Analysis
- max time kernel: 55s
- max time network: 58s
- platform: windows11-21h2_x64
- resource: win11-20240419-en
- resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 01-07-2024 10:57
Behavioral tasks
- behavioral1: sample sv.exe, resource win10-20240404-en
- behavioral2: sample sv.exe, resource win7-20231129-en
- behavioral3: sample sv.exe, resource win10v2004-20240611-en
- behavioral4: sample sv.exe, resource win11-20240419-en
Errors
General
- Target: sv.exe
- Size: 63KB
- MD5: c095a62b525e62244cad230e696028cf
- SHA1: 67232c186d3efe248b540f1f2fe3382770b5074a
- SHA256: a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
- SHA512: 5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
- SSDEEP: 1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
- Family: xworm
- amount-acceptance.gl.at.ply.gg:7420
- Install_directory: %ProgramData%
- install_file: svhost.exe
Signatures
Detect Xworm Payload (2 IoCs)
  resource | yara_rule
  - behavioral4/memory/724-1-0x0000000000E20000-0x0000000000E36000-memory.dmp | family_xworm
  - C:\ProgramData\svhost.exe | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
  Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  - 1320 | powershell.exe
  - 780 | powershell.exe
  - 3936 | powershell.exe
  - 3588 | powershell.exe
Drops startup file (2 IoCs)
  description | ioc | process
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe
  - File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk | sv.exe
Executes dropped EXE (1 IoC)
  pid | process
  - 4392 | svhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | process
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" | sv.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  - Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  - Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (15 IoCs)
  description | ioc | process
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143" | LogonUI.exe
Modifies registry class (1 IoC)
  description | ioc | process
  - Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings | sv.exe
Opens file in notepad (likely ransom note) (1 IoC)
  pid | process
  - 972 | NOTEPAD.EXE
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid | process (each listed twice)
  - 1320 | powershell.exe
  - 780 | powershell.exe
  - 3936 | powershell.exe
  - 3588 | powershell.exe
  - 2180 | msedge.exe
  - 1508 | msedge.exe
  - 3108 | msedge.exe
  - 1848 | identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  pid | process
  - 1508 | msedge.exe (11 entries)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
  description | pid | process
  - Token: SeDebugPrivilege | 724 | sv.exe
  - Token: SeDebugPrivilege | 1320 | powershell.exe
  - Token: SeDebugPrivilege | 780 | powershell.exe
  - Token: SeDebugPrivilege | 3936 | powershell.exe
  - Token: SeDebugPrivilege | 3588 | powershell.exe
  - Token: SeDebugPrivilege | 724 | sv.exe
  - Token: SeShutdownPrivilege | 4664 | shutdown.exe
  - Token: SeRemoteShutdownPrivilege | 4664 | shutdown.exe
  - Token: 33 | 3004 | AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege | 3004 | AUDIODG.EXE
  - Token: SeDebugPrivilege | 4392 | svhost.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid | process
  - 1508 | msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (12 IoCs)
  pid | process
  - 1508 | msedge.exe (12 entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | process
  - 2880 | PickerHost.exe
  - 4608 | LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  source pid process -> target pid process (number of entries)
  - 724 sv.exe -> 1320 powershell.exe (2)
  - 724 sv.exe -> 780 powershell.exe (2)
  - 724 sv.exe -> 3936 powershell.exe (2)
  - 724 sv.exe -> 3588 powershell.exe (2)
  - 724 sv.exe -> 4452 schtasks.exe (2)
  - 724 sv.exe -> 1508 msedge.exe (2)
  - 1508 msedge.exe -> 820 msedge.exe (2)
  - 1508 msedge.exe -> 1708 msedge.exe (remaining 40 entries)
  - 1508 msedge.exe -> 2180 msedge.exe (2)
  - 724 sv.exe -> 4660 cmd.exe (2)
  - 1508 msedge.exe -> 2328 msedge.exe (6)
Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] "C:\Users\Admin\AppData\Local\Temp\sv.exe"
    - Drops startup file
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
      - Scheduled Task/Job: Scheduled Task
  [2] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youtu.be/dQw4w9WgXcQ?si=L4P9OdVIObe1WQhT
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffe6b3b3cb8,0x7ffe6b3b3cc8,0x7ffe6b3b3cd8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5328 /prefetch:8
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
    [3] "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,5607554273344863653,4473218239566720412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  [2] C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qiygww.bat" "
    [3] shutdown -r -t 30 -c "Stop using this!" (image: C:\Windows\system32\shutdown.exe)
        - Suspicious use of AdjustPrivilegeToken
  [2] "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dbxcjp.txt
      - Opens file in notepad (likely ransom note)
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\System32\PickerHost.exe -Embedding
    - Suspicious use of SetWindowsHookEx
[1] C:\Windows\System32\CompPkgSrv.exe -Embedding
[1] C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
[1] C:\ProgramData\svhost.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
[1] "LogonUI.exe" /flags:0x4 /state0:0xa3a24055 /state1:0x41c64e6d (image: C:\Windows\system32\LogonUI.exe)
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads