Analysis

max time kernel: 150s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 14-10-2024 16:22

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://wdfiles.ru/29J7Q
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: https://wdfiles.ru/29J7Q
  Resource: win11-20241007-en

General

Target: https://wdfiles.ru/29J7Q
Malware Config
Signatures
UAC bypass
Setting EnableLUA to 0 turns UAC off for the whole machine; the change only takes effect after the next reboot, at which point the Run-key and scheduled-task persistence below will launch the payload without any elevation prompt.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe | dllhost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\87078a174f1e0ed9d58afdf2d6d178c3.exe | dllhost.exe
Executes dropped EXE 4 IoCs
pid | Process
832 | SpeedHack666Cheat (no VM detected).exe
4620 | dllhost.exe
3540 | dllhost.exe
3960 | dllhost.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\87078a174f1e0ed9d58afdf2d6d178c3 = "\"C:\\ProgramData\\dllhost.exe\" .." | dllhost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\87078a174f1e0ed9d58afdf2d6d178c3 = "\"C:\\ProgramData\\dllhost.exe\" .." | dllhost.exe
Both Run values and the Startup-folder copy share the name 87078a174f1e0ed9d58afdf2d6d178c3. The HKLM write landed under WOW6432Node because dllhost.exe is a 32-bit process (its children run from C:\Windows\SysWOW64) and the registry redirector maps 32-bit writes to that node; hunt for the value under both the native and the WOW6432Node Run keys.
Command and Scripting Interpreter: PowerShell
pid | Process
952 | powershell.exe
Launches sc.exe 3 IoCs
sc.exe is the Windows utility for controlling services. Here it is used to query, stop and delete the Windows Defender service (windefend); see the process tree below.
pid | Process
2936 | sc.exe
4524 | sc.exe
5036 | sc.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe:Zone.Identifier | msedge.exe
Note that the process here is msedge.exe (the quarantine.mojom.Quarantine utility process, PID 4084), i.e. the browser applying the tag to the download, which is the normal tagging path. The sample's own stream writes, to C:\ClickMe.exe, are listed under NTFS ADS below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Most of the processes listed are stock Windows utilities (cmd.exe, sc.exe, attrib.exe, schtasks.exe, reg.exe, taskkill.exe) that read this key as part of normal start-up, so on its own the signature is low confidence.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe (2 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe (3 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (6 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dllhost.exe (3 entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SpeedHack666Cheat (no VM detected).exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Kills process with taskkill 1 IoCs
pid | Process
4100 | taskkill.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
3696 | reg.exe
NTFS ADS 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 185719.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe:Zone.Identifier | msedge.exe
File created | C:\ClickMe.exe\:SmartScreen:$DATA | SpeedHack666Cheat (no VM detected).exe
File created | C:\ClickMe.exe\:Zone.Identifier:$DATA | SpeedHack666Cheat (no VM detected).exe
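Added example, not code from the sandbox report, the sample or the sandbox: a parser for the Zone.Identifier stream and a check that classifies the ADS events listed under Mark-of-the-Web Bypass and NTFS ADS above. The stream text and the event records are constructed to mirror those rows (msedge.exe tagging the download; the sample creating C:\ClickMe.exe with its own SmartScreen and Zone.Identifier streams). The HostUrl value, the ZoneId=0 content of the sample's self-written stream and the list of browser writers are assumptions.

```python
"""Zone.Identifier (Mark-of-the-Web) stream parser and tamper checks.

Added example; not code from the report or the sample. The stream contents
and event records are constructed to mirror the report's ADS rows.
Zone.Identifier is an INI-style stream with a [ZoneTransfer] section.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from typing import Optional

# URLMON security zone IDs stored in ZoneId=
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}

# Assumption: processes expected to apply the MOTW when they save a download.
BROWSER_WRITERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample of a Zone.Identifier stream as a browser writes it.
# HostUrl is a placeholder; ReferrerUrl is the report's target URL.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://wdfiles.ru/29J7Q\r\n"
    "HostUrl=https://example.invalid/SpeedHack666Cheat.exe\r\n"
)


@dataclass
class StreamEvent:
    """One ADS write as a sandbox or EDR would log it."""
    process: str            # image name that opened/created the stream
    file: str               # file the stream belongs to
    stream: str             # 'Zone.Identifier' or 'SmartScreen'
    data: Optional[str]     # stream content; None when deleted/absent


def parse_zone_identifier(data: str) -> dict:
    """Return {'zone_id', 'zone', 'referrer', 'host'} from stream text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(data)
    if not cp.has_section("ZoneTransfer"):
        raise ValueError("not a Zone.Identifier stream: missing [ZoneTransfer]")
    sect = cp["ZoneTransfer"]            # option names are case-insensitive
    zone_id = int(sect.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": sect.get("ReferrerUrl"),
        "host": sect.get("HostUrl"),
    }


def assess(ev: StreamEvent) -> list[str]:
    """Flag MOTW tampering patterns visible from a single stream event."""
    findings: list[str] = []
    writer_is_browser = ev.process.lower() in BROWSER_WRITERS

    if ev.stream == "SmartScreen" and not writer_is_browser:
        # Only the browser's quarantine service should create this stream;
        # a payload writing it is forging the browser's download record.
        findings.append(f"{ev.process} created a SmartScreen stream on {ev.file}")

    if ev.stream == "Zone.Identifier":
        if ev.data is None:
            findings.append(f"{ev.process} removed Zone.Identifier on {ev.file} (MOTW stripped)")
            return findings
        info = parse_zone_identifier(ev.data)
        if not writer_is_browser:
            findings.append(f"{ev.process} wrote Zone.Identifier on {ev.file} "
                            f"(self-applied MOTW, ZoneId={info['zone_id']})")
        if info["zone_id"] < 3:
            # Below Internet zone the file is treated as local: no SmartScreen
            # app-reputation check and no Protected View on open.
            findings.append(f"{ev.file} carries ZoneId={info['zone_id']} ({info['zone']}): downgraded MOTW")
    return findings


# Constructed events mirroring the report's 'NTFS ADS' rows.
SAMPLE_EVENTS = [
    StreamEvent("msedge.exe", r"C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe",
                "Zone.Identifier", SAMPLE_STREAM),
    StreamEvent("SpeedHack666Cheat (no VM detected).exe", r"C:\ClickMe.exe", "SmartScreen", ""),
    StreamEvent("SpeedHack666Cheat (no VM detected).exe", r"C:\ClickMe.exe",
                "Zone.Identifier", "[ZoneTransfer]\r\nZoneId=0\r\n"),   # assumed content
]


def run_sample() -> list[str]:
    out: list[str] = []
    for ev in SAMPLE_EVENTS:
        out.extend(assess(ev))
    return out


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The browser's own write (first event) produces no finding; the two writes by the sample do. On a live host the same check runs over `Get-Item -Stream Zone.Identifier` output or EDR file-stream events, keyed on the writing process rather than on the file name.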
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1832 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3284 | msedge.exe (2 entries)
1948 | msedge.exe (2 entries)
1636 | identity_helper.exe (2 entries)
2972 | msedge.exe (2 entries)
4084 | msedge.exe (2 entries)
832 | SpeedHack666Cheat (no VM detected).exe (all remaining entries of the 64)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4620 | dllhost.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid | Process
1948 | msedge.exe (8 entries)
Suspicious use of AdjustPrivilegeToken 24 IoCs
description | pid | Process
Token: SeDebugPrivilege | 832 | SpeedHack666Cheat (no VM detected).exe
Token: SeDebugPrivilege | 4620 | dllhost.exe
Token: SeDebugPrivilege | 952 | powershell.exe
Token: SeDebugPrivilege | 4100 | taskkill.exe
Token: SeDebugPrivilege | 3540 | dllhost.exe
Token: SeDebugPrivilege | 3960 | dllhost.exe
Token: 33 | 4620 | dllhost.exe (9 entries)
Token: SeIncBasePriorityPrivilege | 4620 | dllhost.exe (9 entries)
Suspicious use of FindShellTrayWindow 49 IoCs
pid | Process
1948 | msedge.exe (49 entries)
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
1948 | msedge.exe (12 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1948 wrote to memory of 2036 | 1948 | msedge.exe | 77 (2 entries)
PID 1948 wrote to memory of 1580 | 1948 | msedge.exe | 78 (repeated)
PID 1948 wrote to memory of 3284 | 1948 | msedge.exe | 79 (2 entries)
PID 1948 wrote to memory of 3324 | 1948 | msedge.exe | 80 (repeated)
All four targets are Edge's own child processes (the crashpad handler, GPU, network and storage services in the tree below), so these writes are the browser setting up its children, not injection by the sample.
Views/modifies file attributes 1 TTPs 1 IoCs
pid | Process
3016 | attrib.exe
Processes
(Indentation shows parent/child depth. Each entry gives the image path, the command line, the signatures it triggered and its PID.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://wdfiles.ru/29J7Q
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1948

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9289e3cb8,0x7ff9289e3cc8,0x7ff9289e3cd8
    PID: 2036

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1840 /prefetch:2
    PID: 1580

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 3284

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
    PID: 3324

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    PID: 2176

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    PID: 1680

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
    PID: 2308

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    PID: 1688

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
    PID: 3764

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
    PID: 1624

  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1636

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2972

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
    PID: 1592

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
    PID: 4116

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
    PID: 4180

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,5365798145616735577,10283305019195185316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4084

  C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe
    "C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 832

    C:\ProgramData\dllhost.exe
      "C:\ProgramData\dllhost.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      PID: 4620

      C:\Windows\SysWOW64\attrib.exe
        attrib +h "C:\ProgramData\dllhost.exe"
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
        PID: 3016

      C:\Windows\SysWOW64\cmd.exe
        cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        - System Location Discovery: System Language Discovery
        PID: 2032

        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 952

      C:\Windows\SysWOW64\cmd.exe
        cmd /c sc query windefend
        - System Location Discovery: System Language Discovery
        PID: 244

        C:\Windows\SysWOW64\sc.exe
          sc query windefend
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
          PID: 2936

      C:\Windows\SysWOW64\cmd.exe
        cmd /c sc stop windefend
        - System Location Discovery: System Language Discovery
        PID: 1200

        C:\Windows\SysWOW64\sc.exe
          sc stop windefend
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
          PID: 4524

      C:\Windows\SysWOW64\cmd.exe
        cmd /c sc delete windefend
        - System Location Discovery: System Language Discovery
        PID: 4760

        C:\Windows\SysWOW64\sc.exe
          sc delete windefend
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
          PID: 5036

      C:\Windows\SysWOW64\schtasks.exe
        schtasks /delete /tn CleanSweepCheck /f
        - System Location Discovery: System Language Discovery
        PID: 1956

      C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr C:\ProgramData\dllhost.exe
        - System Location Discovery: System Language Discovery
        - Scheduled Task/Job: Scheduled Task
        PID: 1832

      C:\Windows\SysWOW64\cmd.exe
        cmd /c reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        - System Location Discovery: System Language Discovery
        PID: 3880

        C:\Windows\SysWOW64\reg.exe
          reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
          - UAC bypass
          - System Location Discovery: System Language Discovery
          - Modifies registry key
          PID: 3696

      C:\Windows\SysWOW64\cmd.exe
        cmd /c taskkill /f /im Wireshark.exe
        - System Location Discovery: System Language Discovery
        PID: 4132

        C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im Wireshark.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID: 4100

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2952

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1612

C:\ProgramData\dllhost.exe
  C:\ProgramData\dllhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 3540

C:\ProgramData\dllhost.exe
  C:\ProgramData\dllhost.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID: 3960
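Added example, not code from the report, the sample or the sandbox: detection logic over process-creation records for the chain the tree above shows dllhost.exe (PID 4620) running (attrib +h on its own copy, Set-MpPreference -DisableRealtimeMonitoring, sc stop/delete windefend, the one-minute CleanSweepCheck task, reg ADD EnableLUA 0, taskkill on Wireshark), together with the dropper in Downloads launching a dllhost.exe from ProgramData. It also covers the sc.exe and schtasks signatures above. The records are constructed from the command lines in the tree (leaf processes only, parent image taken from the tree); the ATT&CK IDs, the analysis-tool names beyond Wireshark.exe and the masquerade-name list are this example's own mapping and assumptions.

```python
"""Process-creation detections for the defense-evasion/persistence chain.

Added example; not code from the sandbox report or the sample. The events
below are constructed from the command lines in the process tree (leaf
processes only). ATT&CK IDs, the analysis-tool list beyond Wireshark.exe and
the masquerade-name list are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Where genuine copies of the masqueraded binaries live (lowercase prefixes).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed: names malware borrows from Windows so it blends into task lists.
MASQUERADE_NAMES = {"dllhost.exe", "svchost.exe", "csrss.exe", "lsass.exe", "conhost.exe"}
# Assumed: only Wireshark.exe appears in the report; the rest are common analysis tools.
ANALYSIS_TOOLS = r"(wireshark|procmon|procmon64|procexp|procexp64|x64dbg|x32dbg|fiddler|tcpview)"


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line as logged
    parent_image: str   # full path of the parent process


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str      # ATT&CK technique ID (this example's mapping)
    image: str
    cmdline: str


# (rule name, technique, pattern matched against the lowercased command line)
CMDLINE_RULES = [
    ("Defender real-time monitoring disabled via Set-MpPreference", "T1562.001",
     re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true")),
    ("Defender service (windefend) stopped, deleted or reconfigured with sc.exe", "T1562.001",
     re.compile(r"\bsc(\.exe)?\s+(stop|delete|config)\s+windefend\b")),
    ("Analysis tool terminated with taskkill", "T1562.001",
     re.compile(r"\btaskkill(\.exe)?\s+/f\s+/im\s+" + ANALYSIS_TOOLS + r"\.exe")),
    ("UAC disabled: EnableLUA set to 0", "T1548.002",
     re.compile(r"\breg(\.exe)?\s+add\b.*\\policies\\system\b.*\benablelua\b.*/d\s+0\b")),
    ("Minute-interval scheduled task running a binary from ProgramData", "T1053.005",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b.*/sc\s+minute\b.*/tr\s+\"?c:\\programdata\\")),
    ("Hidden attribute set on an executable in ProgramData", "T1564.001",
     re.compile(r"\battrib(\.exe)?\s+\+h\b.*c:\\programdata\\.*\.exe")),
]


def detect(ev: ProcEvent) -> list[Alert]:
    """Return every alert a single process-creation event triggers."""
    alerts: list[Alert] = []
    cl = ev.cmdline.lower()
    for rule, tid, rx in CMDLINE_RULES:
        if rx.search(cl):
            alerts.append(Alert(rule, tid, ev.image, ev.cmdline))

    img = ev.image.lower()
    name = img.rsplit("\\", 1)[-1]
    # Masquerading: a system binary name that is not under the Windows directory.
    if name in MASQUERADE_NAMES and not img.startswith(SYSTEM_DIRS):
        alerts.append(Alert("System binary name running outside System32/SysWOW64",
                            "T1036.005", ev.image, ev.cmdline))
    # Staging: something the user downloaded launched a payload from ProgramData.
    if "\\downloads\\" in ev.parent_image.lower() and img.startswith("c:\\programdata\\"):
        alerts.append(Alert("Downloaded executable launched a payload staged in ProgramData",
                            "T1204.002", ev.image, ev.cmdline))
    return alerts


def triage(events: list[ProcEvent]) -> list[Alert]:
    return [a for ev in events for a in detect(ev)]


def techniques(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per ATT&CK technique for a quick severity picture."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.technique] = counts.get(a.technique, 0) + 1
    return counts


CMD = r"C:\Windows\SysWOW64\cmd.exe"
DROPPER = r"C:\Users\Admin\Downloads\SpeedHack666Cheat (no VM detected).exe"
PAYLOAD = r"C:\ProgramData\dllhost.exe"

# Constructed records mirroring the process tree (parent taken from the tree).
SAMPLE_EVENTS = [
    ProcEvent(PAYLOAD, f'"{PAYLOAD}"', DROPPER),
    ProcEvent(r"C:\Windows\SysWOW64\attrib.exe", f'attrib +h "{PAYLOAD}"', PAYLOAD),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $true", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe", "sc query windefend", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe", "sc stop windefend", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe", "sc delete windefend", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              f"schtasks /create /sc minute /mo 1 /tn CleanSweepCheck /tr {PAYLOAD}", PAYLOAD),
    ProcEvent(r"C:\Windows\SysWOW64\reg.exe",
              r"reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f", CMD),
    ProcEvent(r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /f /im Wireshark.exe", CMD),
]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.cmdline}")
    print(techniques(triage(SAMPLE_EVENTS)))
```

The `sc query windefend` probe deliberately produces nothing; it is the stop/delete that matter. The same rules fed the cmd.exe wrapper lines from the tree would fire a second time per action, which is acceptable for hunting but worth de-duplicating by parent PID in a production pipeline.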
Network
MITRE ATT&CK Enterprise v15
(technique (count): sub-technique (count))

Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
  System Services (1): Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Hide Artifacts (1): Hidden Files and Directories (1)
  Impair Defenses (2): Disable or Modify Tools (1)
  Modify Registry (3)
  Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads
(Entries without a path are listed as the report shows them, by size and hashes only.)

Filesize: 319B
MD5: 71093f2f2d8fd9daf6bc4bb6a72a5b23
SHA1: 7f614257050d90b24ca0f7862724f3d7a9df93fd
SHA256: 5da30152f390d2e7e0a801e08502781427e0b499f1d40ae2a1ecf181ef35de8a
SHA512: 39e729c10af152d3fa3e382e3976be09074370369805a76b9c0f3dc063c2ce5184e93c1043a81ab82573f768ec0fb6c480ca6848190752b9d2b002c3e319ffa4

Filesize: 152B
MD5: aad1d98ca9748cc4c31aa3b5abfe0fed
SHA1: 32e8d4d9447b13bc00ec3eb15a88c55c29489495
SHA256: 2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e
SHA512: 150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Filesize: 152B
MD5: cb557349d7af9d6754aed39b4ace5bee
SHA1: 04de2ac30defbb36508a41872ddb475effe2d793
SHA256: cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee
SHA512: f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1de2e563-14ff-4fff-8572-3a1b48d2d84f.tmp
Filesize: 1KB
MD5: 994279f58425885ca420972bb7be4c27
SHA1: 6c062d68b875a4445e1039cd734b0e0246913caa
SHA256: e63501185f42d1d46be16d95418ef8cda0afc221a960ace0cbb4386292ad1089
SHA512: d932a9d40b989acd529afd47b3a25eaae8f533cd7d2c93f982b7ee10ec13a99f355d7daf3f21a103f96945cad1b6a5c647800eab56bc86e2091cfad972b8e702

Filesize: 369KB
MD5: 65c0f9249f64c65cda3e5ea32126fc1f
SHA1: d567a001160109f58a4ec43db2abd9971e01afa7
SHA256: 7522fa6d0f83eac9662ae47af048f02ddfaab925738cec1280b0c5c7788d2d0a
SHA512: 08347609ba2b8ba7a69a147fe7c426baebed93f2a9db3137a9d9ebbc0bf87a775808e55d7c7b7e0b852e8f0065f0204b71fbbadf3cdffc84b1cbea21723e0308

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 960B
MD5: ef8dcd422b9b3a4372a584c212722348
SHA1: 7af4e4199804460c5f6c3e7cc1387d7f390c1626
SHA256: f99b6411a34c9eb61a5c5fc854597fa21db56458ca30c1615ada178aa5358f13
SHA512: 558384629df830ad29350e69c50d5c61cc922a1070873dde96d50f2cf227ea1ac53182d5b8bc9f4e36a91e685ad155f12a6a0ff6fe20d5766987c556fe4a2683

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 6KB
MD5: 33a72b334f9cbc6986f7cdee72b68031
SHA1: 678281a0240af9814894ae90e83fc007813b9ffd
SHA256: 829e7ab9dd7640a3261bcb6f42b887b3aadf27624568668a0f28ab1dacc2592f
SHA512: e9d6ade424eadcc6fb3cf7bf2585e59207e1f2a328db0e22840476dea8814fc28fdc1faf9e77635837527d51fcfbe88a168a52e46e62105464a0e66f8895e9ff

Filesize: 6KB
MD5: 2114eabe4ce19496353d7613076f8d86
SHA1: fb5fb141b8d77bfeadbf0aa61dffecd70b4ad542
SHA256: 7b1e167ddba319fa26d5d97f4fe0109f5dacffdc32d40324c5bbcfe06199dc26
SHA512: 71ced311a955b813f4d13a912af9b66bf85036337a9d16657c41aa66fdb1cf4505a2e11989ba467a33d84a9f384fd92a3fc239bbd465f48e7b49dcb99cb61e64

Filesize: 6KB
MD5: 7bf4df8a0d7d99ea4a39c1296c9d7535
SHA1: 84b52fd0ba564ea943ee2523c52bf00c55c6adca
SHA256: 03ecfc58477be6d9e45b09f88aa1c8bb965e27d611f3cebb2dfd695d5a5dcecd
SHA512: db6bf3d6b636b2dd8e8bbd9d0f933725d7e6d0267649a32a0a5d1a3b95d497085409d14848bdc86c0b3e94637a1a23946bcaa2ba478ebebce43c2a55504a4539

Filesize: 7KB
MD5: 3865c96d92a228486775d29d986d3b97
SHA1: 5d8966fc7bd94deeff5716b432feafd6ae2ee64c
SHA256: e1230ef9a3753b2e1fb755903893c7a7ce019e5d315f44fb2fd652ac01a54914
SHA512: 5ec35a204affc9fceef11b6df02adabc5a26e253ee8fc6032e272df0bb63237bc9b4077b133524607e4702de59693b8dc9593ce2879f380880ef7b3a775789b2

Filesize: 1KB
MD5: c9a67c924a7961168ff47a2818097342
SHA1: 4708f73f3a088c314fb62f38328add33e1b135ff
SHA256: b70826744d5a408a08fb8888c2825af0e170bc307e5fb050484fd432821fb7c0
SHA512: bb29c53142d08e547d1839cc24c9d7e9c2d9f7627b0d8d9a8288103f5144e4adb66bad4910af64077bbc8fb990efb855c168e365dd224ff58530cc3818fa8df8

Filesize: 1KB
MD5: 7fca89f583adf48ac9df6650f1f3cbac
SHA1: 6d2da8b4bfc6a4eae7ace75337df9cbd8c568b47
SHA256: 0ba3aaf5c4ceb7e8baa3c13eb02d6a4034a4182fb2ec524333ecc0e0c1691fc5
SHA512: ce34f010dac17ff7d5727350ab418113d5318f5ce05f5932c0dcde5cc36e14849742624c34501aa50c373f6b1cb2f74b6bad5720b1a86eaec4af501732240f30

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 67c325960aaf0e164242eb1fa5fd642a
SHA1: b14628336759c67d038ab1c2cb82398e449640f1
SHA256: 0d6c921c7d2807c512bd6178e519ad04d21e7dc61f1d38d6310d673c56548360
SHA512: 9939969d17bda5a7981531f604fb3681c6d2480516140aa3c76e3de7e0803e2c0b1f558755c760056f5455f7188a3354ae9344aa250a39a5c530fb4a4bcd4854

Filesize: 11KB
MD5: 0844a6ff4166289f8d5261d8cd3341ad
SHA1: a53b7a461d836e0aaec275da3ff301a82c682ed3
SHA256: 0b7e4a5753231912e0258794e63806b803decdaa3cd7b311fff2e3af111c6bcd
SHA512: 03fc8671cd0f622f9c2e3edeabf936ade6742647b8b0bff92b01a9a5b8a3d289e94d2d3c27046764dcc9e71c662d9f1d8b16678284d626a0d40f8076d1e5340f

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98