hxxps://drive[.]google[.]com/file/d/1sDKMqlQn3jrjAGLDMjB-vJcCkpemNzy-/view

Analysis

max time kernel
155s
max time network
159s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
13-09-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1sDKMqlQn3jrjAGLDMjB-vJcCkpemNzy-/view

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 3588 created 3312	3588	WaweCrack_2024.exe	52
PID 2144 created 3312	2144	updater.exe	52

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3580	powershell.exe
1264	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
3588	WaweCrack_2024.exe
1544	WaweCrack_2024.exe
2144	updater.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\a:	SearchIndexer.exe
File opened (read-only)	\??\N:	SearchIndexer.exe
File opened (read-only)	\??\i:	SearchIndexer.exe
File opened (read-only)	\??\J:	SearchIndexer.exe
File opened (read-only)	\??\L:	SearchIndexer.exe
File opened (read-only)	\??\o:	SearchIndexer.exe
File opened (read-only)	\??\b:	SearchIndexer.exe
File opened (read-only)	\??\D:	SearchIndexer.exe
File opened (read-only)	\??\F:	SearchIndexer.exe
File opened (read-only)	\??\G:	SearchIndexer.exe
File opened (read-only)	\??\Q:	SearchIndexer.exe
File opened (read-only)	\??\T:	SearchIndexer.exe
File opened (read-only)	\??\w:	SearchIndexer.exe
File opened (read-only)	\??\Z:	SearchIndexer.exe
File opened (read-only)	\??\t:	SearchIndexer.exe
File opened (read-only)	\??\W:	SearchIndexer.exe
File opened (read-only)	\??\Y:	SearchIndexer.exe
File opened (read-only)	\??\e:	SearchIndexer.exe
File opened (read-only)	\??\r:	SearchIndexer.exe
File opened (read-only)	\??\R:	SearchIndexer.exe
File opened (read-only)	\??\S:	SearchIndexer.exe
File opened (read-only)	\??\E:	SearchIndexer.exe
File opened (read-only)	\??\h:	SearchIndexer.exe
File opened (read-only)	\??\P:	SearchIndexer.exe
File opened (read-only)	\??\X:	SearchIndexer.exe
File opened (read-only)	\??\y:	SearchIndexer.exe
File opened (read-only)	\??\z:	SearchIndexer.exe
File opened (read-only)	\??\M:	SearchIndexer.exe
File opened (read-only)	\??\n:	SearchIndexer.exe
File opened (read-only)	\??\q:	SearchIndexer.exe
File opened (read-only)	\??\u:	SearchIndexer.exe
File opened (read-only)	\??\l:	SearchIndexer.exe
File opened (read-only)	\??\m:	SearchIndexer.exe
File opened (read-only)	\??\O:	SearchIndexer.exe
File opened (read-only)	\??\v:	SearchIndexer.exe
File opened (read-only)	\??\B:	SearchIndexer.exe
File opened (read-only)	\??\g:	SearchIndexer.exe
File opened (read-only)	\??\I:	SearchIndexer.exe
File opened (read-only)	\??\K:	SearchIndexer.exe
File opened (read-only)	\??\x:	SearchIndexer.exe
File opened (read-only)	\??\p:	SearchIndexer.exe
File opened (read-only)	\??\s:	SearchIndexer.exe
File opened (read-only)	\??\U:	SearchIndexer.exe
File opened (read-only)	\??\V:	SearchIndexer.exe
File opened (read-only)	\??\A:	SearchIndexer.exe
File opened (read-only)	\??\H:	SearchIndexer.exe
File opened (read-only)	\??\j:	SearchIndexer.exe
File opened (read-only)	\??\k:	SearchIndexer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	WaweCrack_2024.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3296	sc.exe
4112	sc.exe
968	sc.exe
2252	sc.exe
4032	sc.exe
3336	sc.exe
4616	sc.exe
5000	sc.exe
4528	sc.exe
768	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.AAC	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000975e13bbba05db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da553099ba05db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpeg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.TS	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007fef1baba05db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.3g2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9643dbcba05db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.crw	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WaweCrack_2024.rar:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1004	schtasks.exe
3352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
716	msedge.exe
716	msedge.exe
4612	msedge.exe
4612	msedge.exe
4620	msedge.exe
4620	msedge.exe
3460	identity_helper.exe
3460	identity_helper.exe
856	msedge.exe
856	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
2768	msedge.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
3588	WaweCrack_2024.exe
2144	updater.exe
2144	updater.exe
1264	powershell.exe
1264	powershell.exe
1264	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	4480	7zG.exe
Token: 35	4480	7zG.exe
Token: SeSecurityPrivilege	4480	7zG.exe
Token: SeRestorePrivilege	1444	7zG.exe
Token: 35	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: SeSecurityPrivilege	1444	7zG.exe
Token: 33	1420	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1420	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1420	SearchIndexer.exe
Token: SeRestorePrivilege	2424	7zG.exe
Token: 35	2424	7zG.exe
Token: SeSecurityPrivilege	2424	7zG.exe
Token: SeSecurityPrivilege	2424	7zG.exe
Token: SeDebugPrivilege	3580	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4480	7zG.exe
1444	7zG.exe
2424	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4616	OpenWith.exe
4616	OpenWith.exe
4616	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 2980	4612	msedge.exe	78
PID 4612 wrote to memory of 2980	4612	msedge.exe	78
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 4776	4612	msedge.exe	79
PID 4612 wrote to memory of 716	4612	msedge.exe	80
PID 4612 wrote to memory of 716	4612	msedge.exe	80
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81
PID 4612 wrote to memory of 2648	4612	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1sDKMqlQn3jrjAGLDMjB-vJcCkpemNzy-/view
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffbb0f3cb8,0x7fffbb0f3cc8,0x7fffbb0f3cd8
    3⤵
    PID:2980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
    3⤵
    PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:2804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
    3⤵
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
    3⤵
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
    3⤵
    PID:1884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:3036
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
    3⤵
    PID:3492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
    3⤵
    PID:4836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,11772557792062297701,15804780476710961755,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2508 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WaweCrack_2024\" -ad -an -ai#7zMap26776:90:7zEvent7395
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4480
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29113:90:7zEvent12795
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1444
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap7022:90:7zEvent18087
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2424
- C:\Users\Admin\Downloads\WaweCrack_2024.exe
  "C:\Users\Admin\Downloads\WaweCrack_2024.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3588
- C:\Users\Admin\Downloads\WaweCrack_2024.exe
  "C:\Users\Admin\Downloads\WaweCrack_2024.exe"
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3580
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1652
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4112
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4528
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:768
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:2252
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4032
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:3028
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\smrzblnxvpbs.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1004
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:5092
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\WaweCrack_2024.exe"
  2⤵
  PID:3592
- - C:\Windows\System32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:1604
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:968
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3336
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3296
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:5000
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:4616
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\smrzblnxvpbs.xml"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3352
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3756
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:484

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1420
- C:\Windows\System32\SearchProtocolHost.exe
  "C:\Windows\System32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1984
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 2996 2992 812 {0E5DCEC5-7795-4E38-9621-94DFD9F9A421}
  2⤵
  - Modifies data under HKEY_USERS
  PID:4992
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 828 3020 1584 812 {85EE815A-7738-4808-A14A-3AD87E32A3BF}
  2⤵
  PID:1840

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
1cb02b2ccc48497bf2fce41b170dbb34

SHA1
5d760331b7a975d590bf26c2ebf74a7bb95f46f1

SHA256
5428e90f13e16e6ef84c933b7e91d834922512a8d061d22ff690b6864938362e

SHA512
40487588f2831b551417838a4b920b3c6797d305693d76028625d63e0fbe7144a00b9d305947be6ccccf30f00dbddf420addcdc13bfa0b0e6e2d398f2b70c10c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a2cbd3b7f17b8cdc8970e4b2a40255a1

SHA1
93119700ace89db29993872392ddf6040ed776f2

SHA256
ff66a5a738c2435209fdbda7a36c78cced438b4080efa303f093d0c8b83e041e

SHA512
58eeae1db15c9f266eab9f4101fcf2f363dec417ad905ed27f70f0b022ed341268037093593184ba7fa8073c68013b66e18e59f034cc7e00a86c89335a444ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e2b249463d96bb7a7f56062502f9552c

SHA1
7f02bdb1ebbb90afae94bab3dc75b5036d4e2ee0

SHA256
6e0da034214d839dd52638b48cf3dc3ef48ef8dab5d1661f36383182d8909cb6

SHA512
806efc0fce4e416689fd27454506fa62486e40b391602725af35ae4b782ef7f525cb74f819055553a12b756cca98f2f4486b143179059c1106a1e169dcb51882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9719ed3a49aebe332d4414b45603a9b

SHA1
8d22688021acb398e22a877d41f44aa62c8d352f

SHA256
fed7ec3aa75fee74480e33139613a5c2875fcdf1bef67e4132eec16257ecf5aa

SHA512
aa458c8b376c7b9be2878d40e6ca449d62daf23e37034e8aab846bc81c63d66868359c9460c09973542c33247e9e65aca8b5a8373641fd389ea9bdf615899594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
127fc45a48888cf2c57f5b3054a48786

SHA1
e035dcdb87180fa00b848b3623b4400c7921b376

SHA256
1b789f94920ad5bf6fa72854237485664c3949f27836ae80519a9ffddc732c10

SHA512
ba1aa05501a904b577c4896001d487c8fdcf6535dc640713e854445d773042ba02598d845b123608b7df070278a0c7ca61943a52005738c324e8c6d7e2ee7b79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65de6d7d4a266bef4e570f18cda3b22b

SHA1
f4698b5a7f037a7dcdd25736ee9c98d27f1e52bf

SHA256
98f23efabbbefed84de6d14bd86fe656f750b594d68ec341ddf58573c371a4da

SHA512
72137bf6d510fef9d03ca1d25e003c520d07cad8fcde257838055b0647a877f4129c4dc5cf9d5ab7e806d7f3580c7460b0a95bfe323b09ad77374be6bdec05da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f672eba5b389f7f77452aa549297c6e9

SHA1
493752cb745d598043b9b6d01b186bd4820daca8

SHA256
1b340b269f45e146c1314760f2016e04e7bfc4473428e455ca9c6d8a30b62a62

SHA512
ebf14844904ef8e6788ca4e0a8c073d473fba7f76af05e6dd91fe39f442b6efaaebf4b4a5505bf3fb5fefa982b83c1f1e0c0d2bb4913b4df599cfab0811f93c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed6f9225534795e05435d0d5e5f8dc6c

SHA1
e09478187b5e5db2171f2eab8be28dda1e1adf91

SHA256
d21b2b5f1e2278f5d32d08f39602272e1aab387247141c030dfd09d36694d404

SHA512
41241deceedbd6e6f400fad3e71c5194068b6997422c32ee43dccc8b15d2cd3f8b94243ace6f4d79244a78bea8169fe12d99680218a977676275cf8ed37a3b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xin4zc05.rtl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\smrzblnxvpbs.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 237670.crdownload

Filesize
16.3MB

MD5
3b56bb3442138510ed495e4145047c4a

SHA1
6bb909aa383668b82839be8ec68ac5b51a67ac87

SHA256
b46b3344734749a06a60c3370a9a3349f1879e127be218ec35a6a789a5114002

SHA512
3dd8c995c32950dabfd6880d947d6f78c953971ddbc93e6133135b82c526797acea083c6d0f026edd54ee03ab723997df4963263705f0a6223f6ca7a293d1edb

Download Submit
C:\Users\Admin\Downloads\WaweCrack_2024.exe

Filesize
44.2MB

MD5
4c9b229fb7ee6fc73f53b42c2ac5c001

SHA1
870462a27f92264fded9e900232e4324b75de110

SHA256
e79f1b96d9b040916b4e2b53debc00a0558dc5989a9a2e228ca36376be2b41fa

SHA512
aa2cb18b7758bc5e1336fb40b0bdd8725c53a597e4aa4f7ef937b9f191b285f2058f5b1bf7ad970aafd76e44e1086087e7131415b00accb7b6eeddb538b7a27a

Download Submit
C:\Users\Admin\Downloads\WaweCrack_2024.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/1264-387-0x0000024DCBE30000-0x0000024DCBE4C000-memory.dmp

Filesize
112KB

Download
memory/1264-397-0x0000024DCBF20000-0x0000024DCBF2A000-memory.dmp

Filesize
40KB

Download
memory/1264-390-0x0000024DCC1A0000-0x0000024DCC1BC000-memory.dmp

Filesize
112KB

Download
memory/1264-389-0x0000024DCBF10000-0x0000024DCBF1A000-memory.dmp

Filesize
40KB

Download
memory/1264-422-0x0000024DCC1C0000-0x0000024DCC1DA000-memory.dmp

Filesize
104KB

Download
memory/1264-388-0x0000024DCBE50000-0x0000024DCBF03000-memory.dmp

Filesize
716KB

Download
memory/1264-428-0x0000024DCC1E0000-0x0000024DCC1EA000-memory.dmp

Filesize
40KB

Download
memory/1264-426-0x0000024DCC180000-0x0000024DCC188000-memory.dmp

Filesize
32KB

Download
memory/1264-427-0x0000024DCC190000-0x0000024DCC196000-memory.dmp

Filesize
24KB

Download
memory/1420-226-0x0000018211B70000-0x0000018211B78000-memory.dmp

Filesize
32KB

Download
memory/1420-222-0x0000018210FE0000-0x0000018210FE8000-memory.dmp

Filesize
32KB

Download
memory/1420-206-0x000001820C8F0000-0x000001820C900000-memory.dmp

Filesize
64KB

Download
memory/1420-190-0x000001820C7F0000-0x000001820C800000-memory.dmp

Filesize
64KB

Download
memory/1544-236-0x00007FF621BD0000-0x00007FF624813000-memory.dmp

Filesize
44.3MB

Download
memory/2144-274-0x00007FF6B39E0000-0x00007FF6B6623000-memory.dmp

Filesize
44.3MB

Download
memory/3580-249-0x0000021FFE7A0000-0x0000021FFE7C2000-memory.dmp

Filesize
136KB

Download
memory/3588-263-0x00007FF621BD0000-0x00007FF624813000-memory.dmp

Filesize
44.3MB

Download
memory/3588-246-0x00007FF621BD0000-0x00007FF624813000-memory.dmp

Filesize
44.3MB

Download
memory/4992-279-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-288-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-290-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-289-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-287-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-283-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-282-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-291-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-292-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-293-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-294-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-296-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-295-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-297-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-299-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-300-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-298-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-284-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-285-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-286-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-281-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-280-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-278-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-277-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-276-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download
memory/4992-275-0x0000019F47230000-0x0000019F47240000-memory.dmp

Filesize
64KB

Download