hxxps://gofile[.]io/d/Zw3n3m

Analysis

max time kernel
140s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Zw3n3m

Score

8^/10

defense_evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
3212	powershell.exe

Loads dropped DLL 1 IoCs

pid	Process
3996	nigga.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Powershell = "\"powershell.exe\" -WindowStyle Hidden -ExecutionPolicy Bypass -File \"C:\\Users\\Admin\\AppData\\Roaming\\HXQdfCnZAOPTmho.ps1\""	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
4504	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
132	ipapi.co
139	ipapi.co

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
5296	cmd.exe
5992	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2124	tasklist.exe
2172	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
5388	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000534faf642ebcda01dd76090034bcda014bac335d20c3da0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4760	msedge.exe
4760	msedge.exe
1468	msedge.exe
1468	msedge.exe
1028	identity_helper.exe
1028	identity_helper.exe
856	msedge.exe
856	msedge.exe
5160	msedge.exe
5160	msedge.exe
5224	msedge.exe
5224	msedge.exe
3212	powershell.exe
3212	powershell.exe
3212	powershell.exe
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
4948	powershell.exe
4948	powershell.exe
4948	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	tasklist.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	5388	taskkill.exe
Token: SeDebugPrivilege	2172	tasklist.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4948	powershell.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe
1468	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5160	msedge.exe
5224	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1148	1468	msedge.exe	82
PID 1468 wrote to memory of 1148	1468	msedge.exe	82
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4600	1468	msedge.exe	83
PID 1468 wrote to memory of 4760	1468	msedge.exe	84
PID 1468 wrote to memory of 4760	1468	msedge.exe	84
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85
PID 1468 wrote to memory of 1480	1468	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/Zw3n3m
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe11646f8,0x7fffe1164708,0x7fffe1164718
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1976,9279511015434011497,14610556380006241846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6076

C:\Users\Admin\Downloads\nigga.exe
"C:\Users\Admin\Downloads\nigga.exe"
1⤵
- Loads dropped DLL
PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1""
  2⤵
  - Hide Artifacts: Hidden Window
  PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\ProgramData\edge\Updater\Get-Clipboard.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dmlwjnqe\dmlwjnqe.cmdline"
      4⤵
      PID:5900
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES90D1.tmp" "c:\Users\Admin\AppData\Local\Temp\dmlwjnqe\CSCE84D71097C924E13A9B13C2BB42BCC4.TMP"
        5⤵
        
        PID:5540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  PID:4008
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2164
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,99,235,182,41,198,84,212,5,112,236,23,129,1,60,104,29,197,138,50,109,201,30,151,124,56,12,89,160,180,3,89,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,180,155,90,37,170,60,44,223,112,132,8,15,229,152,114,124,246,192,150,32,0,35,43,238,155,16,16,236,186,157,90,48,0,0,0,177,251,243,119,212,141,235,68,112,105,50,243,179,182,19,216,174,70,198,184,22,251,119,90,133,31,215,205,65,184,38,3,56,152,61,177,135,206,155,5,101,121,221,236,41,48,216,110,64,0,0,0,33,238,94,131,29,161,30,37,48,154,3,214,231,53,178,59,97,233,95,68,208,3,112,65,68,159,31,96,242,13,199,184,68,105,38,97,211,91,197,240,77,80,166,18,251,19,195,253,160,146,122,83,231,191,109,69,45,179,226,170,69,106,202,205), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:5296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,0,0,0,0,2,0,0,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,195,99,235,182,41,198,84,212,5,112,236,23,129,1,60,104,29,197,138,50,109,201,30,151,124,56,12,89,160,180,3,89,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,39,180,155,90,37,170,60,44,223,112,132,8,15,229,152,114,124,246,192,150,32,0,35,43,238,155,16,16,236,186,157,90,48,0,0,0,177,251,243,119,212,141,235,68,112,105,50,243,179,182,19,216,174,70,198,184,22,251,119,90,133,31,215,205,65,184,38,3,56,152,61,177,135,206,155,5,101,121,221,236,41,48,216,110,64,0,0,0,33,238,94,131,29,161,30,37,48,154,3,214,231,53,178,59,97,233,95,68,208,3,112,65,68,159,31,96,242,13,199,184,68,105,38,97,211,91,197,240,77,80,166,18,251,19,195,253,160,146,122,83,231,191,109,69,45,179,226,170,69,106,202,205), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,187,214,93,191,165,145,124,208,125,156,123,55,92,81,194,103,130,179,188,3,138,200,215,116,51,207,168,41,119,206,207,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,83,20,158,35,74,100,154,174,172,225,107,117,40,60,70,192,35,99,230,178,157,155,80,73,18,213,71,223,77,175,63,33,48,0,0,0,13,133,31,237,34,64,21,96,170,195,161,22,8,183,3,167,57,236,114,155,196,92,108,168,224,135,126,49,88,70,103,53,51,166,54,11,80,116,117,189,158,135,75,122,113,205,217,85,64,0,0,0,70,31,186,231,151,247,209,28,35,149,68,246,37,82,207,237,24,206,106,36,231,97,180,96,159,100,227,208,26,108,196,241,4,130,203,135,202,174,146,151,229,116,109,195,208,207,142,240,241,220,125,96,81,91,93,112,41,35,47,152,249,109,84,136), $null, 'CurrentUser')"
  2⤵
  - An obfuscated cmd.exe command-line is typically used to evade detection.
  PID:5992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,151,161,235,33,87,207,64,71,164,242,234,75,146,145,243,35,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,165,187,214,93,191,165,145,124,208,125,156,123,55,92,81,194,103,130,179,188,3,138,200,215,116,51,207,168,41,119,206,207,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,83,20,158,35,74,100,154,174,172,225,107,117,40,60,70,192,35,99,230,178,157,155,80,73,18,213,71,223,77,175,63,33,48,0,0,0,13,133,31,237,34,64,21,96,170,195,161,22,8,183,3,167,57,236,114,155,196,92,108,168,224,135,126,49,88,70,103,53,51,166,54,11,80,116,117,189,158,135,75,122,113,205,217,85,64,0,0,0,70,31,186,231,151,247,209,28,35,149,68,246,37,82,207,237,24,206,106,36,231,97,180,96,159,100,227,208,26,108,196,241,4,130,203,135,202,174,146,151,229,116,109,195,208,207,142,240,241,220,125,96,81,91,93,112,41,35,47,152,249,109,84,136), $null, 'CurrentUser')
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\edge\Updater\Get-Clipboard.ps1

Filesize
3KB

MD5
52cc110bb3777aa6bba7900630d4eb49

SHA1
3663dc658fd13d407e49781d1a5c2aa203c252fc

SHA256
892a9edb03db3fd88fecc1e1a2f56a7339f16f6734e8d77e6538ea2c8c9026d6

SHA512
89b80d2783e902d68ffd08b6f3fb1848ae6e6c4bf2d7a1e4afdac970b2ee6ffcc58116cdd6234e3d6278eb9413d36aafe62b5beca24a0846575d12af0c5112ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f48896adf9a23882050cdff97f610a7f

SHA1
4c5a610df62834d43f470cae7e851946530e3086

SHA256
3ae35c2828715a2f9a5531d334a0cfffc81396c2dc058ca42a9943f3cdc22e78

SHA512
16644246f2a35a186fcb5c2b6456ed6a16e8db65ad1383109e06547f9b1f9358f071c30cca541ca4cf7bae66cb534535e88f75f6296a4bfc6c7b22b0684a6ba9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0726cd1e-8031-4569-a730-c73226ced629.tmp

Filesize
11KB

MD5
f9882cf4c5e088130a3c2a54cc50646f

SHA1
65228ab059ac1d7b99e5586747eae7b4f40d323f

SHA256
73972098433eed1887336102ba597d3f94b5f95c6d496e2a67eef3d63b2e4277

SHA512
63c1ae2936928eb2c487b73642fdd857e4b83bd13a82eb5dc335c417ec979505bf561dee3a31f9c26193124f77f973664fdb52543ba7a07bedc029a4bf0be9d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
203KB

MD5
99916ce0720ed460e59d3fbd24d55be2

SHA1
d6bb9106eb65e3b84bfe03d872c931fb27f5a3db

SHA256
07118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf

SHA512
8d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
07e6366bfccaf90aeea09061c1a3fe75

SHA1
495771465dba114ef0ed6f479f8f99245a1c87a4

SHA256
0d5f6513b42f817d93a79267a110f92293ef34f27b81909fcafa269d63a228f0

SHA512
62970388b40e9968892dc2b1f52da6c63aa75117dd37416e9a3ed9ffb5330f95f016b6cd0548d0c7cd9a157e22bb9024961df1327466814ec17dfd7311506bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
a7780e6e26ebcd7d16d4924d2042f820

SHA1
adf4f5e5d4601a296228fffec26ce3a35445e210

SHA256
b949c80577841cd2ce428efab5668a48714a2dbae2e940ab0c5feeeb3cde9af3

SHA512
d6c5cbabf68f0a35712bde71db50f14d10e4daf4ac9437fe7d65c5737f7dc63544402099d78834d8480d092987f1d0e6d2da1daca9fb48ab360ec7d00308e216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
855B

MD5
79306736336a1c0e3f2215923751e15f

SHA1
aafd1cfa6e05b421ddd9c9903c3f4eadd95abd20

SHA256
63f862767e1942666d446ab47f02e342171c3580e2bc7ab7f2398be9759aee5f

SHA512
285334374b82b7d3602220eff34625a34f4788029e420f9067f0adb852cef58bc32653d1c3eb894fe05abf8ab65a90f76bc4b6acb0935f933c77d8a58586e6dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
44027a7aef2a4dbc1f26c028eef69b75

SHA1
ba9237d0cca14478b60317187d4d3ff105d9687a

SHA256
0e9ffd56bb0f6b5e2e95f8e11458aa03b0849ce2d34b5bf7e65dc311631245a7

SHA512
fb800c9bf4c343b462bce3ee631d4f5029cc74d40b03bb7183738b32ff94fc57ce7b94b5e96de8f6fe14c4405de0953fa6c77df55e2d707df31b6cee2ac1112f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2193bc989049a6f39d61f75ce4c5b4c

SHA1
83272fb46a655de3f98137784546d72e1ec37f72

SHA256
0bd7b5b8eee076f9eb5db0bcbd5ffe9ac12660037ddaadb3f72e2f54ff55e7d8

SHA512
b52b928cbdc55f684c6fca88129e50bb550d72f3ec095cf5a4fc7d8985759c36e367a6a95210c639b5461f3de77c3a16edcaeaa2a34d2398e3a699bb91c9f7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e3852545692cf81bd7299bebf1d8ed8c

SHA1
e5678db23c748a17d475809f99edacb4d17a3a54

SHA256
2f1b23cca488a6a6daf0060f28eaaa897b8b9ddefcbbd1fa3277cb3202b2568f

SHA512
df4c50c14a0834c2ca65b9d4e77e488b815376f02d91fd88376af7454f28740a46862898a45ef350afa4f11cdc6b5756e05f43203f0cb76b878c5870cfa32a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5346c18aeb7e0a67243de39cd15bcbca

SHA1
4fc8cbee174293494d626be7b9aeefa61d8b49e5

SHA256
0407b875b4f55194d6b9d2377383354ad2d7f470949a7bcb91d350187983a93a

SHA512
2e0f681655ec2f953eea3fe57f3a6bfcb7c292097561d9bcedd296557e3173d6477a0aab23bb19ae2fe225914f5f7add5acac262fbb596faa47030ffd354ca38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a058bde1920efcde188c5a44a618ea53

SHA1
009876f044b8791dd10274cc3797ea1094cfb8c2

SHA256
0a064aa98b6687cca0358dd9777af12d290dc1b465ba94ed05e6e56382d155a9

SHA512
4e9795c42af5c51058b8086ea47d83a6b4421e08817f482e6495f50947b5cfd76937c32291c6fcbdcab7bc038d0f6fcf757da65917e90b8d1c30573b8c3b0537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b5c3.TMP

Filesize
48B

MD5
3a3726c90dffe0a94b9e966697f7b2f8

SHA1
e3fa508d6d10b741a54893251e6f14c12ccb7804

SHA256
dc564cc30a56b3c2c165ec52278f3bb396b931fcf634b99896797be307f28610

SHA512
e65a7d7e0514d96bb7a4307eca57276eb1393eb45d08b5d093e5d090e09dea7f81f65ed917e4066a20fc1ae499e43ea60169fef59e297130c1a3af803e0a9e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
e47e4992077a854b0cdd28bb58174b33

SHA1
e993bf3fc7940649e8d2890c28c74331c76d529f

SHA256
a78337a162efe2a2434e237adb05393a6de55ac982f1b927dcc784c460b7696d

SHA512
89692288974a68445a022e0d665b74d6315c0d77136e2e71ad99c38661b40b3a148ff96594589333842fa0dd7a22b358313bf02cd6e5fffca3c1320b128e127b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5786e3.TMP

Filesize
531B

MD5
a4693e00badbc45562116a91359f8fb1

SHA1
9e6d74b158cf4cc346d37a405f7a2d10c5aff7a7

SHA256
a24f81750575c499b2ea578cc14c77452ef4a81448a16cb95a6aae48aea0fde7

SHA512
f5039f7eaf7043059032bf8209e8ecf72d83e6f027b55e707123a452ec0b9ec9f235f104057dbdae091645a35b99e13afb326ca19b811bbadbaa373f0d952434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
2d6bb352c5dfb9600cd0c1bdd3929a41

SHA1
75e2c2aa9fb8e6b927257a927927d84f823756e0

SHA256
9fe84bca11fc2f78518a47554d56c24df5211d899bc4610abb9c9c1cf96e77f1

SHA512
d3ebe068acfa26d386d7817027d9926895bcf187916e1b6b6b840f586312f0eb7e5694c90d061d572b0ac1f9e9753c7cdbd196ca3d1d0a3ccacb62881105111d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92100fda236297b4bbceddf31feb122c

SHA1
df83bf81dc3b186bb924626c0e99405074ddc29f

SHA256
1ea4c5a203c7bbe4ef54d9847bc6d02ad33c31e3384a713ff7b3e773767088ec

SHA512
ba246febbea583835217d7622b5baede2f58b99b791d636101a2a2c44b9a81764e9997cd3ac9a1b5cf3a7554288934bcf6c11809e645abaf2b9d48f5bcdb6167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2df025d13d06552ec72ae4f2a9e30fc5

SHA1
30cb829ec4284d2f0dda91f869c00ce1feabc7c7

SHA256
c78de4e3d7517668c769dfe5055ad9594a27b25e4285b31578025b978b357a8c

SHA512
6f5839a5c9aaf87b4c6cd44b8cae69f8757b9d88d27ee1bb4e457f5a90c14dd8b82dc83dc868092c6ce098c147e57db5d315d88afa748fdb3b575212fd175300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES90D1.tmp

Filesize
1KB

MD5
8d0a38b385816feb68b43b06055d0619

SHA1
791095eaa71901737307e2d86dcac7ae48ab2be8

SHA256
16ceea56e97e898e6dc4a2815badc35c7db149e7c78077311d0522ce8368a1dd

SHA512
0c508213ca0d52d7e58e83a17ee824e3fdf9bb2cf1f185e0cc6904cc8537fb1e7d411d93edb3918b1a8c80dd735ec2c8299304292a868f9ca2a0e66ffdbf145f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tnf4mdcm.lzh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmlwjnqe\dmlwjnqe.dll

Filesize
3KB

MD5
a58c6c5df3720121b943136165020755

SHA1
318ba6135ae44b393fd783430593331acd9d31fc

SHA256
2c61d42cee0d97c21e52d96035ec4519a536c2b480233f16203d606adec38a74

SHA512
c5b84c078aa0de9aaf1ee680fe157e803cdc573d873c01999cebc4d4f14c54a58d8d0c91869cc3f8cff454d1adeb255092db4f2dd7dc96af83c0ff1326c4aa37

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\ed50b7a14738309152b04f29fd25167df6b1ec72e784ab890290cf3b2bf17d2f\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node

Filesize
1.7MB

MD5
9565f317f636bc179fbd18bc32cab579

SHA1
e9ee53b2b541e5e4a37468a09420d7b1d9ce0373

SHA256
ed50b7a14738309152b04f29fd25167df6b1ec72e784ab890290cf3b2bf17d2f

SHA512
298e0ce5f2b6d84bee0e831d617f960b975429b492050d1bea99b3b72736b5cc6f6e91da33a842e045947cecb567f4bd0bfadeb521a1b55e9c90842b2876f83f

Download Submit
C:\Users\Admin\Downloads\nigga.zip

Filesize
25.6MB

MD5
81219febfae39d75c72e9fbcbfd15709

SHA1
d98b6a70d742805bc9b0193352d185eb50a8605f

SHA256
50dfc1689e4f2abb85315e0d8e7516a080fa0183bf9fc6c528bafc3312fce2c8

SHA512
a26f96255be64c479f6d25c9f5de5c9fa47d793aa22269c5e49664b577ecc775efec21527390187309337542ec38c4458e6740a8b8508228006929a58c5229e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dmlwjnqe\CSCE84D71097C924E13A9B13C2BB42BCC4.TMP

Filesize
652B

MD5
4da306a856c18aa3422623c8d372fc18

SHA1
d2e3b3750be0d30b32ba3422383932508140ba6c

SHA256
6d3fafe10f9b37760507718b5489e6b6c1d8459087fc5c47f6f3d4a23cdd77a9

SHA512
ae0ce4d73e9c1c080a9fc1c06615af0e07894cd6dd5ef9ff2e4101c1984da63acc7b6b8128ab67be56c6671ffbc1d6885538c7f272129175a065b7cdf593bc3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dmlwjnqe\dmlwjnqe.0.cs

Filesize
426B

MD5
b462a7b0998b386a2047c941506f7c1b

SHA1
61e8aa007164305a51fa2f1cebaf3f8e60a6a59f

SHA256
a81f86cd4d33ebbf2b725df6702b8f6b3c31627bf52eb1cadc1e40b1c0c2bb35

SHA512
eb41b838cc5726f4d1601d3c68d455203d3c23f17469b3c8cbdd552f479f14829856d699f310dec05fe7504a2ae511d0b7ffff6b66ceadb5a225efe3e2f3a020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dmlwjnqe\dmlwjnqe.cmdline

Filesize
369B

MD5
5ba5c417a84270b0e3aab3cbd06dd84b

SHA1
656afb0d50c41b2e765a979f002a31466e7b62a1

SHA256
889d3038fc3fdb9f8000d23117fda2467bae5faa2b80a635ef3f54ee0c26232e

SHA512
7f4bd5884daeb850acb3eca0fb0b6b8f864b2aeb2928a10f7a821bcecd193695b2cb1a96713ac19cae6cf6fd75c0cead9b26e3727964e9ffd5721bdecbdfa151

Download Submit
memory/3212-424-0x000001C0EB430000-0x000001C0EB438000-memory.dmp

Filesize
32KB

Download
memory/3212-400-0x000001C0EB3C0000-0x000001C0EB3E2000-memory.dmp

Filesize
136KB

Download
memory/3744-438-0x000001EC7D9E0000-0x000001EC7DA30000-memory.dmp

Filesize
320KB

Download