0f66e48e0a14769b4814d854bc38624e631210fa63a845717dbed9661fac8673

Analysis

max time kernel
215s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2023 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LiquidLauncher_0.1.5_x64_en-US.msi
Size

5.9MB
MD5

48b7d0600a9ee279b4c41a1ffa3c020b
SHA1

58f59ef8aedda5702a9047c22de711e97511d415
SHA256

0f66e48e0a14769b4814d854bc38624e631210fa63a845717dbed9661fac8673
SHA512

501369190568e53177b1364d2750d848f92562ca5f28f5ee7a1807aa9773ffc9ff412e6c0f480ec25755cf9eb9c423ad15c2ba5d5046c5735afeb8aaf519c39f
SSDEEP

98304:t5ShYcBqMeETx9j3ZQY1refQKYNWlGLsI5LjOp+ZPR3XQiimt5Gb0COYzatwehIa:qlLtTjZh1reumGLsKSp+ZPxfIcajQe9u

Score

7^/10

evasion trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

LiquidLauncher.exe

pid process

4252 LiquidLauncher.exe
Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

1904 MsiExec.exe
1904 MsiExec.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

LiquidLauncher.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA LiquidLauncher.exe

pid	process
4252	LiquidLauncher.exe

pid	process
1904	MsiExec.exe
1904	MsiExec.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LiquidLauncher.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 2 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\LiquidLauncher\Uninstall LiquidLauncher.lnk	msiexec.exe
File created	C:\Program Files\LiquidLauncher\LiquidLauncher.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\e5881be.msi	msiexec.exe
File created	C:\Windows\Installer\{833EECDC-F526-4056-91B3-65267E51B472}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e5881c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{833EECDC-F526-4056-91B3-65267E51B472}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\e5881be.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{833EECDC-F526-4056-91B3-65267E51B472}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8410.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exemsedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133201899890094973"	msedgewebview2.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe

Modifies registry class 26 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\Version = "65541"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\ProductIcon = "C:\\Windows\\Installer\\{833EECDC-F526-4056-91B3-65267E51B472}\\ProductIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D01B919C891FCCB5FA884934BA03C7E8\CDCEE338625F6504193B5662E7154B27	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDCEE338625F6504193B5662E7154B27	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDCEE338625F6504193B5662E7154B27\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDCEE338625F6504193B5662E7154B27\Environment = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDCEE338625F6504193B5662E7154B27\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\PackageCode = "6BD38C21F730D1B4AB7811D7092B9F8A"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D01B919C891FCCB5FA884934BA03C7E8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\ProductName = "LiquidLauncher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\PackageName = "LiquidLauncher_0.1.5_x64_en-US.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CDCEE338625F6504193B5662E7154B27\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CDCEE338625F6504193B5662E7154B27\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

5072 msiexec.exe
5072 msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

4888 msedgewebview2.exe

pid	process
5072	msiexec.exe
5072	msiexec.exe

pid	process
4888	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	644	msiexec.exe
Token: SeSecurityPrivilege	5072	msiexec.exe
Token: SeCreateTokenPrivilege	644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	644	msiexec.exe
Token: SeLockMemoryPrivilege	644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	644	msiexec.exe
Token: SeMachineAccountPrivilege	644	msiexec.exe
Token: SeTcbPrivilege	644	msiexec.exe
Token: SeSecurityPrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeLoadDriverPrivilege	644	msiexec.exe
Token: SeSystemProfilePrivilege	644	msiexec.exe
Token: SeSystemtimePrivilege	644	msiexec.exe
Token: SeProfSingleProcessPrivilege	644	msiexec.exe
Token: SeIncBasePriorityPrivilege	644	msiexec.exe
Token: SeCreatePagefilePrivilege	644	msiexec.exe
Token: SeCreatePermanentPrivilege	644	msiexec.exe
Token: SeBackupPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeShutdownPrivilege	644	msiexec.exe
Token: SeDebugPrivilege	644	msiexec.exe
Token: SeAuditPrivilege	644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	644	msiexec.exe
Token: SeChangeNotifyPrivilege	644	msiexec.exe
Token: SeRemoteShutdownPrivilege	644	msiexec.exe
Token: SeUndockPrivilege	644	msiexec.exe
Token: SeSyncAgentPrivilege	644	msiexec.exe
Token: SeEnableDelegationPrivilege	644	msiexec.exe
Token: SeManageVolumePrivilege	644	msiexec.exe
Token: SeImpersonatePrivilege	644	msiexec.exe
Token: SeCreateGlobalPrivilege	644	msiexec.exe
Token: SeCreateTokenPrivilege	644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	644	msiexec.exe
Token: SeLockMemoryPrivilege	644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	644	msiexec.exe
Token: SeMachineAccountPrivilege	644	msiexec.exe
Token: SeTcbPrivilege	644	msiexec.exe
Token: SeSecurityPrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeLoadDriverPrivilege	644	msiexec.exe
Token: SeSystemProfilePrivilege	644	msiexec.exe
Token: SeSystemtimePrivilege	644	msiexec.exe
Token: SeProfSingleProcessPrivilege	644	msiexec.exe
Token: SeIncBasePriorityPrivilege	644	msiexec.exe
Token: SeCreatePagefilePrivilege	644	msiexec.exe
Token: SeCreatePermanentPrivilege	644	msiexec.exe
Token: SeBackupPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeShutdownPrivilege	644	msiexec.exe
Token: SeDebugPrivilege	644	msiexec.exe
Token: SeAuditPrivilege	644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	644	msiexec.exe
Token: SeChangeNotifyPrivilege	644	msiexec.exe
Token: SeRemoteShutdownPrivilege	644	msiexec.exe
Token: SeUndockPrivilege	644	msiexec.exe
Token: SeSyncAgentPrivilege	644	msiexec.exe
Token: SeEnableDelegationPrivilege	644	msiexec.exe
Token: SeManageVolumePrivilege	644	msiexec.exe
Token: SeImpersonatePrivilege	644	msiexec.exe
Token: SeCreateGlobalPrivilege	644	msiexec.exe
Token: SeCreateTokenPrivilege	644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	644	msiexec.exe
Token: SeLockMemoryPrivilege	644	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

msiexec.exeLiquidLauncher.exemsedgewebview2.exe

pid process

644 msiexec.exe
644 msiexec.exe
4252 LiquidLauncher.exe
644 msiexec.exe
4888 msedgewebview2.exe
4252 LiquidLauncher.exe

pid	process
644	msiexec.exe
644	msiexec.exe
4252	LiquidLauncher.exe
644	msiexec.exe
4888	msedgewebview2.exe
4252	LiquidLauncher.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeLiquidLauncher.exemsedgewebview2.exe

description	pid	process	target process
PID 5072 wrote to memory of 1904	5072	msiexec.exe	MsiExec.exe
PID 5072 wrote to memory of 1904	5072	msiexec.exe	MsiExec.exe
PID 5072 wrote to memory of 1904	5072	msiexec.exe	MsiExec.exe
PID 5072 wrote to memory of 4368	5072	msiexec.exe	srtasks.exe
PID 5072 wrote to memory of 4368	5072	msiexec.exe	srtasks.exe
PID 1904 wrote to memory of 4252	1904	MsiExec.exe	LiquidLauncher.exe
PID 1904 wrote to memory of 4252	1904	MsiExec.exe	LiquidLauncher.exe
PID 4252 wrote to memory of 4888	4252	LiquidLauncher.exe	msedgewebview2.exe
PID 4252 wrote to memory of 4888	4252	LiquidLauncher.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4088	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4088	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 4568	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 384	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 384	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe
PID 4888 wrote to memory of 3532	4888	msedgewebview2.exe	msedgewebview2.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LiquidLauncher_0.1.5_x64_en-US.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 01FA5804B91268D5612819AE85082CED C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904

C:\Program Files\LiquidLauncher\LiquidLauncher.exe
"C:\Program Files\LiquidLauncher\LiquidLauncher.exe"
3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4252

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=4252.4836.3542900100756666210
4⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4888

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=104.0.5112.81 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=104.0.1293.47 --initial-client-data=0x100,0x104,0x108,0xdc,0x110,0x7ffd11888250,0x7ffd11888260,0x7ffd11888270
5⤵
PID:4088

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:2
5⤵
PID:4568

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2072 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:3
5⤵
PID:384

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2264 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
5⤵
PID:3532

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --display-capture-permissions-policy-allowed --js-flags=--ms-user-locale= --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:1
5⤵
PID:4216

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=entity_extraction --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=4292 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
5⤵
PID:1888

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\104.0.1293.47\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=LiquidLauncher.exe --webview-exe-version=0.1.5 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=4048 --field-trial-handle=1864,i,5454617421675674327,1034577395533676421,131072 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI /prefetch:8
5⤵
PID:4520

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:4368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\LiquidLauncher\LiquidLauncher.exe
Filesize
14.8MB

MD5
5bab4c9c2f9dcc592091c3d38a5a1ddc

SHA1
eeb42e4463849f2f4be4105efd9afb62c4a985fb

SHA256
1ac7a2c296dcf73d971e6879c2e4b6d31ce4f6730be7ca9f27ec67ca04452ff1

SHA512
740ade153912d05bf1a47a043b710d905149ecffa371b2bdb8947a14a72fc414a8c3e8563af7fa03ff64b4a07c86cae127747033b4b7abe8f33e63a83c9775d3

Download Submit
C:\Program Files\LiquidLauncher\LiquidLauncher.exe
Filesize
14.8MB

MD5
5bab4c9c2f9dcc592091c3d38a5a1ddc

SHA1
eeb42e4463849f2f4be4105efd9afb62c4a985fb

SHA256
1ac7a2c296dcf73d971e6879c2e4b6d31ce4f6730be7ca9f27ec67ca04452ff1

SHA512
740ade153912d05bf1a47a043b710d905149ecffa371b2bdb8947a14a72fc414a8c3e8563af7fa03ff64b4a07c86cae127747033b4b7abe8f33e63a83c9775d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp
Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C7E.tmp
Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBA15.tmp
Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBA15.tmp
Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad\settings.dat
Filesize
216B

MD5
1826913d7777e20ed98ea9f3586c3266

SHA1
07d34020c55333c44ed20e758998d8fa9cb91c6b

SHA256
2ba66d6a6b2cd475e413407282ad78985a51161c9be89db254b8a0f41cc7fd2d

SHA512
0dd16abd3fcb2abd0ecf7ac74993ce868744687d9ec6a89c1a441679b514a8350d3ae26e201b58252c3f3ec33742750f32cf95f99e7620c28230c10c97d33612

Download Submit
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad\throttle_store.dat
Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
67e2b788432b243a7aaeeab90e7c4513

SHA1
e74b9cc7b8bff52fde80d2a5f6a55820f0b579ca

SHA256
689f0a883b61c8f84de7edfff5dff482fe7c3ad727ea09305b4b6f902fa0f919

SHA512
91d877cbd613291dc2a72b8588ea4096b2e2b9b776ddca44ac55832abee86bcda8553976842134480c37fbd749f0cbbb042db610e1fc65c5a3a9d2405aa784e3

Download Submit
\??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{768987d5-9916-43ef-9940-65ca501da6a7}_OnDiskSnapshotProp
Filesize
5KB

MD5
a3ac128037fb8f77f69b8d5e9995b7f7

SHA1
74322d344bec09194c703edbf6a4e922076b7a54

SHA256
4d7bbee380035bd6f6e1c8776409a1f48db5c125ce6c8820c1f4efc6d604e68d

SHA512
85c700fb3cf2e736a07e67c6c94cd5eb5be063a2716d2d5b16e58e4ebd334de690a41721041a51fca683cce016443e9af238ad4f908e2910ba3d3ed43d38b164

Download Submit
\??\pipe\LOCAL\crashpad_4888_YBXSBBTSOOIBYVAD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/384-149-0x0000000000000000-mapping.dmp

Download
memory/1888-156-0x0000000000000000-mapping.dmp

Download
memory/1904-132-0x0000000000000000-mapping.dmp

Download
memory/3532-152-0x0000000000000000-mapping.dmp

Download
memory/4088-144-0x0000000000000000-mapping.dmp

Download
memory/4216-154-0x0000000000000000-mapping.dmp

Download
memory/4252-141-0x0000000000000000-mapping.dmp

Download
memory/4368-135-0x0000000000000000-mapping.dmp

Download
memory/4520-158-0x0000000000000000-mapping.dmp

Download
memory/4568-148-0x0000000000000000-mapping.dmp

Download
memory/4888-143-0x0000000000000000-mapping.dmp

Download