daaa5f5d1b9f4a1967ef047387d739159eadf6e2950f1c7e11f9e1c5c39317e5

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2023, 07:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cs2legit.zip
Size

27.0MB
MD5

af6b9dbd331dc387e5cb5c2900e997d6
SHA1

6e0ff15a475424aae5c9a114ee9b3416462c4d92
SHA256

daaa5f5d1b9f4a1967ef047387d739159eadf6e2950f1c7e11f9e1c5c39317e5
SHA512

a55e839a850323a6223dedd137394460da45ce034f25c3e4bf447f15d43d6cd34e8adaabeae2bb1f4a098bff3e598759ed33e6b3f32849fe86be6f2dd9ce51ba
SSDEEP

786432:eC85JNQO/wdP3dvt9ypYXSae3K1A/emk5pOz:KQO/wdP5oOSd3+/5wz

Score

6^/10

spyware

Malware Config

Signatures

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
81	api.ipify.org
94	api.ipify.org

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5008	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
1544	tasklist.exe
1912	tasklist.exe
4108	tasklist.exe
212	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3768	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1052	msedge.exe
1052	msedge.exe
4800	msedge.exe
4800	msedge.exe
820	powershell.exe
820	powershell.exe
2560	powershell.exe
2560	powershell.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe
Token: SeSecurityPrivilege	2848	WMIC.exe
Token: SeTakeOwnershipPrivilege	2848	WMIC.exe
Token: SeLoadDriverPrivilege	2848	WMIC.exe
Token: SeSystemProfilePrivilege	2848	WMIC.exe
Token: SeSystemtimePrivilege	2848	WMIC.exe
Token: SeProfSingleProcessPrivilege	2848	WMIC.exe
Token: SeIncBasePriorityPrivilege	2848	WMIC.exe
Token: SeCreatePagefilePrivilege	2848	WMIC.exe
Token: SeBackupPrivilege	2848	WMIC.exe
Token: SeRestorePrivilege	2848	WMIC.exe
Token: SeShutdownPrivilege	2848	WMIC.exe
Token: SeDebugPrivilege	2848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2848	WMIC.exe
Token: SeRemoteShutdownPrivilege	2848	WMIC.exe
Token: SeUndockPrivilege	2848	WMIC.exe
Token: SeManageVolumePrivilege	2848	WMIC.exe
Token: 33	2848	WMIC.exe
Token: 34	2848	WMIC.exe
Token: 35	2848	WMIC.exe
Token: 36	2848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2848	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe
1612	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 2552	4800	msedge.exe	103
PID 4800 wrote to memory of 2552	4800	msedge.exe	103
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 4888	4800	msedge.exe	104
PID 4800 wrote to memory of 1052	4800	msedge.exe	105
PID 4800 wrote to memory of 1052	4800	msedge.exe	105
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106
PID 4800 wrote to memory of 4984	4800	msedge.exe	106

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\cs2legit.zip
1⤵
PID:1424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6c5346f8,0x7ffa6c534708,0x7ffa6c534718
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,5632485828100505823,12826914200921880973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Users\Admin\Desktop\cs2legit\LegitCS2.exe
"C:\Users\Admin\Desktop\cs2legit\LegitCS2.exe"
1⤵
PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "ver"
  2⤵
  PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "Uninstaller.exe"
  2⤵
  PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic os get Caption"
  2⤵
  PID:1800
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
  2⤵
  PID:2400
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:4484
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
  2⤵
  PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
  2⤵
  PID:732
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:4916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  2⤵
  PID:1076
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:1544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  2⤵
  PID:4180
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  2⤵
  PID:5056
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2552"
  2⤵
  PID:4472
- - C:\Windows\system32\taskkill.exe
    taskkill /F /PID 2552
    3⤵
    - Kills process with taskkill
    PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
  2⤵
  PID:3544
- - C:\Windows\system32\tasklist.exe
    tasklist /FO LIST
    3⤵
    - Enumerates processes with tasklist
    PID:212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
  2⤵
  PID:1760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:1812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1222f8c867acd00b1fc43a44dacce158

SHA1
586ba251caf62b5012a03db9ba3a70890fc5af01

SHA256
1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a

SHA512
ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad087906a18b034b317a5ca1b3a1f632

SHA1
46b7ae431d08def1d567bd97c3a719770a143a81

SHA256
65740e9cc68450a26c0064d8712be993db25c83c397b7690471f18d898fea3a6

SHA512
70ea6c683a9ec07cc7aa0b38a8e780c67453b3eadff6fed2d487e0e47b62dedf4019c281afd1e7d1c9438f81fdfe8da678abca79dd7f6c21ddb39f66ea36bd9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fbf7174db20ead1e7f991aab0fcf53c9

SHA1
48a0b5dd68a2b69f9bfd5a0571d84fd0c039d2a3

SHA256
bff4fb0b21b8e58b9d27ab9b9257c9f8a3a4bea89ff7b40c449396144d70c440

SHA512
2f33d0481b923108197278c41b7497389c1a7d6a8acb861714c003879e37ce7ba813a96e306e5ed5a346a2b63fcc9e10bf1697401c107b3357f34ba5410415b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6588c5d8aaf00d97b9ef97850f2762cc

SHA1
6794a544fd51475bfff0a7714c9ba968cbd6af64

SHA256
8d43f925685ec7ff2771dea2f2aaf06f829319498170d930bf838f67ee138d14

SHA512
5ca702362b0908e07dec475b683ec0f69700186b1837b1a081191a2097c54b6ebe7f1e943afae27b87403129a9699f7c98cc4b6bb98c326b6aa788050b052488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46c5701eaa58f791155c965b4c810780

SHA1
bc9ab422265d04a1417e4625c8179aaf20b53a0f

SHA256
48946caa83e3d6d1d2e129accdf2852b655e43d96f6b707603b5c7c179d30cc9

SHA512
7175257b39a85f0067866f90248013f49513d4f7049ddab201fd5296da6a477f68d1013a97f8242135480905710cc461c74ca287350470ff16b1f75c7316b7f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46c5701eaa58f791155c965b4c810780

SHA1
bc9ab422265d04a1417e4625c8179aaf20b53a0f

SHA256
48946caa83e3d6d1d2e129accdf2852b655e43d96f6b707603b5c7c179d30cc9

SHA512
7175257b39a85f0067866f90248013f49513d4f7049ddab201fd5296da6a477f68d1013a97f8242135480905710cc461c74ca287350470ff16b1f75c7316b7f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXWQDKSV\Files\tokenize_tests-latin1-coding-cookie-and-utf8-bom-sig.txt

Filesize
456B

MD5
2d393339c41b997146938349ad906374

SHA1
fb819f7d4265d62569f6c755b5f83b542c92b5f6

SHA256
da6136f1f6d227e30b9d741b059ab7e44bf78e5a851c8a37bd7f9904e5063756

SHA512
8e8ab7c6a3dfcf3add9d1cee5c5ea1948ff905366237384440c91f171e9412c55f2d6e64edca4b611471da0b9040000943c79ee2d078648d087c3a937173d23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXWQDKSV\Files\tokenize_tests-no-coding-cookie-and-utf8-bom-sig-only.txt

Filesize
313B

MD5
72f0c10353850c92fd5460153f7c2688

SHA1
7f4b94ef324c1f686d257973f3d513c2b36f2bcf

SHA256
b8caa98aecfd4114bb31818d9ab55e2f067899bae8c493d49d0c0a5507298455

SHA512
8c6fe6f837f30c2a74f02518e5aa7744763736f9698137231b6329d7647f1bf2b3474e4326f69cc622296d757307baff8bd80b35c7f4f1d2176044146025e1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXWQDKSV\Files\tokenize_tests-utf8-coding-cookie-and-no-utf8-bom-sig.txt

Filesize
434B

MD5
d32a6b30be39ab7165b79e8ff28f8353

SHA1
585ec4e47ae63e4633bf59115f6664df3dacee63

SHA256
cff7678394e58518901ebd65c066ac988666bfaf3152a0264db014a79f6eb609

SHA512
05964c38338496fce4ab9a9a36132273dae997bec64d81c23e30a91e39ff3c347846c67a03c1581dafe87fcc4b3ff5448440858c42c2e7051130595723f33092

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXWQDKSV\Files\tokenize_tests-utf8-coding-cookie-and-utf8-bom-sig.txt

Filesize
338B

MD5
8fa2bd60e630510363deaeab1995be8b

SHA1
385992e04fa9ab71a4ea13f750c6cc389bea82bc

SHA256
0a8c335c24e07d747d8658c5441aa0bdc0a41c4ed7690f083ab7cbe3817efee8

SHA512
b277e2db9d9a1237eff9e1b5add66f30ac6740c4805949b1e339b88fb64ee148fccccd7530278c9c7ba5b6b12db480453182452cfe82cb9810b95d2fdab16f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\OXWQDKSV\Files\tokenize_tests.txt

Filesize
2KB

MD5
52ffabe38cf008b2c5821edc45c326f2

SHA1
dc6a0dad696850ee63645dea780778174a77d0a6

SHA256
15f3eec6d2bd365daa8224c5ba9a6dbef00d8ef1ce5f2d8ff60a057492eda4e0

SHA512
341e3d1d7b5e0732dd4a810ccff25c2713521734c9008c72290b80aeecebcde5615d43a3a6874ec15869d9e511a1109a23855d337c5ad12e5146debe3533ba50

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khkv1uxf.bqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/820-127-0x00007FFA68B80000-0x00007FFA69641000-memory.dmp

Filesize
10.8MB

Download
memory/820-124-0x00000268B21B0000-0x00000268B21C0000-memory.dmp

Filesize
64KB

Download
memory/820-123-0x00000268B21B0000-0x00000268B21C0000-memory.dmp

Filesize
64KB

Download
memory/820-122-0x00007FFA68B80000-0x00007FFA69641000-memory.dmp

Filesize
10.8MB

Download
memory/820-121-0x00000268B2130000-0x00000268B2152000-memory.dmp

Filesize
136KB

Download
memory/1612-155-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-147-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-151-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-152-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-153-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-146-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-154-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-156-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-157-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/1612-145-0x00000209965F0000-0x00000209965F1000-memory.dmp

Filesize
4KB

Download
memory/2560-144-0x00007FFA69450000-0x00007FFA69F11000-memory.dmp

Filesize
10.8MB

Download
memory/2560-142-0x000001E0D0100000-0x000001E0D0110000-memory.dmp

Filesize
64KB

Download
memory/2560-140-0x000001E0D0100000-0x000001E0D0110000-memory.dmp

Filesize
64KB

Download
memory/2560-130-0x000001E0D0100000-0x000001E0D0110000-memory.dmp

Filesize
64KB

Download
memory/2560-129-0x00007FFA69450000-0x00007FFA69F11000-memory.dmp

Filesize
10.8MB

Download