
      taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\system32\sc.exe
      sc stop BEService
    - Launches sc.exe
    -
    C:\Windows\system32\sc.exe
      sc stop EasyAntiCheat
    - Launches sc.exe
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "SWD\MS*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe
      DeviceCleanupCmd.exe * -s
    - Executes dropped EXE
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DriveCleanup.exe
      DriveCleanup.exe
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "C:\"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "F:\"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "C:\"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Disk drive*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Disk"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "disk"
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Disk&*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "SWD\WPDBUSENUM*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "USBSTOR*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "SCSI\Disk*" /use_wildcard
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Drops file in Windows directory
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "STORAGE*" /use_wildcard
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Motherboard*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Volume*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Microsoft*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "System*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "ACPI\*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Remote*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
      DevManView.exe /uninstall "Standard*" /use_wildcard
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /SU AUTO
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /BS 250727731388926724
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /CS 29655140923191832306
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /SS 168608174177799446
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /PSN 10488159231641517330
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /IVN 292853116010859380
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
      AMIDEWINx64.EXE /IV 1875412722129216689
    -
    C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM WmiPrvSE.exe
    - Kills process with taskkill
    -
    C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM WmiPrvSE.exe
    - Kills process with taskkill
    -
    C:\Windows\system32\PING.EXE
      PING localhost -n 15
    - Runs ping.exe
    -
    C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
    -
    C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe
      devcon rescan
    -
    C:\Windows\system32\PING.EXE
      ping www.google.com -n 1
    - Runs ping.exe
    -
    C:\Windows\system32\find.exe
      find "="
    -
    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "MAC_change.bat"
      -
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        -
        C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
        -
        C:\Windows\system32\findstr.exe
          findstr [0-9]
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      -
      C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v NetworkAddress /t REG_SZ /d 067E41BCDB35 /f
      -
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic nic where physicaladapter=true get deviceid | findstr [0-9]
        -
        C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where physicaladapter=true get deviceid
        -
        C:\Windows\system32\findstr.exe
          findstr [0-9]
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\01
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\001
      -
      C:\Windows\system32\reg.exe
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001
      -
      C:\Windows\system32\reg.exe
        REG ADD HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0001 /v PnPCapabilities /t REG_DWORD /d 24 /f
      -
      C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv"
        -
        C:\Windows\System32\Wbem\WMIC.exe
          wmic nic where (netconnectionid like '%') get netconnectionid,netconnectionstatus /format:csv
      -
      C:\Windows\system32\netsh.exe
        netsh interface set interface name="Ethernet" disable
-
C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x3d4 0x2f4
-
C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 47b2c6613360b818825d076d14c051f7
SHA1 7df7304568313a06540f490bf3305cb89bc03e5c
SHA256 47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac
SHA512 08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize 152B
MD5 e0811105475d528ab174dfdb69f935f3
SHA1 dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256 c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA512 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize 186B
MD5 094ab275342c45551894b7940ae9ad0d
SHA1 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256 ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA512 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 6163b0fa2d4ff6d705b9fea8ebcf4adc
SHA1 aa7c018318e76d1bffcd711142c1f3b6f74959b3
SHA256 b366a67c1a98b53698a1fd36c2f4127bd8da12ff8fcc504e8a7f8cfde6b8c83f
SHA512 6f3194ab8c92229cca1b79c0c8d26db296798c44eb72c708ac1b347ede5d42a92614a51fbf950a94b42340083faad96b2444fc4df9b7f2c8f95c8124c3ae648b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 365c64268d9fab36de5a116b253332bf
SHA1 7bee9eb7e3e338d768551626ea6c6691440f0c0c
SHA256 f58c90592de3eb71e15b11984ac5f52829406e34987794c93f37b2ab2b0d2219
SHA512 e69d56d7cbacfa7e2b61987de69e0edf2d1bb2c266e631cfbaf58212b3a16af69c0de15da12850cf678202536b5df774b1be5871506069c5e20b95f85b197d1d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize 6KB
MD5 cb849447fb6a531ac79ba9c9f0d9cc4b
SHA1 15be358a435c6e3948111c3f564ac5b2f276f55e
SHA256 d62cfc577d595cdb546651848c51a519c908a50b17dd544fcddc9ab3b2fd4a32
SHA512 abf4e9b2b947b8c2d345996ba0b0c4f011cd6fdbbbfdb55190eccecd65e39857f2e82e9ed4418679568026f324d9dd6af1f4f8b56c5a0f2677855f7c7a425cd8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 9e89acc9a04a2c40727c18cfc10195c7
SHA1 860cbb87d5d3fa5c44c7cf4df48b2755f8747070
SHA256 4efe6f784c1eae8321ee81be82de06eb40be44e47fd0da62be35888d614d97a2
SHA512 886de5983d898e96af8eedc2e3fca83be3e8c8c831e8029ba7461e79d3fb7db44634e2479fa2b25e549329acd4030a11c60309d4c84b15efdbd28af6cf0f51b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 e5e615d3e470581f7b365a5b2c05ff37
SHA1 9c97fa79fb354eb3f4c87e527aebf35098b5709d
SHA256 613431ce766de22fd0be8ab30d62766536f40d88eba415e3420df9370f80ba12
SHA512 17efe8611b8aa35978075287d8c3c1b0661740d506bb942ca2e337f9794e2f861ce105fd242a23e9aa467abeb7de0b76ce9302d9fd1fbe8447fc336e18314aab
-
C:\Users\Admin\Downloads\H.UNBAN.rar
Filesize 1.4MB
MD5 2cb4bd68a80f76e8f52291ea89fd102e
SHA1 f5de6e6b1f03e4578c2abb83809ce4df359b5bf7
SHA256 f104186d24b5a10262a656778faf81cd17c13f43f29b9bc51a98fffc587a95c9
SHA512 46a8c21ae490b5670b3daad1a397e207cd46983e03384bd1e6734e522205c8335f029cd9879af5318922bcebf1b260a94428e66e4b1c9131d8657b306fe2e3d1
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\AMIDEWINx64.EXE
Filesize 451KB
MD5 f17ecf761e70feb98c7f628857eedfe7
SHA1 b2c1263c641bdaee8266a05a0afbb455e29e240d
SHA256 311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf
SHA512 e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DevManView.exe
Filesize 163KB
MD5 d22ceb6b43f721fe4e892fea6c8990e6
SHA1 3ad25b431280a0056579aeaacdf687bd8c3aa901
SHA256 9abdc7cdc19548ada451aee6caabe296957c050062991892e7d9787ff6e0bdef
SHA512 8c37d941c108172340697887529f3fdc430cdee31d1ff7501d4da7fa21183e8f02832651a99daa30908820b935798ae85e046374e70c1ea4802763edbe47ebc1
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DeviceCleanupCmd.exe
Filesize 47KB
MD5 8eae1aec5f34e4a8e04a60075bcfb0f8
SHA1 a9af1c4eb6fb61a17a813b3bc788fce10c920007
SHA256 5ad34a00b0e6d471e4e0684f9ac996aa82cf837735053de0da72c1137c18115d
SHA512 a7ff2c81eb0cd757885bf767a1dcaef6681180cdabe0d477c680bef77312c25f102964931e8d3708d85cbca92a02b00eb0e35203a25b0ce4a16712e455fc68ff
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\DriveCleanup.exe
Filesize 52KB
MD5 e7d7c120c21de434eb123392b515edd7
SHA1 bc54596c75064dd02ec95987075c0cc896cfbc73
SHA256 dfd1f048cf9eefe96a1266139d3683de86ed25346300a0392eb5b2c10f4c78d1
SHA512 a7c4e493f2aa08aec76ed0797664d9e2ae0f7d263f53d459b5561f0cec7f8d79ea309beac3c8c15638afd3027368da78497660e6b14794619719bdb377186148
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\MAC_change.bat
Filesize 1KB
MD5 707c798832f76eb383a0501b2773ec32
SHA1 3ebd0413af9929109ea0eb0045a2d26a256e771f
SHA256 940f3e68e62ad73c0668e854d821d88eacc8ea8fb8e130e42a34368ae9f5852e
SHA512 13e92ef958cfcc5686a2886b4a011f2287ec261028db0c6816d738eb715490d69ca37f8232e7bb3bebd5d49ce65bf4b9f55ae12d4af056bf569e5a1dba2f3da9
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Spoofer.bat
Filesize 3KB
MD5 f0b3b45759aca115f31f2aa16a942b6d
SHA1 5b0dbbfee935549167f2c89bdf8877ec61fb403d
SHA256 48ecb46f509169a6ab5a4c967fa8d9955b026478f3ab124c494b4eca1f79078b
SHA512 4f2a480c531385da8bf761ebc6c82b82ba9e293e770558c353b931009ba9bf57af184bb5b8de3df23fb1e707c06d431e0ada447c92b04214f5d6c92b3173089d
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Taskkill_clean.bat
Filesize 5KB
MD5 6393a0289b9433f86d7662aed91d5530
SHA1 71ccdaa7bc095221413dbe0ecdf6b91cee266f9c
SHA256 acfdb643c84ba2c9f95eb5e19690f3167a435b6500ca7d1abfc31b69a292e468
SHA512 f657c7dd117100b223d79f644e0dc19ead310bfb17cc7bbde218029792df3013a041c1aaaa82e20b51b5afcdee3db05a0925cd819d991f3872263f24b5065569
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\Volumeid64.exe
Filesize 165KB
MD5 81a45f1a91448313b76d2e6d5308aa7a
SHA1 0d615343d5de03da03bce52e11b233093b404083
SHA256 fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd
SHA512 675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\activate.bat
Filesize 48KB
MD5 7247693f4236683d94e7d5b867f69972
SHA1 6a290acb81301bf84b39558cb1abd84e196dc8fe
SHA256 477d70fbb9351a6aeea658c73ef35a4a53e09cb671d7b759e116a450239eaa87
SHA512 f8cbcfc1c5bad08bd99a27fdf2a643c846b82eef600da63e6279026d68e3c31b8ade9e5ee2faf6ba029874c05c6357f4514b2faf49b6ea3208e1b708374e9d64
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\amifldrv64.sys
Filesize 29KB
MD5 f22740ba54a400fd2be7690bb204aa08
SHA1 5812387783d61c6ab5702213bb968590a18065e3
SHA256 65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9
SHA512 ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\devcon.exe
Filesize 80KB
MD5 d153a0bc6f0476457b56fc38795dea01
SHA1 eb3c25afab996b84c52619c6f676d0663c241e01
SHA256 df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7
SHA512 6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\doh.txt
Filesize 117B
MD5 a627a5d62c1262e703458c27e542d4af
SHA1 354d900ca41e86e593c0706df4667b1db7da4c0b
SHA256 2d3a93ac80bad2c26b372ce26ff2877b6c877cce76cf8b97304717881d73dedd
SHA512 07ca857337c04364128c0ad4fc10b629c0352da2a52e1a064b5657586a844957b4383289596eb92396ca40fda82b80202a41107e4f3edcc3916822983fe053a8
-
C:\Users\Admin\Downloads\H.UNBAN\hassoon\woofr.bat
Filesize 3KB
MD5 0c3caee233fca2588514c1af719fa577
SHA1 0c3436441e3c9e42e5aeb112143a20d14655dbf4
SHA256 9c8d13731f3d75c8762e188a6980f72580fdba7109e7db22cf3bd300dd6c88fa
SHA512 9dfc9c9c6cac8f1651168d60d8acf5b8850ea60f65fa86b29ee455498ae9dc7547461b6f1006b89fa7ce5afabe1aaaedfdad923fb8b4c7c3c566d46de2d2a26f
-
\??\pipe\LOCAL\crashpad_1708_OJWIROKEWAAONCYL
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e