Analysis
max time kernel:  1097s
max time network: 1099s
platform:         windows10-ltsc 2021_x64
resource:         win10ltsc2021-20250113-en
resource tags:    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted:        21/01/2025, 12:17
Static task:  static1
URLScan task: urlscan1
Malware Config
Extracted
family:          quasar
version:         1.4.1
botnet/tag:      Office04
c2:              192.168.56.1:4782
mutex:           0cd982cc-54f2-43ee-b31f-dcc762e7f4e7
encryption_key:  1FB7EC82DA3E1ED569E80A26F272CD754A3A5B8A
install_name:    Client.exe
log_directory:   Logs
reconnect_delay: 3000
startup_key:     Quasar Client Startup
subdirectory:    SubDir

Notes on the config: Office04 is the tag Quasar ships with, so the operator left the default. The C2 is 192.168.56.1, a private address (the default VirtualBox host-only network), so this client can only reach a server on the builder's own machine; nothing in this report shows a reachable Internet C2. install_name and subdirectory match the observed drop at C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, and startup_key is the name the client uses for its persistence entry.
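The config above can be turned straight into host and network hunting artifacts. The script below is an added example, not code from the report, the sample or the Quasar project; CONFIG copies the values printed above. Two mappings are assumptions taken from the open-source Quasar 1.4 client rather than from this report: the install path is %APPDATA%\<subdirectory>\<install_name> (which matches the observed drop at C:\Users\Admin\AppData\Roaming\SubDir\Client.exe), and startup_key names the HKCU Run value (non-admin install) or the logon scheduled task (admin install). The log directory is assumed to sit directly under %APPDATA%, and 4782 is assumed as the default port only when a C2 entry omits one.

```python
"""Turn an extracted Quasar client config into concrete hunting artifacts.

Added example; not code from the report, the sample or the Quasar project.
Assumptions (from the open-source Quasar 1.4 client, not from this report):
install path = %APPDATA%\<subdirectory>\<install_name>, startup_key is the
Run value / scheduled task name, logs live directly under %APPDATA%.
"""
import ipaddress
import re

CONFIG = {  # values copied from the Malware Config block of the report
    "family": "quasar",
    "version": "1.4.1",
    "tag": "Office04",
    "c2": "192.168.56.1:4782",
    "mutex": "0cd982cc-54f2-43ee-b31f-dcc762e7f4e7",
    "encryption_key": "1FB7EC82DA3E1ED569E80A26F272CD754A3A5B8A",
    "install_name": "Client.exe",
    "log_directory": "Logs",
    "reconnect_delay": "3000",
    "startup_key": "Quasar Client Startup",
    "subdirectory": "SubDir",
}

DEFAULT_PORT = 4782  # assumption: Quasar's default listener port, used only if an entry has none


def parse_c2(spec):
    """Split 'host:port[;host:port...]' into entries and mark whether each
    host is reachable from the public Internet. Private, loopback and
    link-local addresses mean the client can only talk to a lab machine."""
    entries = []
    for item in re.split(r"[;,\s]+", spec.strip()):
        if not item:
            continue
        host, sep, port = item.rpartition(":")
        if not sep:
            host, port = item, str(DEFAULT_PORT)
        try:
            routable = ipaddress.ip_address(host.strip("[]")).is_global
        except ValueError:
            routable = True  # DNS name: assume it resolves somewhere public
        entries.append({"host": host, "port": int(port), "routable": routable})
    return entries


def hunting_artifacts(cfg):
    """Derive the on-host locations an analyst should look for."""
    sub, name, key = cfg["subdirectory"], cfg["install_name"], cfg["startup_key"]
    return {
        "install_path": "\\".join(["%APPDATA%", sub, name]),
        "log_directory": "\\".join(["%APPDATA%", cfg["log_directory"]]),
        "run_value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + key,
        "scheduled_task": key,
        "mutex": cfg["mutex"],
        "reconnect_seconds": int(cfg["reconnect_delay"]) / 1000,
        "c2": parse_c2(cfg["c2"]),
    }


def triage_notes(cfg, artifacts):
    """Sanity checks worth doing before spending time on the C2."""
    notes = []
    if not any(c["routable"] for c in artifacts["c2"]):
        notes.append("C2 is non-routable: the client cannot beacon from the sandbox (lab/test build)")
    if cfg.get("tag") == "Office04":
        notes.append("tag is the Quasar default: operator did not customise the build")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", cfg["encryption_key"]):
        notes.append("encryption_key is not 40 hex digits: extractor output may be truncated")
    return notes


def summarize(cfg):
    art = hunting_artifacts(cfg)
    art["notes"] = triage_notes(cfg, art)
    return art


if __name__ == "__main__":
    for field, value in summarize(CONFIG).items():
        print(f"{field}: {value}")
```

For this sample the notes flag the non-routable C2 and the default tag; the install path and Run value name are what to search for on other hosts, and reconnect_seconds (3.0) is the retry cadence to expect on the wire when the C2 is unreachable.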
Signatures

Quasar family

Quasar payload (2 IoCs)
resource                                                                      yara_rule
behavioral1/files/0x0029000000046396-775.dat                                  family_quasar
behavioral1/memory/5088-813-0x00000000004F0000-0x0000000000814000-memory.dmp  family_quasar

Executes dropped EXE (16 IoCs)
pid   Process
5088  fortnitevbucks.exe
1324  Client.exe
960   fortnitevbucks.exe
1508  fortnitevbucks.exe
3332  fortnitevbucks.exe
4576  fortnitevbucks.exe
1620  fortnitevbucks.exe
1160  fortnitevbucks (1).exe
1852  fortnitevbucks.exe
1076  fortnitevbucks (1).exe
5084  fortnitevbucks.exe
2496  fortnitevbucks (1).exe
380   fortnitevbucks.exe
2136  fortnitevbucks (1).exe
2008  fortnitevbucks.exe
3744  fortnitevbucks.exe
Each PID is a separate launch of the lure; "fortnitevbucks (1).exe" is the browser's name for a second download of the same file. The first launch (5088) is the one that installed and started Client.exe (1324).

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow  ioc
119   pastebin.com
124   pastebin.com
The report does not attribute these flows to a process, and the extracted config points the client at 192.168.56.1, not at pastebin, so they cannot be tied to the sample from this report alone.

Drops file in Program Files directory (2 IoCs)
description                   ioc                                                                                                     Process
File created                  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e5abac7e-3fd4-418b-8a5c-588de258624a.tmp  setup.exe
File opened for modification  C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250121121810.pma                      setup.exe
Both writes come from Edge's own installer (setup.exe --configure-user-settings in the process tree), not from the sample.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                                   Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                                    taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                                       taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      taskmgr.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description        ioc                                                              Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

All three registry-based checks were performed by taskmgr.exe and msedge.exe, i.e. by the Task Manager and browser used during the session, not by fortnitevbucks.exe or Client.exe. They are not evidence that this sample fingerprints its environment. The disk identity the sandbox exposes (WDC WDS100T2B0A) is a real consumer SSD string, which is the kind of value an evasion check expects to see on a physical machine.
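What a sandbox-aware sample does with these three reads is compare the strings against hypervisor markers. The script below is an added example, not code from the report or the sample: it performs the same HKLM reads the signatures list (only on Windows; elsewhere it falls back to a constructed sample) and runs a deliberately naive marker check over them. VM_MARKERS is a hand-picked list, not exhaustive; in SAMPLE the disk entry is copied from the report and the BIOS values are set to what an unmodified VirtualBox guest reports, which is why a well-built sandbox image overrides them.

```python
"""Hardware-fingerprint reads of the kind the registry signatures describe,
plus the marker matching a sandbox-aware sample applies to them.

Added example; not code from the report or from the sample. Registry paths
are the ones the report lists. VM_MARKERS is hand-picked, not exhaustive.
SAMPLE is constructed: the disk string is the one the report shows, the
BIOS strings are VirtualBox defaults.
"""
import sys

# HKLM paths from the report's signature rows (value name second).
PROBES = {
    "cpu": (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    "bios_vendor": (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
    "bios_product": (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemProductName"),
}
# Subkeys here look like Disk&Ven_WDC&Prod_WDS100T2B0A: vendor and product are in the key name.
SCSI_ROOT = r"SYSTEM\ControlSet001\Enum\SCSI"

VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs",
              "xen", "kvm", "virtual machine", "hyper-v", "parallels")


def classify(values):
    """values: {probe_name: string or None}. Returns {probe_name: marker} for
    every value containing a hypervisor marker; {} means the host looks
    physical to this (deliberately naive) check."""
    flagged = {}
    for name, val in values.items():
        low = (val or "").lower()
        for marker in VM_MARKERS:
            if marker in low:
                flagged[name] = marker
                break
    return flagged


def read_from_registry():
    """Windows only: perform the same reads the report attributes to
    taskmgr.exe and msedge.exe. Returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    out = {}
    for name, (path, value_name) in PROBES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                out[name] = winreg.QueryValueEx(key, value_name)[0]
        except OSError:
            out[name] = None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SCSI_ROOT) as root:
            index = 0
            while True:
                try:
                    device = winreg.EnumKey(root, index)
                except OSError:  # no more subkeys
                    break
                out["scsi:" + device] = device
                index += 1
    except OSError:
        pass
    return out


SAMPLE = {  # constructed; see lead-in
    "cpu": "Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz",
    "bios_vendor": "innotek GmbH",
    "bios_product": "VirtualBox",
    "scsi:Disk&Ven_WDC&Prod_WDS100T2B0A": "Disk&Ven_WDC&Prod_WDS100T2B0A",
}

if __name__ == "__main__":
    for label, data in (("sample", SAMPLE), ("this host", read_from_registry())):
        if data:
            print(label, "->", classify(data) or "no hypervisor markers")
```

Run on a Windows host it prints what the machine leaks; on the constructed sample it flags the two BIOS strings while the WDC disk passes, which is exactly the split the report's sandbox image is built to avoid.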
NTFS ADS (3 IoCs)
description                   ioc                                                                Process
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 693811.crdownload:SmartScreen   msedge.exe
File created                  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe\:SmartScreen:$DATA  fortnitevbucks.exe
File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 226950.crdownload:SmartScreen   msedge.exe
The two .crdownload rows are Edge tagging its in-progress downloads (two of them, matching the "(1)" copy seen above). The middle row is the one that matters: when fortnitevbucks.exe installed itself as %APPDATA%\SubDir\Client.exe, the new file was created with the download's SmartScreen stream attached, which is what a stream-preserving file copy produces. The installed client therefore still carries the marker of having come from a browser download. That is a useful triage handle: an executable in a user-writable directory that still has a SmartScreen or Zone.Identifier stream was copied straight from a download rather than written by an installer.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
2060  msedge.exe (2 entries)
1428  msedge.exe (2 entries)
876   identity_helper.exe (2 entries)
2316  msedge.exe (4 entries)
4104  msedge.exe (2 entries)
2400  taskmgr.exe (all remaining entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2400  taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (30 IoCs)
pid   Process
1428  msedge.exe (all 30 entries)
This is the browser process launching its sandboxed children with the block-non-Microsoft-binaries mitigation, which is normal Chromium behaviour.

Suspicious use of AdjustPrivilegeToken (28 IoCs)
description                 pid   Process
33                          4136  AUDIODG.EXE
SeIncBasePriorityPrivilege  4136  AUDIODG.EXE
SeDebugPrivilege            5088  fortnitevbucks.exe
SeDebugPrivilege            1324  Client.exe
SeDebugPrivilege            960   fortnitevbucks.exe
SeDebugPrivilege            1508  fortnitevbucks.exe
SeDebugPrivilege            2400  taskmgr.exe
SeSystemProfilePrivilege    2400  taskmgr.exe
SeCreateGlobalPrivilege     2400  taskmgr.exe
33                          2400  taskmgr.exe
SeIncBasePriorityPrivilege  2400  taskmgr.exe
SeDebugPrivilege            3332  fortnitevbucks.exe
SeBackupPrivilege           868   svchost.exe
SeRestorePrivilege          868   svchost.exe
SeSecurityPrivilege         868   svchost.exe
SeTakeOwnershipPrivilege    868   svchost.exe
35                          868   svchost.exe
SeDebugPrivilege            4576  fortnitevbucks.exe
SeDebugPrivilege            1620  fortnitevbucks.exe
SeDebugPrivilege            1160  fortnitevbucks (1).exe
SeDebugPrivilege            1852  fortnitevbucks.exe
SeDebugPrivilege            1076  fortnitevbucks (1).exe
SeDebugPrivilege            5084  fortnitevbucks.exe
SeDebugPrivilege            2496  fortnitevbucks (1).exe
SeDebugPrivilege            380   fortnitevbucks.exe
SeDebugPrivilege            2136  fortnitevbucks (1).exe
SeDebugPrivilege            2008  fortnitevbucks.exe
SeDebugPrivilege            3744  fortnitevbucks.exe
The bare numbers are privilege LUIDs the report did not resolve to names (33 is SeIncreaseWorkingSetPrivilege, 35 is SeCreateSymbolicLinkPrivilege). The rows that matter are the SeDebugPrivilege entries for every launch of the lure and for Client.exe; the AUDIODG, taskmgr and svchost rows are ordinary system activity.

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
1428  msedge.exe (repeated entries)
1324  Client.exe
2400  taskmgr.exe (repeated entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
1428  msedge.exe (repeated entries)
1324  Client.exe
2400  taskmgr.exe (repeated entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
2052  SecHealthUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description                       pid   Process     procid_target
PID 1428 wrote to memory of 3864  1428  msedge.exe  84  (2 entries)
PID 1428 wrote to memory of 3516  1428  msedge.exe  86  (repeated entries)
PID 1428 wrote to memory of 2060  1428  msedge.exe  87  (2 entries)
PID 1428 wrote to memory of 4044  1428  msedge.exe  88  (repeated entries)
Every write is the Edge browser process (1428) setting up its own children: 3864 is the crashpad handler, 3516 the GPU process, 2060 the network service and 4044 the storage service (see the process tree). That is how Chromium launches child processes and says nothing about the sample; neither fortnitevbucks.exe nor Client.exe appears here.
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
The report lists no process for this signature. It is consistent with the client registering its startup_key ("Quasar Client Startup") as a logon task, but that attribution is not established here.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Both VSS signatures are likewise unattributed in the report; the only process shown holding backup-related privileges (SeBackupPrivilege, SeRestorePrivilege) is svchost.exe 868.
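The signatures above describe one chain: a browser-launched executable in Downloads, a copy of itself written to %APPDATA%\SubDir with the download's SmartScreen stream still attached, that copy executed, and SeDebugPrivilege enabled from a user-writable path. The detection logic below is an added example, not code from the report or from tria.ge, run over constructed Sysmon-style events. EVENTS is made up to mirror what the report shows (PIDs, paths, the SmartScreen stream on the dropped Client.exe, SeDebugPrivilege on the client) rather than exported from the sandbox; field names follow Sysmon (EventID 1 process create, 11 file create, 15 file-stream create) and the Windows Security log (4703, token privilege adjusted), with PIDs kept as integers for brevity. The benign Edge child process and the Edge installer write are included so the rules can be seen not to fire on them.

```python
"""Detection logic for the execution chain in the report, over constructed
Sysmon-style events.

Added example; not code from the report, tria.ge or the sample. EVENTS is
constructed to mirror the report. Field names follow Sysmon (EventID 1, 11,
15) and the Security log (4703); PIDs are plain integers here.
"""
import re

# Directories an unprivileged user can write to; executing from or dropping
# executables into them is what the rules below key on.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData\\(Roaming|Local)|Desktop|Documents)\\", re.I)
BROWSERS = ("\\msedge.exe", "\\chrome.exe", "\\firefox.exe")
MOTW_STREAMS = (":zone.identifier", ":smartscreen")  # download-marker streams

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
LURE = r"C:\Users\Admin\Downloads\fortnitevbucks.exe"
CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

EVENTS = [  # constructed
    {"EventID": 1, "ProcessId": 1428, "ParentProcessId": 700, "Image": EDGE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 3516, "ParentProcessId": 1428, "Image": EDGE, "ParentImage": EDGE},
    {"EventID": 1, "ProcessId": 5088, "ParentProcessId": 1428, "Image": LURE, "ParentImage": EDGE},
    {"EventID": 11, "ProcessId": 5088, "Image": LURE, "TargetFilename": CLIENT},
    {"EventID": 15, "ProcessId": 5088, "Image": LURE, "TargetFilename": CLIENT + ":SmartScreen"},
    {"EventID": 1, "ProcessId": 1324, "ParentProcessId": 5088, "Image": CLIENT, "ParentImage": LURE},
    {"EventID": 4703, "ProcessId": 1324, "ProcessName": CLIENT, "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 4703, "ProcessId": 2400, "ProcessName": r"C:\Windows\System32\Taskmgr.exe", "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 11, "ProcessId": 1540,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe",
     "TargetFilename": r"C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250121121810.pma"},
]


def detect(events):
    """Return (rule, pid, detail) tuples in event order. The rules are
    narrow on purpose so Edge's own children and installer stay quiet."""
    hits = []
    dropped = {}  # lower-cased exe path written to a user dir -> writer pid
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image, parent = ev["Image"], ev["ParentImage"]
            if parent.lower().endswith(BROWSERS) and "\\downloads\\" in image.lower():
                hits.append(("browser_spawned_download", ev["ProcessId"], image))
            if dropped.get(image.lower()) == ev["ParentProcessId"]:
                hits.append(("self_installed_copy_executed", ev["ProcessId"], image))
        elif eid == 11:
            target = ev["TargetFilename"]
            if (target.lower().endswith(".exe") and USER_WRITABLE.search(target)
                    and USER_WRITABLE.search(ev["Image"])):
                dropped[target.lower()] = ev["ProcessId"]
                hits.append(("exe_dropped_by_user_dir_process", ev["ProcessId"], target))
        elif eid == 15:
            target = ev["TargetFilename"]
            if (target.lower().endswith(MOTW_STREAMS) and ".exe:" in target.lower()
                    and USER_WRITABLE.search(target)):
                hits.append(("motw_carried_to_dropped_exe", ev["ProcessId"], target))
        elif eid == 4703:
            if "SeDebugPrivilege" in ev["EnabledPrivilegeList"] and USER_WRITABLE.search(ev["ProcessName"]):
                hits.append(("sedebug_from_user_dir", ev["ProcessId"], ev["ProcessName"]))
    return hits


def chain_score(hits):
    """Group rule names per PID; a PID hitting two or more distinct rules is
    worth escalating on its own, without the other PIDs' context."""
    per_pid = {}
    for rule, pid, _ in hits:
        per_pid.setdefault(pid, set()).add(rule)
    return {pid: sorted(rules) for pid, rules in per_pid.items() if len(rules) >= 2}


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, pid, detail in found:
        print(f"{rule:34} pid={pid:<5} {detail}")
    print("escalate:", chain_score(found))
```

On the constructed events only 5088 (the lure) and 1324 (the installed client) fire, and both cross the two-rule threshold; taskmgr.exe's SeDebugPrivilege and the installer's write under Program Files do not, which is the attribution the signature tables above leave to the reader.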
Processes
(indentation shows tree depth; renderer and utility children of the browser are listed with the values that differ, their full command lines follow the tree)

msedge.exe  PID:1428
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://asd
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  msedge.exe --type=crashpad-handler  PID:3864
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff9aaa46f8,0x7fff9aaa4708,0x7fff9aaa4718

  msedge.exe --type=gpu-process  PID:3516
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2

  msedge.exe --type=utility network.mojom.NetworkService  (sandbox: none, channel 2448, /prefetch:3)  PID:2060
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe --type=utility storage.mojom.StorageService  (sandbox: utility, channel 2916, /prefetch:8)  PID:4044

  msedge.exe --type=renderer  (client-id 6, channel 3376)  PID:3544
  msedge.exe --type=renderer  (client-id 5, channel 3392)  PID:648
  msedge.exe --type=renderer  (client-id 7, channel 4884)  PID:948
  msedge.exe --type=renderer  (client-id 8, channel 5592)  PID:3440

  identity_helper.exe --type=utility winrt_app_id.mojom.WinrtAppIdService  PID:4008
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8

  setup.exe (Edge installer)  PID:1540
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  - Drops file in Program Files directory

    setup.exe --type=crashpad-handler  PID:2700
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff71d615460,0x7ff71d615470,0x7ff71d615480

  identity_helper.exe --type=utility winrt_app_id.mojom.WinrtAppIdService  (same command line as PID 4008)  PID:876
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe --type=renderer  (client-id 10, channel 6012)  PID:2316
  msedge.exe --type=renderer --instant-process  (client-id 11, channel 5704)  PID:936
  msedge.exe --type=renderer --instant-process  (client-id 12, channel 5584)  PID:3060
  msedge.exe --type=renderer  (client-id 13, channel 5488)  PID:3092
  msedge.exe --type=renderer  (client-id 14, channel 4788)  PID:2660
  msedge.exe --type=renderer  (client-id 15, channel 6168)  PID:4932
  msedge.exe --type=renderer  (client-id 16, channel 5348)  PID:1628

  msedge.exe --type=gpu-process  (second GPU process, GPU sandbox disabled; PID 2316 reused after the client-id 10 renderer exited)  PID:2316
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe --type=renderer  (client-id 18, channel 5524)  PID:4716
  msedge.exe --type=renderer  (client-id 19, channel 5344)  PID:2432
  msedge.exe --type=renderer  (client-id 20, channel 5416)  PID:1780
  msedge.exe --type=renderer  (client-id 21, channel 220)   PID:4948
  msedge.exe --type=renderer  (client-id 22, channel 3408)  PID:4300
  msedge.exe --type=renderer  (client-id 23, channel 2656)  PID:4820
  msedge.exe --type=renderer  (client-id 24, channel 3568)  PID:3328
  msedge.exe --type=renderer  (client-id 25, channel 5692)  PID:1492
  msedge.exe --type=renderer  (client-id 26, channel 5716)  PID:1084
  msedge.exe --type=renderer  (client-id 27, channel 3504)  PID:4976

  msedge.exe --type=utility edge_collections.mojom.CollectionsDataManager  (sandbox: collections, channel 4312, /prefetch:8)  PID:2416

  msedge.exe --type=renderer  (client-id 29, channel 5412)  PID:3148
  msedge.exe --type=renderer  (client-id 30, channel 6356)  PID:3080
  msedge.exe --type=renderer --instant-process  (client-id 31, channel 4288)  PID:556
  msedge.exe --type=renderer  (client-id 32, channel 5484)  PID:1944
  msedge.exe --type=renderer  (client-id 33, channel 6644)  PID:1588
  msedge.exe --type=renderer --instant-process  (client-id 34, channel 6700)  PID:4424

  msedge.exe --type=utility audio.mojom.AudioService  (sandbox: audio, channel 6312, /prefetch:8)  PID:1604

  msedge.exe --type=renderer  (client-id 37, channel 6480)  PID:4596

  msedge.exe --type=utility quarantine.mojom.Quarantine  (sandbox: none, channel 7128, /prefetch:8)  PID:4104
  - Suspicious behavior: EnumeratesProcesses

  msedge.exe --type=utility chrome.mojom.UtilReadIcon  (sandbox: icon_reader, channel 7188, /prefetch:8)  PID:2980

  fortnitevbucks.exe  PID:5088
    "C:\Users\Admin\Downloads\fortnitevbucks.exe"
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken

    Client.exe  PID:1324
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  msedge.exe --type=renderer  (client-id 40, channel 6448)  PID:692
  msedge.exe --type=renderer  (client-id 42, channel 1244)  PID:3224

Full command lines for the abbreviated children (the per-process values in parentheses above substitute for the bracketed fields):
  utility:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=[sub-type] --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --lang=en-US --service-sandbox-type=[sandbox] --mojo-platform-channel-handle=[channel] /prefetch:[n]
  renderer: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --lang=en-US --disable-client-side-phishing-detection [--instant-process] --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=[client-id] --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=[channel] /prefetch:1

Reading the tree: the session opened the browser on http://asd and the sample arrived as a browser download, launched from Edge's download UI (parent msedge.exe 1428). Everything else under 1428 is Edge's own process model: renderers, utility services, the first-run installer with its crashpad handler, and the quarantine utility (4104), which is the browser's download-marking service (the report attributes the .crdownload SmartScreen streams to msedge.exe without a PID). fortnitevbucks.exe 5088 is the only process of interest: it writes and starts Client.exe 1324 from %APPDATA%\SubDir, exactly the install_name and subdirectory from the extracted config. The other 14 launches of the lure listed under Executes dropped EXE are not shown in this part of the tree.
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 /prefetch:82⤵PID:1304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,2869459386277606729,5323398894752416200,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7364 /prefetch:82⤵PID:116
-
-
C:\Users\Admin\Downloads\fortnitevbucks (1).exe"C:\Users\Admin\Downloads\fortnitevbucks (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Users\Admin\Downloads\fortnitevbucks (1).exe"C:\Users\Admin\Downloads\fortnitevbucks (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084
-
-
C:\Users\Admin\Downloads\fortnitevbucks (1).exe"C:\Users\Admin\Downloads\fortnitevbucks (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:380
-
-
C:\Users\Admin\Downloads\fortnitevbucks (1).exe"C:\Users\Admin\Downloads\fortnitevbucks (1).exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1324
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3588
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x310 0x3f01⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:400
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:960
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3332
-
C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:2052
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:3772
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:1132
-
C:\Windows\System32\SecurityHealthHost.exeC:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding1⤵PID:4240
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868
-
C:\Users\Admin\Downloads\fortnitevbucks.exe"C:\Users\Admin\Downloads\fortnitevbucks.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576
Network
MITRE ATT&CK Enterprise v15
Downloads