hxxps://cdn[.]discordapp[.]com/attachments/799790525317906503/1129544817416872036/MaritasGame[.]rar

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/799790525317906503/1129544817416872036/MaritasGame.rar

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
212	MaritasGame_Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2636	msedge.exe
2636	msedge.exe
4564	msedge.exe
4564	msedge.exe
3420	identity_helper.exe
3420	identity_helper.exe
2224	msedge.exe
2224	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
244	powershell.exe
244	powershell.exe
244	powershell.exe
3868	powershell.exe
3868	powershell.exe
3868	powershell.exe
3676	powershell.exe
3676	powershell.exe
3676	powershell.exe
1476	powershell.exe
1476	powershell.exe
1476	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3324	7zG.exe
Token: 35	3324	7zG.exe
Token: SeSecurityPrivilege	3324	7zG.exe
Token: SeSecurityPrivilege	3324	7zG.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeIncreaseQuotaPrivilege	244	powershell.exe
Token: SeSecurityPrivilege	244	powershell.exe
Token: SeTakeOwnershipPrivilege	244	powershell.exe
Token: SeLoadDriverPrivilege	244	powershell.exe
Token: SeSystemProfilePrivilege	244	powershell.exe
Token: SeSystemtimePrivilege	244	powershell.exe
Token: SeProfSingleProcessPrivilege	244	powershell.exe
Token: SeIncBasePriorityPrivilege	244	powershell.exe
Token: SeCreatePagefilePrivilege	244	powershell.exe
Token: SeBackupPrivilege	244	powershell.exe
Token: SeRestorePrivilege	244	powershell.exe
Token: SeShutdownPrivilege	244	powershell.exe
Token: SeDebugPrivilege	244	powershell.exe
Token: SeSystemEnvironmentPrivilege	244	powershell.exe
Token: SeRemoteShutdownPrivilege	244	powershell.exe
Token: SeUndockPrivilege	244	powershell.exe
Token: SeManageVolumePrivilege	244	powershell.exe
Token: 33	244	powershell.exe
Token: 34	244	powershell.exe
Token: 35	244	powershell.exe
Token: 36	244	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeIncreaseQuotaPrivilege	3676	powershell.exe
Token: SeSecurityPrivilege	3676	powershell.exe
Token: SeTakeOwnershipPrivilege	3676	powershell.exe
Token: SeLoadDriverPrivilege	3676	powershell.exe
Token: SeSystemProfilePrivilege	3676	powershell.exe
Token: SeSystemtimePrivilege	3676	powershell.exe
Token: SeProfSingleProcessPrivilege	3676	powershell.exe
Token: SeIncBasePriorityPrivilege	3676	powershell.exe
Token: SeCreatePagefilePrivilege	3676	powershell.exe
Token: SeBackupPrivilege	3676	powershell.exe
Token: SeRestorePrivilege	3676	powershell.exe
Token: SeShutdownPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeSystemEnvironmentPrivilege	3676	powershell.exe
Token: SeRemoteShutdownPrivilege	3676	powershell.exe
Token: SeUndockPrivilege	3676	powershell.exe
Token: SeManageVolumePrivilege	3676	powershell.exe
Token: 33	3676	powershell.exe
Token: 34	3676	powershell.exe
Token: 35	3676	powershell.exe
Token: 36	3676	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	powershell.exe
Token: SeSecurityPrivilege	1476	powershell.exe
Token: SeTakeOwnershipPrivilege	1476	powershell.exe
Token: SeLoadDriverPrivilege	1476	powershell.exe
Token: SeSystemProfilePrivilege	1476	powershell.exe
Token: SeSystemtimePrivilege	1476	powershell.exe
Token: SeProfSingleProcessPrivilege	1476	powershell.exe
Token: SeIncBasePriorityPrivilege	1476	powershell.exe
Token: SeCreatePagefilePrivilege	1476	powershell.exe
Token: SeBackupPrivilege	1476	powershell.exe
Token: SeRestorePrivilege	1476	powershell.exe
Token: SeShutdownPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeSystemEnvironmentPrivilege	1476	powershell.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
3324	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2552	OpenWith.exe
2552	OpenWith.exe
2552	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 3596	4564	msedge.exe	53
PID 4564 wrote to memory of 3596	4564	msedge.exe	53
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2304	4564	msedge.exe	87
PID 4564 wrote to memory of 2636	4564	msedge.exe	86
PID 4564 wrote to memory of 2636	4564	msedge.exe	86
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88
PID 4564 wrote to memory of 2176	4564	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/799790525317906503/1129544817416872036/MaritasGame.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5f0946f8,0x7ffb5f094708,0x7ffb5f094718
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,2795210533152184102,15284645917289670659,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4604 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\MaritasGame\" -spe -an -ai#7zMap17806:84:7zEvent28237
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2552

C:\Users\Admin\Downloads\MaritasGame\MaritasGame_Setup.exe
"C:\Users\Admin\Downloads\MaritasGame\MaritasGame_Setup.exe"
1⤵
- Executes dropped EXE
PID:212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "chcp"
  2⤵
  PID:4620
- - C:\Windows\system32\chcp.com
    chcp
    3⤵
    PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -c "Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); ' $consolePtr = [Console.Window]::GetConsoleWindow() #0 hide [Console.Window]::ShowWindow($consolePtr, 0) "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3868
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbnjvkvw\bbnjvkvw.cmdline"
    3⤵
    PID:748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9E0B.tmp" "c:\Users\Admin\AppData\Local\Temp\bbnjvkvw\CSC44BE2AD05A0347849818A29C4EE55DD.TMP"
      4⤵
      PID:852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
  2⤵
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:3340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
  2⤵
  PID:2060
- - C:\Windows\system32\findstr.exe
    findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
    3⤵
    PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
  2⤵
  PID:4004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f6f47b83c67fe32ee32811d6611d269c

SHA1
b32353d1d0ed26e0dd5b5f1f402ffd41a105d025

SHA256
ac1866f15ff34d1df4dafa761dbb7dc2c712fe01ac0e171706ef29e205549cbc

SHA512
6ee068efa9fbd3c972169427be2f6377a1204bf99b61579e4d78643e89e729ad65f2abcc70007fd0dd38428e7cd39010a253d6f9cd5e90409e207ddaf5d6720d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3f6855eca86e67b05d7ddc7c05b626a9

SHA1
d6f88da0d3463c3f609a411fe527825380d733a9

SHA256
e209d6030ed360fa30b2afe99e5f93cd7f9c24fcde0c70e1825ff16eae092e95

SHA512
1704887c923b61c69c8cc3370ad36018ab1968e8eac87b552e41ae5676b4fc8028863cd888ee757f2bdd78b99a3cfe5bce84eb5108b95f5fe0efa78765a08f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d50c42714ebaa39ad3732d8c2a20892

SHA1
a5af0f2d3d66fad4bf6adccf9deeed4e1040c95d

SHA256
aaad368ce5c2aae6eabdb977fc5b03c3714b55b4ecd4064731f599f8c5372026

SHA512
83b5be240f88f60d19bc619ce3b66bf3ff0d89fec9eb531ebb28b9d9f5461d103a54ef1ee6f3dcda60fd4f363f7d9be65922a3a0af7695ae795aaadb224b39fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5544c64f2a8f49dabc19eb84267b1c9b

SHA1
c5b78d63a8bab1c7b985f7ea2f268d0d7809071e

SHA256
a1fcfee2974a77e76a7431a2069db301861ab42dd41769cead8697f41f5a497f

SHA512
38c80d7c810441fc87beff38929473088cf426b0a25a30820d8a060f493350d99bb8521b314afe00578ea54648fce2aa4e55880a83a4f1048c56307991726565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e9ffd7a04136fc73f7d7828ab8e6e619

SHA1
486244a878a8577b1470911d36537904e4a1ef69

SHA256
595264ca8fe7b9ad5f7f6b7dc2e97457d0c71074dd879bf004ec0e16695d2861

SHA512
8b6ac670b3391fc004ee3d6ddb2b4e8cdef365ecded6962e5cf788fc493bd949e3017f2dff378ac7a594ef0aa2b9c798c3d0da2c7e5a19b46ecbdfc79fef55c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2f87410b0d834a14ceff69e18946d066

SHA1
f2ec80550202d493db61806693439a57b76634f3

SHA256
5422bc17b852ad463110de0db9b59ffa4219e065d3e2843618d6ebbd14273c65

SHA512
a313702f22450ceff0a1d7f890b0c16cf667dbcd668dbafa6dbecd0791236c0bc68e834d12113cc75352365c2a2b6cfcf30b6ef7c97ea53ed135da50de389db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
89d11a7813cf995cd2035d4e220f52e1

SHA1
029462d9cf5807b74cbbbb5ed0b41ab19f8f6d76

SHA256
8a7def414d593524f6c948b713bfbe3630bf48b46d3132d342e44b1bcd10a12e

SHA512
b275513bba2b7cb6eac20a9a88631cf82ac815874a76845c018e69e85e406d68f13f4ccfc03b26b3887ca11e5cb5dfc151279cb2c795b19689f3d05fa663dec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
d60ca779b1c98ee468527ef758b79098

SHA1
9acc7c908a0cc3599e7a29420b9aa8d78ac3da25

SHA256
7fce5a2c07d190f22550881ca406e5b6406e7f4fb7e0255a481f4afdf3269fa8

SHA512
a8af05d02f36edc1c4869966dc0d74bb2a6467322a6485c17639a13d35fc4ba123b33d1d040505928a49851468e9245896b5b451172a0f7e2904f08da3888dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
a863b5735138ae34fa45179ca0d5eee7

SHA1
132adfb4c69d0d8379dcaef067d9d373b20f4b81

SHA256
020997ff91c513f1d5c683067a93fd4e70c3fa51465bb9c5d53a6721aaee1b5a

SHA512
6570bce02f3d2f1e27a1cf4350712d2654b41cbb6e9e2501d97c556c7cc681e31c074a7ed2144d69a91853d2eb170643c8630d098f42bf22811281906ce4c721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9aa47623dbe2ca239aafc27edc553c82

SHA1
0c05e229265a7329fd81d5a2dd61f812edb8c487

SHA256
8af7c05cde7d463bf7e5439328b7b1ff0fb85c84217761fa526f709a8b4df032

SHA512
59ff28653a77d038672ebc2eeba29e9ab9216cf34eef97f82728e0fd5c4573e108a51936c3167becdf7cbe4a70138bce52fadf60b62302094c7a933f6ea09299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
9aa47623dbe2ca239aafc27edc553c82

SHA1
0c05e229265a7329fd81d5a2dd61f812edb8c487

SHA256
8af7c05cde7d463bf7e5439328b7b1ff0fb85c84217761fa526f709a8b4df032

SHA512
59ff28653a77d038672ebc2eeba29e9ab9216cf34eef97f82728e0fd5c4573e108a51936c3167becdf7cbe4a70138bce52fadf60b62302094c7a933f6ea09299

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9E0B.tmp

Filesize
1KB

MD5
32c4a03453f539609505af9ecfa89b8b

SHA1
74487eb4358fc910d79277093e4fe7d4bf86dd9f

SHA256
4c8d66b1a8228eaf2f9656ee39bdf487ba8e30cf9e168e1f2ff459b277eeab43

SHA512
fa5a64649a113356cf4f86d5b4ba4e2e6d2631fed69d6e9fdad2503c17668a9ed1d6cb9bdb840e7b7bb8097c7c6fc5b325c34752706374892acd64be3c21274a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ihiyjb2.bef.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbnjvkvw\bbnjvkvw.dll

Filesize
3KB

MD5
36f39c3f89943676238704eeb86a2931

SHA1
6b342768e1eb21afb606398ffa412b03de96f081

SHA256
6ec65ed4c6495429d32d74d2a1183670d8d52178865b5cae261516af02ad353c

SHA512
52ffa0f5cb62791454e06297c5e9b4da5880409b2cec1be4acd0d72940df7b5d9ff6371c28ea67219a48868ddcd49e94b2200142cf43eb78c038ea11993b7fa5

Download Submit
C:\Users\Admin\Downloads\MaritasGame.rar

Filesize
16.7MB

MD5
f0824d57d9a27d65d13ebfd39220fdf0

SHA1
be7bcd7140b988a7c6db6bf56d48c7e588e9f39b

SHA256
395fc29242883baeae36e91a240568b5271d0b7ec1f919b3489c33945ab01291

SHA512
ec96c4ec638fdd2e504ebff94a90f4aa4ff664bd99e87104305da5e4fd3a539fad80884f5b2ddbdcc96d66c7b4ed572b112b4c102ccdb7330aa8537fb0850ed9

Download Submit
C:\Users\Admin\Downloads\MaritasGame.rar

Filesize
16.7MB

MD5
f0824d57d9a27d65d13ebfd39220fdf0

SHA1
be7bcd7140b988a7c6db6bf56d48c7e588e9f39b

SHA256
395fc29242883baeae36e91a240568b5271d0b7ec1f919b3489c33945ab01291

SHA512
ec96c4ec638fdd2e504ebff94a90f4aa4ff664bd99e87104305da5e4fd3a539fad80884f5b2ddbdcc96d66c7b4ed572b112b4c102ccdb7330aa8537fb0850ed9

Download Submit
C:\Users\Admin\Downloads\MaritasGame\MaritasGame_Setup.exe

Filesize
47.7MB

MD5
92dc812bc68c09fb9ac19ab77224909c

SHA1
576c1df5dcfa548ccee781bbc11054215c4a8a9d

SHA256
57bf7198acb87d68430c057b571ebe16ed72c7baa3181e62c0f3bcb2aa20e1cd

SHA512
a21259e1a7e31154d3f659d4709b58d3c5f70c8618065153aaee8e2fa9fc291790e1a16ae504d5eb044cf0f8a70a5fd40f77c2f4029fbd8c4e29fefad5add7a5

Download Submit
C:\Users\Admin\Downloads\MaritasGame\MaritasGame_Setup.exe

Filesize
47.7MB

MD5
92dc812bc68c09fb9ac19ab77224909c

SHA1
576c1df5dcfa548ccee781bbc11054215c4a8a9d

SHA256
57bf7198acb87d68430c057b571ebe16ed72c7baa3181e62c0f3bcb2aa20e1cd

SHA512
a21259e1a7e31154d3f659d4709b58d3c5f70c8618065153aaee8e2fa9fc291790e1a16ae504d5eb044cf0f8a70a5fd40f77c2f4029fbd8c4e29fefad5add7a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbnjvkvw\CSC44BE2AD05A0347849818A29C4EE55DD.TMP

Filesize
652B

MD5
0f5d7de95ddf40ca48525efd73c3d755

SHA1
c75326969ccc0245b1456ef2647bc6e4b3254720

SHA256
41c68fe55d038ad9f3e596ee55ddcf7d84a855f218a4a1f2d0e39286906770bb

SHA512
f2233abeb190a8f9aa7c76cb4305e5e53e776ec3b31134824ac8c2e24224b4425cecd9e958280c97dabf735349b545271a73d9400e278fdea79487708d83f541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbnjvkvw\bbnjvkvw.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbnjvkvw\bbnjvkvw.cmdline

Filesize
369B

MD5
03077881a9d19fdc054e2f3fb3e19f94

SHA1
0cceef62c67841e81bbb9d51f10e0089659c623d

SHA256
2432857f7acad73c382eb40d88f86309f821959ad402e7234e6b264171159c46

SHA512
d5c6d1eef2d531c21642f7ccd85d2cd92c5261a571b73182c243f236d5348042313bd0d44339bffbfabdc99633ab589c715255e41a68768807318784b8e7b2d2

Download Submit
memory/244-320-0x000001F14CF60000-0x000001F14CF84000-memory.dmp

Filesize
144KB

Download
memory/244-325-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/244-276-0x000001F1348B0000-0x000001F1348D2000-memory.dmp

Filesize
136KB

Download
memory/244-291-0x000001F134290000-0x000001F1342A0000-memory.dmp

Filesize
64KB

Download
memory/244-297-0x000001F134290000-0x000001F1342A0000-memory.dmp

Filesize
64KB

Download
memory/244-319-0x000001F14CF60000-0x000001F14CF8A000-memory.dmp

Filesize
168KB

Download
memory/244-290-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/244-294-0x000001F14CF10000-0x000001F14CF54000-memory.dmp

Filesize
272KB

Download
memory/244-292-0x000001F134290000-0x000001F1342A0000-memory.dmp

Filesize
64KB

Download
memory/244-299-0x000001F14CFE0000-0x000001F14D056000-memory.dmp

Filesize
472KB

Download
memory/748-311-0x000002206F0D0000-0x000002206FB91000-memory.dmp

Filesize
10.8MB

Download
memory/1476-361-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/1476-355-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/1476-356-0x000001C674E00000-0x000001C674E10000-memory.dmp

Filesize
64KB

Download
memory/1476-357-0x000001C674E00000-0x000001C674E10000-memory.dmp

Filesize
64KB

Download
memory/1532-397-0x000001EC5C310000-0x000001EC5C320000-memory.dmp

Filesize
64KB

Download
memory/1532-390-0x000001EC5C310000-0x000001EC5C320000-memory.dmp

Filesize
64KB

Download
memory/1532-409-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/1532-364-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3340-404-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3340-395-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3340-396-0x0000015F083D0000-0x0000015F083E0000-memory.dmp

Filesize
64KB

Download
memory/3584-423-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3584-389-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3584-398-0x000001CBAC210000-0x000001CBAC220000-memory.dmp

Filesize
64KB

Download
memory/3676-337-0x000001DE12A30000-0x000001DE12A40000-memory.dmp

Filesize
64KB

Download
memory/3676-343-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3676-338-0x000001DE12A30000-0x000001DE12A40000-memory.dmp

Filesize
64KB

Download
memory/3676-336-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/3868-295-0x0000017D6A6D0000-0x0000017D6A6E0000-memory.dmp

Filesize
64KB

Download
memory/3868-318-0x0000017D51860000-0x0000017D52321000-memory.dmp

Filesize
10.8MB

Download
memory/3868-296-0x0000017D6A6D0000-0x0000017D6A6E0000-memory.dmp

Filesize
64KB

Download
memory/3868-293-0x0000017D51860000-0x0000017D52321000-memory.dmp

Filesize
10.8MB

Download
memory/3868-298-0x0000017D6A6D0000-0x0000017D6A6E0000-memory.dmp

Filesize
64KB

Download
memory/4004-431-0x00007FFB49E70000-0x00007FFB4A931000-memory.dmp

Filesize
10.8MB

Download
memory/4004-433-0x000002A46A6A0000-0x000002A46A6B0000-memory.dmp

Filesize
64KB

Download
memory/4004-437-0x000002A46A6A0000-0x000002A46A6B0000-memory.dmp

Filesize
64KB

Download
memory/4004-439-0x000002A46A6A0000-0x000002A46A6B0000-memory.dmp

Filesize
64KB

Download