Analysis Overview
SHA256
637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69
Threat Level: Known bad
The file Runtime Broker.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Contains code to disable Windows Defender
Xworm family
UAC bypass
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
StormKitty
Xworm
Modifies Windows Defender Real-time Protection settings
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Adds Run key to start application
Looks up external IP address via web service
Drops desktop.ini file(s)
Sets desktop wallpaper using registry
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
System policy modification
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 22:02
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 22:02
Reported
2024-06-22 22:02
Platform
win7-20240508-en
Max time kernel
0s
Max time network
0s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
Network
Files
memory/1244-0-0x000007FEF6093000-0x000007FEF6094000-memory.dmp
memory/1244-1-0x00000000009A0000-0x00000000009B8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 22:02
Reported
2024-06-22 22:10
Platform
win10v2004-20240508-en
Max time kernel
437s
Max time network
439s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1892 created 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\servicing\TrustedInstaller.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
| N/A | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
| N/A | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635676035940172" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{69BCD917-86F8-4904-9E23-D373D7E88F71} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Runtime Broker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\whoami.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A |
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe
"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1020,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5052,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5060,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4680,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5496,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5504,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5992,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7fff6bb1ceb8,0x7fff6bb1cec4,0x7fff6bb1ced0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1896,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4168,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4164,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3412,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8
C:\ProgramData\Runtime Broker.exe
"C:\ProgramData\Runtime Broker.exe"
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" start TrustedInstaller
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" qc windefend
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
C:\Windows\system32\whoami.exe
"C:\Windows\system32\whoami.exe" /groups
C:\Windows\system32\net1.exe
"C:\Windows\system32\net1.exe" stop windefend
C:\Windows\system32\sc.exe
"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4748,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4188,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:8
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | medical-m.gl.at.ply.gg | udp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 104.90.25.175:443 | www.microsoft.com | tcp |
| US | 2.20.12.87:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | 175.25.90.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | update.googleapis.com | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-mobile-static.azureedge.net | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 13.107.246.64:443 | edge-mobile-static.azureedge.net | tcp |
| GB | 216.58.204.67:443 | update.googleapis.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 8.8.8.8:53 | edge-consumer-static.azureedge.net | udp |
| US | 13.107.246.64:443 | edge-consumer-static.azureedge.net | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 147.185.221.16:28857 | medical-m.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
Files
memory/1892-0-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp
memory/1892-1-0x0000000000D50000-0x0000000000D68000-memory.dmp
memory/1892-2-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp
memory/1892-3-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
memory/1624-10-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i24mp0pt.z0d.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1624-4-0x00000245746B0000-0x00000245746D2000-memory.dmp
memory/1624-15-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
memory/1624-16-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
memory/1624-19-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2b453e11296c30377ad61a79aaaa8028 |
| SHA1 | d24b574a09a27eafae2cb1f424152889c0626c50 |
| SHA256 | ecb67197af6883787011beb002c314c2cc8131bf324246e18bf9fc00a25cb29d |
| SHA512 | 5f6eb836692c95454f89b1f723a737a51554ca49dfd8e2b8b377a09bb36cb40c99b89f0d261e990a8a0a1011c816d22f25083b746a5030a2863cf9a8d87491fe |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 51cf8df21f531e31f7740b4ec487a48a |
| SHA1 | 40c6a73b22d71625a62df109aefc92a5f9b9d13e |
| SHA256 | 263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d |
| SHA512 | 57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368 |
C:\ProgramData\Runtime Broker.exe
| MD5 | 89af2aaffc3ddda07a0fc977c8bb2236 |
| SHA1 | 412bd5812599d5729a51d0350df48030b0d04e1a |
| SHA256 | 637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69 |
| SHA512 | 8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae |
memory/1892-60-0x000000001BFF0000-0x000000001C0F2000-memory.dmp
memory/1892-62-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp
memory/1892-74-0x0000000001520000-0x000000000152A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/1892-104-0x0000000001640000-0x000000000164C000-memory.dmp
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
| MD5 | 501fbe06fcba4ced4f744f475dc4c7d2 |
| SHA1 | be1b6bd6267a332fe2ae535e3c290d2e899e215e |
| SHA256 | cde3d2832d11e8382ace0cd53be2fa954f30221d6e8cf614caf2efe9034eed88 |
| SHA512 | 3768b2837da91b90840852caa469c8075ce635520fef97d15d112b294153a318f6cc420861348c4769241663673f26ab997e389dab7e6603fbd5a3993155bf98 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 117988eb2b31d0c2015a483bf61588b7 |
| SHA1 | 1aa6bf0e0209bf6f4288c08be12d69b448d0ecb6 |
| SHA256 | 4932d61d7c23514f5c7a74743dafaa9ee5db0eaece3107530dd834653b86f047 |
| SHA512 | 2e6a8abc59957395eb94c2bacb43c09bc1c13f6ed4b0a80764de894b85dff76f9ffb6afc5ca01ba0fdb0a8f02b30c43300bec11515069485508986f85ec5c5cb |
\??\pipe\crashpad_4692_IVAVNKZJCYKMRLAS
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
| MD5 | 99914b932bd37a50b983c5e7c90ae93b |
| SHA1 | bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f |
| SHA256 | 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a |
| SHA512 | 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | b54b80cccd9e3b25fde218a7b5313f14 |
| SHA1 | 7571c576ebb3f1b182a905bdafa0d0d2274549d1 |
| SHA256 | 846bad830a6dafa0a8cbcaaef67b7d74ec160ef114478ad9571a6b795faa980f |
| SHA512 | 622f8aa11dbb7893dfaed457231a3092d5981dc419fc37f96112f0b4730f6e4468f3119e21392c439b06fc5147bb5f921303ecddc3d2eda478230ade558ba5ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9a0c2787a91d39480bef18a05cd50b53 |
| SHA1 | dc3604bb685d15eaffd20127694fba9ef9a2dff0 |
| SHA256 | 85b6b7c2bdba24ee39a00399e75ffdab660509b7b686273add96766ce63fc692 |
| SHA512 | 5d3722e6a26a1c72838fa1e800db2daf9aadd5eb075686ef822ed97a552595a4eaf68a2856b8f5f657d53f350e30d6be39ec93c273d2983b439cb035d6fb83c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 53d7e1dcc5a398139f220a06802a9850 |
| SHA1 | 7a06bb479fbd7b6fcb145278cf149410edc34053 |
| SHA256 | b50b8ae9c37d6a6afaec1a8baec6dd694a1b433aa97bcde428bb9e37b097e922 |
| SHA512 | 379088324b6c35f13436c08679c5d5560c6b860041408cdd05136e83fb5d0089709c008b1b74a789286f101752555ad91ebf38ec5794851e228b168803d729c4 |
memory/1892-861-0x0000000002FF0000-0x0000000002FFE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 756d83c73e203dd0d3630514fe4e6a35 |
| SHA1 | a2c0acac3820c54514e784549e879a5b32bdda93 |
| SHA256 | 73856d651faa39a92084b974fa5c01efc7285c0e9569ddff9f997a9268bdec90 |
| SHA512 | 7c3f3e7eefe00545f41946c437091e88817db70bdeeaaf292a6af0b098ffc82777b320e7f65631b1e469dcc5b088cccf5f252f05703f306e9f9e70696337256b |
memory/1892-896-0x000000001C560000-0x000000001C56C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | fd98baf5a9c30d41317663898985593b |
| SHA1 | ea300b99f723d2429d75a6c40e0838bf60f17aad |
| SHA256 | 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96 |
| SHA512 | bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0 |
C:\Users\Admin\Desktop\desktop.ini
| MD5 | 9e36cc3537ee9ee1e3b10fa4e761045b |
| SHA1 | 7726f55012e1e26cc762c9982e7c6c54ca7bb303 |
| SHA256 | 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026 |
| SHA512 | 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790 |
memory/1892-944-0x000000001CD00000-0x000000001CD0A000-memory.dmp
memory/1892-950-0x000000001C730000-0x000000001C73A000-memory.dmp
memory/1892-952-0x000000001D6F0000-0x000000001D6FA000-memory.dmp
memory/1892-954-0x000000001D700000-0x000000001D70C000-memory.dmp
memory/1892-956-0x000000001C440000-0x000000001C47A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpEE2.tmp
| MD5 | 1b942faa8e8b1008a8c3c1004ba57349 |
| SHA1 | cd99977f6c1819b12b33240b784ca816dfe2cb91 |
| SHA256 | 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc |
| SHA512 | 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43 |
memory/1892-963-0x00000000202B0000-0x00000000203CE000-memory.dmp