e64696fd2027f8611c05f177df114846e24f194eb7b40bce87b3c7b94ea26135

Analysis

max time kernel
301s
max time network
304s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PC ZONE FREE UTILITY V1.exe
Size

276KB
MD5

038b650ea8fa86341904193436dae791
SHA1

204a4cd4258c9db5e9ab4ae038e25d9c288791ed
SHA256

e64696fd2027f8611c05f177df114846e24f194eb7b40bce87b3c7b94ea26135
SHA512

14d465d0962ab554f876e8dde65f58a74ec57b44c847821e4ee42263cd8bd423a8394ebbafba9b5465ef6059382eac41e2c5609b0d7542b4c805fae0196f8256
SSDEEP

6144:htzsb5Uh28+V1WW69B9VjMdxPedN9ug0z9TB9S0JQaGVRA+vIX7lcjqqBynHWQMB:htzE5elwLz9TrDJA/0hyiWdl/

Score

10^/10

discovery evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	discord.com
15	discord.com

Launches sc.exe 22 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4652	sc.exe
4736	sc.exe
2300	sc.exe
4184	sc.exe
1360	sc.exe
2240	sc.exe
2276	sc.exe
2188	sc.exe
1164	sc.exe
3224	sc.exe
4504	sc.exe
2260	sc.exe
4720	sc.exe
4828	sc.exe
1252	sc.exe
3952	sc.exe
2528	sc.exe
1392	sc.exe
1796	sc.exe
1856	sc.exe
2772	sc.exe
440	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{0E141DBD-05E3-4AA7-B7E9-732D5ACDBA6B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4248	msedge.exe
4248	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
2156	msedge.exe
2156	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe
4044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4080	3688	PC ZONE FREE UTILITY V1.exe	83
PID 3688 wrote to memory of 4080	3688	PC ZONE FREE UTILITY V1.exe	83
PID 4080 wrote to memory of 4984	4080	cmd.exe	84
PID 4080 wrote to memory of 4984	4080	cmd.exe	84
PID 4080 wrote to memory of 4044	4080	cmd.exe	85
PID 4080 wrote to memory of 4044	4080	cmd.exe	85
PID 4044 wrote to memory of 4768	4044	msedge.exe	87
PID 4044 wrote to memory of 4768	4044	msedge.exe	87
PID 4080 wrote to memory of 5048	4080	cmd.exe	88
PID 4080 wrote to memory of 5048	4080	cmd.exe	88
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4876	4044	msedge.exe	89
PID 4044 wrote to memory of 4248	4044	msedge.exe	90
PID 4044 wrote to memory of 4248	4044	msedge.exe	90
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91
PID 4044 wrote to memory of 3824	4044	msedge.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PC ZONE FREE UTILITY V1.exe
"C:\Users\Admin\AppData\Local\Temp\PC ZONE FREE UTILITY V1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1EE.tmp\A1EF.bat "C:\Users\Admin\AppData\Local\Temp\PC ZONE FREE UTILITY V1.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/pczone
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeadab46f8,0x7ffeadab4708,0x7ffeadab4718
      4⤵
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
      4⤵
      PID:4876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:4708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
      4⤵
      PID:1496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3668 /prefetch:8
      4⤵
      PID:4152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,17298276948934552250,9922621413323483162,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3680 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt $H &echo on &for %B in (1) do rem"
    3⤵
    PID:5048
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:1404
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:1068
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:2472
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:4600
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
    3⤵
    PID:5024
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
    3⤵
    PID:3708
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
    3⤵
    PID:4424
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
    3⤵
    PID:5016
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
    3⤵
    PID:5020
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
    3⤵
    PID:2096
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:4872
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:5084
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:2364
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:3692
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:3648
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:2392
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:1516
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:4504
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:4936
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:4412
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem"
    3⤵
    PID:2636
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
    3⤵
    PID:4832
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:1248
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:4148
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:3952
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:2328
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:5080
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:1420
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:1668
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:2240
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
    3⤵
    PID:3336
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Maintenance\WinSAT" /disable
    3⤵
    PID:4016
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:2772
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:2760
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting"
    3⤵
    PID:4716
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
    3⤵
    PID:1736
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask"
    3⤵
    PID:1552
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
    3⤵
    PID:4848
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskFootprint\Diagnostics"
    3⤵
    PID:2600
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskFootprint\Diagnostics" /disable
    3⤵
    PID:3860
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\PI\Sqm-Tasks"
    3⤵
    PID:4112
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\PI\Sqm-Tasks" /disable
    3⤵
    PID:1144
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:3588
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:1512
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\AppID\SmartScreenSpecific"
    3⤵
    PID:2292
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\AppID\SmartScreenSpecific" /disable
    3⤵
    PID:4948
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:2376
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:5056
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:2832
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:780
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:4064
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:1632
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoftd\Office\OfficeTelemetryAgentFallBack"
    3⤵
    PID:208
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoftd\Office\OfficeTelemetryAgentFallBack" /disable
    3⤵
    PID:2544
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\Office 15 Subscription Heartbeat"
    3⤵
    PID:3468
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Office\Office 15 Subscription Heartbeat" /disable
    3⤵
    PID:4076
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime"
    3⤵
    PID:3608
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Time Synchronization\ForceSynchronizeTime" /disable
    3⤵
    PID:4924
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Time Synchronization\SynchronizeTime"
    3⤵
    PID:3256
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Time Synchronization\SynchronizeTime" /disable
    3⤵
    PID:1744
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update"
    3⤵
    PID:4368
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable
    3⤵
    PID:3716
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Device Information\Device"
    3⤵
    PID:2916
- - C:\Windows\system32\schtasks.exe
    schtasks /change /TN "\Microsoft\Windows\Device Information\Device" /disable
    3⤵
    PID:4128
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
    3⤵
    PID:2024
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
    3⤵
    PID:3560
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:60
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:4556
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:1972
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:2852
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClient"
    3⤵
    PID:3616
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClient" /disable
    3⤵
    PID:3532
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload"
    3⤵
    PID:4840
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Feedback\Siuf\DmClientOnScenarioDownload" /disable
    3⤵
    PID:4700
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Autochk\Proxy"
    3⤵
    PID:3024
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Autochk\Proxy" /disable
    3⤵
    PID:392
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
    3⤵
    PID:4640
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
    3⤵
    PID:3992
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
    3⤵
    PID:1928
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
    3⤵
    PID:1404
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
    3⤵
    PID:4600
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
    3⤵
    PID:5024
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016"
    3⤵
    PID:3708
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentFallBack2016" /disable
    3⤵
    PID:3996
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016"
    3⤵
    PID:3604
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn2016" /disable
    3⤵
    PID:2460
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn"
    3⤵
    PID:4192
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Office\OfficeTelemetryAgentLogOn" /disable
    3⤵
    PID:4376
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:5084
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
    3⤵
    PID:2364
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector"
    3⤵
    PID:3692
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
    3⤵
    PID:3648
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver"
    3⤵
    PID:2392
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticResolver" /disable
    3⤵
    PID:1516
- - C:\Windows\system32\sc.exe
    sc stop DiagTrack
    3⤵
    - Launches sc.exe
    PID:4504
- - C:\Windows\system32\sc.exe
    sc config DiagTrack start= disabled
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\system32\sc.exe
    sc stop dmwappushservice
    3⤵
    - Launches sc.exe
    PID:2260
- - C:\Windows\system32\sc.exe
    sc config dmwappushservice start= disabled
    3⤵
    - Launches sc.exe
    PID:4736
- - C:\Windows\system32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2300
- - C:\Windows\system32\sc.exe
    sc config WaaSMedicSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4184
- - C:\Windows\system32\sc.exe
    sc stop DPS
    3⤵
    - Launches sc.exe
    PID:1360
- - C:\Windows\system32\sc.exe
    sc config DPS start= disabled
    3⤵
    - Launches sc.exe
    PID:2188
- - C:\Windows\system32\sc.exe
    sc stop wscsvc
    3⤵
    - Launches sc.exe
    PID:3952
- - C:\Windows\system32\sc.exe
    sc config wscsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:2528
- - C:\Windows\system32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4720
- - C:\Windows\system32\sc.exe
    sc config UsoSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1392
- - C:\Windows\system32\sc.exe
    sc stop WinRM
    3⤵
    - Launches sc.exe
    PID:1796
- - C:\Windows\system32\sc.exe
    sc config WinRM start= disabled
    3⤵
    - Launches sc.exe
    PID:4828
- - C:\Windows\system32\sc.exe
    sc stop BITS
    3⤵
    - Launches sc.exe
    PID:2240
- - C:\Windows\system32\sc.exe
    sc config BITS start= disabled
    3⤵
    - Launches sc.exe
    PID:1856
- - C:\Windows\system32\sc.exe
    sc stop pla
    3⤵
    - Launches sc.exe
    PID:440
- - C:\Windows\system32\sc.exe
    sc config pla start= disabled
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\sc.exe
    sc stop PcaSvc
    3⤵
    - Launches sc.exe
    PID:2772
- - C:\Windows\system32\sc.exe
    sc config PcaSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1164
- - C:\Windows\system32\sc.exe
    sc stop WSearch
    3⤵
    - Launches sc.exe
    PID:3224
- - C:\Windows\system32\sc.exe
    sc config WSearch start= disabled
    3⤵
    - Launches sc.exe
    PID:1252
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
    3⤵
    PID:3284
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
    3⤵
    PID:2892
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
    3⤵
    PID:2168
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
    3⤵
    PID:3712
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"
    3⤵
    PID:2984
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /disable
    3⤵
    PID:2296
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance"
    3⤵
    PID:3588
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /disable
    3⤵
    PID:4948
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup"
    3⤵
    PID:1888
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /disable
    3⤵
    PID:2804
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification"
    3⤵
    PID:208
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" /disable
    3⤵
    PID:4420
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\AitAgent"
    3⤵
    PID:3968
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\AitAgent" /disable
    3⤵
    PID:3728
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
    3⤵
    PID:4628
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
    3⤵
    PID:32
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Speech\SpeechModelDownload"
    3⤵
    PID:2900
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Speech\SpeechModelDownload" /disable
    3⤵
    PID:4792
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Speech\SpeechRuntime"
    3⤵
    PID:4332
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Speech\SpeechRuntime" /disable
    3⤵
    PID:3568
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
    3⤵
    PID:4144
- - C:\Windows\system32\schtasks.exe
    schtasks /change /tn "\Microsoft\Windows\Application Experience\StartupAppTask" /disable
    3⤵
    PID:5008
- - C:\Windows\system32\schtasks.exe
    schtasks /end /tn "\Microsoft\Windows\NetTrace\GatherNetworkInfo"
    3⤵
    PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
b20e9f0efb6c515cf205af9cfa36db6b

SHA1
305d9383f794689b071763948cd83c08a4be358e

SHA256
239d9f6ecba5d0fa19977843610f6fd570e65d52ae39dc913551b583f1129d5d

SHA512
cf706db677d37355ba8a1471246155fff7687c4c31b9d7d24d02fd14888f464c614f9485476d7789f819d0a2e871d9c2c71b96762b1ffe42f3c1acf79a3db628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
325B

MD5
ccb7ee17541dac4ca0be9d8061c7d774

SHA1
0e1fc7c317be73e8b1d243d47a91b99419bb5e28

SHA256
d53ff16f6ba98a2206a3e15e511189bc7dce8dc2ba387f96f9b2290391b8111a

SHA512
698e11d80eac8d447f97d8c6b90c5d772c336a5778b3c3bfc6753a19cbfb9633dad948dd1d47fe77aa7996398ca90006728ee59b257c87b7e7aaa09402771ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b8004d2da4ed2379b653321ada96895

SHA1
96c0cc84aac26b468c4bdcc77ff7a9f09bbec4f4

SHA256
d4bbc46122fb0e28a1871d1cc4f90792ea86de6851f262189e189ce44fb2f3e7

SHA512
1e14c7706c24b3062ab9431e7b98c3fb5ac6fe7452f726033e264c06197303bbae95e15285d7434a44f10f95556b9b4fee35d2ed761ad5349aaa35c3f17067d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8df4bd8802e4ff3b0799aa31dfda3f8c

SHA1
f293b5237dc99f37c70e399758f9741503aa28a2

SHA256
ba97425cc5c0a761b2bc5ea9445f4ee1b945dc29218e1bdc81a80c5635451425

SHA512
3c5ba52e57f6dfecaee457c31c4d7066d6deef352b3eed09490cd4db63c076293966013bd1dfcd4c7eda00c75992657d3d9c16195e3c20668d6adece6d70b5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d034b5f9d20de27ecd4feea7c1b670e3

SHA1
45e0c9ee753cf7336c4993d27746eeb920b7fce1

SHA256
da4a75621ec47dc567f488d13294c269fda82aba820fa3e430a45f033a72bd12

SHA512
b9180e6e3425c203c7d6f7b7a462cc1cb215b256c1ff1a1c8b9d8362ba4ca3ff6e90f446648e5f8fdec282123d93149d145170d1d03dc5098b3e45fc712caaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1ED.tmp\A1EE.tmp\A1EF.bat

Filesize
94KB

MD5
0342deb32350aad69aee10ed785cf081

SHA1
be5788c25ca3a0a42311eb52e6755ad2df5f4700

SHA256
eaf43b3644a3624e3560f4cc538fdffab9d8461a5626968972172c4443ec04aa

SHA512
8d1842eedc87f8b0d49fe01b127dc1ab8dfbf5ee33dd5920ee4e6ee428ffb6130922951d20a25067a37bac58891aa06e83d97f51763c93cb10748c0b46b79507

Download Submit