Analysis
-
max time kernel: 593s
max time network: 604s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 01-07-2024 01:28
Behavioral task: behavioral1
Sample: MW3_Chair.exe
Resource: win10v2004-20240611-en
General
-
Target: MW3_Chair.exe
Size: 15.6MB
MD5: ce8f99f5b92137f00ef50f08d80c0dba
SHA1: daefb55e55e243f0734a9ccd4ecdaba9043ee505
SHA256: da3ac98fe7c18ae61e732c9cee9d7ed8a5808d678d4f934b3bbb434b19b2e7e4
SHA512: b83c9bd35dfae276d3d2940c153246c98aa2c53e4b1e77db2083e66ad4bcb63b179b1d6699e0f4cd808e201a79f2c1af36955bd1f22ef37cc830b91ef3df0e09
SSDEEP: 393216:fyvPl1A8LtIzbhAuqTkOOqtc2BeX5N+Xy28bpa+2BIX7+k5LyCMYvK:crZtobqjkOOqq2BVXSbpaX6NRytX
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
Processes:
description   ioc                                           process
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MW3_Chair.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MW3_Chair.exe
Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   MW3_Chair.exe
-
Creates new service(s) 2 TTPs
-
Drops file in Drivers directory 3 IoCs
Processes:
description                   ioc                                     process
File created                  C:\Windows\System32\drivers\winhb.sys   MW3_Chair.exe
File opened for modification  C:\Windows\System32\drivers\winhb.sys   MW3_Chair.exe
File opened for modification  C:\Windows\System32\drivers\winhb.sys   MW3_Chair.exe
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description         ioc                                                               process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    MW3_Chair.exe
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description         ioc                                                                                                  process
Key value queried   \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation   MW3_Chair.exe
Key value queried   \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation   MW3_Chair.exe
Key value queried   \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation   MW3_Chair.exe
-
Themida packer 14 IoCs
The memory regions below match the yara rule "themida"; the 34.6MB image mapped at 0x140000000 in all three instances is the unpacked sample.
Resource (yara_rule):
behavioral1/memory/724-0-0x0000000140000000-0x0000000142290000-memory.dmp    themida
behavioral1/memory/724-1-0x0000000140000000-0x0000000142290000-memory.dmp    themida
behavioral1/memory/724-2-0x0000000140000000-0x0000000142290000-memory.dmp    themida
behavioral1/memory/724-3-0x0000000140000000-0x0000000142290000-memory.dmp    themida
behavioral1/memory/724-14-0x0000000140000000-0x0000000142290000-memory.dmp   themida
behavioral1/memory/724-15-0x0000000140000000-0x0000000142290000-memory.dmp   themida
behavioral1/memory/3728-17-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/3728-16-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/3728-18-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/3728-28-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/2476-30-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/2476-31-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/2476-32-0x0000000140000000-0x0000000142290000-memory.dmp  themida
behavioral1/memory/2476-38-0x0000000140000000-0x0000000142290000-memory.dmp  themida
-
Checks whether UAC is enabled 3 IoCs
Processes:
description         ioc                                                                              process
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MW3_Chair.exe
Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   MW3_Chair.exe
-
Drops file in System32 directory 6 IoCs
Processes:
description                   ioc                                                                           process
File opened for modification  C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}   MW3_Chair.exe
File opened for modification  C:\Windows\System32\IME\SHARED\namef.ini                                      MW3_Chair.exe
File opened for modification  C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}   MW3_Chair.exe
File opened for modification  C:\Windows\System32\IME\SHARED\namef.ini                                      MW3_Chair.exe
File opened for modification  C:\Windows\System32\config\RegBack\{69CD1F2D-DF68-4E23-9108-1B70783F2444}   MW3_Chair.exe
File opened for modification  C:\Windows\System32\IME\SHARED\namef.ini                                      MW3_Chair.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
pid    process
724    MW3_Chair.exe
3728   MW3_Chair.exe
2476   MW3_Chair.exe
-
Drops file in Windows directory 3 IoCs
Processes:
description                   ioc                                                                  process
File opened for modification  C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}   MW3_Chair.exe
File opened for modification  C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}   MW3_Chair.exe
File opened for modification  C:\Windows\schemas\Provisioning\{69CD1F2D-DF68-4E23-9108-UPDATE}   MW3_Chair.exe
-
Launches sc.exe 12 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid    process
4492   sc.exe
1576   sc.exe
3824   sc.exe
3572   sc.exe
4232   sc.exe
4068   sc.exe
4968   sc.exe
1560   sc.exe
5068   sc.exe
836    sc.exe
5024   sc.exe
3056   sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid    process
724    MW3_Chair.exe   (repeated entries)
3728   MW3_Chair.exe   (repeated entries)
64 entries in total, all from pids 724 and 3728.
-
Suspicious behavior: LoadsDriver 3 IoCs
Processes:
pid    process
664    (empty in the report)
664    (empty in the report)
664    (empty in the report)
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
description                  pid    process
Token: SeBackupPrivilege     724    MW3_Chair.exe   (x4)
Token: SeSecurityPrivilege   724    MW3_Chair.exe   (x4)
Token: SeBackupPrivilege     3728   MW3_Chair.exe   (x4)
Token: SeSecurityPrivilege   3728   MW3_Chair.exe   (x4)
Token: SeBackupPrivilege     2476   MW3_Chair.exe   (x4)
Token: SeSecurityPrivilege   2476   MW3_Chair.exe   (x4)
SeBackupPrivilege allows a caller to open files for read regardless of their ACL; it is enabled here alongside the writes under C:\Windows\System32\config\RegBack listed above.
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid    process
3728   MW3_Chair.exe
2476   MW3_Chair.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Each parent -> child pair below appears twice in the report (one entry per WriteProcessMemory call); the pairs are listed once here, in report order. The list stops at 64 entries, so sc.exe pids 3824 and 3572 from the "Launches sc.exe" table have no entry here.
parent pid   parent process   ->   child pid   child process
724          MW3_Chair.exe    ->   2276        cmd.exe
724          MW3_Chair.exe    ->   2736        cmd.exe
724          MW3_Chair.exe    ->   4364        cmd.exe
2276         cmd.exe          ->   5068        sc.exe
2736         cmd.exe          ->   836         sc.exe
724          MW3_Chair.exe    ->   5060        cmd.exe
724          MW3_Chair.exe    ->   3660        cmd.exe
3660         cmd.exe          ->   5024        sc.exe
724          MW3_Chair.exe    ->   4892        cmd.exe
724          MW3_Chair.exe    ->   1996        cmd.exe
1996         cmd.exe          ->   3056        sc.exe
724          MW3_Chair.exe    ->   4908        cmd.exe
3728         MW3_Chair.exe    ->   1200        cmd.exe
3728         MW3_Chair.exe    ->   3364        cmd.exe
3728         MW3_Chair.exe    ->   4900        cmd.exe
1200         cmd.exe          ->   4232        sc.exe
3364         cmd.exe          ->   4068        sc.exe
3728         MW3_Chair.exe    ->   4072        cmd.exe
3728         MW3_Chair.exe    ->   2744        cmd.exe
2744         cmd.exe          ->   4492        sc.exe
3728         MW3_Chair.exe    ->   2976        cmd.exe
3728         MW3_Chair.exe    ->   1864        cmd.exe
1864         cmd.exe          ->   4968        sc.exe
3728         MW3_Chair.exe    ->   4552        cmd.exe
2476         MW3_Chair.exe    ->   3228        cmd.exe
2476         MW3_Chair.exe    ->   1176        cmd.exe
2476         MW3_Chair.exe    ->   2384        cmd.exe
3228         cmd.exe          ->   1576        sc.exe
1176         cmd.exe          ->   1560        sc.exe
2476         MW3_Chair.exe    ->   4944        cmd.exe
2476         MW3_Chair.exe    ->   4420        cmd.exe
2476         MW3_Chair.exe    ->   1136        cmd.exe
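The WriteProcessMemory table is the only place in this report that records which pid spawned which. The script below is an added example, not part of the report, that parses entries in the flattened "PID A wrote to memory of B A image image" form the page uses, drops the duplicate entry the report emits per call, and walks every root-to-leaf chain ending in sc.exe. The input is a constructed excerpt of the table; the regex and the chain-walking logic are assumptions about that format, not anything the sandbox publishes.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Suspicious use of WriteProcessMemory" table,
# in the flattened form the page shows (each pair appears twice, one line per call).
SAMPLE = (
    "PID 724 wrote to memory of 2276 724 MW3_Chair.exe cmd.exe "
    "PID 724 wrote to memory of 2276 724 MW3_Chair.exe cmd.exe "
    "PID 2276 wrote to memory of 5068 2276 cmd.exe sc.exe "
    "PID 2276 wrote to memory of 5068 2276 cmd.exe sc.exe "
    "PID 724 wrote to memory of 2736 724 MW3_Chair.exe cmd.exe "
    "PID 2736 wrote to memory of 836 2736 cmd.exe sc.exe "
    "PID 3728 wrote to memory of 1200 3728 MW3_Chair.exe cmd.exe "
    "PID 1200 wrote to memory of 4232 1200 cmd.exe sc.exe"
)

# "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"; the second
# <src> is a backreference so a truncated or shifted entry does not match.
ENTRY = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_name>\S+) (?P<dst_name>\S+)"
)


def parse_entries(text):
    """Unique (src_pid, dst_pid, src_image, dst_image) tuples, in first-seen order."""
    entries = []
    for m in ENTRY.finditer(text):
        t = (int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"])
        if t not in entries:          # the report lists every pair twice
            entries.append(t)
    return entries


def build_tree(entries):
    """parent pid -> [child pids], and pid -> image name."""
    children = defaultdict(list)
    names = {}
    for src, dst, src_name, dst_name in entries:
        children[src].append(dst)
        names[src] = src_name
        names[dst] = dst_name
    return children, names


def chains_to(entries, leaf_name="sc.exe"):
    """Every root-to-leaf path whose leaf process is named leaf_name.

    A root is a pid that never appears as a write target; in this report
    those are the MW3_Chair.exe instances (724, 3728, 2476).
    """
    children, names = build_tree(entries)
    targets = {dst for _, dst, _, _ in entries}
    roots = [pid for pid in children if pid not in targets]
    paths = []

    def walk(pid, path):
        path = path + [(pid, names[pid])]
        kids = children.get(pid, [])
        if not kids and names[pid] == leaf_name:
            paths.append(path)
        for kid in kids:
            walk(kid, path)

    for root in roots:
        walk(root, [])
    return paths


if __name__ == "__main__":
    for chain in chains_to(parse_entries(SAMPLE)):
        print(" -> ".join(f"{pid} {name}" for pid, name in chain))
```

On the constructed excerpt this yields three chains, two under pid 724 and one under pid 3728, each of the form MW3_Chair.exe -> cmd.exe -> sc.exe; the same function over the full table gives one chain per sc.exe pid that made it into the 64-entry list.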
Processes
-
Three instances of MW3_Chair.exe (pids 724, 3728 and 2476 in the signature tables above) run the same command sequence through cmd.exe: stop and delete the iqvw64e.sys service, create a kernel-type service named windowsproc whose binary is the dropped C:\Windows\System32\drivers\winhb.sys, then start it. [N] is the depth in the process tree; the line under each image path is its command line.
-
[1] C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
    "C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc stop iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc delete iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc start windowsproc
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
-
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
[1] C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
-
[1] C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
    "C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc stop iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc delete iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc start windowsproc
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
-
[1] C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe
    "C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Checks computer location settings
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc stop iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\sc.exe
            sc delete iqvw64e.sys
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
        [3] C:\Windows\system32\sc.exe
            sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys
            - Launches sc.exe
    [2] C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C sc start windowsproc
        [3] C:\Windows\system32\sc.exe
            sc start windowsproc
            - Launches sc.exe
    [2] C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
-
[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4040 /prefetch:8
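The process tree above is the whole loader sequence: tear down the iqvw64e.sys service, register the dropped winhb.sys as a kernel-type service, start it. For context the report does not give: iqvw64e.sys is the service name of Intel's ethernet diagnostics driver, the driver kdmapper-style manual mappers load; what this sample does with it is not visible here. The script below is an added example, not code from the report or the sample, that runs that detection over constructed Sysmon-style process-creation events modelled on the tree: it parses each sc.exe command line, groups invocations by their top-most ancestor in the event set, and flags an ancestor that stops or deletes one service and then creates and starts a kernel-type service. The event field names, the sc argument parser, the benign control entries (pids 9001/9002) and the ppid value 1 for "parent not in this set" are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events (ProcessId / ParentProcessId / Image /
# CommandLine, the fields Sysmon Event ID 1 carries), modelled on the report's
# process tree. Pids are the report's where it gives them; ppid 1 is a
# placeholder meaning "parent not present in this event set".
EVENTS = [
    {"pid": 724,  "ppid": 1,    "image": r"C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MW3_Chair.exe"'},
    {"pid": 2276, "ppid": 724,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C sc stop iqvw64e.sys'},
    {"pid": 5068, "ppid": 2276, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"sc stop iqvw64e.sys"},
    {"pid": 2736, "ppid": 724,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C sc delete iqvw64e.sys'},
    {"pid": 836,  "ppid": 2736, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"sc delete iqvw64e.sys"},
    {"pid": 3660, "ppid": 724,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys'},
    {"pid": 5024, "ppid": 3660, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"sc create windowsproc type=kernel binpath=C:\Windows\System32\drivers\winhb.sys"},
    {"pid": 1996, "ppid": 724,  "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C sc start windowsproc'},
    {"pid": 3056, "ppid": 1996, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"sc start windowsproc"},
    # Constructed benign control: an admin installing a driver from a shell, using
    # sc's documented "option= value" spacing, with no prior stop/delete of another service.
    {"pid": 9001, "ppid": 1,    "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe"},
    {"pid": 9002, "ppid": 9001, "image": r"C:\Windows\system32\sc.exe",
     "cmdline": r"sc create mydrv type= kernel binPath= C:\Windows\System32\drivers\mydrv.sys"},
]

# sc writes options as "type= kernel" (space after '='); this sample writes
# "type=kernel". Accept both. Quoted binpath values containing spaces are not
# handled by this simplified parser.
SC_OPT = re.compile(r"(?i)\b(type|binpath|start)=\s*(\S+)")


def parse_sc(cmdline):
    """Return (verb, service, options) for an sc.exe command line, else None.

    cmd.exe wrappers such as 'cmd.exe /C sc stop x' deliberately return None,
    so each sc invocation is counted once, from the sc.exe event itself.
    """
    toks = cmdline.split()
    if not toks:
        return None
    head = toks[0].strip('"').lower()
    if not (head in ("sc", "sc.exe") or head.endswith("\\sc.exe")):
        return None
    rest = toks[1:]
    if rest and rest[0].startswith("\\\\"):   # optional \\server argument
        rest = rest[1:]
    if len(rest) < 2:
        return None
    verb, service = rest[0].lower(), rest[1]
    opts = {k.lower(): v for k, v in SC_OPT.findall(" ".join(rest[2:]))}
    return verb, service, opts


def root_of(pid, by_pid):
    """Follow ppid links upward to the top-most process present in the event set."""
    seen = set()
    while pid in by_pid and by_pid[pid]["ppid"] in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
    return pid


def find_driver_loader_chains(events):
    """Flag an ancestor that stops/deletes one service, then creates and starts
    a kernel-type service: the sequence this report's process tree shows."""
    by_pid = {e["pid"]: e for e in events}
    per_root = defaultdict(list)
    for e in events:
        parsed = parse_sc(e["cmdline"])
        if parsed:
            per_root[root_of(e["pid"], by_pid)].append(parsed)
    findings = []
    for root, calls in per_root.items():
        created = {svc: opts for verb, svc, opts in calls
                   if verb == "create" and opts.get("type", "").lower() == "kernel"}
        started = {svc for verb, svc, _ in calls if verb == "start"}
        removed = {svc for verb, svc, _ in calls if verb in ("stop", "delete")}
        for svc, opts in created.items():
            torn_down = sorted(removed - {svc})
            if svc in started and torn_down:
                findings.append({
                    "root_pid": root,
                    "root_image": by_pid[root]["image"],
                    "service": svc,
                    "binpath": opts.get("binpath", ""),
                    "removed_first": torn_down,
                })
    return findings


if __name__ == "__main__":
    for finding in find_driver_loader_chains(EVENTS):
        print(finding)
```

On the constructed events only the MW3_Chair.exe ancestor (pid 724) is reported, with service windowsproc, binpath C:\Windows\System32\drivers\winhb.sys and iqvw64e.sys as the service removed first; the control chain creates a kernel service but never stops or deletes another and never starts its own, so it is not flagged. In production the grouping key would be the real process ancestry rather than "top-most pid in the batch", and a user-writable Image path for the ancestor (here, a file under AppData\Local\Temp) is the second signal worth adding to the same rule.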
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
The four CryptnetUrlCache entries are CryptoAPI's cache of certificate-chain material fetched over the network (CRLs, OCSP responses, intermediate certificates); Windows writes them during chain validation, so they are artefacts of the run rather than files the sample writes itself. The two files under C:\Windows\System32 are written by the sample (see the drop signatures above).
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: ad7539b4b104e367e1c98cb63cf79d49
  SHA1: 02e181db0df0c6c06e09fa1f9332d335f4e33661
  SHA256: 6f8208f7a51de1b3736787dff5f3f4d40d454c3de60bf5ce0fe4b219b1b8e810
  SHA512: 782d12e61bc1e7cb9484e93a297822011cf868c151aac4ec403750027da2e1016e72e5d178a3ec8d8dd18b3de0e29a8b532c16576ca21dd1c889bd9a55a00328
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 724B
  MD5: 8202a1cd02e7d69597995cabbe881a12
  SHA1: 8858d9d934b7aa9330ee73de6c476acf19929ff6
  SHA256: 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
  SHA512: 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 78d91717bc3c4cad84c0c4c22d8492c8
  SHA1: 774e1ce34d245d546f62d340d58408024d2e216c
  SHA256: b6e7d543684131b038717c688fddcd69109fa7a2264f3ddbcc77b48cce1cc0c8
  SHA512: 22508b913df2a17336580a668911fd83d9a0a9b071269934cc1be7408f4220a0bad8d2f39ddd48de85d4f478b7366a09a657af0fee2914ce63b3342a5ec38b11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
  Filesize: 392B
  MD5: 615f25b3620243490fc82cbb6d9acdf7
  SHA1: d53d7d65d00ad691cb751429390cbb8cf572f243
  SHA256: 7c46c91ddcb433ae3a285668ad6cc7c346f8779923ebe1c31204a2b66532f55a
  SHA512: 73e1bb2b077472a3aafdc2367e687b68df11fc08a11362ea17a23d2e0f7fb59188aa31a474b1897488f10264d98071407c960e432e28e6aef593784c2d2d98e0
-
C:\Windows\System32\IME\SHARED\namef.ini
  Filesize: 13B
  MD5: 54839c81584f6efe68ac87fa422cb2a5
  SHA1: a56297c174ea3a5161b029f6991d3e4ab1e19136
  SHA256: 05019a76302524104b38bea81561801802fb157d65eee032c59d69415e73dd7f
  SHA512: 8d647bab273408b8a3fd9590957412056846b5561a5a01d4bc8bc9ae4fff9e6618ef962aff783ecfd0d46d9a1b41e28f8371ed33892e851f88a767b0ad81667e
-
C:\Windows\System32\drivers\winhb.sys
  Filesize: 2.6MB
  MD5: 607fa999176aff89978996e3a9cb27e3
  SHA1: f3b2422c7a4742069ecf4a9eaab742cbcb1f5f21
  SHA256: ee1700af169adab64827080f604e9818cdd7d4672e7d66da137f00681e4e0c38
  SHA512: 841469b4364d4120252b52162c80060eb145857c87373fb41d4558d2ed9e78d0ecd54e5b80670aa548e120cb70db1710992d9c32b5db5a39ba9d0a3855403b93
-
Memory dumps (the 0x140000000-0x142290000 region is the unpacked image matched by the themida rule above; the 8KB region in pid 724 is a separate small allocation):
memory/724-0-0x0000000140000000-0x0000000142290000-memory.dmp     Filesize: 34.6MB
memory/724-1-0x0000000140000000-0x0000000142290000-memory.dmp     Filesize: 34.6MB
memory/724-15-0x0000000140000000-0x0000000142290000-memory.dmp    Filesize: 34.6MB
memory/724-3-0x0000000140000000-0x0000000142290000-memory.dmp     Filesize: 34.6MB
memory/724-14-0x0000000140000000-0x0000000142290000-memory.dmp    Filesize: 34.6MB
memory/724-4-0x00007FFD5A570000-0x00007FFD5A572000-memory.dmp     Filesize: 8KB
memory/724-2-0x0000000140000000-0x0000000142290000-memory.dmp     Filesize: 34.6MB
memory/2476-30-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/2476-31-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/2476-32-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/2476-38-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/3728-17-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/3728-18-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/3728-16-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB
memory/3728-28-0x0000000140000000-0x0000000142290000-memory.dmp   Filesize: 34.6MB