Analysis
-
max time kernel
71s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
21/08/2024, 10:20
General
-
Target
http://exitlagf
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Drops file in System32 directory 26 IoCs
-
Probable phishing domain 1 TTPs 1 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 26 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 41 IoCs
-
Modifies registry class 2 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 56 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exitlagf1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdeab346f8,0x7ffdeab34708,0x7ffdeab347182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5780 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6804 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7056 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2240,3603561433961773531,17532664653965647121,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x240 0x5081⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\SetupExitLag-5.7.4-x64.exe"C:\Users\Admin\Downloads\SetupExitLag-5.7.4-x64.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\is-6IJ3C.tmp\SetupExitLag-5.7.4-x64.tmp"C:\Users\Admin\AppData\Local\Temp\is-6IJ3C.tmp\SetupExitLag-5.7.4-x64.tmp" /SL5="$3027A,75552511,799744,C:\Users\Admin\Downloads\SetupExitLag-5.7.4-x64.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SYSTEM32\sc.exe"sc.exe" query ExitLagPmService3⤵
- Launches sc.exe
-
-
C:\Users\Admin\AppData\Local\Temp\is-3VOPO.tmp\DriverCacheCleaner.exe"C:\Users\Admin\AppData\Local\Temp\is-3VOPO.tmp\DriverCacheCleaner.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\is-3VOPO.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe"C:\Users\Admin\AppData\Local\Temp\is-3VOPO.tmp\WinpkFilter\lwf\win10\amd64\snetcfg.exe" -v -l ndextlag_lwf.inf -c s -i nt_ndextlag3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\release\" -ad -an -ai#7zMap24746:76:7zEvent293041⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{48bb64cc-14ff-1f47-b04e-e21cd1a45b19}\ndextlag_lwf.inf" "9" "4e40e94b7" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Users\Admin\AppData\Local\Temp\is-3VOPO.tmp\WinpkFilter\lwf\win10\amd64"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ab8ce148cb7d44f709fb1c460d03e1b0
SHA144d15744015155f3e74580c93317e12d2cc0f859
SHA256014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
SHA512f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4
-
Filesize
152B
MD538f59a47b777f2fc52088e96ffb2baaf
SHA1267224482588b41a96d813f6d9e9d924867062db
SHA25613569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
SHA5124657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b
-
Filesize
67KB
MD54bb360ae7e6ad48f41e6e661dc509bc9
SHA1e6b8d6b2466d7c701dd2a651d7336a41c079d998
SHA25639d340184c17611060bc98bdb9e79f805a4ac94299a957850e25a709c50236b3
SHA512adce176f426c1e1908bb707d3a608bbaa40fbbf69bf0d104bf3f0db0b2f567cc4e5ecb274459023b1918d93df6a4a78198308f3de609c73b006ced2e280ee56b
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
43KB
MD5e352d970a4f70796e375f56686933101
SHA120638161142277687374c446440c3239840362b4
SHA2568a346ccc26d3ae6ded2665b27b443d6f17580650d3fdd44ef1bb6305bee37d52
SHA512b2c95bc6a7bd4cc5ef1d7ea17d839219a1aa5eba6baeb5eab6a57ec0a7adbc341eb7c4d328bcc03476d73fd4d70f3a4bdec471a22f9eb3e42eb2cae94eeb1ccc
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
1.2MB
MD5ae79a3e945e45f571fdf9ab94bcab4ee
SHA1eac343e9f3660f78ea5e2f1bd634c8123f207642
SHA256039c61c90725ad5a7422c5f00cc6d85ff2c57e3f7697b75ec57668e62fc209f7
SHA5120bfd27261eae0cc6462b71fce73461639fd1b6071797b29e047b16940ce25e79bb50032c289401fef4a10d22f0b1afd801dc9d29e0dbc085486d5fdeb88cb814
-
Filesize
5KB
MD50834283d02a4e9ad62dc3eb28ecd322a
SHA1e41be74d2161bd8bc1d9eea1d5e199df9a8d16ea
SHA25645379e7399b173d766b7b2e993e699ea3136d89d1abd5051101a6396063f5e4e
SHA512f766b346dec9791e5cf963b68e3601ed59cebc3602b0936eedac62c8b03c4acee784503a4789b775d3ff5fc83f9d98ce4ff14fa750cc2996474b5d394588d275
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
9KB
MD56cbce12c70e8dc086aaf311a7574db19
SHA1bfe0e91450aefdcc798a8718e4f45b084c97a7b0
SHA25676048916e711f7d776228c27215a31b33ed8031089073a5a67988987034c12c9
SHA5121f54aecbe0a11603ea043c3b3468ffa672235d81c1f231e5221fd19c3df9f40cd0263c7a7ec6f21d06ed4885429f87c4827bc48b48397db6f74cb9bd6f0ebc1a
-
Filesize
5KB
MD596955872eadec84d5ea4d31353a7ed36
SHA118457970a67a836a5c985aeddc20fe623a2fd301
SHA2565986cd20f8f37c30141c4e07befcdcda59cebd35037cabffd4f3785e56bba79d
SHA512895cee1ab21c811fc36f83a12eca96510b5204d6c46e226e48e0e1e3c08b396629745d2560efe1283311319a99c824997b225e9ecba1a9d53727d3ba2ff2e71f
-
Filesize
9KB
MD5a81f008a9cf5aa24603dd2ea57f2f4f4
SHA1f24a8030720c4a586b0e98215fd534d0e99b3a67
SHA2566af27bfbf8935c8ff4ccfdc6bec4841fca4bfac6af197fbc91f190604f8a4450
SHA5122100c0bae67c7f10fefb0bbde11e329523e32ff024b0f08e71c701a866ab55ad9ea8dcae5de6c7b292761ed7abbb278de69e53835ff7cebf55e3549016e481f9
-
Filesize
6KB
MD536feed773a2e26bd1c1e6188273d53a1
SHA1a0d9f49c545baf071eb4d6c8b5424e774e9a1c85
SHA2563db3e3a6f1f66f6f09dfbd4c76fe0713cb6ab32f5395f7594a33c6f38cbdeb74
SHA512bac69466d8fd3b986d01a89bc3784af4114ea2187bd53fab0acaffed24e2a4b9f43245f47d4536287f6f9621940fe0be057dedbe9b661e821c09b168ff1747e5
-
Filesize
3KB
MD50204e1323e78563a0b09172705e4eb43
SHA190121592434037e2bcb9f57c09075a316c7224d4
SHA256baa3d1e31aec1812a8779664cf9ea061aa20c1b44a1dddacbe0a5a52a566be13
SHA512fba11b860244df3681fe471c39dbd13e4b9ce56d3a7ed625695e5fb4b4850e88928538c9df2cf28c8fa0dc103374a337d76f97b57bc6da506ffa6ddf2ff881f6
-
Filesize
2KB
MD5df46049ea5945083a2e11bc9e267b4df
SHA1e29d955761e9bf34ba61d073121f44ed2de3ac39
SHA256a42a0bcc21019920747c51711b2f3042b095e438ed78c8a606e0d7d2b7e8ec4a
SHA512983bbbe680d41f75ad64566ae2fe0a036ca1ab9cf6026ec2ab4434031074889d97f4c247ad3215f06d33fe635586acd4db9d6a62086b7aef4823bb84339874b8
-
Filesize
3KB
MD53a897aae5ed9e5d82fa20d2214d6d324
SHA1132f99a3ae33228ac3aec7f01a9e809ecc39fd8e
SHA2562d751bf8e58a3b822a885121d5d0167a54d1916b3b75cc7759314a15323bb5fd
SHA5124c20d017d7b85bf49935a722b62a7d8b7002b79758b7829c8b19dd4744cdc7d396aef408eb882f5ba257befb4e14bae5251e7f52a1a60743194d31873d784ac0
-
Filesize
3KB
MD5d1ada7a681db3da06c2e8b6053dcb5ca
SHA129ffe0c4d2eb404d858a3fd328f49d7bc2566bfd
SHA256134429fda68d6b0ca75ce6a083c6e3c24d7c75e4e1c31184e02b4731c80c3cc2
SHA512bda8c3e38cb17bcdf1c1c6f56786510c0c6eb87ac4d137aa83a3298b92e204fbc392a43740e7ed695326106bbb868443fd938216eaa77a7c90987a42df55fd09
-
Filesize
2KB
MD5310766be4b656f0102552350f136bcbc
SHA130592b7a4e132d92ef2d10756c5ea233d229ebb7
SHA2566b052912064b76288159a4fce4314b95ad0732a4526dd1fbc240e24ad3c60530
SHA5120e9b108e4036b18de988fa85c5e208990335024b9ed8fbace2213c99d00e4f42884ceeea31cd23133fec22b5581501e555d3c424ba8dfb85d7a5d37a21de3920
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5cb52a85cb5bce9898825feed550e0ffc
SHA130a8767e28ea646b442c52c36c2e6fbc5510f0b1
SHA256a3e01d6c4a5656ea2744bb195a3e690d915cfabd52cac4923f73ed7afdadf161
SHA5121c251efaf6ae6ca09eba051538790dcd4dafac6c1f35be762a59c78d2816e0fb9dc0f7ae1b688237b2cc54c11b08420cc9b458401da8f7e54c7e11b35652d23e
-
Filesize
11KB
MD5c58e18fcd227873cb80a832cf88b5209
SHA1c27a49efc8192ed04899d1bf836769f2e7b203ea
SHA2563ec6d3e9fe5df39e0bd8962f05a738eca939be13d60b5ed92b057db68ec97b4f
SHA5123c754f4b4621e85868125d711a67e5d4d7b6f961f28e467b2f6da2460f685c80872eead3910aa82e9fde832b1aaf5f2ffd0a4f502b9bc34d58e39ee880621631
-
Filesize
240KB
MD5907d4a9e5556a0b4fff5e94221cb8746
SHA10bf9d4e34a181141ceca059d2a2c4f68ab0a580f
SHA25656458d743cd8eb53f903ff3de41e4ea025ded1f7b7b01820a8a18c7e557815c4
SHA5127c2131dfaf587d953fc9ddd58f022e83f379994aaa1284a5d04e0d5a50b9655e89dc45bea14820ba557508840fbd5bdc8263faba756ecf55fff72ae73a13b7b8
-
Filesize
11KB
MD541ce1b9d8fb8432898d8b086753139a9
SHA188fa6a06942242d3f05ff316e444efa4734bcb47
SHA256476005d1e2be816c06cf62fa18715dd50d9a09bc7984d0ae33cf917288174917
SHA51273bb5d2893cea2f421cf32245a822728f7bd42924bb0f78099c0893fd67d6be868932848d77c1edb0e1f9992a6ea3703788e9ceeccbbe9152b6137d7d3e1ffc6
-
Filesize
58KB
MD54bbbac5d7cb5e2e65ac400f01bf267fd
SHA1318a2b1dfb4871c72ec27fffafe8488b7f0453a5
SHA25670013fcd32f4745347cbd45c1cc911c0d6939048727f1c8dbcc1da36edf20fa9
SHA51286aa1a9ff8f0df4feec57f4d2d1572a4e0fbea0de5cafc88c728a5737c77d80ad98926ab9d3c5cd5817dbf9f49e63179895fd1d6199a72996783b65505f1b6b0
-
Filesize
2KB
MD5f37e8cc0eabac5e065277ba82818bd44
SHA14b0d23da6f357406ed21187a99462fde36e36b40
SHA256b75793dc1c6665778a2371e2c5ee57052d61a94ce6163103fb3867b710f9b12a
SHA512c31a5c2c4bae9e07fbf4de18c94196c1f81969d4e46dd03a35db948fad2f287ae4528f051a3f1ab1639093076e983795ace8a19475d65cb049706bf8aa4c7467
-
Filesize
15KB
MD558266a610bbc7c7eb924c6918edea151
SHA1d247099c5f3c9ad0b16f6ecbebcd8b1e54bcdd5f
SHA256516c5643cf378bdbc28191db75f85aed6988f21fe176c6d198ec21e76540c944
SHA51299bfe3856e27afe1c966342ec05fb4f59941207fb6c3235d95095cf340fd31f9fc8f9999585c512f2afa1c6cf57a9416d2b835dc121b5dd44001d465a26a216c
-
Filesize
3.0MB
MD54c8bed9ac667b64fa434ccd16a3a0828
SHA126ab6e26ef108dd25844b8d523dab36aa8046634
SHA256864fb02a9635476c8a31e3e57fdfe01380b9cce006fb07f4e7f438455178e4c2
SHA5120bdbfc49dcf18ae91f3caf9b65f1e870d2a0f1d4d34b80a3238e530d400f74e67c45b9ddb8fa1bf3eb0640da4f62113b5388ee3f47e11ea16d8bfb45524a92a5
-
Filesize
97KB
MD5132c4a0a1efe997bbc33d3cf4ab1134d
SHA1ead2f657eb32316f91a98f9891e530fa230583b1
SHA256b16048a37c4e5e7cbe23a02ae21ac8140cbbb7575edfcd7de23b11664b9a507d
SHA512c6a49295317a1a3be480fa0d8045095039caea9b01f13bc894e778579aff37cea18fd48f7a65e8d82f2a9b4ed0df8d76790faa0961f863fd9c684fa7c67da48f
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
3.0MB
-
Filesize
3.0MB