Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 144s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 15:00
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://goo.su/xQHo
Resource: win10v2004-20240709-en
General
Target: https://goo.su/xQHo
Malware Config
Extracted
Family: redline
6951125327
https://t.me/+7Lir0e4Gw381MDhi*https://steamcommunity.com/profiles/76561199038841443
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
resource                                                                      yara_rule
behavioral1/memory/3240-472-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
Command and Scripting Interpreter: PowerShell 1 TTPs 42 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid   Process
2172  1720969296877.exe
4104  1720969335043.exe
4164  1720969336975.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext 3 IoCs
description                          pid   Process            procid_target
PID 2172 set thread context of 3240  2172  1720969296877.exe  135
PID 4104 set thread context of 864   4104  1720969335043.exe  183
PID 4164 set thread context of 4200  4164  1720969336975.exe  187
Enumerates system info in registry 2 TTPs 3 IoCs
description        ioc                                                                    Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies registry class 1 IoCs
description  ioc                                                                                 Process
Key created  \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings  msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid   Process
1920  msedge.exe
1920  msedge.exe
1920  msedge.exe
1920  msedge.exe
1920  msedge.exe
1920  msedge.exe
1920  msedge.exe
Suspicious use of AdjustPrivilegeToken 37 IoCs
Suspicious use of FindShellTrayWindow 49 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 4 IoCs
pid   Process
4764  javaw.exe
2768  javaw.exe
4204  javaw.exe
3540  javaw.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

PID 1920  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    PID 3420  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4c4c46f8,0x7fff4c4c4708,0x7fff4c4c4718
    PID 2736  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    PID 4824  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    PID 1528  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
    PID 4884  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
    PID 4328  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
    PID 1216  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
    PID 3472  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 4400  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    PID 4360  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    PID 2624  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
    PID 2508  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
    PID 4076  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
    PID 1948  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
    PID 3104  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

PID 632  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 5060  C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 4400  C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

PID 3344  C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
  cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"
    PID 4764  C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe
      cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of SetWindowsHookEx
        PID 4608  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 2220  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        PID 1896  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 3344  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        PID 4600  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 2772  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        PID 5004  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 1236  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        PID 2456  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969296877.exe"'}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 1652  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969296877.exe
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
                PID 2172  C:\Users\Admin\AppData\Local\Temp\1720969296877.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\1720969296877.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    PID 3240  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      - Suspicious behavior: EnumeratesProcesses
                      - Suspicious use of AdjustPrivilegeToken

PID 2688  C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
  cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"
    PID 2768  C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe
      cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of SetWindowsHookEx
        PID 4056  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 1520  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
        PID 3788  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 2632  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 1120  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 632  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 1364  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
            PID 4916  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 2600  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969335043.exe"'}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 4512  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969335043.exe
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
                PID 4104  C:\Users\Admin\AppData\Local\Temp\1720969335043.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\1720969335043.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    PID 2128  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    PID 1444  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    PID 864  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      - Suspicious use of AdjustPrivilegeToken

PID 1832  C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
  cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"
    PID 4204  C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe
      cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      - Suspicious use of SetWindowsHookEx
        PID 3536  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 220  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 436  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 3464  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 856  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 2408  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 2772  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 1988  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
        PID 4012  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
          cmdline: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969336975.exe"'}"
          - Command and Scripting Interpreter: PowerShell
          - Suspicious use of AdjustPrivilegeToken
            PID 3304  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969336975.exe
              - Command and Scripting Interpreter: PowerShell
              - Suspicious use of AdjustPrivilegeToken
                PID 4164  C:\Users\Admin\AppData\Local\Temp\1720969336975.exe
                  cmdline: "C:\Users\Admin\AppData\Local\Temp\1720969336975.exe"
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                    PID 4200  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                      cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                      - Suspicious use of AdjustPrivilegeToken

PID 4296  C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe
  cmdline: "C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"
-
C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher2⤵
- Suspicious use of SetWindowsHookEx
PID:3540 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exePowershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4368 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\4⤵
- Command and Scripting Interpreter: PowerShell
PID:972
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exePowershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring4⤵
- Command and Scripting Interpreter: PowerShell
PID:4900
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exePowershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4468 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection4⤵
- Command and Scripting Interpreter: PowerShell
PID:692
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exePowershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4240 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring4⤵
- Command and Scripting Interpreter: PowerShell
PID:4224
-
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMerge.jfif" /ForceBootstrapPaint3D1⤵PID:3184
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵PID:2976
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:2372
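The process tree above is a compact Defender-tampering chain: a 32-bit PowerShell launched from the launcher's bundled javaw.exe relaunches PowerShell hidden and elevated (Start-Process -WindowStyle hidden -Verb RunAs), the elevated child adds a C:\ exclusion and tries to switch off behaviour monitoring, IOAV and real-time protection, and a further hop starts the dropped 1720969336975.exe, which in turn spawns an argument-less RegAsm.exe alongside a SetThreadContext signature (the RedLine payload in the Signatures section is found in memory, consistent with hollowing). Two practitioner caveats when turning this into detection: the image path is C:\Windows\SysWOW64\...\powershell.exe while the command line names System32, because WOW64 file system redirection rewrites the path for a 32-bit parent, so match on the basename rather than the full path; and Set-MpPreference's Disable* parameters are Boolean rather than switch parameters, so the three Set-MpPreference invocations as captured, which carry no $true argument, should fail parameter binding, whereas the Add-MpPreference -ExclusionPath C:\ call has no such defect. A detection therefore keys on the attempt, and whether the host's Defender state actually changed has to be verified separately with Get-MpPreference. The following is an added example, not part of the tria.ge report or of any project it describes: three rules run over process-creation records in the shape of Sysmon Event ID 1 / Security 4688. The sample events are constructed from the command lines in the tree; parent images for the two benign control events (explorer.exe) are assumed, as is the list of .NET hollowing hosts beyond RegAsm.exe.

```python
# Added example, not part of the tria.ge report: detection logic for the
# chain in the process tree above, run over process-creation records in the
# shape of Sysmon Event ID 1 / Security 4688 (image, parent image, command
# line). The sample events are constructed from the captured command lines.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # image path as the kernel reports it (SysWOW64 for 32-bit)
    parent_image: str
    cmdline: str


# Add-/Set-MpPreference parameters that add exclusions or switch a layer off.
WEAKENING_PARAMS = {
    "-exclusionpath", "-exclusionextension", "-exclusionprocess",
    "-disablerealtimemonitoring", "-disablebehaviormonitoring",
    "-disableioavprotection", "-disablescriptscanning",
}
MP_CMDLET_RE = re.compile(r"(add|set)-mppreference", re.IGNORECASE)
# A PowerShell parameter token: "-Name" not glued to a preceding word/path
# character, so "Add-MpPreference" and "v1.0\powershell" do not count.
PARAM_RE = re.compile(r"(?<![\w\\/:.])-([A-Za-z]+)")
EXCL_PATH_RE = re.compile(r"-ExclusionPath\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
HIDDEN_RUNAS_RE = re.compile(r"-windowstyle\s+hidden.*-verb\s+runas", re.IGNORECASE)
PS_NAMES = {"powershell.exe", "pwsh.exe"}
# .NET utilities commonly used as hollowing hosts (assumed list; RegAsm.exe
# is the one in this report).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def image_name(path: str) -> str:
    """Basename, lower-cased, so System32 and SysWOW64 copies hit the same rule."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_tampering(cmdline: str) -> list:
    """Weakening Defender parameters present in a command line (empty if none)."""
    if not MP_CMDLET_RE.search(cmdline):
        return []
    params = {"-" + p.lower() for p in PARAM_RE.findall(cmdline)}
    return sorted(params & WEAKENING_PARAMS)


def has_arguments(cmdline: str, image: str) -> bool:
    """False when the command line is nothing but the (possibly quoted) image."""
    return cmdline.strip().strip('"').lower() != image.lower()


def user_writable(path: str) -> bool:
    p = path.lower()
    return p.startswith("c:\\users\\") or "\\programdata\\" in p


def analyze(events) -> list:
    """Return (pid, rule, detail) findings for the three behaviours in the tree."""
    findings = []
    for ev in events:
        name = image_name(ev.image)
        params = defender_tampering(ev.cmdline)
        if params:  # rule 1: tampering attempt; success is not required to alert
            detail = ", ".join(params)
            m = EXCL_PATH_RE.search(ev.cmdline)
            if m:
                detail += f" (exclusion target {m.group(1)})"
            findings.append((ev.pid, "defender_tampering", detail))
        if name in PS_NAMES and HIDDEN_RUNAS_RE.search(ev.cmdline):
            # rule 2: PowerShell relaunching itself hidden and elevated
            findings.append((ev.pid, "hidden_elevated_relaunch",
                             "Start-Process -WindowStyle hidden -Verb RunAs"))
        if (name in HOLLOW_HOSTS and not has_arguments(ev.cmdline, ev.image)
                and user_writable(ev.parent_image)):
            # rule 3: argument-less .NET host spawned from a user-writable path
            findings.append((ev.pid, "hollowing_host_no_args",
                             f"{name} spawned by {ev.parent_image}"))
    return findings


PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
JAVAW = r"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\1720969336975.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed sample: captured command lines plus two benign controls whose
# parent (explorer.exe) is assumed.
SAMPLE_EVENTS = [
    ProcEvent(3536, PS32, JAVAW, '''Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\\' -Verb RunAs}"'''),
    ProcEvent(220, PS32, PS32, PS_CMD + " -Command Add-MpPreference -Force -ExclusionPath C:\\"),
    ProcEvent(3464, PS32, PS32, PS_CMD + " -Command Set-MpPreference -Force -DisableBehaviorMonitoring"),
    ProcEvent(4164, DROPPED, PS32, f'"{DROPPED}"'),
    ProcEvent(4200, REGASM, DROPPED, f'"{REGASM}"'),
    ProcEvent(3184, r"C:\Windows\system32\mspaint.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMerge.jfif" /ForceBootstrapPaint3D'),
    ProcEvent(9999, PS32, r"C:\Windows\explorer.exe", PS_CMD + " -Command Get-MpPreference"),
]

if __name__ == "__main__":
    for pid, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"PID {pid:>5}  {rule:<26} {detail}")
```

Run against the sample, the rules fire five times: PID 3536 on both the tampering payload inside its ArgumentList and the hidden elevated relaunch, PIDs 220 and 3464 on the exclusion and the DisableBehaviorMonitoring attempt, and PID 4200 on the argument-less RegAsm.exe under the dropped executable; the mspaint and Get-MpPreference controls produce nothing. Rule 1 deliberately inspects the outer launcher's command line too, so the alert does not depend on the elevated child being logged.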
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 67B
  MD5: 74e354b69585b87adebc263d86cb7673
  SHA1: 92a5b64966c372e7ed2b348623ba8e9fa84fdcb9
  SHA256: 1675788753244a7d170017019f28fcc833d49995589fa34fd1e3184f4727c0b0
  SHA512: 8f9832488cffb17a2ce07b29de9266796d5e9a88919fe5dc25f87046711bbf6e5ab51413028a703a73d0ceed2a247bd39b704023ac4740f0a4d19cbe25179b21
- Filesize: 67B
  MD5: f0fe7f95c45aad1cdb55c9be1a16a5e0
  SHA1: a145ef6d4a02438983a43b6efd0274a965af52ec
  SHA256: 5e6e7a86598d0c1f611e042ff5ce1b174343407468036b587df632aa1d64b8bd
  SHA512: 2831e7b78454e1d3286d9de8df93556fb020417dc053bb68dad8f3cd3b20c6a4b1054bf05200a9b30840d77d1a0c00cfe951314d85d34ab4abfb3a7cf6d6b9c8
- Filesize: 1KB
  MD5: def65711d78669d7f8e69313be4acf2e
  SHA1: 6522ebf1de09eeb981e270bd95114bc69a49cda6
  SHA256: aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
  SHA512: 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
- Filesize: 2KB
  MD5: 20c0948d38ba44dd4c8c568b1d698784
  SHA1: 22cc5a382f63c25a3638abc7c76facddda5b0407
  SHA256: 99fe0596d2cbb8e5acda213928a3b1a1d54d48fb622c2fd7f832e82f413e08c3
  SHA512: b8b0819e10d81f66f30e3375932d7e8c44bab5eaefdf6232930efe1cda306b7811b4c44616c96622d995ae77788ad8f3a2b78f4d45090adfdb122af368deeb98
- Filesize: 152B
  MD5: eaaad45aced1889a90a8aa4c39f92659
  SHA1: 5c0130d9e8d1a64c97924090d9a5258b8a31b83c
  SHA256: 5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b
  SHA512: 0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4
- Filesize: 152B
  MD5: 3ee50fb26a9d3f096c47ff8696c24321
  SHA1: a8c83e798d2a8b31fec0820560525e80dfa4fe66
  SHA256: d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f
  SHA512: 479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5
- Filesize: 20KB
  MD5: a469d26ac021d18b583a61619d1119e8
  SHA1: e9413fa89c5508ebc9add8423086284d22666043
  SHA256: 2651e4f91e993b0583e77837c652718ab749a42cb559743e91d5f6c002f008a7
  SHA512: a546c8968f3adf636163b276ae107a20958eac28231a069cce7452a4fa74064f7345f0a05d865aaeb88a9fedbb7b606ec7bd5e90a8b3d463634f4228df3a08bf
- Filesize: 250B
  MD5: f59173bd6bae4225216d91afe48b6017
  SHA1: 9231eee8b25e96dcc0d58267cab3cc12130b82d9
  SHA256: 00f46a4416df2f1d9af4fdf0fe9765ae0fa62fa34c590243b002da927d1ba9dc
  SHA512: c17a4d40f409dc874fd77b0e9fff36602fb7cc640868ee877a12819e01169fac3a15fdf21a9d06a128c2352046c6d9545b51544b7997c2123a9d2c8bac88cc7b
- Filesize: 6KB
  MD5: 81dc5d88ce89ba3042806366bb90dd73
  SHA1: 5480a69d2c0cd74cd9d1874dbcae8e58750ae3e7
  SHA256: f1aa6054bf855f6cc3b317020b74d93833cabb0641f48c65eede4e72f6d7c187
  SHA512: 3b4b68d205bf58a7d4efd5a8916476a50252e6924571eac81b7095feb32576085ea321e94af1938df822f8e1f3433d0272c5fea7c80e979f52cc386e2cee1a08
- Filesize: 6KB
  MD5: b4dc20e873401fa648069e1329adf510
  SHA1: b997e893fd9ab08f2863d6b680d20ea9c0020662
  SHA256: e1406c84954726bb14c9a6c6a0c5298c0a30c2a32ac67d800b05f1b22431c0c0
  SHA512: 20cac4934df329423cb0135c1e54ddc8b5205ec5df8dec16133f445872d3a9244789337983c4fdfcb08b5f76dd27b9a01a988480689f6b8ed3e57bcd62586e79
- Filesize: 6KB
  MD5: c4b7cf02010c591b5b999dccf0bc7201
  SHA1: 50f8c6b6977fa3c1c964e222fae45b58a40c704b
  SHA256: 6b5268dd2c91335b45492d142fc7dc0fda8f76e0c12470a2209e8df74e6ddd0e
  SHA512: b64e0743ea9284e7d24954f1bd442bbac08be387f7d61cfab754fb0254f9506e3b5a81fd3a0aeb5cb2af6dde3245a7931c2f17b3e5b19ee386bf94443fe82d3a
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 11KB
  MD5: b6624e80eeba3a193a4e44d7093519ee
  SHA1: 0929c0becbb91932d32539c7819fd0225ad24776
  SHA256: dba36219eaaa6f531184f0247b860c8309ebe0f3b188a3e6ba8c079ec6048c50
  SHA512: 0e0d882f6cd6a2eb2617fad43103d255b648d05c8a2296f0bf63388627e227bc814e16a6d9794ca343bf8f059a34ef54b513b46a2393c4edbf55053c8c710bf8
- Filesize: 11KB
  MD5: c7710f53ad2471796642f4bdfdcd2796
  SHA1: 747c7219363ec879699e25cf04fe42cbb10f3715
  SHA256: 410f23b373d28bf40b8d279c5a72f57d3494455c9288c370eda5e1083ca685e4
  SHA512: a4d52fc989b1c84c1b6b385f2602ebfd4f22c7114e7aba19b5db0e734a10a9263b0abeacb5cac00e07424b5b3e3d1dfd49ae7fb2e31f61196be9da2db789dac6
- Filesize: 15KB
  MD5: ad926630b47d59c0f6ad9f56e6db904d
  SHA1: 78809111dd6c407cfe6616f4a74cc9233c016771
  SHA256: 61122eaec7ef6320a7b9174a605a21ac3102bff1979708c5f710014bb844b57e
  SHA512: d2d9c1cd06467e87a4ae4c2690def36763d3538f38b0561ed185115dc34e6d167c418bffe393f7bfcf2227c7de570f794e1e30f4d5ac9027f1c70f4412f10cd2
- Filesize: 15KB
  MD5: ac205228ff27771704fa68d2836395cb
  SHA1: f3b6d12f39158df843bced074e82d7a1fbebb8e1
  SHA256: 17df09115c93658609603b5a7ee68acdebf5ed98b44b2e3a6c9e7193b83c1d4f
  SHA512: c6c48f58537c3e5a318a6a31d8d4faa9f418733da7af5c41a60b16fdf173a12822d09032ca3d1495c9022987898ae9f8196c22eca6139869bba9c4bef57fa344
- Filesize: 15KB
  MD5: a7e8b8c587c5023316d6298595112f28
  SHA1: f80f4121b2e3edd2414df31a3e3096d7f9b44394
  SHA256: d4f54f8a84c61c5e30110d61bd29b605c29f6d0a8f35a9bd2340e7dca3ae062c
  SHA512: 666fc1216dd59ffde10dfb3b3f732b79f73e3014ebb21d693f09d5fa6c4e932bc8443f8f6b0589df5629b5d70927dc9c278764c0e23148e4015222efacf41c5a
- Filesize: 15KB
  MD5: 134eb7500985101cfe276e162ccf4f05
  SHA1: eba60bfb7fbfaede090648f24632a13ff6320c00
  SHA256: 47d1fc7d2056a57e16e267bae8afa259cb3a28dc2db2ce865047b326338ccc79
  SHA512: de23c9d7f7c3d19570d822bd39866c999a1efc9e6f470e3f65a1c38cc0031d1d0081233fbef0270734983adf55ea10535629f96916090efe446c174ab8f29c1a
- Filesize: 15KB
  MD5: 1417aab1b82a6865ee2c65a5a44e0aa6
  SHA1: fb36091d46d582f2502f9aff9c41435a7adf974b
  SHA256: e825a54cfc1db3490f9ffac942a07536a10bf5984685fa305bfe27b9c38104c7
  SHA512: 37dbb8c0ad47e5888bc84bd03486ae08654c5f0996e950528ffb60518efcaccdc9a458265fffaf0ee09a47e196ecc18766d0c9dca139bd9530e63e61da16d358
- Filesize: 15KB
  MD5: 4e8c2298774e417b75f0df595a4e1377
  SHA1: 4142b0609a073026e55cab0f1241446bf256146d
  SHA256: 52d03681c670313e96984f86811c6715c4f13b0173bd04311d367469c9964a5a
  SHA512: dddcc805152fd8d64b3591c1c01cc193ae3840632d5500253b6f741365d9ca4b1b6426ded6f6d7fe3ddd6fa38ee350ff3dca692cce41671283075b64557bd5a8
- Filesize: 18KB
  MD5: d780609e2825f5b27b654f2b97564988
  SHA1: 7013d9066b9e8b0d67143d59f16e57242941f652
  SHA256: 92c2459b457084788cd2abd0a5722b525f62c0ceffe8b8ec158024891608a914
  SHA512: 13385f2aed8dd1bd12f073e5ace1199a2cb9c3dfc80c6dbe32ba4ca6f3c75651d260c1f958f62e9caa8419a0276465ea3a05c1beccee7a85c303579c7c85e644
- Filesize: 18KB
  MD5: 11e4bc429dec74ebeba7bbbeee799cfc
  SHA1: 521049b2bf36718d887a2e917fad688709a90e79
  SHA256: 1389ca2afe34accb47ab28b64b287d2dde18341693d5f4bfef361876b8931745
  SHA512: bbd2fe9b90d29b36fd039f5fee2e0cb24ad4690d62f44b7259d344250f7152c72d77c3d31c459bae152d30359242d2f08bc63a237c9179367a28455ecb1c7da7
- Filesize: 18KB
  MD5: 812c94ef4c31f67e44b6854bf1cb07be
  SHA1: 47e88a947082d9d5eedcd530b4936cbe6acf785f
  SHA256: bd6e2f6aea65ca57b2dc22130b71b0f5c92dd88c778424fb621c63ea4653ecb8
  SHA512: 209a0a6f1bbe8182511e5d1bcec0c705165291da1546636dce57e3a094612129e6523e132354dca9e06b5a12df72ed8e4a1bd60ef53a37df79de679ba822cccb
- Filesize: 15KB
  MD5: d0fd0b0a406b490c179b2dc8947dcdd8
  SHA1: 887e28e0a29a1fca64a99b70989bc06ca33120ef
  SHA256: 916d7a4f0183030a875d33f84c8b1f1965eae6cd7c80656b531b1258bcef7a51
  SHA512: 419a4ce4ea8bf238d701377721e8044ff529323e105c5ba2059fa4d206ca5290f74ef134989268cd6edad2db546a3a8ee9390be72e9badcdcb0f59149298f7d3
- Filesize: 15KB
  MD5: fcb59689520be3a3fea58203ed6419aa
  SHA1: 14eec3cfccc86da3ac8218b9290dd248c4a23e9d
  SHA256: 6fe1b88053c6a4b7f0f296340e56e370131f6517dfd8f37ecb2a1bae3f546781
  SHA512: e5fa60e1119fb860d383c123b2b58e75744308c4450ff07f316e21f3d91241f41486d779c407ca20e781d5b21ba877af3bf69b9fe60fb139fe2c4d762369c975
- Filesize: 18KB
  MD5: 2d2d458b0ebcfe582c0bd628b82c054c
  SHA1: 12cb67d1ba9558716226509901a8704c297f7e16
  SHA256: 13950741a6cedee1cb8159f3af5e997982d11c69d2af24d0cc6da33b94680cc8
  SHA512: d6ce6eb18f87626adef0db48f429136746627a8db1521ec8e957e92fec276d8eaa1039322c6d42c0ab42b45cb9f69e5a1a876d598abb9d3b2fa91f845b1aa898
- Filesize: 18KB
  MD5: ee348cca93335ce22852a494cc41f5c2
  SHA1: 26280227f1945782b68820cd23652cd3ea0a46a4
  SHA256: a7f4e550665b98acf0dc0eb51127f9ac22139ffb7274265309828ba6880911e9
  SHA512: 94f7e5850c65aa8fc402e9ee7fbeacca2b09f35cb6f131cb405436aee47d2ad2cfda9a591a81b33e297a9f2ac50414b42df0ed159b72cbea703307735744f344
- Filesize: 15KB
  MD5: 7555ef0e94c6356f90dfc1f4d4524035
  SHA1: a3aac11a93ea6cb8be013dd21a9abb2eac7c15eb
  SHA256: 1532fcf5c40d09222335fc981bf53bef2ee0468e66b1ae4256d6a01b84dda8ee
  SHA512: d0bbc9a5db796e3e2681b06434fa9664d768bf9ab6306617bca88a0e81b8853c780b2e3cad7478928fb7c3612510012bcffe9b58b1c5506a0e1bf38bdb319b0c
- Filesize: 15KB
  MD5: f00632cb2871b48bb79250a924c15b03
  SHA1: 3758d64981b2fc0d0570587c45d4362f5434986c
  SHA256: 8497ceab64c9d3005986ccae6c442eac7e2f028e1110f4afa996f48bcfc6ff2c
  SHA512: cea52d13b0210d351ce3ec15f0100d6e7080cecf02a8653b0f19f9dca550f7a6a069cdbdc703098b5e7df1c7e99206081bc78c85f15304832c7109177a4534f2
- Filesize: 15KB
  MD5: ee8cd641b888fdc2a2dcb9ca50adfcab
  SHA1: 5792b9f7683f4fed066a96104434f2b099cd19eb
  SHA256: e82f7a04c1ce2df82a992458a5ccd744cbb07ae3960f07c32e2d205f9af1131a
  SHA512: e685188026891bfbb7b86af6f88c12f58f49a53b69e7064598072ef06d71746427d4cdcbc7f18a9de0b05fa8429c1052381f51fe37f484abd593d464f18b4a0c
- Filesize: 15KB
  MD5: d23b6335dcae01037ef8eee388583703
  SHA1: 5cab90881ee2a97844af263bfabf2e85c5396f08
  SHA256: e40604d89e24023bb2f8f3b0594eb09ffd63fc5a5777aa61077234a0c5d61eeb
  SHA512: b9cb1f8a856a2acfdb9b1f6865085f4fbdc77393bbd2d447b394ff13e6b664353296a0c3c8a9b26d2580da90545e5344cc506c80949c2f65c457eb4806e5a317
- Filesize: 15KB
  MD5: c399299e2553b07817aa324448b1b9b7
  SHA1: a54073d3d005d03f57911a8e5c16476c935bb47e
  SHA256: 712373c2e957487a86848b469bed242dd7d0d28645128e97fa8dd38de232086f
  SHA512: 9060dadd492593e01bfa0f8bf0f4b770f048f24f997be223d744fb1c9c8f859859cf1bb5c55dc78a7d1d4eb12292f09b7a3c4e98321ffd11a455bdd960394b71
- Filesize: 18KB
  MD5: 27e9fbe27df6a5f315d3fd10e4504202
  SHA1: f645d2e665935aa1f383162a1e6d69ebd7996f5b
  SHA256: 01c8d49108fdac83ce6ec1a6c27e6a508be798cf572c584f18b1a5c413704940
  SHA512: d4f19346bfec1a80765c2f387e03a8888cdc97fc1a2a4067c194cda9105449684d52cc426ed99b90aba9555416ac0615a656fc7b3955a911d889040fe8177692
- Filesize: 18KB
  MD5: 4c6f42e273b5e7a65ca985cf17633354
  SHA1: 98436baa4e0e6087641328792e8e34e01a204f93
  SHA256: 0a61e1c8946ead134c36c2fe936ca8d919117c35f5f4db49de2e520e7f8dee84
  SHA512: a6a9e4b34cce2c77195a29d1d7a44a21f7a1f2f9a1298bcc76bd959cc12be30043ad6526c436173e3be44f4f56f5453af25be4f6966f2c58c20d9b88a0db61a9
- Filesize: 18KB
  MD5: 4de34b6b19fcae256730c3675f5b5544
  SHA1: a1060ea4096b34dba57f56b0e0e91dc018137019
  SHA256: 97fee8a95e79c5d6481f0d5de8691e0b67dae66c216e49223c22b3841c2ab59a
  SHA512: 41cd62b59e97f01c70d521c20f24e86ca2bf9488bfb1366832d60aa16470ecd0d5c8b4fc48d1f1d75e2081985a2630abeb1f25fb7d477cc375c312a61ea72abe
- Filesize: 15KB
  MD5: 8039cd7b5592f907789a89a9956fdc76
  SHA1: 78607b646f248e673dda5cb51222e2115fadd88d
  SHA256: 1840a01fed94335cca518b1e8ccbb50ab10d76bf9ae423588cb054a13b6b18b2
  SHA512: e4fc4dc6b4b81afc77ec07637f115347a1c045b70a8112d0d7ae945f63905726145ca9bdb13d5597148924310c9567392be684618d0f4ed8ed47045d6e381a61
- Filesize: 15KB
  MD5: dfa402004de638549590737dc8fe07fc
  SHA1: ba75392a2bd81bf22da1b0c59c3fadbb864867f4
  SHA256: 40a77ff89c4e39958e4682716af81249737a723297c31c28bb7500cd40c4a6ef
  SHA512: 2cd29f9cc96a6d207c929ba5392beacaa79d7060605c24825fcc7b30a8f84c09c183c7dfb566a6ff61e5c76885086b654638e40045708ca37047a4a699adf110
- Filesize: 18KB
  MD5: 19845e2fb89596837818897a09cd9655
  SHA1: 158fbba7a8ad20b781938a2715c7874c94685041
  SHA256: 777024f399be5c318dd87c89ae544c1e8f1a435dcf6ecb199792a70d3328c4f1
  SHA512: 385e663a37ff2d0eae3da9c0602286fdb136c66112c9430221cbc6675359ae29d08cb13ed1ae34964d52d2fd4f822ca4509239af6479b08b30c5d8b209b7a17e
- Filesize: 18KB
  MD5: 0a6c5296afdced8a7c675feaf2e34ec8
  SHA1: 31eb203040898055af077d5738e4368989ccdda5
  SHA256: 49c708a48dd658c83442a2c12dde6c051429cd3f7b1bdc6eb3dbacaa0bbddbd4
  SHA512: 1d5169ac1afe33af0105277349503ddd012561df5ce7c9adba75ac59230296e3dbbf1fc582e89c058ffdefda18d781cc8e7aa76e0936ef561681b195e6306258
- Filesize: 18KB
  MD5: 0de988dd2cff63669d0cadf8823e87d1
  SHA1: 6777924d209c9e39927cd4e1a8904c59dd9a5b37
  SHA256: d6c55d99a97dc1a832c4a2b2240fdf5886d8dfe3aef1ebabf5662a1bfe32efb8
  SHA512: 6d32c4b4bf01784f37b458c0416a152378d97c54f52bd7314db7f834e1702af877db3592c0c22070a0be91b0439831d080dc91c6945dac036f41cc70330bc911
- Filesize: 765KB
  MD5: 9b27531814c84d9891474794ba3f880f
  SHA1: 13c2fe6e1189d6f5ffac8d67ab6c9c6f2ea61a99
  SHA256: 92682078977a588ba4cc3dfe7ce9d744bf752a635ab73c027cdbae68ff8e749f
  SHA512: 53034ff4716d2a29fa4cde440d29741c09a8f5493c5bcf0564e01921afd1344bf24c53fb97ecb3fabb215be69c3ea7b98a565c24b8f237d2069159666fc1906d
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-384068567-2943195810-3631207890-1000\83aa4cc77f591dfc2374580bbd95f6ba_89cda556-130e-4f17-88ab-af18fe5b92e6
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd