Analysis
- max time kernel: 125s
- max time network: 130s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-11-2024 03:18
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/file/d/1hXTJ3DvVeAAyR0qMejNpCnSwG3GA6zFT/view
Resource: win10v2004-20241007-en
General
- Target: https://drive.google.com/file/d/1hXTJ3DvVeAAyR0qMejNpCnSwG3GA6zFT/view
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 7: drive.google.com
  flow 10: drive.google.com
- Delays execution with timeout.exe (2 IoCs)
  PID 4344 timeout.exe
  PID 6044 timeout.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Modifies registry class (1 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PIDs: 2984 msedge.exe, 2984 msedge.exe, 1092 msedge.exe, 1092 msedge.exe, 1416 identity_helper.exe, 1416 identity_helper.exe, 5184 msedge.exe, 5184 msedge.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  PID 1092 msedge.exe (all 10 entries)
- Suspicious use of FindShellTrayWindow (51 IoCs)
  PID 1092 msedge.exe (repeated entries), PID 5200 NOTEPAD.EXE, PID 1976 NOTEPAD.EXE
- Suspicious use of SendNotifyMessage (24 IoCs)
  PID 1092 msedge.exe (all 24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1092 msedge.exe wrote to memory of PID 212 (procid_target 82), repeated entries
  PID 1092 msedge.exe wrote to memory of PID 5040 (procid_target 83), repeated entries
  PID 1092 msedge.exe wrote to memory of PID 2984 (procid_target 84), repeated entries
  PID 1092 msedge.exe wrote to memory of PID 1004 (procid_target 85), repeated entries
Processes
- msedge.exe (PID 1092)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1hXTJ3DvVeAAyR0qMejNpCnSwG3GA6zFT/view
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - msedge.exe (PID 212)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa586746f8,0x7ffa58674708,0x7ffa58674718
  - msedge.exe (PID 5040)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  - msedge.exe (PID 2984)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 1004)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  - msedge.exe (PID 3420)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - msedge.exe (PID 3900)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  - msedge.exe (PID 4796)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  - identity_helper.exe (PID 4472)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  - identity_helper.exe (PID 1416)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 3084)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  - msedge.exe (PID 1816)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6088 /prefetch:8
  - msedge.exe (PID 4760)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  - msedge.exe (PID 2696)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  - msedge.exe (PID 1496)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  - msedge.exe (PID 5164)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  - msedge.exe (PID 5172)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  - msedge.exe (PID 5184)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 5420)
    Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10491030463236287732,7506511161124513750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
- CompPkgSrv.exe (PID 3180)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- CompPkgSrv.exe (PID 4872)
  Image: C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- rundll32.exe (PID 832)
  Image: C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- NOTEPAD.EXE (PID 5200)
  Image: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_my pain.zip\new business\Notice.txt
  Signatures:
  - Suspicious use of FindShellTrayWindow
- cmd.exe (PID 4972)
  Image: C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Copyright 2024\4 reduce services\apply all.bat"
  - timeout.exe (PID 4344)
    Image: C:\Windows\system32\timeout.exe
    Command line: timeout /t 5 /nobreak
    Signatures:
    - Delays execution with timeout.exe
  - reg.exe (PID 4248)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 632)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTAGService" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 3920)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bthserv" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 2780)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lfsvc" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5760)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DiagTrack" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 1372)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HvHost" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5832)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmickvpexchange" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5840)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicguestinterface" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5864)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicshutdown" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5880)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicheartbeat" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5896)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicvmsession" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5912)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicrdv" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5932)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmictimesync" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5984)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmicvss" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5944)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PhoneSvc" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 5956)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 6004)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\QWAVE" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 6032)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysMain" /v "Start" /t REG_DWORD /d 4 /f
  - reg.exe (PID 6024)
    Image: C:\Windows\system32\reg.exe
    Command line: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WSearch" /v "Start" /t REG_DWORD /d 4 /f
  - timeout.exe (PID 6044)
    Image: C:\Windows\system32\timeout.exe
    Command line: timeout /t 15
    Signatures:
    - Delays execution with timeout.exe
- NOTEPAD.EXE (PID 1976)
  Image: C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Copyright 2024\7 reg tweaks\regs\dynamicPstate.txt
  Signatures:
  - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads