Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
109s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
28/11/2024, 00:55
Static task
static1
URLScan task
urlscan1
General
Malware Config
Extracted
quasar
1.4.1
SGVP
192.168.1.9:4782
150.129.206.176:4782
Ai-Sgvp-33452.portmap.host:33452
a35ec7b7-5a95-4207-8f25-7af0a7847fa5
-
encryption_key
09BBDA8FF0524296F02F8F81158F33C0AA74D487
-
install_name
User Application Data.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windowns Client Startup
-
subdirectory
Quasar
Signatures
-
Quasar family
-
Quasar payload 2 IoCs
resource yara_rule behavioral1/files/0x000400000000072f-978.dat family_quasar behavioral1/memory/10808-980-0x0000000000A60000-0x0000000000D84000-memory.dmp family_quasar -
Blocklisted process makes network request 1 IoCs
flow pid Process 76 1620 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 10808 SGVP%20Client%20Users.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 76 raw.githubusercontent.com 75 raw.githubusercontent.com -
pid Process 10556 powershell.exe 9168 powershell.exe 9644 powershell.exe 10028 powershell.exe 10376 powershell.exe 10572 powershell.exe 11172 powershell.exe 3604 powershell.exe 5540 powershell.exe 4424 powershell.exe 4556 powershell.exe 10052 powershell.exe 4736 powershell.exe 5160 powershell.exe 10632 powershell.exe 3648 powershell.exe 7388 powershell.exe 8408 powershell.exe 10364 powershell.exe 7892 powershell.exe 8672 powershell.exe 10672 powershell.exe 10360 powershell.exe 1396 powershell.exe 456 powershell.exe 6604 powershell.exe 7116 powershell.exe 8540 powershell.exe 10688 powershell.exe 5556 powershell.exe 6736 powershell.exe 6720 powershell.exe 8272 powershell.exe 9656 powershell.exe 10996 powershell.exe 11228 powershell.exe 10504 powershell.exe 5684 powershell.exe 1200 powershell.exe 8028 powershell.exe 8156 powershell.exe 7108 powershell.exe 7240 powershell.exe 7760 powershell.exe 924 powershell.exe 1576 powershell.exe 2672 powershell.exe 7124 powershell.exe 1136 powershell.exe 10848 powershell.exe 11248 powershell.exe 5300 powershell.exe 5912 powershell.exe 6336 powershell.exe 9920 powershell.exe 9392 powershell.exe 9524 powershell.exe 9792 powershell.exe 10432 powershell.exe 1624 powershell.exe 6464 powershell.exe 6864 powershell.exe 9064 powershell.exe 6124 powershell.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings msedge.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 98061.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5064 msedge.exe 5064 msedge.exe 4796 msedge.exe 4796 msedge.exe 2256 identity_helper.exe 2256 identity_helper.exe 4128 msedge.exe 4128 msedge.exe 3152 powershell_ise.exe 3152 powershell_ise.exe 1620 powershell.exe 1620 powershell.exe 1620 powershell.exe 4704 powershell.exe 4704 powershell.exe 4704 powershell.exe 5060 powershell.exe 5060 powershell.exe 5060 powershell.exe 1396 powershell.exe 1396 powershell.exe 1396 powershell.exe 924 powershell.exe 924 powershell.exe 924 powershell.exe 1576 powershell.exe 1576 powershell.exe 1576 powershell.exe 4736 powershell.exe 4736 powershell.exe 4736 powershell.exe 3900 powershell.exe 3900 powershell.exe 3900 powershell.exe 2672 powershell.exe 2672 powershell.exe 2672 powershell.exe 1000 powershell.exe 1000 powershell.exe 1000 powershell.exe 1624 powershell.exe 1624 powershell.exe 1624 powershell.exe 456 powershell.exe 456 powershell.exe 456 powershell.exe 5160 powershell.exe 5160 powershell.exe 5160 powershell.exe 5300 powershell.exe 5300 powershell.exe 5300 powershell.exe 5428 powershell.exe 5428 powershell.exe 5428 powershell.exe 5556 powershell.exe 5556 powershell.exe 5556 powershell.exe 5684 powershell.exe 5684 powershell.exe 5684 powershell.exe 5816 powershell.exe 5816 powershell.exe 5816 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3152 powershell_ise.exe Token: SeDebugPrivilege 1620 powershell.exe Token: SeDebugPrivilege 4704 powershell.exe Token: SeDebugPrivilege 5060 powershell.exe Token: SeDebugPrivilege 1396 powershell.exe Token: SeDebugPrivilege 924 powershell.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 3900 powershell.exe Token: SeDebugPrivilege 2672 powershell.exe Token: SeDebugPrivilege 1000 powershell.exe Token: SeDebugPrivilege 1624 powershell.exe Token: SeDebugPrivilege 456 powershell.exe Token: SeDebugPrivilege 5160 powershell.exe Token: SeDebugPrivilege 5300 powershell.exe Token: SeDebugPrivilege 5428 powershell.exe Token: SeDebugPrivilege 5556 powershell.exe Token: SeDebugPrivilege 5684 powershell.exe Token: SeDebugPrivilege 5816 powershell.exe Token: SeDebugPrivilege 5944 powershell.exe Token: SeDebugPrivilege 6076 powershell.exe Token: SeDebugPrivilege 5540 powershell.exe Token: SeDebugPrivilege 5912 powershell.exe Token: SeDebugPrivilege 5628 powershell.exe Token: SeDebugPrivilege 3648 powershell.exe Token: SeDebugPrivilege 1200 powershell.exe Token: SeDebugPrivilege 4424 powershell.exe Token: SeDebugPrivilege 6200 powershell.exe Token: SeDebugPrivilege 6336 powershell.exe Token: SeDebugPrivilege 6464 powershell.exe Token: SeDebugPrivilege 6604 powershell.exe Token: SeDebugPrivilege 6736 powershell.exe Token: SeDebugPrivilege 6864 powershell.exe Token: SeDebugPrivilege 6996 powershell.exe Token: SeDebugPrivilege 7124 powershell.exe Token: SeDebugPrivilege 6420 powershell.exe Token: SeDebugPrivilege 6720 powershell.exe Token: SeDebugPrivilege 7108 powershell.exe Token: SeDebugPrivilege 7116 powershell.exe Token: SeDebugPrivilege 7240 powershell.exe Token: SeDebugPrivilege 7368 powershell.exe Token: SeDebugPrivilege 7500 powershell.exe Token: SeDebugPrivilege 7632 powershell.exe Token: SeDebugPrivilege 7760 powershell.exe Token: SeDebugPrivilege 7892 powershell.exe Token: SeDebugPrivilege 8028 powershell.exe Token: SeDebugPrivilege 8160 powershell.exe Token: SeDebugPrivilege 7388 powershell.exe Token: SeDebugPrivilege 7772 powershell.exe Token: SeDebugPrivilege 8156 powershell.exe Token: SeDebugPrivilege 8136 powershell.exe Token: SeDebugPrivilege 8272 powershell.exe Token: SeDebugPrivilege 8408 powershell.exe Token: SeDebugPrivilege 8540 powershell.exe Token: SeDebugPrivilege 8672 powershell.exe Token: SeDebugPrivilege 8804 powershell.exe Token: SeDebugPrivilege 8932 powershell.exe Token: SeDebugPrivilege 9064 powershell.exe Token: SeDebugPrivilege 9192 powershell.exe Token: SeDebugPrivilege 8520 powershell.exe Token: SeDebugPrivilege 4556 powershell.exe Token: SeDebugPrivilege 9168 powershell.exe Token: SeDebugPrivilege 9044 powershell.exe Token: SeDebugPrivilege 9260 powershell.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe 4796 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4796 wrote to memory of 1120 4796 msedge.exe 82 PID 4796 wrote to memory of 1120 4796 msedge.exe 82 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 4416 4796 msedge.exe 83 PID 4796 wrote to memory of 5064 4796 msedge.exe 84 PID 4796 wrote to memory of 5064 4796 msedge.exe 84 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85 PID 4796 wrote to memory of 4580 4796 msedge.exe 85
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://buzzheavier.com/rysp7yi980jm1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8885846f8,0x7ff888584708,0x7ff8885847182⤵PID:1120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:22⤵PID:4416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:5064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:82⤵PID:4580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵PID:324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵PID:688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:12⤵PID:2792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:12⤵PID:3508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:82⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:12⤵PID:3900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵PID:4648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:12⤵PID:2332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵PID:1264
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:12⤵PID:4596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:12⤵PID:4704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5732 /prefetch:82⤵PID:4608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:12⤵PID:1556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12238212837345736554,1709920309401168130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4128
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4508
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4276
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5028
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Downloads\take3.ps1"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620 -
C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"C:\Users\Admin\Downloads\UrlHausFiles\SGVP%20Client%20Users.exe"3⤵
- Executes dropped EXE
PID:10808
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5428
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6076
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5628
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3648
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6200
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6420
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:7388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:7772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:8672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8804
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:9064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:9192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:8520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:9168
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:9044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Suspicious use of AdjustPrivilegeToken
PID:9260
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:1136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:9644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:9516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:6124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10996
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:11052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:11112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:11172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:11228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10308
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:3604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:11148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:11248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵PID:10336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile2⤵
- Command and Scripting Interpreter: PowerShell
PID:10504
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5ac35fb389d0b8018ad3e7f0442fd3a18
SHA1e0c38eec1a908717e233ae0119a9f623cefaa55b
SHA256625c09887b5da4f9fdc71f04dc3a49d19f365e879b492a788b2cd46d526168cc
SHA5121f25a509ce6fadf13a0db84318d48d652619b576d824b2423acefb1e13461c98d116f135823b2730a9ed6edf339b3ea85953e35a844117c9b46d8908194422e7
-
Filesize
10KB
MD5ff5d944bc3f2f26ca43018ed516a33d8
SHA1f05c9e12262134e0abba58e27950383d29647a69
SHA25668217cd6e09804fde3ac7674044219cfcb4e39efd65e79c306cfcbc11c966777
SHA512c5d5baa8eab26ab0a16363843a876ab9ad7eb03cd9b60e3525189bc7fd4da53abd19ca3aff2dafe6154182f2c05acc38feb14f2ae5fba62fd3a17c9cad7f1c22
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD5219fb2cd45f7664f59dd5740fc1a90eb
SHA1f21ac629e7a4478f966d603ac7a910b024729e29
SHA2566d5d9ab67fbadde169d3567cdffae24d82236594c46aa7ea27baf1130a73f21b
SHA5123a4968ed9ba0b02a30769821199f1c72bf51a5939357fb1803c01287056823104954e866eee4ccc94e47bf2123f06b48df3ddfb8159cdf30e9d4044e1504043e
-
Filesize
565B
MD5ed3ac215cce646ea0c18249bc7b7f996
SHA154cb64db2bf6dfe98cb238d59e0dd4b3b560ec46
SHA2567da847cdd5d0b468d31815dad8ac25a5b27d693d9337a2b689da50f77dae757f
SHA512d813c7f5028551a4b35c3066b5f520877faf34121e777c12c0b7bd70944a698b9c4d92a862c8815d45b993e7a536c6d279c8ac2fbcdf63286ba96047719dd78b
-
Filesize
6KB
MD54cc11d898fca70f2c280e367036c0a2c
SHA1339b7f1b74709a00d34a7d9e0731716db8324fbb
SHA256c10b78884b86a40164787150806e24d926eac82b07eec97903be69adaccf8ca9
SHA512f480e4e6272d5ae5e43bd8d00f0bc7b37d14f032fcda43120d61bfe1b8437dd1f21db255561bb593e35ab6f9a1b13c3ddc84452d1970b528cdf202e03ae54c0e
-
Filesize
6KB
MD532328d237f91c0127ee28dcf5be20c12
SHA16efa94406df5022ae316cbbe52f01db3227a6b97
SHA256f0ec260a0140e92686949bd18dc8fb435bfc01cf6ade39485e918748c8088035
SHA512864b1cf456dfd0c53361fb893786510c1a560d11d577c63bc1ac8f336ab48f45e125f25e2976bc36d2949c6a6236e983065a44eb46001e3667aa028351db4fd1
-
Filesize
7KB
MD527ee20d55dca4507cbf8d6879e4347d9
SHA1591f03012ff6ec859861d005e4cbaca28f011017
SHA25682dc6e959a4251994124ed78fab94b896f7052cd943fea2331f0c585861e9e76
SHA512aa355e1b51691217de1f9e6b0e1036b92498690a4a8be2bba8fb83664ee2125da94009ebd2c3c8e483461b2af1ab917635bedbbbf299eaf74fbcf629c52b5f50
-
Filesize
5KB
MD515fa9a596ab4aeeb4ebda75896a81875
SHA170170d9a8c6ac0bc8483a1ce82afe360e5bd66cc
SHA256531c6717c8d104354c98555df45cd1a87a0769c6201131b92f2105135b4bf3f3
SHA5126236672d020d6a503c16e510b18353c7f5d8001c7c72d956526df8230f6ac86ab78691d15368f34392b2996072fb1a9ad5c23882b348a33f6ce22a1ad9f1064c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5fc52b8edfa4db91e5d7bdf0669166f8f
SHA106fee1cd0f125bc079d3569111b5ce13910ac612
SHA256dbcf185ec544b7401205efabca91c30a33dec1b7e1967fbbd872c0334201b12d
SHA5121124a29f90c9cb387b812757f927a7633abdb4dbf630417eda2296e80e1e6bd5aba9e81e14c20850f3bbd2a24d0cc51aa64a9388c67f825b46e4842b1bb48a42
-
Filesize
10KB
MD5c01a5af8414ab7f11b08ac5ab73e1f6d
SHA1834c0e23d132b051b9bc3d10bf2d4d7adbaab3c8
SHA2563a804e5bcdb734ecfccbfaa3d8dab6412c6335c578010f283539a359bdf1b431
SHA5128499d4750dcc328e023fdc86b49b93e99dafd1e17df1947a681cbe4ee0a234cb390028df74e53b44e0b663b9cabeed465b295f0cdbb60ccc1ca15b2b5e2aba54
-
Filesize
54KB
MD5ede459d5a4b51bcdd4086ebd796e54ac
SHA1d99025c07af9587c9962f6ff27ac4b73f79ca997
SHA256865832a889e1131ebd5af36b2972fc56347c75f9147c6539b2ce534bb561206d
SHA5129294cfcb95ae51aeed55a8318de83e4588ca7281f3b768b345ab6a0bfecc3c2bfe6ead90aadef2dcc8360c56a2ab88a159eadd883bc0875ec8cd9326e3142486
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5038d6cce7742e32e140f7c72a4a45fc9
SHA1cbe5dc7b761aaf8916b0554027e4bd8382bb6fae
SHA2562449f7a205c8929df41325920bce155e59e43f9f85d9aa6e98aebda95013ea31
SHA5124b1aa5856b4ac3a67197d370839e655e756d0f7fa8cb1a79f88e873151b7c0eca0ee373428bd4d71060d917ce7579c3149bd0271a8a20d65a55b2f4271110018
-
Filesize
3.1MB
MD52fcfe990de818ff742c6723b8c6e0d33
SHA19d42cce564dcfa27b2c99450f54ba36d4b6eecaf
SHA256cb731802d3cd29da2c01ffbb8c8ed4ef7de9d91c133b69b974583bede6bfd740
SHA5124f20a27817de94a07071960abe0123277c0607a26de709e2ade201597df71d8c2eec7da353efba94dc6a8369b89db4caeaf9505d02b90dc30c37010a885c3613