1398040f2bc658281e60c22f07f6b27a57499f4692af547d56e360334efde22d

Analysis

max time kernel
135s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lifenz utility tweak private.bat
Size

243KB
MD5

a38c931542f83c5593b7db0ad318bb3e
SHA1

fde8e7f2d9e7423c08e2231e975b64403a4f40ea
SHA256

1398040f2bc658281e60c22f07f6b27a57499f4692af547d56e360334efde22d
SHA512

b7c29ca20e75ecd93d73085d83d23c422c44b7f378a226b6ebda8a6735a18d8ea2ea0d89a1c963f74f750e022e666c6d426f9c64b5e9334e1b7fe900ec22fe75
SSDEEP

1536:J8HHksY/fjXmamnUk01vmeAkEsDmnUk01tr1edkvC6cM/rwdrwbW+mEWm:WksTswZq6Y

Score

3^/10

discovery execution

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4792	powershell.exe
3100	powershell.exe
1308	powershell.exe
4472	powershell.exe
4412	powershell.exe
1912	powershell.exe
512	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4232	timeout.exe
1916	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3100	powershell.exe
3100	powershell.exe
1308	powershell.exe
1308	powershell.exe
4472	powershell.exe
4472	powershell.exe
4412	powershell.exe
4412	powershell.exe
1912	powershell.exe
1912	powershell.exe
512	powershell.exe
512	powershell.exe
4792	powershell.exe
4792	powershell.exe
4684	msedge.exe
4684	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2340	WMIC.exe
Token: SeSecurityPrivilege	2340	WMIC.exe
Token: SeTakeOwnershipPrivilege	2340	WMIC.exe
Token: SeLoadDriverPrivilege	2340	WMIC.exe
Token: SeSystemProfilePrivilege	2340	WMIC.exe
Token: SeSystemtimePrivilege	2340	WMIC.exe
Token: SeProfSingleProcessPrivilege	2340	WMIC.exe
Token: SeIncBasePriorityPrivilege	2340	WMIC.exe
Token: SeCreatePagefilePrivilege	2340	WMIC.exe
Token: SeBackupPrivilege	2340	WMIC.exe
Token: SeRestorePrivilege	2340	WMIC.exe
Token: SeShutdownPrivilege	2340	WMIC.exe
Token: SeDebugPrivilege	2340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2340	WMIC.exe
Token: SeRemoteShutdownPrivilege	2340	WMIC.exe
Token: SeUndockPrivilege	2340	WMIC.exe
Token: SeManageVolumePrivilege	2340	WMIC.exe
Token: 33	2340	WMIC.exe
Token: 34	2340	WMIC.exe
Token: 35	2340	WMIC.exe
Token: 36	2340	WMIC.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeIncreaseQuotaPrivilege	1912	powershell.exe
Token: SeSecurityPrivilege	1912	powershell.exe
Token: SeTakeOwnershipPrivilege	1912	powershell.exe
Token: SeLoadDriverPrivilege	1912	powershell.exe
Token: SeSystemProfilePrivilege	1912	powershell.exe
Token: SeSystemtimePrivilege	1912	powershell.exe
Token: SeProfSingleProcessPrivilege	1912	powershell.exe
Token: SeIncBasePriorityPrivilege	1912	powershell.exe
Token: SeCreatePagefilePrivilege	1912	powershell.exe
Token: SeBackupPrivilege	1912	powershell.exe
Token: SeRestorePrivilege	1912	powershell.exe
Token: SeShutdownPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeSystemEnvironmentPrivilege	1912	powershell.exe
Token: SeRemoteShutdownPrivilege	1912	powershell.exe
Token: SeUndockPrivilege	1912	powershell.exe
Token: SeManageVolumePrivilege	1912	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe
1300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3640	2412	cmd.exe	85
PID 2412 wrote to memory of 3640	2412	cmd.exe	85
PID 2412 wrote to memory of 4752	2412	cmd.exe	86
PID 2412 wrote to memory of 4752	2412	cmd.exe	86
PID 2412 wrote to memory of 4232	2412	cmd.exe	87
PID 2412 wrote to memory of 4232	2412	cmd.exe	87
PID 2412 wrote to memory of 2480	2412	cmd.exe	91
PID 2412 wrote to memory of 2480	2412	cmd.exe	91
PID 2412 wrote to memory of 2544	2412	cmd.exe	92
PID 2412 wrote to memory of 2544	2412	cmd.exe	92
PID 2544 wrote to memory of 2340	2544	cmd.exe	93
PID 2544 wrote to memory of 2340	2544	cmd.exe	93
PID 2544 wrote to memory of 5000	2544	cmd.exe	94
PID 2544 wrote to memory of 5000	2544	cmd.exe	94
PID 2412 wrote to memory of 1276	2412	cmd.exe	96
PID 2412 wrote to memory of 1276	2412	cmd.exe	96
PID 2412 wrote to memory of 3100	2412	cmd.exe	97
PID 2412 wrote to memory of 3100	2412	cmd.exe	97
PID 2412 wrote to memory of 4504	2412	cmd.exe	100
PID 2412 wrote to memory of 4504	2412	cmd.exe	100
PID 2412 wrote to memory of 1372	2412	cmd.exe	101
PID 2412 wrote to memory of 1372	2412	cmd.exe	101
PID 2412 wrote to memory of 1532	2412	cmd.exe	102
PID 2412 wrote to memory of 1532	2412	cmd.exe	102
PID 2412 wrote to memory of 3028	2412	cmd.exe	103
PID 2412 wrote to memory of 3028	2412	cmd.exe	103
PID 2412 wrote to memory of 4796	2412	cmd.exe	114
PID 2412 wrote to memory of 4796	2412	cmd.exe	114
PID 2412 wrote to memory of 1308	2412	cmd.exe	115
PID 2412 wrote to memory of 1308	2412	cmd.exe	115
PID 2412 wrote to memory of 1536	2412	cmd.exe	116
PID 2412 wrote to memory of 1536	2412	cmd.exe	116
PID 2412 wrote to memory of 4472	2412	cmd.exe	117
PID 2412 wrote to memory of 4472	2412	cmd.exe	117
PID 2412 wrote to memory of 4412	2412	cmd.exe	118
PID 2412 wrote to memory of 4412	2412	cmd.exe	118
PID 2412 wrote to memory of 1812	2412	cmd.exe	119
PID 2412 wrote to memory of 1812	2412	cmd.exe	119
PID 2412 wrote to memory of 4976	2412	cmd.exe	120
PID 2412 wrote to memory of 4976	2412	cmd.exe	120
PID 2412 wrote to memory of 2512	2412	cmd.exe	121
PID 2412 wrote to memory of 2512	2412	cmd.exe	121
PID 2412 wrote to memory of 4876	2412	cmd.exe	122
PID 2412 wrote to memory of 4876	2412	cmd.exe	122
PID 2412 wrote to memory of 1912	2412	cmd.exe	123
PID 2412 wrote to memory of 1912	2412	cmd.exe	123
PID 2412 wrote to memory of 4048	2412	cmd.exe	124
PID 2412 wrote to memory of 4048	2412	cmd.exe	124
PID 2412 wrote to memory of 2448	2412	cmd.exe	126
PID 2412 wrote to memory of 2448	2412	cmd.exe	126
PID 2412 wrote to memory of 512	2412	cmd.exe	127
PID 2412 wrote to memory of 512	2412	cmd.exe	127
PID 2412 wrote to memory of 1064	2412	cmd.exe	128
PID 2412 wrote to memory of 1064	2412	cmd.exe	128
PID 2412 wrote to memory of 5104	2412	cmd.exe	129
PID 2412 wrote to memory of 5104	2412	cmd.exe	129
PID 2412 wrote to memory of 2000	2412	cmd.exe	130
PID 2412 wrote to memory of 2000	2412	cmd.exe	130
PID 2412 wrote to memory of 4792	2412	cmd.exe	131
PID 2412 wrote to memory of 4792	2412	cmd.exe	131
PID 2412 wrote to memory of 992	2412	cmd.exe	132
PID 2412 wrote to memory of 992	2412	cmd.exe	132
PID 2412 wrote to memory of 1536	2412	cmd.exe	133
PID 2412 wrote to memory of 1536	2412	cmd.exe	133

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Lifenz utility tweak private.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:3640
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4752
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4232
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2340
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:5000
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:4504
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:1372
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:1532
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3028
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading rescourses (power plan, Nvidia profile inspector & more)', 'Lifenz Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\Lifenz.zip" "https://Lifenzapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"
  2⤵
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\Lifenz.zip' -DestinationPath 'C:\Lifenz'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded rescourses successfully', 'Lifenz Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4412
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1812
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4976
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2512
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:4876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Disable-MMAgent -MemoryCompression"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4048
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Disable-MMAgent -MemoryCompression"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1064
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:5104
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Note: If you want to revert anything, you can do it in our revert category on the main page of the utility', 'Lifenz Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:992
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Lifenzw
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ff9e75546f8,0x7ff9e7554708,0x7ff9e7554718
    3⤵
    PID:2308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
    3⤵
    PID:972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:2480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    3⤵
    PID:1936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
    3⤵
    PID:5104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,10820415313308884157,4179090897752064731,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    PID:1640
- C:\Windows\system32\timeout.exe
  timeout 2
  2⤵
  - Delays execution with timeout.exe
  PID:1916
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc 0x41c
1⤵
PID:1392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
681688949850b95dd44cf81e9d70e373

SHA1
5b9b87aa6398a5809fde7f5bdfde983261ce8a0f

SHA256
e0a835a958d0c79b19e7ff052e2ab8926e74a4cd07727600dd86f7408ec5db8d

SHA512
d852e6383acedd3f40f7a868d3f35afab0dd13c767ef33eede59339afdaa883b9bc57c2b948d0ccea1371f63aa1ab96b58d18def4bd8b0edfd3a3a46268f7b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9f097a2500b1ba870ddd950b0a6cad71

SHA1
1493a0594eb7d4af2f5032a2c1069a949a48747d

SHA256
2bc18f6ef2c26c1f917779d775f3a0a1f29cbaca73dadb0ffa07dbf86e234c5e

SHA512
ee6c23ba618409db0d140cd5c098ec600e8f14e78fae508dccbf81273616cf18d1dd03b52d8edfb33c5dd586595f056319246bb9357489fd48cb89a5b152a68a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bf60b688b0f698f62c27c815e9682093

SHA1
88fcca999d445f229a636697aab89315511720d2

SHA256
d4c270325c5a00b1f4264cfc417bd414c816e3d021f234dda9902c7ed5efa08d

SHA512
620b56cc54ffa1d50cd61d8dec25d40a079fc94ed751b880b57ffdbb620df364eec4b2cfca4563f0df34ae4071a5eeffbb1f8f3422dc4ee43e5b0c076533510f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
801d7a3231d4676882dbfda82504e71c

SHA1
f98c1e0e12305ceb89c2e98d45c3dc2e4454b94a

SHA256
2bc4217bc729005ef3865abe7ffa325c67b11adf083c9bab9c5d8d290bdac937

SHA512
ddeb799264b90976e73dfc7aa29ee17a8dba2713e238271e2638099a1c0ac992f39de393680a56d6dd216f8d0727375624d33fe89801848f4ede46dff2f5df72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a0f6edf8-6f6a-49ce-9a4a-e358df0b3844\index-dir\the-real-index

Filesize
2KB

MD5
7f631db24649dfcf6e4e4aaef266cb38

SHA1
0dc201da0cade0acc0feecdb35ee3c954dd60539

SHA256
4bfab38670dbe609c9516b8d6e6a4d01515c18f9eb871cb42b10036cf3887e9d

SHA512
eaed92f8e6fe28cbf822c1b4dca773c1fb4ea3727b25ca2966f43454477c0b298dd9c5efbfbb58872697bb0eb16c7a4de998d5712bca72b2dc156f194e6a39e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a0f6edf8-6f6a-49ce-9a4a-e358df0b3844\index-dir\the-real-index~RFe58f690.TMP

Filesize
48B

MD5
e12bfb4ef18688a4b4c1529d07f1e9f3

SHA1
ef2460d0832f7d4b3296eb35a17a3c620ab8fd75

SHA256
0ff36b2ad192bccf647578b88b5b8d56ae01df40ca83b7c8e70ecd598d4cd62e

SHA512
671af85933fb50eef6239a63bab8aed218d4ae3be1ba391d45ae5d4e1b2b60477dda1ced14ddbd4a1d43202ee96cd8b98db34fdcf1aac24f3c567a1cf2fedd92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ddda5318-4740-4bb8-8ff5-0e88987b2029\index-dir\the-real-index

Filesize
336B

MD5
ba6f3f02d72229490a6886926e93063a

SHA1
2f40f16e7e41eb162e7a0938fa410a2312fbf383

SHA256
a3c7d3680ec102c29662dab0441fa307426e2abb85d976a88cfc7ec90e0268f0

SHA512
772ba5cf70e4b72dd4fcb653102e7d796ef6945a0abbf0c6621e94d4abd09ace9fd62f1b4466d9142fa2da39b275116ab7ae72be3c7539830c2fd80d86e8e6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\ddda5318-4740-4bb8-8ff5-0e88987b2029\index-dir\the-real-index~RFe58f690.TMP

Filesize
48B

MD5
186912bcd3e1d1cd22161ff742f33449

SHA1
7a799d034b7ec2c4cfd25ad75051623cf4792143

SHA256
55c346ddece75d9c11db683ed4e9b37d4501900633a852f4f3ff61024121388c

SHA512
2605df4cc7dfd2e03d717ac96fa28403008cfd8a48eb80bc63f7c829d1b1031d08594deb56097ed8ad7ba6ef139b4b82fa3e9626a2caeac97815ecf12083498e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
1f20d860b9840884864b4b072cd63a11

SHA1
a49c2e8ac2c26b08b5db578f11b099ed239d0599

SHA256
22bf58c2c884e5b3646b7d51629e1af50bbff24734879b6418369aba0f6e16ba

SHA512
ea24320d3778f36346340f0341d84abe97508de72876f5a747d974834fa5b02a3aa6cc519c0399be69bc85a7a5ff74613720b68b7b60ddf2ca7e9bb8991d75eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a992cd6636be1f6c1e912aa82088be34

SHA1
34a2ce7f50018660fe5bb42538a939a51680acbf

SHA256
051cdf03d1f069f51abe5c589703195bf6814d1e576675638513ba4132447b59

SHA512
c078dfa52ff5921e3736ec47c0d42e2c8f0acec7e1b1b92fd2125c6c80c216fed7c0868fe518f98226326bf758721576dcd4f74262502ddfeaf84de83898cb40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
f546d8a3b6890dfd2e990c5bb09d21f5

SHA1
18b0f613f1f3e2ab4599f3c908ba972b68593111

SHA256
c927351cbb728892a6a723130472dbe2fdc9712e5a18fd44afb07dbadeb4b690

SHA512
d78b397d1531627f00949faf565d3c32566aeba237028825e92e2eff59bfd87007432d50075abc421260c5465d24f7de8d6dfb94f0747d6ca913369a71c7f353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
6bf39f141944bb9151fb1b30ca76151a

SHA1
d4d6616cb5c74d59fed7023a134b024328127b21

SHA256
a0650c887f56cc54e21e8262f19dbde1ec597de367e3a3c46fc31bc3719cbec2

SHA512
278592ca0b866a6c24be4478dd5d77e866c966ef20933df87d610dd846234d4b8e0d371652a21844a63a6171674107484fe449deb39cfa29060d85b52bc2e48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
82B

MD5
07c75c78c056942622f5e4715f945c09

SHA1
faf5e553f88e650e1e6c4e79cac8c8a361abbe46

SHA256
f51e06dc099a2d145ba20204c7e191e5504b94150c29ec15f0d4ebd97c0836dc

SHA512
db9a2c228a38e88bf829c241895c8431f663084ede0b13cbe85a734ca66ddee54671d3755ff7281e600bf07c4230e43cc32c5c92ca2d978dc8331f8441838cdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
6147a656d3589b3f498f967592350a2c

SHA1
e8d497dcd585fdba339a545cc5c46eb0d1cb1dd5

SHA256
b0a558358a64c103e97be453be215e4e5a83d0f7bc6e032ba00f2b6698d0efe1

SHA512
c2ece08d427c1aeb68a705333ea537baa955edc66d40551361f8c6f3f2d21a08f8df569528b18740a15638ad7792edfcfc06c2184cbe28e59888253261ff17f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f680.TMP

Filesize
48B

MD5
bb904c3563a0a7368855bb3cc6f5938b

SHA1
95c4dda79bd12434642177df62396f05f14edfa6

SHA256
9aadb58abd70dae96013fdbe93172baa66f50f98a3512bc7e0bdd4c324dea0ab

SHA512
a543aa197b64c20ceeb4545ffa5d3e13742cc82f9cf3a0cb6676b87c2544240f955e2f805a2edd31a5c559792916ddd26722bb8209e294631a6836b4f92d4544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6077f327a02f7fa58bb2da29387689f0

SHA1
dbf5f0fa0ab38a5aaf5e3777fc5828226573676d

SHA256
ce401f8848a80abd36f62040a51da09f710d542cec9bf7e428689ac29301ddd3

SHA512
40ff40de033d2b8492fa9d8e79f1f9729244bd549091c39f9326b38d670a0bc97c723de96bdaaba7ba7f60bc2a0278d5228b3a7722380e91696dd3c3cb02fb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4095d507ad690779f8118393e157033e

SHA1
e167e87f68f755977a5a00974043e3759978b58d

SHA256
b9a884c3c80d7b4d1043367a94d1dcb10b67717ebfca6fc57d3906625901fc6f

SHA512
223de644117c4667f428a1d9a6a510495b61915b0b55ef960e61af653e9c67f4f295eb210fd60b9201c0b6a927d91037991b1fe11b01a720a4f7fb184ab5f36b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
28340ec75f53c23d31aaa7674e7d15ac

SHA1
c932653f1daf05a300a3d0bb949070769b5ed2b1

SHA256
9d68ecb7732f485d1ffccebcbb50df967f78f8d849f1889b6cfbecf7877eb789

SHA512
16c43667109cda75fa291f90d45ff36622c66ae7879ea840edb30be7f7199e5ae45bea10f07810e5cf8fd7893c6dd48157ebcbe350507db8f8f35eece39b31c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4af23e22454e22f2a040af2dec4a07c1

SHA1
b3f9a9b5539aa64a68a59a39552ae1f735ccc6a5

SHA256
742897430c863942288ee85ec986cbd57efe0fbf872619cc5f8f5f2464cda285

SHA512
a8db0109ca233be94f7d3806c8e574eaa885518d3a4feeb7e854c299e42465c0aeee61885b52f3ef28a4d2e6b81261485cc5732acd5a783013f65c2ad01f5920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
982e424dd563e7d9fe31d6425686c18e

SHA1
3a5913c7a66a832ab4a6bf6b301744cf1759e32e

SHA256
60ad4e99ea0a3f0bf96989d3c669ab9af53ddfb440e333b3c4138e9d50cf4d3b

SHA512
b80d6509fb76dbb2b7666690a9a4005089c30d698c03c718077049ed081a59df1b06433a7671e069704a992f8b5d0b130f2898d4bfea19099ca4a6d3d849c9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lifenz.zip

Filesize
10B

MD5
ef81e41d11c9e7193ddd3d470dbb3eda

SHA1
0c15d12755a0be84e6403445c427231c274919c6

SHA256
7515bf959b73b956ceb967351c7e299cbb3668a53d35f9c770eb72e00d93ced6

SHA512
bf69c60fbb6d5ff50d81cd093cbabe59cd4eed439822e9ed02472245c3dae033cec143f1c4bbe6f702b7530f87c020442217ca1859da8f4b0f578a93b46cbdfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_neukxdqc.bxh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3100-15-0x00007FF9E6D30000-0x00007FF9E77F1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-0-0x00007FF9E6D33000-0x00007FF9E6D35000-memory.dmp

Filesize
8KB

Download
memory/3100-12-0x00007FF9E6D30000-0x00007FF9E77F1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-11-0x00007FF9E6D30000-0x00007FF9E77F1000-memory.dmp

Filesize
10.8MB

Download
memory/3100-7-0x000001E9D1390000-0x000001E9D13B2000-memory.dmp

Filesize
136KB

Download
memory/4472-39-0x0000027335780000-0x0000027335792000-memory.dmp

Filesize
72KB

Download
memory/4472-40-0x0000027333130000-0x000002733313A000-memory.dmp

Filesize
40KB

Download