Analysis
max time kernel: 105s
max time network: 106s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241023-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 25/10/2024, 21:57
Static task: static1
URLScan task: urlscan1
General
Malware Config
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource                                                                       yara_rule
behavioral1/files/0x00280000000451f9-415.dat                                   family_redline
behavioral1/memory/1568-418-0x0000000000DF0000-0x0000000000E3A000-memory.dmp   family_redline

Redline family

Xmrig family

XMRig Miner payload (9 IoCs)
All nine hits are the same region of PID 652 (0x140000000-0x140835000), captured at different points in the run.
resource                                                                       yara_rule
behavioral1/memory/652-619-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-618-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-624-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-621-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-625-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-623-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-622-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-626-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
behavioral1/memory/652-628-0x0000000140000000-0x0000000140835000-memory.dmp    xmrig
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
pid   Process
3284  powershell.exe
968   powershell.exe
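The report records only that powershell.exe added Defender exclusions, not which ones. On a live host the same change is written to the Microsoft-Windows-Windows Defender/Operational log as event ID 5007 ("configuration has changed"), whose message names the registry value under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions that was added or removed. The Python below is an added example, not part of the tria.ge report: it parses 5007-style messages (the exclusion values are constructed for illustration) and flags exclusions broad enough to hide a dropper, such as a whole drive, a user-writable directory, a script host, or the .exe extension.

```python
import re
from dataclasses import dataclass

# Message shape of Microsoft Defender Antivirus event ID 5007. The exclusion
# values below are constructed for this example, not taken from the report.
SAMPLE_EVENTS = [
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Admin\\AppData\\Local\\Temp = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\C:\\Users\\Admin\\AppData\\Roaming\\svc\\updater.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\powershell.exe = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0",
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: \n"
    "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Microsoft SQL Server\\MSSQL\\DATA = 0x0",
    # A removal: the value appears only on the "Old value" side.
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "\tOld value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Program Files\\Microsoft SQL Server\\MSSQL\\DATA = 0x0\n"
    "\tNew value: ",
]

# [ \t]* (not \s*) after "value:" so an empty "Old value:" line cannot run on
# into the "New value:" line and claim its content.
EXCLUSION_RE = re.compile(
    r"(?P<side>Old|New) value:[ \t]*"
    r"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?)[ \t]*=[ \t]*0x0"
)
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp|Public)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "bat", "cmd", "vbs", "js", "scr", "com", "sys"}


@dataclass(frozen=True)
class Finding:
    action: str      # "added" or "removed"
    kind: str        # Paths, Processes or Extensions
    item: str        # the excluded path, process or extension
    reasons: tuple   # why it is risky; empty means informational only


def classify(kind, item):
    """Return the reasons an exclusion is risky (empty tuple if none apply)."""
    reasons = []
    if kind == "Paths":
        if re.fullmatch(r"[A-Za-z]:\\?", item):
            reasons.append("whole drive excluded")
        if "*" in item or "?" in item:
            reasons.append("wildcard path")
        if USER_WRITABLE.search(item + "\\"):
            reasons.append("user-writable location")
    elif kind == "Processes":
        if item.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            reasons.append("script host / LOLBin excluded")
        if USER_WRITABLE.search(item):
            reasons.append("process in user-writable location")
    elif kind == "Extensions":
        if item.lstrip(".").lower() in EXEC_EXTENSIONS:
            reasons.append("executable file type excluded")
    return tuple(reasons)


def parse_events(messages):
    """Turn 5007 messages into Finding records (added vs removed exclusions)."""
    findings = []
    for msg in messages:
        old, new = set(), set()
        for m in EXCLUSION_RE.finditer(msg):
            (old if m["side"] == "Old" else new).add((m["kind"], m["item"]))
        for kind, item in sorted(new - old):
            findings.append(Finding("added", kind, item, classify(kind, item)))
        for kind, item in sorted(old - new):
            findings.append(Finding("removed", kind, item, ()))
    return findings


def audit(messages):
    """Only the findings that carry at least one risk reason."""
    return [f for f in parse_events(messages) if f.reasons]


if __name__ == "__main__":
    for f in parse_events(SAMPLE_EVENTS):
        flag = "FLAG" if f.reasons else "info"
        print(f"{flag:4} {f.action:7} {f.kind:10} {f.item}  {'; '.join(f.reasons)}")
```

The rules are deliberately simple; the point is that an exclusion event is only alarming in context (who added it, from which process, and whether the excluded location is one an attacker can write to), which is why each finding carries its reasons rather than a single score.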
Creates new service(s) (2 TTPs)

Drops file in Drivers directory (2 IoCs)
description   ioc                                    Process
File created  C:\Windows\system32\drivers\etc\hosts  7y8.exe
File created  C:\Windows\system32\drivers\etc\hosts  mrsokkcqisuu.exe
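Two of the dropped executables write C:\Windows\system32\drivers\etc\hosts. The report does not show the resulting contents, so the hosts text and the baseline below are constructed for illustration (names under .test, addresses from RFC 5737). The Python is an added example, not part of the report: it parses a hosts file, drops entries that match an approved baseline, and separates names sinkholed to loopback or 0.0.0.0 (the usual way a dropper blocks AV updates or a rival mining pool) from names redirected to some other address.

```python
import ipaddress

# Constructed hosts file as a dropper might leave it; the report only records
# that the file was written by 7y8.exe and mrsokkcqisuu.exe.
TAMPERED_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 example-av-updates.test
0.0.0.0 pool.example-mining.test
127.0.0.1 telemetry.example.test
127.0.0.1 localhost
198.51.100.7 update.example.test
"""

# Constructed known-good baseline (e.g. from the gold image). The telemetry
# entry is an admin-approved block that must not be reported.
BASELINE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 telemetry.example.test
"""

# Names that legitimately map to loopback and are never findings.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line; ignored here
        for host in parts[1:]:                    # one address may carry several names
            entries.append((lineno, addr, host.lower()))
    return entries


def suspicious_entries(text, baseline_text=""):
    """Entries not in the baseline, labelled as sinkholed or redirected."""
    baseline = {(str(a), h) for _, a, h in parse_hosts(baseline_text)}
    findings = []
    for lineno, addr, host in parse_hosts(text):
        if (str(addr), host) in baseline or host in LOCAL_NAMES:
            continue
        if addr.is_loopback or addr.is_unspecified:
            verdict = "sinkholed: name resolves to a local/null address"
        else:
            verdict = "redirected: name resolves to a non-local address"
        findings.append((lineno, host, str(addr), verdict))
    return findings


if __name__ == "__main__":
    for lineno, host, addr, verdict in suspicious_entries(TAMPERED_HOSTS, BASELINE_HOSTS):
        print(f"line {lineno}: {host} -> {addr}  ({verdict})")
```

Comparing against a baseline rather than the stock Microsoft file matters in practice: many fleets carry approved hosts entries, and reporting those on every host buries the two or three lines a miner added.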
Executes dropped EXE (5 IoCs)
pid   Process
4240  Deushack.exe
2140  downloadedFile.exe
2256  7y8.exe
1568  loasder.exe
1848  mrsokkcqisuu.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, such as saved credentials and cookies.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
flow  ioc
205   pastebin.com
206   pastebin.com

Power Settings (1 TTP, 8 IoCs)
powercfg controls all configurable power settings on a Windows system and can be abused to keep an infected host from sleeping, locking or shutting down.
pid   Process
4720  powercfg.exe
1900  powercfg.exe
3328  powercfg.exe
1876  powercfg.exe
688   powercfg.exe
4288  powercfg.exe
3212  powercfg.exe
4032  powercfg.exe

Drops file in System32 directory (4 IoCs)
description                   ioc                                                                                                                  Process
File opened for modification  C:\Windows\system32\MRT.exe                                                                                          7y8.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File created                  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log                 powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe                                                                                          mrsokkcqisuu.exe
MRT.exe is the Malicious Software Removal Tool; both droppers open it for modification. The config\systemprofile paths are the LocalSystem profile, which shows the powershell.exe instances ran as SYSTEM.
Suspicious use of SetThreadContext (2 IoCs)
description                          pid   Process           procid_target
PID 1848 set thread context of 2184  1848  mrsokkcqisuu.exe  190
PID 1848 set thread context of 652   1848  mrsokkcqisuu.exe  191
PID 652 is the process whose memory later matches the xmrig and upx rules (see "XMRig Miner payload" above), so mrsokkcqisuu.exe is acting as the injector for the miner.

upx (14 IoCs)
All fourteen hits are the same region of PID 652 (0x140000000-0x140835000) as the XMRig hits, at sequence numbers 613-619, 621-626 and 628.
resource                                                                       yara_rule
behavioral1/memory/652-614-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-615-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-616-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-619-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-618-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-624-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-621-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-625-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-623-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-622-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-617-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-613-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-626-0x0000000140000000-0x0000000140835000-memory.dmp    upx
behavioral1/memory/652-628-0x0000000140000000-0x0000000140835000-memory.dmp    upx
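The SetThreadContext records and the memory-dump yara hits tell one story when read together: mrsokkcqisuu.exe (PID 1848) set the thread context of PIDs 2184 and 652, and PID 652 is the process whose region at 0x140000000 matches both the upx and xmrig rules. The Python below is an added example, not part of the report. It parses the dump names the report uses in its IoC tables (pid-seq-start-end), groups hits by memory region, and joins them to the injection records; the input lists are copied from the tables above. The "default x64 image base" note is an inference added here: 0x140000000 is the default ImageBase for 64-bit executables, so a region starting there is a whole PE image that was mapped, not a shellcode stub.

```python
import re

# Memory-dump resource names follow the pattern used in the report:
#   behavioral1/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"behavioral\d+/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# Default ImageBase of 64-bit PE executables (assumption used for the note below).
DEFAULT_X64_IMAGE_BASE = 0x140000000

# Subset of the yara hits and SetThreadContext records from the report's tables.
YARA_HITS = [
    ("behavioral1/memory/652-619-0x0000000140000000-0x0000000140835000-memory.dmp", "xmrig"),
    ("behavioral1/memory/652-614-0x0000000140000000-0x0000000140835000-memory.dmp", "upx"),
    ("behavioral1/memory/1568-418-0x0000000000DF0000-0x0000000000E3A000-memory.dmp", "family_redline"),
    ("behavioral1/files/0x00280000000451f9-415.dat", "family_redline"),
]
SET_THREAD_CONTEXT = [  # (source pid, source image, target pid)
    (1848, "mrsokkcqisuu.exe", 2184),
    (1848, "mrsokkcqisuu.exe", 652),
]


def parse_dump_name(resource):
    """Decode pid and address range from a memory-dump resource name, else None."""
    m = DUMP_RE.fullmatch(resource)
    if m is None:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "start": start, "end": end, "size": end - start}


def correlate(yara_hits, set_thread_context):
    """Group memory hits per (pid, region) and attach the injector, if any."""
    injectors = {tgt: (src, name) for src, name, tgt in set_thread_context}
    regions = {}
    for resource, rule in yara_hits:
        info = parse_dump_name(resource)
        if info is None:
            continue                       # on-disk hit: belongs to file triage
        key = (info["pid"], info["start"], info["end"])
        region = regions.setdefault(key, {
            "pid": info["pid"], "base": info["start"], "size": info["size"],
            "rules": set(), "injected_by": injectors.get(info["pid"]), "notes": [],
        })
        region["rules"].add(rule)
    for region in regions.values():
        if region["injected_by"] is not None:
            src, name = region["injected_by"]
            region["notes"].append(
                f"thread context set by {name} (pid {src}): payload injected, not loaded from disk")
        if region["base"] == DEFAULT_X64_IMAGE_BASE:
            region["notes"].append("region starts at the default x64 PE image base: a whole image was mapped here")
        if "upx" in region["rules"] and len(region["rules"]) > 1:
            region["notes"].append("packer and family rules in one region: consistent with a UPX image that unpacked itself in memory")
    return sorted(regions.values(), key=lambda r: r["pid"])


def uncovered_targets(yara_hits, set_thread_context):
    """Injection targets with no memory yara hit at all: candidates for a manual dump."""
    hit_pids = {parse_dump_name(r)["pid"] for r, _ in yara_hits if parse_dump_name(r)}
    return sorted({tgt for _, _, tgt in set_thread_context} - hit_pids)


if __name__ == "__main__":
    for r in correlate(YARA_HITS, SET_THREAD_CONTEXT):
        print(f"pid {r['pid']}: 0x{r['base']:X} +0x{r['size']:X} rules={sorted(r['rules'])}")
        for note in r["notes"]:
            print("   ", note)
    print("targets without memory hits:", uncovered_targets(YARA_HITS, SET_THREAD_CONTEXT))
```

Two practical points fall out of running this over the report's data: the RedLine hit in loasder.exe (PID 1568) has no injector and sits at a normal low address, so it is the stealer running in its own process, while PID 2184 was hollowed but never produced a memory match, which is the one to dump and inspect by hand. PIDs are reused over a sandbox run (652 is also listed as an sc.exe instance), so in a real pipeline the join should be keyed on (pid, process start time), not pid alone.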
Drops file in Program Files directory (2 IoCs)
description                   ioc                                                                                                      Process
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1d77e301-947f-4338-99af-ff782a6cb2cf.tmp  setup.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241025215804.pma                        setup.exe

Launches sc.exe (14 IoCs)
sc.exe is a Windows utility to control services on the system.
pid   Process
5084  sc.exe
3660  sc.exe
652   sc.exe
2100  sc.exe
448   sc.exe
2608  sc.exe
3164  sc.exe
2140  sc.exe
2348  sc.exe
4548  sc.exe
1252  sc.exe
688   sc.exe
4588  sc.exe
2664  sc.exe
Several of these PIDs (652, 688, 2140) are also listed for other images elsewhere in this report (the SetThreadContext target, a powercfg.exe instance, downloadedFile.exe): the sandbox reuses PIDs over the run, so correlate by image and time rather than by PID alone.
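powercfg and sc.exe are both legitimate tools, so the signal under "Power Settings" and "Launches sc.exe" is in the arguments: timeouts set to zero or hibernation switched off, followed by a service created from a user-writable path, which is the usual persistence chain around a miner. The report lists process IDs but not command lines, so the sample command lines below are constructed (PIDs, service names and paths are invented for illustration). The Python is an added example, not part of the report, showing how a triage script tags each command line and derives a verdict for the whole session.

```python
import re

# Constructed command lines (PIDs, service and path names invented for this
# example); the report lists only process IDs for powercfg.exe and sc.exe.
SAMPLE_COMMANDS = [
    (4001, "powercfg.exe", "powercfg /x -hibernate-timeout-ac 0"),
    (4002, "powercfg.exe", "powercfg /x -standby-timeout-dc 0"),
    (4003, "powercfg.exe", "powercfg -h off"),
    (4004, "powercfg.exe", "powercfg /list"),
    (4005, "sc.exe", "sc stop OldUpdateSvc"),
    (4006, "sc.exe", "sc delete OldUpdateSvc"),
    (4007, "sc.exe", 'sc create WinHostSvc binpath= "C:\\ProgramData\\WinHost\\svc.exe" start= auto'),
    (4008, "sc.exe", "sc query wuauserv"),
    (4009, "powershell.exe",
     "powershell -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\\ProgramData\\WinHost'"),
]

POWERCFG_TIMEOUT_RE = re.compile(
    r"-(?:standby|hibernate|monitor|disk)-timeout-(?:ac|dc)\s+0\b", re.IGNORECASE)
POWERCFG_HIBERNATE_OFF_RE = re.compile(r"(?:^|\s)[/-]h(?:ibernate)?\s+off\b", re.IGNORECASE)
BINPATH_RE = re.compile(r'binpath=\s*(?:"([^"]+)"|(\S+))', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp|Public)\\", re.IGNORECASE)
MP_TAMPER_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion\w*|Disable\w+)", re.IGNORECASE)


def sc_verb(cmdline):
    """Return the sc.exe verb, skipping an optional \\\\server argument."""
    toks = cmdline.split()
    i = 1
    if len(toks) > i and toks[i].startswith("\\\\"):
        i += 1
    return toks[i].lower() if len(toks) > i else ""


def classify_command(image, cmdline):
    """Return the set of technique tags one command line exhibits."""
    tags = set()
    name = image.lower()
    if name == "powercfg.exe":
        if POWERCFG_TIMEOUT_RE.search(cmdline) or POWERCFG_HIBERNATE_OFF_RE.search(cmdline):
            tags.add("power_timeouts_disabled")
    elif name == "sc.exe":
        verb = sc_verb(cmdline)
        if verb in ("create", "config"):
            tags.add("service_install")
            m = BINPATH_RE.search(cmdline)
            if m and USER_WRITABLE_RE.search(m.group(1) or m.group(2)):
                tags.add("service_binary_in_user_writable_path")
        elif verb in ("stop", "delete"):
            tags.add("service_stop_or_delete")
    elif name in ("powershell.exe", "pwsh.exe"):
        if MP_TAMPER_RE.search(cmdline):
            tags.add("defender_exclusion_or_disable")
    return tags


def triage(commands):
    """Tag every command line and derive one verdict for the session."""
    hits, all_tags = [], set()
    for pid, image, cmdline in commands:
        tags = classify_command(image, cmdline)
        all_tags |= tags
        if tags:
            hits.append((pid, image, sorted(tags)))
    if {"power_timeouts_disabled", "service_install"} <= all_tags:
        verdict = "coin-miner style persistence chain (powercfg + sc)"
    elif all_tags:
        verdict = "suspicious LOLBin use"
    else:
        verdict = "no LOLBin abuse pattern"
    return hits, sorted(all_tags), verdict


if __name__ == "__main__":
    hits, tags, verdict = triage(SAMPLE_COMMANDS)
    for pid, image, t in hits:
        print(f"{pid:>5} {image:15} {', '.join(t)}")
    print("verdict:", verdict)
```

The session-level verdict is the part worth keeping: a single `sc create` or a single `powercfg /x` is ordinary administration, while the two together, plus a Defender exclusion, in one short window is the shape this report shows.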
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  downloadedFile.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  loasder.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                    Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                        taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                     taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
All three reads come from taskmgr.exe, not from the dropped executables.

Enumerates system info in registry (2 TTPs, 6 IoCs)
description        ioc                                                           Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Modifies data under HKEY_USERS (50 IoCs)
Every entry is under \REGISTRY\USER\.DEFAULT\Software, the hive mapped for the LocalSystem account; together with the config\systemprofile paths under "Drops file in System32 directory" this shows powershell.exe running as SYSTEM. Only empty certificate-store containers and Internet Settings zone-map values are created, and no certificate or CRL data is written, which is consistent with first use of the crypto and WinINet stacks under that account rather than trust-store tampering.

Key created by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (24):
  CA, CA\Certificates, CA\CRLs, CA\CTLs
  Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
  Root, Root\Certificates, Root\CRLs, Root\CTLs
  SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs
  trust, trust\Certificates, trust\CRLs, trust\CTLs
  TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Key created by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\ (16):
  CA, CA\Certificates, CA\CRLs, CA\CTLs
  Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs
  trust, trust\Certificates, trust\CRLs, trust\CTLs
  TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs
Key created by powershell.exe (2):
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int) by powershell.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (4):
  ProxyBypass = "1", AutoDetect = "0", IntranetName = "1", UNCAsIntranet = "1"
Key created by conhost.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ (4):
  ROOT, Root\Certificates, Root\CRLs, Root\CTLs
Modifies registry class (1 IoC)
description  ioc                                                                                  Process
Key created  \REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process              hits
4248  msedge.exe           2
236   msedge.exe           2
968   identity_helper.exe  2
888   msedge.exe           2
3528  taskmgr.exe          remaining 56 hits, shared with 1568 loasder.exe
1568  loasder.exe          (see above)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (28 IoCs)
pid   Process     hits
236   msedge.exe  16
4784  msedge.exe  12

Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid   Process         Token(s) enabled
3528  taskmgr.exe     SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege, 33, SeIncBasePriorityPrivilege
4492  7zFM.exe        SeRestorePrivilege, 35, SeSecurityPrivilege
1568  loasder.exe     SeDebugPrivilege, SeBackupPrivilege, SeSecurityPrivilege (x4)
3284  powershell.exe  SeDebugPrivilege (x2), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
1876  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
1900  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
4720  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
3328  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
968   powershell.exe  SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
3212  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
4288  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
4032  powercfg.exe    SeShutdownPrivilege, SeCreatePagefilePrivilege
688   powercfg.exe    SeShutdownPrivilege
The numeric entries are privilege constants the report did not resolve to names (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege). PID 968 is listed here as powershell.exe and in the process tree as identity_helper.exe: the PID was reused during the run.

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process     hits
236   msedge.exe  64

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process      hits
236   msedge.exe   64 hits in total, shared with 3528 taskmgr.exe
3528  taskmgr.exe  (see above)

Suspicious use of WriteProcessMemory (64 IoCs)
All 64 writes are by PID 236 (the top-level msedge.exe) into its own child processes:
target pid  target process (from the process tree)  procid_target
4640        msedge.exe, crashpad-handler            82
2436        msedge.exe, gpu-process                 83
4248        msedge.exe, network service             84
4772        msedge.exe, storage service             85
This is consistent with the Chromium browser process initialising its sandboxed children, not with injection by the sample.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
The excerpt below covers the Edge session that opened https://www.deushack.site/. Indentation shows parent/child depth; the dropped executables listed under "Executes dropped EXE" are outside this excerpt.

PID 236  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.deushack.site/
  signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  PID 4640  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffea25346f8,0x7ffea2534708,0x7ffea2534718

  PID 2436  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

  PID 4248  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 4772  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8

  PID 2808  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1

  PID 3000  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

  PID 2192  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8

  PID 4700  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    signatures: Drops file in Program Files directory

    PID 4504  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff70d655460,0x7ff70d655470,0x7ff70d655480

  PID 968  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 3304  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

  PID 4580  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

  PID 3324  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6648 /prefetch:8

  PID 1068  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1

  PID 2932  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1

  PID 3744  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1

  PID 4024  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

  PID 920  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1

  PID 888  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 2160  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

  PID 2956  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1

  PID 4732  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

  PID 2964  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1916 /prefetch:12⤵PID:872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵PID:3676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,5816881355852410639,8203205002604771671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:12⤵PID:1084
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4164
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3296
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3528
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3264
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Deushаck.rar"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492
-
C:\Users\Admin\Desktop\Deushack.exe"C:\Users\Admin\Desktop\Deushack.exe"1⤵
- Executes dropped EXE
PID:4240 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "C:\GoogleUpdater\downloadedFile.exe"2⤵PID:4176
-
C:\GoogleUpdater\downloadedFile.exeC:\GoogleUpdater\downloadedFile.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Users\Admin\AppData\Roaming\7y8.exeC:\Users\Admin\AppData\Roaming\7y8.exe4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵PID:3176
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵PID:2168
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
PID:3164
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
PID:5084
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
PID:1252
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
PID:652
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
PID:3660
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1876
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:1900
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "PRLFGWLL"5⤵
- Launches sc.exe
PID:2140
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "PRLFGWLL" binpath= "C:\ProgramData\rueaofxgkvha\mrsokkcqisuu.exe" start= "auto"5⤵
- Launches sc.exe
PID:688
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog5⤵
- Launches sc.exe
PID:448
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "PRLFGWLL"5⤵
- Launches sc.exe
PID:2100
-
-
-
C:\Users\Admin\AppData\Roaming\loasder.exeC:\Users\Admin\AppData\Roaming\loasder.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568
-
-
-
-
C:\ProgramData\rueaofxgkvha\mrsokkcqisuu.exeC:\ProgramData\rueaofxgkvha\mrsokkcqisuu.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:1848 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:968
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵PID:3660
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵PID:4248
-
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc2⤵
- Launches sc.exe
PID:4588
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:2664
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv2⤵
- Launches sc.exe
PID:2348
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits2⤵
- Launches sc.exe
PID:4548
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc2⤵
- Launches sc.exe
PID:2608
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3212
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:688
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵PID:2184
-
-
C:\Windows\system32\conhost.execonhost.exe2⤵
- Modifies data under HKEY_USERS
PID:652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4784 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffea25346f8,0x7ffea2534708,0x7ffea25347182⤵PID:3180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵PID:2596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵PID:4320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:82⤵PID:3936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵PID:3776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3884 /prefetch:12⤵PID:2460
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:12⤵PID:4520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:12⤵PID:1288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:12⤵PID:2948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵PID:5128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵PID:5232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:12⤵PID:5412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:12⤵PID:5420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵PID:5516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:82⤵PID:5524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,1334066609397228759,14514991188139983103,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:12⤵PID:5764
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2400
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2948
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter 1
PowerShell 1
System Services 2
Service Execution 2
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
4.1MB
MD5d559b3c90972d311fa737089620420e6
SHA14c1ff09b0d36286560a16bc05e948f3c220707eb
SHA256177f740198afcbbbecc5ccb674109149d27465f71e6c4cc71877985d69cc4f76
SHA512ab030da56b36227d2c3dd66edb6bb53f0352e626587e7e0dd181f46c48c1233b42642fd296a89b004ebb83e36dbb69d757a536c089ae9cc8a4530a1d60951ee9
-
Filesize
152B
MD53ee478f7c4d2926598847a63b220a6ef
SHA1fea53168560635616d2056895ee7425121fd0c46
SHA256f2af168c642988d69fe11a5aa64ba9a926cf64abb7784d138f2b5611705eb64c
SHA512ee2de378f48994411795d4be064f1ecdace8d8fee9df49de89adc1bea70d0d2883bc599c60fe7af43c065aa7594242bd6ccbd8ad08748edb40fc370721547f28
-
Filesize
152B
MD52905b2a304443857a2afa4fc0b12fa24
SHA16266f131d70f5555e996420f20fa99c425074ec3
SHA2565298bdb27d48c2c2b5e67bdd435445ef5b06d9b36c11394705b413ff3d0f51f3
SHA512df85de0c817350d8ca3346def1db8653aaee51705822b4c4484c97e7d31282a2936fa516d68c298dcbbb293b044aa7101b3de0c7852c26e98ac6c91415162b53
-
Filesize
152B
MD5f5391bd7b113cd90892553d8e903382f
SHA12a164e328c5ce2fc41f3225c65ec7e88c8be68a5
SHA256fd9710650fc6774ce452b01fb37799cd64d3cdc282ac693e918e38322349fe79
SHA51241957bea3e09c2f69487592df334edc6e3e6de3ab71beb64d9b6d9ce015e02a801b4215344d5d99765abe8ab2396394ac4664fced9f871204453a79463cc7825
-
Filesize
152B
MD5a1fba4d8d68e0c7224a6edfb3c9a88d4
SHA16583c4f642031061bf8758e9346ef29750d08267
SHA256396858084220b274149d1b6513adf7b1fa83ee05c48e4ca4599d2f4d181f6327
SHA5126d96e8646c9fb7510ec282d3a7542a3885de6fda8f932492a08bb98681389fd6b9f25e0c5f6bda60051b14f6e0aaaff54a39a5c3f259d99443db8aa597fdcc7b
-
Filesize
152B
MD5ebf4e8f7179369a96435cdafbb270596
SHA150efe8d38c7099e403f1eedb59879d78f8c5f46f
SHA25619ef1b5c40b1bdbbb7a7642ed738e666a0dff762507620f7b460c3a8bdffe7bd
SHA5129d69ac02542b8cfd60b746eda508cdbce3ed4d7dd32a143b10f74cefeffc0a17de1af0bf1d0ceb5fe3a8b7c84711b55bb186952110c848634cd33e1905656146
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD5d04bca040bfd5a50ac2e9e5877e0744f
SHA14fdacd37c60985cbdd20b57db31f8ddfedc93fe9
SHA2560e24ee7d8c6f3e98c460b2c3a8d806b00562df0224bc47fdb5e1c27e02582a77
SHA512008d656f179a0f8778fa0dd57ef1afee11088ef3579f2a9d31b71cb51d94b13df749a7aba090d021dd0d8db4d2be4e31e1156ffc6ee076141f98fa212025f8ea
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5d741fa8623245d0fe5c6b027ce6936a6
SHA17cb3979a948582ed7cfbce3cd61e8bde247644d6
SHA256055a2aa340f17ec59f0cd3ff0cad65c672de5a9794bcc4cffe324be611f3277c
SHA512bb287f975a5640aee2e2acb8dde9f87d3a7744e03eb286308033ab7fe1d0f13fae05e2a4f4b78d1bd94e47355d486ee55926b8a6cb783bef722f84fccff105d4
-
Filesize
28KB
MD5db08b2b1d48630a3260ff542435353eb
SHA11bdaff791eb5732e53d13233a547605d18b04150
SHA2569c819cc9e55e5ddea3eba31d7286521215aa36a1256323d18147608faa3106ff
SHA512994b1cad525fa90292bb76a38469b108d2ac5522607ee6b0652597f51694d12bbdb26a76e80d19390e4fc41b9728a0c13d9d0996fa3827db03e147af1fc95c71
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
20KB
MD52d9aaa195a068184866c263e91079992
SHA1e803572c6b55c3b99688f32d5e6d3c09e52f46f0
SHA256eb2a589298a8e07dda1b7db4816984c9bf37c706baaebefef9aabb15333cd268
SHA512b00c0106c4c5e5a2898465ee16b3a920c8d2438a8e7cb1da46c74f34fd54db5df9b7e4efcf91bc0a2acd3cf3b08a7dc5b51f924990bbc7237b40a22e19357eca
-
Filesize
16KB
MD57a5b65e002e6d3c1d2b484e6af8be446
SHA17b430507a16b361b697a70147bb6bc5a37b0bfa8
SHA2562d720d78bd59faa8d9dfbb495268781fa60265800e8cfe7228ea758b1d9df6df
SHA512112b6fb4df40169b80a44e7ea82b262878f373f6388ceac8681719ecfa7216589ef28e8561e2c697504b274ab0e576f8c1b24d2a7f9f110e56e4a58000f57639
-
Filesize
132KB
MD55258cff539f9d032261e3c4f223445bb
SHA11ee83bf54957886a853be59d0497475ba9c3c597
SHA2560aa3fdc44a61f8aba876f99c902522acf7b1afa65fa187c60bb7821c80909493
SHA5125c5b3f49aa851b9ed79c64cd7a347dbe8f0294f5c49e06bd42e2ed23c6c54a70566ca20ebe8010d19f2197a559c07567e45ff0933b288d26d570b3886d1539d2
-
Filesize
52KB
MD507eb33d20eb4cc66d89f144ca37496df
SHA1c2a87aa3b8bcdfbce91173cae1e230edc912afdd
SHA256356ce63bd39d2a534092abfc1a3c7ac76cbe0e1d4a63ea6263bb71040add671e
SHA5129e553392564323e0200ff15a0a2ee4ffe78062528608792c4b53ebab3c75b25f10012ee567ffc1bbaec404fab27b8c3b09cdd62488d9890bb55b6ea9225c0fb1
-
Filesize
896B
MD59578740aeb7f1dbe5f3dbd56dc518381
SHA1eaeb9a93fb25580b24fd673185e522d7de52046f
SHA256fad50e585aeb145b095fc7df2f103fecfc891cdf6ee21086b66128715cecd46f
SHA5128a04d4b94ad0ace37245fd8a545849780b76ce2ba1725471d61842d657e01b6cbab9338a555054d8cf6ae976d080a406157b07e62945d08c1bc953e62ec08171
-
Filesize
293B
MD534acc58095d7ee5e2bffe355c907e7db
SHA1136fe809a7fa6ac2ba6a4fe7654e7f254710f109
SHA256d6dcef101f72f3c4fae7dc42f4d2fd6bf01cbd2f228ca25a1b7225839fc8fa35
SHA5125b511e019dde6d6bb910cd5362a02cf47dd532df78e4d30bb51b77bb02df1401b27ecb8a0289619570eb6ee1c8a4e72daac10024a46b164836d482ee702006a6
-
Filesize
4KB
MD557a6b09bec8205e519cd6781eddea929
SHA19f32d77e68a28efc143b65652cd6a028342f51e1
SHA256fb9bd14d0fce3b33a48b7db721332da81b864037a6b60d6c1cc977e332371a43
SHA51214bb774c91907445cc541304e3835c64f559b4ca77fc31f508db09471e9e7a74f3aa0d28e6c7e33baca9a6b105730b6f811c105527e5443ceddf3995179d42ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe5f4465.TMP
Filesize59B
MD52800881c775077e1c4b6e06bf4676de4
SHA12873631068c8b3b9495638c865915be822442c8b
SHA256226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b
-
Filesize
8KB
MD5d78ab36f4314bad38b1b59827577d163
SHA18affff09a5251a498dd4592565b0fb5be53113f5
SHA2568a934fc63f88d80347e78c583402b06cb11bec79c1097a3201a7f97dab5afc42
SHA512955e65daeb709f1b9921129a01e3fdf38be6d74d3c5e2e88186ab415504db8439310f9ffaf39beca23d1187ddb95d8f25c84a63ac51b4eed5292e4126e000b20
-
Filesize
8KB
MD5fcaa085e2c3c4f8fc96fa3c9916b036f
SHA14206fdce81060a005f08a7f52895d6f2ab36674d
SHA2561ea478646c84cdc5ae028d08f01c04e3312e8805f06eb69096cd2294daa36cf5
SHA512209f76c66253e935775808246711469caa90f7b047769b4bbb3feb2bc6cb2679db39ddb6f7885ee86b0deafa75862281d020599aa559b606cc5d6dab23f5674d
-
Filesize
5KB
MD50e80df8e8021093a289dfece83ae6034
SHA116046f8354383c5494b3d12aa1f3ffae3784f440
SHA256b51a7226ea45916ced2c52ed8d845db8cb28523e6f590857bf07d58f4604607b
SHA51261de9d19a82b398bec60c291ff989806707f8140579eafa9feb501c31b8a920a1a179aae19fde90b9a3c17b961dc8acf5af97fac426c3b6924ddf548f59c82e7
-
Filesize
8KB
MD51c08a4c8ce0c3c620f422ea2d2f4359d
SHA114b03540b4a4894ac4a18aaa545eecab8eee1699
SHA256feaea0b03d8f2aa582aac91a66dc8695f5fe5c6acb7c2540323824f2a9bc1bba
SHA51207bdec38bfeee3ef35a483711fa86e4e5434d1fb8848a2b257c3a0ddcf48ab964ee083fc7d74af3346f97e2074e050a1f64869e1ba356df6ec02456259b3d71d
-
Filesize
8KB
MD5d0955a87569b75b50f045dc512fd9d8b
SHA10b63345ba311e6ca5dcb650999a1bb0e597adb37
SHA256cc586ce72618287c63c8ca3c6ea0c61ee13e0581f44eab8e6aadca59453f8eef
SHA5127eb57f274727e11459195c6486e1657b8fb55e024e8aaa0a511061646df2499c3d646c4beb6c6b1eae47a03795c849d40bb11548c5f1bad306f291f3bc9ebc88
-
Filesize
8KB
MD59c6b0f4badcc2d642724f76cc22b507d
SHA14bfc92a7c1d982a2fd4b12e1f85235e3007c1408
SHA2569db8377616ccae5865be13b05bef8e519a70a6d768b364216bfa03d5280b6fcf
SHA5124e0146212d73f1026ef2765f823b8cb9a2546630c19e4d984ccde51a8df9c56402bb17392f7f42bcf34883e645c62625c37749b8762f0bfd4e4d8e7ae4dc6c8b
-
Filesize
24KB
MD57ad9709100fb43b77314ee7765b27828
SHA15cd0c406c08c9c1073b0c08169ccaffbd4ef6b98
SHA25604b61824ffce6fdbae4e6a527ae58b85813226ee28fe4d631feb76b5f936a1a9
SHA512fc55ee34b1107e298f2cfcb20dce42b5dbc98a7b68e72ed80a6ea594f66dff6f9e9cb70ad5ccbf5ad2171275f375abac1defd8dad4118afa280cd9c1d9f6a538
-
Filesize
24KB
MD5e122fc93c0ad25d45d09ba51a3e86421
SHA1bb52a7be91075de9d85f4a4d7baeecc3167c871b
SHA256a277c1c6fafd7a44b47d94e4bc3c0337a64a34d252e58722855aab09e6f52bee
SHA51212787aebefd6a5e4584ec8747a78538f948a16b214bdf81302036ae89e2c4563027847236a4770c4f780a9ca0ed03f29b1577bfb6f11feffad85b7a625324bf5
-
Filesize
47KB
MD5328bc922d59d8e8b3cdb4467f90803c7
SHA1d081454b7f310d4a291bb5e5b76e24f29bfcac3a
SHA256277a8180fe4101f51eac07067c07e1ffac5f75d745edc162796c6fba687800f8
SHA5129c07507109222892b2b24b57dec2476a558ce377ca18cd9c46e63c53b32a1302b299c9f170e0623cfc2d0288c92849c3c0fb3a5041b1da86d7674cf98071b185
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize100B
MD56f5c5e935dd4dfb113c91ac0d488d3b3
SHA1b4f1fc84949d4ef54c4200cb46478cb9178e60df
SHA2561642516e48fffa1fca4cbe7e5f9f463412a5634fb18a4ce3001e83c59a47762d
SHA51280caa41eac93b203a02893001240d3acf306640f5d3aa86cd8079dd0b4a92efee1f9de3070963f54870a8918aa18c479c865e38ceb549392ced06050e8580b1d
-
Filesize
347B
MD5d8d1e33fd43989811d0dfc6f4e5199c6
SHA1319d5899b74a92b64c0c7d7c8e56d51a293904b4
SHA2569015f94aa7110ac210450fe28117d4b1d75bc683cfc06ae9b5184f234f4154c4
SHA512e4852da671bcb4da0e4fa124719ae411c0418e7ac4bb671e351be77ca4dba5a0b3ea9581ba188ebc0701c14a67d83840062e8de44d84fcb54589bcfbd297edfd
-
Filesize
323B
MD5a5ab9cb175df313b243a81dec19fae1f
SHA17d480cd0acac4c7864ff0e50ca5751b580f233cf
SHA2564786053ed9719b7ce22486ac46c6b92692cce97ce423f65865c5ffd551a29823
SHA51276f9c2220cfb8bb69d16787b58ba5d47a750a5c0fc2aed1dacdce96f993d57f14873696cdb8f45a8a955e265b70372b6f053a789e3e1ee9c9ce1999dcbf4b99e
-
Filesize
20KB
MD5f44dc73f9788d3313e3e25140002587c
SHA15aec4edc356bc673cba64ff31148b934a41d44c4
SHA2562002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983
SHA512e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7
-
Filesize
128KB
MD53688316aab5f7d33dfd1a4b289fe33d9
SHA157c9afec18bc343063381a806604399bbd41b005
SHA256c712cfb3c9df67bfb33ba975228364b38678d1a1bc8cd80c460b3c7aef141895
SHA512ceebc6d792f281ca0682b263a657805543bb0da4412e0478ae23c1d604c00406b1d612a2fb0cfd76af2147c420bd19a478202ed7657a47af477375b87d356c79
-
Filesize
116KB
MD5caea33ac19a5200d2e0afb0ebbc96da8
SHA15adcb6bf1b4690a907c39e4888c7127696ce250d
SHA2564e64c5f46a0dacb048e1cf732983f5bc61bcf6a338431926607f38b02de0453b
SHA5125ee935703fead33967dcc97c72786c70c6de75610980e30ab732bc23c10c9883e0451e0a66e7b912998d78d69811ea5872426b979ae9211562bd389c4d04113d
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11B
MD5838a7b32aefb618130392bc7d006aa2e
SHA15159e0f18c9e68f0e75e2239875aa994847b8290
SHA256ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA5129e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9
-
Filesize
8KB
MD564c07c2a1a48c105a51c05b021f8e0d5
SHA1a49dd45160718118ae5017960084f3016e51bd95
SHA25655b862008d0fb995e09268f567c712fd3fda98b01608091193ea29d7d729a044
SHA512f717f3fd461c5f11d10892fc40637a5bbec4c7eec640ede475850df6d23cc543f9a8ca81a01c9cee3ca6ce457f3d09b7cafa4771bb963c56ee437e4b6ce21950
-
Filesize
10KB
MD5227e5ea46c2fd4c4bf52496a0d5d2049
SHA110ee686362ca0861d594284188d43c4b69fab2c5
SHA256a24a961864183c75ea26c5c5abe5be641a83afd3f91ae91be43e7bbf5b80666d
SHA512a71432145ab795cb3fb539b9ed6ff702f360574c09b22d3b5a9bb709e77ba45411df5f1c3f0f6aec525f6038516bb439cc5222562a424c19cc285c3eea0371b6
-
Filesize
10KB
MD5229cd7cba1ef3c782daa643d49158633
SHA19f4b458faf24e24bbe346d2cdef5885b0831d3d0
SHA256ab289d638af99727f5cc11b1c505c12110aeabaa6251bf6c5b4c2804b598c80e
SHA51265a1497e94940404694332f162a3ae421cd9f17ca6d2becf3498cbfd1a77ecf808dc95f39b697fb7d021e9620f6cae61075c4eaa5f631cb2b9162a2c9674e664
-
Filesize
10KB
MD556a81174a49144859d08c9a12a216aec
SHA17808fff5d748ceaf42ebe33be6c59c02cb36682b
SHA256d17981d037fa3ff9c16e0dd1d859991463236666c4d48ffc16b657803f80d48f
SHA5128d9f589408a9c41b6d47b5ecb85db6d33fab05dba5273c697592959a2a506f918ac65ec09e8df4b6d7b8753d2be66e149c9f33529679db6e5a6a817261c52064
-
Filesize: 11KB
MD5: f88607651c083f2ae11be79c1a487a84
SHA1: 427d1e483af0616c6fad0fa5d3ee87bde30f2c0c
SHA256: 545ce3406b9448919b465c0b3f464dd4e1e6e51aea54b7aaeef8a3604f9a8fdf
SHA512: 461e8b417a3f6db2098584941656663cc494864b7297635482be11f6f48028ee0685b639b5b3d14fb5fe0697f6defd335594e9f6c11d7cf3268bd66693030ec1
-
Filesize: 81B
MD5: f222079e71469c4d129b335b7c91355e
SHA1: 0056c3003874efef229a5875742559c8c59887dc
SHA256: e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00
SHA512: e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
Filesize: 126KB
MD5: 6698422bea0359f6d385a4d059c47301
SHA1: b1107d1f8cc1ef600531ed87cea1c41b7be474f6
SHA256: 2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
SHA512: d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d
-
Filesize: 40B
MD5: 6a3a60a3f78299444aacaa89710a64b6
SHA1: 2a052bf5cf54f980475085eef459d94c3ce5ef55
SHA256: 61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f
SHA512: c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468
Filesize: 57B
MD5: 3a05eaea94307f8c57bac69c3df64e59
SHA1: 9b852b902b72b9d5f7b9158e306e1a2c5f6112c8
SHA256: a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e
SHA512: 6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0
-
Filesize: 29B
MD5: 52e2839549e67ce774547c9f07740500
SHA1: b172e16d7756483df0ca0a8d4f7640dd5d557201
SHA256: f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32
SHA512: d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982
Filesize: 450KB
MD5: e9c502db957cdb977e7f5745b34c32e6
SHA1: dbd72b0d3f46fa35a9fe2527c25271aec08e3933
SHA256: 5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4
SHA512: b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 5.0MB
MD5: bd082d20b0d503af6189f01893bf278f
SHA1: d86c3fc675b89f6b896f4e33febdfe758932e855
SHA256: 5829af5f5c25d300c253d1655935bb8ea7c18068e4a76536a2ddc71c011fc9e8
SHA512: 6f012e4b6db007394192287b7bf72eb3318ea2e8ee478fbacb139dd2b8ed6fd3fdebb10a1e580b2c935d5f1c72fa2d7773f0d77a71f4831f60e6330c806932ae
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 5d468a3c2d89045a6d3f228e7345c191
SHA1: f76b3db110836c48f1866ba591dd7bf67de70bf6
SHA256: 8432c5dc2c5d01b661fdb532340c42bc0d254ecaab9d3f710e31a8579a359534
SHA512: 84b58cefc37a139606db9f266c0b3ec0b3d97aea2c375e5287744f393f7a51ef90701c7866e08fcdadc2fff0004b105c29cfc5edd4a2f1481834aa63a71abcca
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: 8337e1df3bc7e8333bc3a4d0f551efe3
SHA1: 51abd2a2f21615e4c676d9e541750faa292c2af5
SHA256: 2b16b9a6eaeff48cc9b004b825a1334796d3e742514a2358c3ad8a545483803b
SHA512: 5141f32f46f711f40356f197e9a812e70595a430ca40299c19b230f048d158fa10f5e9f535fcf618c1029b0f349118dfd67fdeb434e8efbcb7565fb0d4b50aa8
-
Filesize: 275KB
MD5: 7186bce1f86503fe86e67c46defd400a
SHA1: 737eb7becd01fd21b9db5c94e6fb20c9ba4dd960
SHA256: 1aeec278d38b426366a13214ce235f939c5f8cefc5cd3745408459d032edd07a
SHA512: 897ec3536dfc6e20718af45d327798d32205ea565be8b2ec4fa502424a833d5fcbd542b924ebd2983d117e3049627e8bc320f65c78b1617a97ee58096943496c
-
Filesize: 30.1MB
MD5: c1e69734163765fda325daccd1739a98
SHA1: 3eca28110d3a3066b4b8eb6c4bf3a9db34d5c06c
SHA256: 9ea04c533440e357e0502fb2de65317e40f09d597873ef5eb3066810dee1fa40
SHA512: d5982364a289023c4dec4ddac283a277048dea73b614287c2a16d3efb462b81f92daa88afc8ac7659b84808af2ecde215323b738beac791839b506a14723c895
-
Filesize: 11B
MD5: b85cea940bcf4f1db5bba3dbcc82ddab
SHA1: 8b01016b7961486fa2b5a87629e8b8aa7495d4fd
SHA256: aa033ecc9fcad4b608962281cf28bcf94faa7e0ed80241ca5fb6f6199c2fcdba
SHA512: bad64cd8543edf91a3b1718619f6f881dbe21e895b9cc293dd2358c0732b08c6c196c250b7d781640c53d37b98de7f895b86c2faf66eb52a1b97ddd493dab62b
-
Filesize: 9.0MB
MD5: 39dc8c924bb4f9d5b69629ef1289e0e3
SHA1: 2aed3f40c335aaf663f0f7eeb83322818e69fbc0
SHA256: d0d840228a4bd41d414084909c10a888be1a4571d206c72b60c93ef7fc559f51
SHA512: d6025e9b1f6e9caab561b71446bc2559e806e6fb4ed4d30f4d712ebc1386430006c3f6d42c8c3451ef43c5b0416922634817883d3483ad9b0a5f203705d17bd7
-
Filesize: 3KB
MD5: 2d29fd3ae57f422e2b2121141dc82253
SHA1: c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256: 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512: 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68