95a8e22f4586b962c8bbe268f28b9561ecfafc06bee75f3571ced253d66d5531

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

holfix.exe
Size

256KB
MD5

53f0c95938fdb4b3f0f4814bc8b1b9cc
SHA1

08c2a4a3df5381f8f49a5ee2372728400bd24671
SHA256

6b3ed396381a68ca58a1f4c73f00b40e2c2f555d031690865a64f26d2c5ed7fb
SHA512

2eac3782b5c1e1f45c9492b17910b60f28d2ab69aa7ec1b3e39e3ccf628fe30226c2824309a87d1b84c288b6028b903d3085d01df762ba421c7a5d5a7ddd6f9a
SSDEEP

6144:wMWnwQaTtvIa5rD1U8x7Am6OoyFoLp1kvWlp2FN6A5B5dn01:pJQatIerRUAA0o8CTlkFN6Az5dn0

Score

8^/10

defense_evasion discovery exploit upx

Malware Config

Signatures

Drops file in Drivers directory 4 IoCs

Processes:

holfix.exe

description	ioc	process
File created	C:\Windows\system32\drivers\tcpip.copy	holfix.exe
File created	C:\Windows\system32\drivers\tcpipreset	holfix.exe
File opened for modification	C:\Windows\system32\drivers\tcpip.copy	holfix.exe
File opened for modification	C:\Windows\system32\drivers\tcpipreset	holfix.exe

Possible privilege escalation attempt 27 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exe

pid	process
8	takeown.exe
1516	icacls.exe
4380	icacls.exe
1424	takeown.exe
848	icacls.exe
3148	icacls.exe
3560	takeown.exe
1076	takeown.exe
456	icacls.exe
1280	icacls.exe
3932	icacls.exe
2124	icacls.exe
4652	takeown.exe
648	icacls.exe
2432	takeown.exe
4060	icacls.exe
3068	icacls.exe
4572	icacls.exe
3236	icacls.exe
2272	icacls.exe
5036	takeown.exe
3896	takeown.exe
4192	icacls.exe
4764	takeown.exe
5088	icacls.exe
3064	icacls.exe
3184	icacls.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

holfix.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation holfix.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	holfix.exe

Modifies file permissions 1 TTPs 27 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
8	takeown.exe
3068	icacls.exe
3896	takeown.exe
648	icacls.exe
3932	icacls.exe
5088	icacls.exe
3064	icacls.exe
1076	takeown.exe
5036	takeown.exe
1424	takeown.exe
4572	icacls.exe
3560	takeown.exe
3148	icacls.exe
4192	icacls.exe
1280	icacls.exe
3184	icacls.exe
2124	icacls.exe
4060	icacls.exe
2432	takeown.exe
4652	takeown.exe
1516	icacls.exe
848	icacls.exe
4764	takeown.exe
456	icacls.exe
3236	icacls.exe
2272	icacls.exe
4380	icacls.exe

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

behavioral24/memory/3116-0-0x0000000000400000-0x00000000004C8000-memory.dmp upx
behavioral24/memory/3116-124-0x0000000000400000-0x00000000004C8000-memory.dmp upx
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

resource	yara_rule
behavioral24/memory/3116-0-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral24/memory/3116-124-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Drops file in System32 directory 28 IoCs

Processes:

holfix.exe

description	ioc	process
File opened for modification	C:\Windows\System32\en-us\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\uk-ua\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\de-de\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\uk-ua\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\it-it\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\uk-ua\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\en-us\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\ja-jp\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\ja-jp\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\es-es\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\uk-ua\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\es-es\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\fr-fr\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\fr-fr\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\de-de\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\en-us\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\es-es\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\fr-fr\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\fr-fr\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\it-it\user32copy.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\ja-jp\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\de-de\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\en-us\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\es-es\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\ja-jp\user32new.dll.mui	holfix.exe
File opened for modification	C:\Windows\System32\de-de\user32new.dll.mui	holfix.exe
File created	C:\Windows\System32\it-it\user32copy.dll.mui	holfix.exe
File created	C:\Windows\System32\it-it\user32new.dll.mui	holfix.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1916 msedge.exe
1916 msedge.exe
4320 msedge.exe
4320 msedge.exe
4464 identity_helper.exe
4464 identity_helper.exe
2188 msedge.exe
2188 msedge.exe
2188 msedge.exe
2188 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

4320 msedge.exe
4320 msedge.exe
4320 msedge.exe
4320 msedge.exe
4320 msedge.exe
4320 msedge.exe
4320 msedge.exe

pid	process
1916	msedge.exe
1916	msedge.exe
4320	msedge.exe
4320	msedge.exe
4464	identity_helper.exe
4464	identity_helper.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe
2188	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5036	takeown.exe
Token: SeTakeOwnershipPrivilege	3560	takeown.exe
Token: SeTakeOwnershipPrivilege	1076	takeown.exe
Token: SeTakeOwnershipPrivilege	4764	takeown.exe
Token: SeTakeOwnershipPrivilege	2432	takeown.exe
Token: SeTakeOwnershipPrivilege	8	takeown.exe
Token: SeTakeOwnershipPrivilege	4652	takeown.exe
Token: SeTakeOwnershipPrivilege	1424	takeown.exe
Token: SeTakeOwnershipPrivilege	3896	takeown.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe
4320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

holfix.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3116 wrote to memory of 4736	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 4736	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 5108	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 5108	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1056	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1056	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 820	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 820	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 4108	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 4108	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1168	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1168	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 824	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 824	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1208	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1208	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1356	3116	holfix.exe	cmd.exe
PID 3116 wrote to memory of 1356	3116	holfix.exe	cmd.exe
PID 4736 wrote to memory of 5036	4736	cmd.exe	takeown.exe
PID 4736 wrote to memory of 5036	4736	cmd.exe	takeown.exe
PID 5108 wrote to memory of 3560	5108	cmd.exe	takeown.exe
PID 5108 wrote to memory of 3560	5108	cmd.exe	takeown.exe
PID 4736 wrote to memory of 4380	4736	cmd.exe	icacls.exe
PID 4736 wrote to memory of 4380	4736	cmd.exe	icacls.exe
PID 1168 wrote to memory of 1076	1168	cmd.exe	takeown.exe
PID 1168 wrote to memory of 1076	1168	cmd.exe	takeown.exe
PID 820 wrote to memory of 4764	820	cmd.exe	takeown.exe
PID 820 wrote to memory of 4764	820	cmd.exe	takeown.exe
PID 4736 wrote to memory of 5088	4736	cmd.exe	icacls.exe
PID 4736 wrote to memory of 5088	4736	cmd.exe	icacls.exe
PID 1208 wrote to memory of 1424	1208	cmd.exe	takeown.exe
PID 1208 wrote to memory of 1424	1208	cmd.exe	takeown.exe
PID 1356 wrote to memory of 2432	1356	cmd.exe	takeown.exe
PID 1356 wrote to memory of 2432	1356	cmd.exe	takeown.exe
PID 1056 wrote to memory of 4652	1056	cmd.exe	takeown.exe
PID 1056 wrote to memory of 4652	1056	cmd.exe	takeown.exe
PID 4108 wrote to memory of 8	4108	cmd.exe	takeown.exe
PID 4108 wrote to memory of 8	4108	cmd.exe	takeown.exe
PID 4108 wrote to memory of 3064	4108	cmd.exe	icacls.exe
PID 4108 wrote to memory of 3064	4108	cmd.exe	icacls.exe
PID 1168 wrote to memory of 456	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 456	1168	cmd.exe	icacls.exe
PID 5108 wrote to memory of 1516	5108	cmd.exe	icacls.exe
PID 5108 wrote to memory of 1516	5108	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4060	1356	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4060	1356	cmd.exe	icacls.exe
PID 1168 wrote to memory of 1280	1168	cmd.exe	icacls.exe
PID 1168 wrote to memory of 1280	1168	cmd.exe	icacls.exe
PID 4108 wrote to memory of 3068	4108	cmd.exe	icacls.exe
PID 4108 wrote to memory of 3068	4108	cmd.exe	icacls.exe
PID 820 wrote to memory of 3184	820	cmd.exe	icacls.exe
PID 820 wrote to memory of 3184	820	cmd.exe	icacls.exe
PID 824 wrote to memory of 3896	824	cmd.exe	takeown.exe
PID 824 wrote to memory of 3896	824	cmd.exe	takeown.exe
PID 820 wrote to memory of 648	820	cmd.exe	icacls.exe
PID 820 wrote to memory of 648	820	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4572	1356	cmd.exe	icacls.exe
PID 1356 wrote to memory of 4572	1356	cmd.exe	icacls.exe
PID 5108 wrote to memory of 2272	5108	cmd.exe	icacls.exe
PID 5108 wrote to memory of 2272	5108	cmd.exe	icacls.exe
PID 1208 wrote to memory of 3932	1208	cmd.exe	icacls.exe
PID 1208 wrote to memory of 3932	1208	cmd.exe	icacls.exe
PID 1056 wrote to memory of 3236	1056	cmd.exe	icacls.exe
PID 1056 wrote to memory of 3236	1056	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\holfix.exe
"C:\Users\Admin\AppData\Local\Temp\holfix.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\de-de\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4380

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\de-de\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5088

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\en-us\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1516

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\en-us\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2272

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\es-es\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4652

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3236

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\es-es\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4192

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\fr-fr\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3184

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\fr-fr\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:648

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\it-it\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:8

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3064

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\it-it\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3068

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\ja-jp\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:456

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\ja-jp\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\uk-ua\user32.dll.mui" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:848

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\uk-ua\user32.dll.mui" /grant "":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3148

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\System32\drivers\tcpip.sys" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3932

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\System32\drivers\tcpip.sys" /grant "Admin":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2124

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset&"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f"
2⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /F "C:\Windows\rescache" /A
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /reset
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4060

C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" "C:\Windows\rescache" /grant "Admin":f
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://half-open.com/
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffabe0446f8,0x7ffabe044708,0x7ffabe044718
3⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
3⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2492 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
3⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:2436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
3⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
3⤵
PID:2968

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
3⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
3⤵
PID:4008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
3⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
3⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
3⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,14334908941739313457,14180323922232030651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5544 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
360B

MD5
afc1565dde920d0818f4d86822b89168

SHA1
8cc34419b0c846ded7b03a83b78d252f23e555c1

SHA256
69bbccfff19ffeeb3e993373d88f9f7409d85ec6d96c7c5556a732ffd0350f2f

SHA512
17cb542a44616ae0c292c185a79cbe1967d5d26ff6bfdd8a36a61c91d5978cf2a0e57b98ebc8629739023dc1b7df0628cb34c1521a16637bd969e94879e7e6ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b3636fd09e4cdf221662df3d176c42a2

SHA1
ee9964491509a596007c5b26e11b396510c9bfc8

SHA256
8260b8b12c3aac8516a34842bb766bf6cec40efb3fa4fefb5a43187f0185a56d

SHA512
391ff2610ce4ee34bac809f5f73c28a83e6f7d5160cf7297ad59d61d812b0d7b919e5beaf4f70a9bd7fa69f45a425d839c67bd0ff7b54112d4e5933f656455dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
44c502709f99b8389b5ddbcf49c11865

SHA1
4cbce8e99fe2816134c9c81c57dcf5a5cb23f175

SHA256
83b8a5d7774541a77b492d5350ede6cb4516926530831a1b76563a80163011a3

SHA512
f5d835f35938fd6466f7caead29bcc2e5a7611c39f8219e4a2447ae9e59682dbac70b2f927d5ed11151d3ae971935820bdf5a9b2c7fc14858f5c67af63d2e5cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8fa62fede32216e0a4113d259982f89e

SHA1
b53c005a9d75289b698b15e4c853f9c2b6cae5ad

SHA256
ef0943c95eae441209447db9b229d89eed1599cd8e66166c8d584bef39e15997

SHA512
313c173af97f93f0ca09b2ab0f4f13cafcc8e540ae2ca29497fb06e089726284a313ad736ed0f5f2a380600e285199ef8e90a29dfebfe7c62771c8fd752186c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e33e35f71221d8b8f5827d8d951ee176

SHA1
18903c3a3d9e7e4e96385b9cb0d78ef087ece1b8

SHA256
6e921610f7c39a9db45c25f1d5d59906b449e82fb5d0a2fcbc4f8dbba32d7e7e

SHA512
7b7fb3522e0daca459a17857d93a2f6ab4c69b9b3b8a8ce922cc8c3cd6144a2593ed456988b8799616a9398fafeb1be14611d22a39b7be82c575fa8fd084d128

Download Submit
C:\Windows\System32\de-DE\user32new.dll.mui
Filesize
19KB

MD5
f8d6dd4349b7f240c6cd4d04d21657f7

SHA1
744e7220be770ddce55fc6242fa3c5547725fcd7

SHA256
bd2c70e7e8720942b4bc3020929b894bfbe5e9d97082a821272b73f5d480e9b3

SHA512
96f3e427b735a63b49c07e7f14754b996324a58cc15cf99e55c1ba1555dfdbeb7734719b06d4a95c322b3a9bb31c0bb192d78b06981c03ba0678538dd4890f4f

Download Submit
C:\Windows\System32\en-US\user32new.dll.mui
Filesize
17KB

MD5
90b43ec7eb2e379561b0efd0d93342bb

SHA1
efdc5321144229a02e2347ae71ef1e9a869d8d3c

SHA256
6921a8d82bd3586df770d2854dc9c538f6de996a64c63c29e31b1e84be040f4a

SHA512
5cc5f9045c90e8fd7d0ddbc242ef64df71b10e36c3a6e5d25db8dbc2608aa3ec48b2a6b71686fa4646e40eefec700e0b2c324e8bde7da9239be98f1416a58e4e

Download Submit
C:\Windows\System32\es-ES\user32new.dll.mui
Filesize
18KB

MD5
88e058f2f65a9ecfc4023f5d6512bfee

SHA1
c3a86890e1560d33309c0e019d573855028a811b

SHA256
a0fc551bc1fe60ecedc79c387a3311f9879d1f69509e61c6a6e472534d7b4448

SHA512
e51ac8a044bd5a0de3eb5128efccaa04ee54c5578c698b00bef3ffd9094e51e550b757916af4e7992407019614fd816dd9d78231b6821813bf3e9b4e217f807d

Download Submit
C:\Windows\System32\fr-FR\user32new.dll.mui
Filesize
19KB

MD5
3996e9a5f0cc85e93aa7ade49a892c5e

SHA1
fa2b4d88bc4b2efb7acd13a83003ec23c44c2664

SHA256
39519ade42cac753b5fd8586786e292ada3c4910041353b31730fa3079801c21

SHA512
99a84f565c0c730472ebb7940c260460f54b1c88c446c3869ce5e889f4fd14230b40c6267de751d93a3e1882d6ac6cd29a6026591aebb3600caa7b508bd5d414

Download Submit
C:\Windows\System32\it-IT\user32new.dll.mui
Filesize
18KB

MD5
c99c413b13017aa89431469764aab8cd

SHA1
a556fc89f96414c3d2b262841b207065a5e205c9

SHA256
da174e40ddc8260b809f6331a2d3aa37daa108acd09aef38048432bd1ca283f7

SHA512
da93ae0f081900c612c66967c27baf19b2d2054462971887d295b3db3ca5c1e5dbfd92bd258c4acc683b7ea3414466ded4d6ae85464a4eca7e08029fb4c1d615

Download Submit
C:\Windows\System32\ja-jp\user32new.dll.mui
Filesize
13KB

MD5
e69bdd36a3eb328b1af034c72f160495

SHA1
7615ada4ae284c46dd7ae5212e336aef597814ca

SHA256
9c8c73bd07a703b1561e611e8e0754e3070aca9780069016061986550c3da772

SHA512
f6fb9b3936b856548d2a728506898556048e0708be7803b50a12063db39943f9ebb5013a8f670e3e1c2ce1f4865b7cc6470c3b87bc01957b8749305cc4cc2ec8

Download Submit
C:\Windows\System32\uk-UA\user32new.dll.mui
Filesize
18KB

MD5
aa12a3301c30a46acd35972b04c0a71f

SHA1
56a6a8b5f74e1bddb382f70e8fafa84d2313e364

SHA256
4d8dadf1c2659434290a2e304f9e87a1bd7de443ec8c7599d44d6f9e1636e77e

SHA512
cd64db81fcc2129b73c864bc63f987b447b7c1cea3194bd48f9aa34fb905617e72c585885f3dc071063a08b760bb75ef57f0ae2bca261435c567b4ce8e6f80c3

Download Submit
\??\pipe\LOCAL\crashpad_4320_HLTKBFDRBXUQPHTE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3116-124-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3116-0-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3116-1-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download