Analysis

- max time kernel: 215s
- max time network: 218s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-02-2023 19:43
- Static task: static1
General

- Target: LiquidLauncher_0.1.5_x64_en-US.msi
- Size: 5.9MB
- MD5: 48b7d0600a9ee279b4c41a1ffa3c020b
- SHA1: 58f59ef8aedda5702a9047c22de711e97511d415
- SHA256: 0f66e48e0a14769b4814d854bc38624e631210fa63a845717dbed9661fac8673
- SHA512: 501369190568e53177b1364d2750d848f92562ca5f28f5ee7a1807aa9773ffc9ff412e6c0f480ec25755cf9eb9c423ad15c2ba5d5046c5735afeb8aaf519c39f
- SSDEEP: 98304:t5ShYcBqMeETx9j3ZQY1refQKYNWlGLsI5LjOp+ZPR3XQiimt5Gb0COYzatwehIa:qlLtTjZh1reumGLsKSp+ZPxfIcajQe9u
Malware Config
Signatures
Executes dropped EXE (1 IoC)
Processes:
- PID 4252: LiquidLauncher.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 1904: MsiExec.exe
- PID 1904: MsiExec.exe
Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (LiquidLauncher.exe)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe
Drops file in Program Files directory (2 IoCs)
Processes:
- File created: C:\Program Files\LiquidLauncher\Uninstall LiquidLauncher.lnk (msiexec.exe)
- File created: C:\Program Files\LiquidLauncher\LiquidLauncher.exe (msiexec.exe)
Drops file in Windows directory (10 IoCs)
Processes (all msiexec.exe):
- File opened for modification: C:\Windows\Installer\e5881be.msi
- File created: C:\Windows\Installer\{833EECDC-F526-4056-91B3-65267E51B472}\ProductIcon
- File created: C:\Windows\Installer\e5881c0.msi
- File opened for modification: C:\Windows\Installer\{833EECDC-F526-4056-91B3-65267E51B472}\ProductIcon
- File created: C:\Windows\Installer\e5881be.msi
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
- File opened for modification: C:\Windows\Installer\
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi
- File created: C:\Windows\Installer\SourceHash{833EECDC-F526-4056-91B3-65267E51B472}
- File opened for modification: C:\Windows\Installer\MSI8410.tmp
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (all vssvc.exe):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (all msedgewebview2.exe):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
Modifies data under HKEY_USERS (5 IoCs)
Processes:
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f (msiexec.exe)
- Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (msedgewebview2.exe)
- Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133201899890094973" (msedgewebview2.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e (msiexec.exe)
Modifies registry class (26 IoCs)
Processes: msiexec.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 5072: msiexec.exe
- PID 5072: msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (1 IoC)
Processes:
- PID 4888: msedgewebview2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe (PID 644), msiexec.exe (PID 5072)
Suspicious use of FindShellTrayWindow (6 IoCs)
Processes:
- PID 644: msiexec.exe
- PID 644: msiexec.exe
- PID 4252: LiquidLauncher.exe
- PID 644: msiexec.exe
- PID 4888: msedgewebview2.exe
- PID 4252: LiquidLauncher.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msiexec.exe, MsiExec.exe, LiquidLauncher.exe, msedgewebview2.exe
Processes

- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LiquidLauncher_0.1.5_x64_en-US.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 01FA5804B91268D5612819AE85082CED C
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Program Files\LiquidLauncher\LiquidLauncher.exe
      Command line: "C:\Program Files\LiquidLauncher\LiquidLauncher.exe"
      Signatures: Executes dropped EXE; Checks whether UAC is enabled; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=4252.4836.3542900100756666210
        Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (crashpad-handler)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=104.0.5112.81 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=104.0.1293.47 --initial-client-data=0x100,0x104,0x108,0xdc,0x110,0x7ffd11888250,0x7ffd11888260,0x7ffd11888270
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (gpu-process)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (utility: network.mojom.NetworkService)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2072 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:3
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (utility: storage.mojom.StorageService)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2264 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (renderer)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:1
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (utility: asset_store.mojom.AssetStoreService)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=entity_extraction --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=4292 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
        - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe (utility: unzip.mojom.Unzipper)
          Command line: "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=4048 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- C:\Program Files\LiquidLauncher\LiquidLauncher.exe
  Filesize: 14.8MB
  MD5: 5bab4c9c2f9dcc592091c3d38a5a1ddc
  SHA1: eeb42e4463849f2f4be4105efd9afb62c4a985fb
  SHA256: 1ac7a2c296dcf73d971e6879c2e4b6d31ce4f6730be7ca9f27ec67ca04452ff1
  SHA512: 740ade153912d05bf1a47a043b710d905149ecffa371b2bdb8947a14a72fc414a8c3e8563af7fa03ff64b4a07c86cae127747033b4b7abe8f33e63a83c9775d3
- C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp
  Filesize: 113KB
  MD5: 4fdd16752561cf585fed1506914d73e0
  SHA1: f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
  SHA256: aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
  SHA512: 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
- C:\Users\Admin\AppData\Local\Temp\MSIBA15.tmp
  Filesize: 211KB
  MD5: a3ae5d86ecf38db9427359ea37a5f646
  SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
  SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
  SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
- C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad\settings.dat
  Filesize: 216B
  MD5: 1826913d7777e20ed98ea9f3586c3266
  SHA1: 07d34020c55333c44ed20e758998d8fa9cb91c6b
  SHA256: 2ba66d6a6b2cd475e413407282ad78985a51161c9be89db254b8a0f41cc7fd2d
  SHA512: 0dd16abd3fcb2abd0ecf7ac74993ce868744687d9ec6a89c1a441679b514a8350d3ae26e201b58252c3f3ec33742750f32cf95f99e7620c28230c10c97d33612
- C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad\throttle_store.dat
  Filesize: 20B
  MD5: 9e4e94633b73f4a7680240a0ffd6cd2c
  SHA1: e68e02453ce22736169a56fdb59043d33668368f
  SHA256: 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
  SHA512: 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: 67e2b788432b243a7aaeeab90e7c4513
  SHA1: e74b9cc7b8bff52fde80d2a5f6a55820f0b579ca
  SHA256: 689f0a883b61c8f84de7edfff5dff482fe7c3ad727ea09305b4b6f902fa0f919
  SHA512: 91d877cbd613291dc2a72b8588ea4096b2e2b9b776ddca44ac55832abee86bcda8553976842134480c37fbd749f0cbbb042db610e1fc65c5a3a9d2405aa784e3
- \??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{768987d5-9916-43ef-9940-65ca501da6a7}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: a3ac128037fb8f77f69b8d5e9995b7f7
  SHA1: 74322d344bec09194c703edbf6a4e922076b7a54
  SHA256: 4d7bbee380035bd6f6e1c8776409a1f48db5c125ce6c8820c1f4efc6d604e68d
  SHA512: 85c700fb3cf2e736a07e67c6c94cd5eb5be063a2716d2d5b16e58e4ebd334de690a41721041a51fca683cce016443e9af238ad4f908e2910ba3d3ed43d38b164
- \??\pipe\LOCAL\crashpad_4888_YBXSBBTSOOIBYVAD
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e