Analysis Overview
SHA256
e6ad75d8479592e80915d78e7a2188ed113e58c7acf23282f53008f9af5255dd
Threat Level: Known bad
The file TheMalwaredev-s-garbage-main.zip was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Possible privilege escalation attempt
Disables Task Manager via registry modification
Checks computer location settings
Executes dropped EXE
UPX packed file
Modifies file permissions
Loads dropped DLL
Enumerates connected drives
Writes to the Master Boot Record (MBR)
AutoIT Executable
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry key
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: CmdExeWriteProcessMemorySpam
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-02 20:30
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
148s
Max time network
131s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC4030D1-D8D3-11EE-9CE2-EAAAC4CFEF2E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000cd95730ad2687d71a0a681ec27e88df6435234edbbd6c3a10d16712e20febfec000000000e80000000020000200000007d5c18b2409f95a89ae23b0e2e0a0adff380c7f247a7eb05000bb3257eaf51be90000000519974e9e633c6b9c7b085f4b06b490b24404adfac9b4841a4c37e2470246d3d238d2494b0ba28182f8aca5afc360191772268a71cf2295f21a39411b0b3474de83b52db33a764e3945ea51abe79c45182b935bedb65e5bc98206beed3c4a4c2898ac86aa72df69876b5095720100d9df189a4cac1fecb90f196cd21127d5db99c7188c987bf3735f4f7863441d24e2340000000d4284acdb315e11f5b955bcfbc67100106f59883f9c4aeac5f2cccb81b18cb0c6c2dac4c770313bb3d4588f75812080129e1c3eb90f4eea72b3292c50ae10155 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415573334" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000d149bf49700659b08aea98ca70da35ab342c516ff23d01d81e51637823334119000000000e8000000002000020000000d2676160316a871e48aa9b798814df0824f176ae7a29930950ec944d668ec78c200000003f5804f4a669cf20ce0d1c742cbffda73ba6149161e827bd3364135f0f5bf96b40000000a5c7bc3d58b61c38782ccb4cfe505a8dfe765142d50e0c2287a0e415bfa3242c52946acb72a4d5e773b8b8307f6649a41ff5a3162f0bc199b2c954ce8b11fdc7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2042dda0e06cda01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2492 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2492 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2492 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2492 wrote to memory of 3008 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\explorer.html"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab44FF.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 753df6889fd7410a2e9fe333da83a429 |
| SHA1 | 3c425f16e8267186061dd48ac1c77c122962456e |
| SHA256 | b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78 |
| SHA512 | 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444 |
C:\Users\Admin\AppData\Local\Temp\Tar460F.tmp
| MD5 | dd73cead4b93366cf3465c8cd32e2796 |
| SHA1 | 74546226dfe9ceb8184651e920d1dbfb432b314e |
| SHA256 | a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22 |
| SHA512 | ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c984a6a32212ce55f1baae8aea6bb54f |
| SHA1 | d507db207af7ef81bba29e904fbae431c90ac35b |
| SHA256 | 5501f2304edfd109e2eae71dee0f19b936c4876a86d7044c89935527bb2bb76b |
| SHA512 | e0eab56db21128f05713c74731f2892aa0776b1f81d211cd9465445461136484d532bf9d16e0da7fdc5ed4ef0139399847840284cbc2a27f8c4acdfae4f31e73 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5b04b000cdae0edd48a27e83ec5fdc0a |
| SHA1 | 96f93212df8d16f02e9298be9c4adb14e09c5eae |
| SHA256 | d806721031b86097536b0dd029ae440fef4346af35ea6d7885c60378e2a63074 |
| SHA512 | 9c9aefac2f03201b70e53dd2e05f62bd49ed3c740dcad00f758f787680fcc0598db1ab560995c4261b0de7b4135bb22c82324ae4bffbd42056d093ab94b914ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cad1ecafcae5774209cddc57d03a7948 |
| SHA1 | 4a5a743e8107c22aae9cf7a22c2438094b6ff246 |
| SHA256 | ea145f3c7a91eea141d26786556d472457b4589d3638cb46a93ecdc5480de2d7 |
| SHA512 | b5fada307d535e12e9d54f90845b84ceaa3ead0430608afcca8961218c52582e6a87dad86137c8ef9436daa2b67c4d2a01000e152a09e72988491b177bf074a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 413f4cff86f9f178bf93d25445cb7fe5 |
| SHA1 | 6c6c0495b0713f6b38b3bfa50c898226e5a086eb |
| SHA256 | 98a5593d304df0df9c66cfb60a23f7483d6fc3a368f46d259c382f3142abeba5 |
| SHA512 | 47d4dc6c46f158eaa48e92986b1946d75d4e1c29d5805ee6963175f8d49e274880a7c8b1fcbe7e1c2e552f03dadff75e5589f028a5ab4ae1fd07bf63701080fc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e2176554c2abee26f685cb6064f4313e |
| SHA1 | 9642942e58cf96440aeb00c24f822ee1343e6a98 |
| SHA256 | e52b3cce6c29466615d30ec11eeffff2d194ae7e78cfc55ef573efc23baeedff |
| SHA512 | 79d0a9f835e2008f6ac4f821e2c90f5e6dae4a51cb95f8063d3dad081b0378b5df9b32e10a70a78403dc66099bfe99c1e535b8102ddae165a9057fa39cbe788e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 551505a9ce764df166efd51ba85ca610 |
| SHA1 | d329944140f04af7bf9732abdb444b2bcad4ef41 |
| SHA256 | 064eb3a50f6763eca732b56d63158e6ca9a0ff38a14c206731044261b2596d2e |
| SHA512 | 333b00e75a032df6b60464b0e16774437db90c16b31b25a48049195f8aa81a3ed888a368a09fbdd8b965b8ed30f428df27d06753968b4043b3412aeb72ca15dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8cfb93fe99164a384383691afce4f9b3 |
| SHA1 | 3eb3a05b453e423e3d73d23ec45192e6def32556 |
| SHA256 | 35d7e9455a74a723ed6963b9f2e49a8cc4cbe510063b3d1b031fa6c2194a6615 |
| SHA512 | aa125a1d532c50c6bbeebd5da6668b8614d1442afb803b19abd80270aa5ec8f1f540decc9996325c4641361664bce9d99d3e38f98557f71381bbc67be12b082a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e6abbdb24bbb802fab5c7836032049f |
| SHA1 | 5477457a2c568762e96edca210866aeb56bee2cf |
| SHA256 | 329776f0b4588a9532b00ae749817830c2973f70f1708cd8ef7dc96e49762316 |
| SHA512 | 58a1faea3768eeecdb80f09f840890f78058cd8e29b93c6544d317fc351469b878552924d4082435bdca9128c357ab7bb56d78b4465845675e898d7d7ee32dac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c24643e1af231a47d264fb5d3bb6485a |
| SHA1 | fc76434ed764cfed438d310c1000e9b5be79835f |
| SHA256 | e8ea37332eacaed4f9327820b88a1924c0fbfae99d6c9892762cd0d2ce8899c4 |
| SHA512 | 5b292a78dc544c879dd6f75acc5929386528a8d6b1faa2af3cff1abd7c794d1894266e146937eac75568a36fbb5a695bf7a65fd2507cb0b8acc2d538406f31db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 32c4e06b43fe931ea2ee39e6ec7d3534 |
| SHA1 | 69aca00d60b9e802b6f54efbf26c4eeece93eb8b |
| SHA256 | eeb01fed55a14657b2ff5dda2ca8506b5005124546e1d8b01699ba8e01de13f9 |
| SHA512 | e82fd4c32d656fef4531bb1efd0471359d90070a01ef0e771cdd64910fc6f7d298a00111f3cb403eda05373c7ac22482dba8e81b5ced4baf332e62cf9ade9fc7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1e98a725801a5ae410da310bf82a41b5 |
| SHA1 | ecab477a73ff7f73e88fa0c7e4db13fed7a2e148 |
| SHA256 | f61bbb97b5a1ee142045d25015f03f2d04643a8eee50d48b4bcae9993e6cd91c |
| SHA512 | b04e3348550040bb4681500648d95aef1b6afeebd369aff29e429837ef88e7dec7936a1fefc27e09095504d16e2d0873a3339303f1b2b49c71e9925f2695dcf4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 75394cc93b234208d3052c2b685f42b7 |
| SHA1 | 3298d4a36e3b5321551f5b928c13498689aaf1dd |
| SHA256 | 3f180abb12d254eb2705e29801f23d20118a59cdc3861d5ec4fcea74023c3dd3 |
| SHA512 | 8f07beab562c9b3fbe2386e30d56b8eae93a7860e6d227732683c37c688dac291638b00543197969ef1a850bc0af3a5dd9b7d07ff778342e3c4905105e91d3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 183dfea8c5f3c05937b993e8ae839238 |
| SHA1 | daaa4af6d9612f9ac70587e926046025e7a7eaef |
| SHA256 | 69054152252460a5bac4626391c8a407838df52be5b7ab7dac403c193dba9981 |
| SHA512 | 7dc27db96f9066fba8806b7af1c9aed4089073351d37633cd63d80448bbf20bbed7e4948d1c4ce7eb318278009aa9beade05fce048596b82aa16ef56399fa44f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51fb01ce105bc9e22441497a77027dfa |
| SHA1 | 54d01c81437da81244f20609f5725fcf4e8ff1e7 |
| SHA256 | b8773a351fed13f6df1e4df87af05b0d995523762664039cc6c4fc60e7a74cf1 |
| SHA512 | 3ca43c8c86f4a71e01b1a935ebe7cd98032c9ee5c50db51ddd74a6a87d0e59b6b4513a5bd30b40b24d70fae7a95e0f2d01d28ec42393f4bb9ca3a80850a59eb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e682d5727eb3739fb50d240833b01859 |
| SHA1 | 7fbef496aa50932c31f5c46e9ff2b3fd0853868f |
| SHA256 | c76caf687edb6367fb9cd76ce4932329a5234953af51db0badf743c882a5dca8 |
| SHA512 | e96aee268da2901a503f24519612520564a11c14a275da02a7ad201523b43d8b746d7cb5d96413e5088da11dbe3e02f3721efa9bf21b88bb6cadeffcfdde2249 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 59120ada190a0d689d754e4f5ada0429 |
| SHA1 | 58d76ba00f127fba5e537e3b6bfb9646c2ee72f0 |
| SHA256 | 93df48ba638c758d199e54d430079c690f5513c5118e5848aec328af071fdfc7 |
| SHA512 | 058be21ca86a83ee66c7f97ca1599c851460beca665edc0103f277e7ffd61aea45cba0aacdc254a5a958f27ea860ca90d0d054ab4e4dd0f3e6b5b7ada7fb4b1c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | de34fdc598196d5ab10540a9a3c423a9 |
| SHA1 | 709a1a58c4247d9210b8681e49db29bae7bd49ef |
| SHA256 | d444d6750142f7260059251de3f69279515fd101fe9e2aa5bb29b24a90e77895 |
| SHA512 | c6a552ef5e28e51325000a5fb610d062edee421851047f176dcf644c587c651a23b4048669edd54ec8f9feff3d6f57beb89540e95a9506fe88736f73873c1b20 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\doom.bat"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
118s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\1.vbs"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\mshta.exe |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\explorer.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 760 -ip 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 1508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\o.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
122s
Max time network
133s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\random.vbs"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\__tmp_rar_sfx_access_check_240617312 | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1540 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1540 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1540 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\SystemUpdateInstalled\doom.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
C:\Windows\SystemUpdateInstalled\doom.bat
| MD5 | 87ff7a4be8ba06c3d469b27fc8d665bc |
| SHA1 | 2ddb2e14bb115a85b13cfbe6204a45360c78de04 |
| SHA256 | c5e12fc8cceb6155d5176025c3aeff5e3d8aef8e54e6eabf5af43f19329a634b |
| SHA512 | 38a8d7ccc7f447b9e7b61d7f876a4f6de9782b09d1491e93bd0fcd3e15b6552cd6cfe015b020686eecea14a0951ed392abae55490b55af9c393eb02530632c35 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
165s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\1.vbs"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4156 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
14s
Max time network
142s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Program Files (x86)\mbr.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\logon.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\ScreenMelter.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\error.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\mover.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | \??\c:\Program Files (x86)\mbr.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Program Files (x86)\mbr.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\ScreenMelter.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\error.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68F0.tmp\68F1.tmp\68F2.bat "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe""
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
\??\c:\Program Files (x86)\mbr.exe
mbr.exe
\??\c:\Program Files (x86)\logon.exe
logon.exe
\??\c:\Program Files (x86)\ScreenMelter.exe
ScreenMelter.exe
C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
\??\c:\Program Files (x86)\error.exe
error.exe
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
\??\c:\Program Files (x86)\mover.exe
mover.exe
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
\??\c:\Program Files (x86)\RandomLines.exe
RandomLines.exe
C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
\??\c:\Program Files (x86)\tunnel.exe
tunnel.exe
\??\c:\Program Files (x86)\ScreenGlitch.exe
ScreenGlitch.exe
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
\??\c:\Program Files (x86)\bomb.exe
bomb.exe
\??\c:\Program Files (x86)\InvertColor.exe
InvertColor.exe
C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
\??\c:\Program Files (x86)\start.exe
start.exe
C:\Windows\system32\timeout.exe
timeout /t 8 /nobreak
C:\Windows\system32\LogonUI.exe
LogonUI.exe
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /f
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
Network
Files
C:\Users\Admin\AppData\Local\Temp\68F0.tmp\68F1.tmp\68F2.bat
| MD5 | df6f6c2eae66cff8c13a3faa2bf1699d |
| SHA1 | 0173e526e42ccfb8dbe81b70f56764d923cc5b58 |
| SHA256 | 2a3e63f855dfb9a48d89337959d521650b04b038463d8dd96d7e344b4ed47c34 |
| SHA512 | 438419caa2ce8e6fdcbd8270959178644da2f4b716511cfef35d9ca37354805a563c077efc5354a78115f47ec1213793da70d7fdad6000b032224f2315ae95b3 |
\??\c:\Program Files (x86)\mbr.exe
| MD5 | 03dc6a471476a26055fc25b81df800ef |
| SHA1 | 8f3bc66b51516c07e2a7a9dd43e33cfc5d81961c |
| SHA256 | ba125e407dc4bac03a8e7ae352ce4d17f6dced729f69689058d020ce00f95643 |
| SHA512 | 4564f26763227ffc7c7a8878a3e713d388da6a8f9e0fb6dff307f7a52a17ea5fb052306fb393f5f931d0b918ed8909326343211c5d18afada74ef35f40ee2bba |
C:\Program Files (x86)\logon.exe
| MD5 | 2d88dda976244bc9a14591abf1432f46 |
| SHA1 | cfea29897c1882cadad18841f75013f9d4b2e6c8 |
| SHA256 | b738e6861277724c5f2f1037fd529b77ed75749b00df76860e949e1ef7316eac |
| SHA512 | f65404b030835ca4c84bc4a3cacd0d2695e69708fb3660698e140e5a8a4260d1658c783d130407eefb14139d5c42cf2253d82da3f48ade76fcab934e8a3daf95 |
memory/2624-28-0x0000000000400000-0x0000000000412000-memory.dmp
\??\c:\Program Files (x86)\ScreenMelter.exe
| MD5 | 615d04a80c94f9e36efb9c567a8afc34 |
| SHA1 | cb3b158ce9b5a0eef3097c55c226e6084a4f4877 |
| SHA256 | 9f2c6d14a476d10615fe8e099ef8f87681b80382665b81c041eb5128ae7c7cb8 |
| SHA512 | 0b4c3e073d170b7de1635e3b6af1f641215d217ce9f96d6c57d2ca8a6af45c9aa94a84b6b9f0876a7a8a7a31763943ba5e3bb6f44316a3a2007574359c461294 |
memory/2548-32-0x0000000000E50000-0x0000000000E5E000-memory.dmp
memory/2548-33-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
memory/2548-34-0x0000000000C70000-0x0000000000CF0000-memory.dmp
\??\c:\Program Files (x86)\error.exe
| MD5 | bcdc1a6f1805a6130dfd1913b1659bc2 |
| SHA1 | f4b80ac7fe17332f916ce450d29f7ce671e49bb0 |
| SHA256 | 78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6 |
| SHA512 | 0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4 |
memory/2532-37-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
memory/2580-41-0x0000000140000000-0x0000000140126000-memory.dmp
memory/1460-42-0x0000000140000000-0x0000000140126000-memory.dmp
C:\Program Files (x86)\RandomLines.exe
| MD5 | 50caeee44dc92a147cf95fd82eb6e299 |
| SHA1 | a6619a150a31f4c1b4913884123f5b5334e23489 |
| SHA256 | 81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e |
| SHA512 | e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b |
memory/2548-47-0x000007FEF59C0000-0x000007FEF63AC000-memory.dmp
\??\c:\Program Files (x86)\tunnel.exe
| MD5 | 0909dca5d016f70b982b3a39b92aa0ff |
| SHA1 | d210e6a3de95b2c651a849cb80fde5b3cfd63a87 |
| SHA256 | 4f74cf50abb877593ca5fe53281b206adcf6bda2ffc9a600eca0eb1206c5dd6b |
| SHA512 | 1908b38c2baec2938c927e800501b146825ee7650517e5f7096fdc91f023a8d693911c72c5002483499e912fe0e66fd923639d9b5a96388bc251d6c51021448d |
\??\c:\Program Files (x86)\ScreenGlitch.exe
| MD5 | 47801f0cf73d320054676a56d0264edb |
| SHA1 | 14147de6009f6ad7308cd0cc42864f85d4f41fa9 |
| SHA256 | f25853b17ee25c1df537cd39ba15a338b92b0812833e3a523aa2f90efbf766e8 |
| SHA512 | 2d8f22ea28fbde67f63ea59d262df06658f075d1ef05c2837cea599528d01115a84ab5f88678c4a1fefd4f66a4946b7b20c7744a5bea8dcb3b5444e6c614d2ed |
\??\c:\Program Files (x86)\bomb.exe
| MD5 | 05ad3f85b73e5ff86504f8dcc55b5d42 |
| SHA1 | 927d4554328cc6d767a566c3c6cb54c16d58857a |
| SHA256 | 124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af |
| SHA512 | 6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18 |
\??\c:\Program Files (x86)\InvertColor.exe
| MD5 | ebb811d0396c06a70fe74d9b23679446 |
| SHA1 | e375f124a8284479dd052161a07f57de28397638 |
| SHA256 | 28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89 |
| SHA512 | 1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774 |
memory/2644-56-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-58-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2376-60-0x0000000000400000-0x000000000040A000-memory.dmp
memory/2516-59-0x0000000000400000-0x000000000041D000-memory.dmp
memory/1832-61-0x0000000000400000-0x000000000041D000-memory.dmp
\??\c:\Program Files (x86)\start.exe
| MD5 | 67088968f1b274502a887933e634ceb4 |
| SHA1 | 0fc02f39152bafe954158d3da8facbbd62b15b0e |
| SHA256 | 81c9ad8512b2c5248a6a107b7f6fa529c959fa23329e599c9afa2afeb84d2163 |
| SHA512 | a4cb194f53865f5a41e80795a97c548f572aa66d50a75741e908353b598b17f61e1289d0b98f6c01b400522f2082985f7885a1d7dae0dc86925d81ce949d26c9 |
C:\Windows\System32\LogonUI.exe
| MD5 | 53774c83432658cabec4e2ccd2f25d2a |
| SHA1 | 8264ed786bf6b732ab1ccb0acf27d3dc23e26a8c |
| SHA256 | 7a3409c7456705b53959f83adbdcb7f812a51124df794393f1488c776dc2f20f |
| SHA512 | 37553c19ff120267b45df0b45d34b7c6170d4b98ba3ed587e622d4891138a2aa1484c25253ef43c38c4853cae5fa13b9747c84d63bac33d2b11a993ca06c8d4c |
memory/2644-66-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-68-0x0000000140000000-0x0000000140126000-memory.dmp
memory/764-72-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1604-73-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2644-75-0x0000000000400000-0x0000000000477000-memory.dmp
memory/1096-74-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1084-79-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp
memory/2644-80-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-82-0x0000000140000000-0x0000000140126000-memory.dmp
memory/1096-88-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1604-87-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1084-92-0x0000000001180000-0x000000000118A000-memory.dmp
memory/764-96-0x0000000000310000-0x0000000000311000-memory.dmp
memory/1084-97-0x000000001A990000-0x000000001AA10000-memory.dmp
memory/1096-95-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2644-98-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-100-0x0000000140000000-0x0000000140126000-memory.dmp
memory/764-104-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1096-106-0x0000000000400000-0x0000000000450000-memory.dmp
memory/2644-107-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-109-0x0000000140000000-0x0000000140126000-memory.dmp
memory/764-113-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2644-116-0x0000000000400000-0x0000000000477000-memory.dmp
memory/1096-115-0x0000000000400000-0x0000000000450000-memory.dmp
memory/1604-119-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1604-114-0x0000000000400000-0x0000000000460000-memory.dmp
memory/2644-120-0x0000000000400000-0x0000000000477000-memory.dmp
memory/2580-122-0x0000000140000000-0x0000000140126000-memory.dmp
memory/1096-132-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1084-154-0x000007FEF4FD0000-0x000007FEF59BC000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
133s
Max time network
167s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\random.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240220-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SystemUpdateInstalled | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\__tmp_rar_sfx_access_check_259397604 | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\doom.bat | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File created | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
| File opened for modification | C:\Windows\SystemUpdateInstalled\installer.exe | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2208 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2208 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2208 wrote to memory of 1144 | N/A | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\SystemUpdateInstalled\doom.bat" "
Network
Files
C:\Windows\SystemUpdateInstalled\doom.bat
| MD5 | 87ff7a4be8ba06c3d469b27fc8d665bc |
| SHA1 | 2ddb2e14bb115a85b13cfbe6204a45360c78de04 |
| SHA256 | c5e12fc8cceb6155d5176025c3aeff5e3d8aef8e54e6eabf5af43f19329a634b |
| SHA512 | 38a8d7ccc7f447b9e7b61d7f876a4f6de9782b09d1491e93bd0fcd3e15b6552cd6cfe015b020686eecea14a0951ed392abae55490b55af9c393eb02530632c35 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\doom.bat"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:34
Platform
win7-20240221-en
Max time kernel
178s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\matrix.bat"
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:31
Platform
win10v2004-20240226-en
Max time kernel
3s
Max time network
36s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
162s
Command Line
Signatures
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation | \??\c:\Program Files (x86)\logon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Program Files (x86)\mbr.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\logon.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\ScreenMelter.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\error.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\mover.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\RandomLines.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\tunnel.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\ScreenGlitch.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\bomb.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\InvertColor.exe | N/A |
| N/A | N/A | \??\c:\Program Files (x86)\start.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | \??\c:\Program Files (x86)\mbr.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\LogonUI.exe | \??\c:\Program Files (x86)\logon.exe | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Program Files (x86)\start.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\72CE.tmp\72CF.tmp\72D0.bat "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dead.exe""
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
\??\c:\Program Files (x86)\mbr.exe
mbr.exe
\??\c:\Program Files (x86)\logon.exe
logon.exe
\??\c:\Program Files (x86)\ScreenMelter.exe
ScreenMelter.exe
C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F"
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32
C:\Windows\system32\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
\??\c:\Program Files (x86)\error.exe
error.exe
\??\c:\Program Files (x86)\mover.exe
mover.exe
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
\??\c:\Program Files (x86)\RandomLines.exe
RandomLines.exe
C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
\??\c:\Program Files (x86)\tunnel.exe
tunnel.exe
\??\c:\Program Files (x86)\ScreenGlitch.exe
ScreenGlitch.exe
C:\Windows\system32\timeout.exe
timeout /t 1 /nobreak
\??\c:\Program Files (x86)\bomb.exe
bomb.exe
\??\c:\Program Files (x86)\InvertColor.exe
InvertColor.exe
C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
\??\c:\Program Files (x86)\start.exe
start.exe
C:\Windows\system32\timeout.exe
timeout /t 8 /nobreak
C:\Windows\system32\LogonUI.exe
LogonUI.exe
C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
C:\Windows\system32\taskkill.exe
taskkill /im explorer.exe /f
C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\72CE.tmp\72CF.tmp\72D0.bat
| MD5 | df6f6c2eae66cff8c13a3faa2bf1699d |
| SHA1 | 0173e526e42ccfb8dbe81b70f56764d923cc5b58 |
| SHA256 | 2a3e63f855dfb9a48d89337959d521650b04b038463d8dd96d7e344b4ed47c34 |
| SHA512 | 438419caa2ce8e6fdcbd8270959178644da2f4b716511cfef35d9ca37354805a563c077efc5354a78115f47ec1213793da70d7fdad6000b032224f2315ae95b3 |
C:\Program Files (x86)\mbr.exe
| MD5 | 03dc6a471476a26055fc25b81df800ef |
| SHA1 | 8f3bc66b51516c07e2a7a9dd43e33cfc5d81961c |
| SHA256 | ba125e407dc4bac03a8e7ae352ce4d17f6dced729f69689058d020ce00f95643 |
| SHA512 | 4564f26763227ffc7c7a8878a3e713d388da6a8f9e0fb6dff307f7a52a17ea5fb052306fb393f5f931d0b918ed8909326343211c5d18afada74ef35f40ee2bba |
\??\c:\Program Files (x86)\logon.exe
| MD5 | 2d88dda976244bc9a14591abf1432f46 |
| SHA1 | cfea29897c1882cadad18841f75013f9d4b2e6c8 |
| SHA256 | b738e6861277724c5f2f1037fd529b77ed75749b00df76860e949e1ef7316eac |
| SHA512 | f65404b030835ca4c84bc4a3cacd0d2695e69708fb3660698e140e5a8a4260d1658c783d130407eefb14139d5c42cf2253d82da3f48ade76fcab934e8a3daf95 |
C:\Program Files (x86)\ScreenMelter.exe
| MD5 | 615d04a80c94f9e36efb9c567a8afc34 |
| SHA1 | cb3b158ce9b5a0eef3097c55c226e6084a4f4877 |
| SHA256 | 9f2c6d14a476d10615fe8e099ef8f87681b80382665b81c041eb5128ae7c7cb8 |
| SHA512 | 0b4c3e073d170b7de1635e3b6af1f641215d217ce9f96d6c57d2ca8a6af45c9aa94a84b6b9f0876a7a8a7a31763943ba5e3bb6f44316a3a2007574359c461294 |
memory/544-33-0x0000000000400000-0x0000000000412000-memory.dmp
memory/3356-34-0x0000000000D80000-0x0000000000D8E000-memory.dmp
memory/3356-35-0x00007FFD22D70000-0x00007FFD23831000-memory.dmp
memory/3356-36-0x000000001BA10000-0x000000001BA20000-memory.dmp
C:\Program Files (x86)\error.exe
| MD5 | bcdc1a6f1805a6130dfd1913b1659bc2 |
| SHA1 | f4b80ac7fe17332f916ce450d29f7ce671e49bb0 |
| SHA256 | 78e706c684da0134ace5fdd5cc5e7263c5f17b905d783f928eb68d558116aac6 |
| SHA512 | 0769ecf207e224ceceba33854b457d4389897163037b91141b958762304f64e75af32679c4d6ea88c4cf02aaadde077fef048837ef280a13948e82d69b6358b4 |
memory/1484-39-0x0000000000400000-0x000000000040D000-memory.dmp
C:\Program Files (x86)\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
memory/4572-42-0x0000000140000000-0x0000000140126000-memory.dmp
\??\c:\Program Files (x86)\RandomLines.exe
| MD5 | 50caeee44dc92a147cf95fd82eb6e299 |
| SHA1 | a6619a150a31f4c1b4913884123f5b5334e23489 |
| SHA256 | 81b9a2e3e9ee39f05b585ad871696a946837fcf784d3d4ecd4b9caea16560a1e |
| SHA512 | e009de28d24abbecac2b20c4dcbbe4bd2de461c0d3140043d1ef6db3e4807d13723fb1916bc9bd1a636cfdc4bb3e102ecae645e783901ebdf9996e9bcdd9466b |
memory/3356-49-0x00007FFD22D70000-0x00007FFD23831000-memory.dmp
C:\Program Files (x86)\tunnel.exe
| MD5 | 0909dca5d016f70b982b3a39b92aa0ff |
| SHA1 | d210e6a3de95b2c651a849cb80fde5b3cfd63a87 |
| SHA256 | 4f74cf50abb877593ca5fe53281b206adcf6bda2ffc9a600eca0eb1206c5dd6b |
| SHA512 | 1908b38c2baec2938c927e800501b146825ee7650517e5f7096fdc91f023a8d693911c72c5002483499e912fe0e66fd923639d9b5a96388bc251d6c51021448d |
C:\Program Files (x86)\ScreenGlitch.exe
| MD5 | 47801f0cf73d320054676a56d0264edb |
| SHA1 | 14147de6009f6ad7308cd0cc42864f85d4f41fa9 |
| SHA256 | f25853b17ee25c1df537cd39ba15a338b92b0812833e3a523aa2f90efbf766e8 |
| SHA512 | 2d8f22ea28fbde67f63ea59d262df06658f075d1ef05c2837cea599528d01115a84ab5f88678c4a1fefd4f66a4946b7b20c7744a5bea8dcb3b5444e6c614d2ed |
\??\c:\Program Files (x86)\bomb.exe
| MD5 | 05ad3f85b73e5ff86504f8dcc55b5d42 |
| SHA1 | 927d4554328cc6d767a566c3c6cb54c16d58857a |
| SHA256 | 124cf5ca90e7aaede685fe0cda72b6a63b80583d2d5ec04d5baeb4a1851c48af |
| SHA512 | 6fda7808e0b96caf3a1ff35734fec63f1e78cca6ae0abaa54fd5dd7bca6299a587b8f2c455b9385d7cf9b9cd9b74edbab1e37d8f98e8777059b3c3e2964feb18 |
\??\c:\Program Files (x86)\InvertColor.exe
| MD5 | ebb811d0396c06a70fe74d9b23679446 |
| SHA1 | e375f124a8284479dd052161a07f57de28397638 |
| SHA256 | 28e979002cb4db546bf9d9d58f5a55fd8319be638a0974c634cae6e7e9dbcd89 |
| SHA512 | 1de3dcd856f30004becee7c769d62530f3a5e9785c853537adc0a387d461c97b305f75cbaf13f278dd72ba22d4650e92c48edf3c3a74b13ed68ffc0d45e13774 |
memory/3076-61-0x0000000000400000-0x0000000000477000-memory.dmp
memory/3284-62-0x0000000000610000-0x0000000000611000-memory.dmp
memory/4068-63-0x00000000020B0000-0x00000000020B1000-memory.dmp
memory/4572-65-0x0000000140000000-0x0000000140126000-memory.dmp
C:\Program Files (x86)\start.exe
| MD5 | 67088968f1b274502a887933e634ceb4 |
| SHA1 | 0fc02f39152bafe954158d3da8facbbd62b15b0e |
| SHA256 | 81c9ad8512b2c5248a6a107b7f6fa529c959fa23329e599c9afa2afeb84d2163 |
| SHA512 | a4cb194f53865f5a41e80795a97c548f572aa66d50a75741e908353b598b17f61e1289d0b98f6c01b400522f2082985f7885a1d7dae0dc86925d81ce949d26c9 |
memory/1240-69-0x0000000002070000-0x0000000002071000-memory.dmp
memory/1712-70-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3208-71-0x0000000000400000-0x000000000040A000-memory.dmp
memory/1876-72-0x0000000000400000-0x000000000041D000-memory.dmp
memory/3076-73-0x0000000000400000-0x0000000000477000-memory.dmp
memory/3284-74-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4068-75-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Windows\system32\LogonUI.exe
| MD5 | 53774c83432658cabec4e2ccd2f25d2a |
| SHA1 | 8264ed786bf6b732ab1ccb0acf27d3dc23e26a8c |
| SHA256 | 7a3409c7456705b53959f83adbdcb7f812a51124df794393f1488c776dc2f20f |
| SHA512 | 37553c19ff120267b45df0b45d34b7c6170d4b98ba3ed587e622d4891138a2aa1484c25253ef43c38c4853cae5fa13b9747c84d63bac33d2b11a993ca06c8d4c |
memory/3964-80-0x0000000000880000-0x000000000088A000-memory.dmp
memory/4572-81-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3964-82-0x00007FFD22D70000-0x00007FFD23831000-memory.dmp
memory/4572-83-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3964-84-0x000000001B640000-0x000000001B650000-memory.dmp
memory/1240-86-0x0000000000400000-0x0000000000450000-memory.dmp
memory/3076-87-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4068-91-0x0000000000400000-0x0000000000460000-memory.dmp
memory/4572-93-0x0000000140000000-0x0000000140126000-memory.dmp
memory/1240-96-0x0000000002070000-0x0000000002071000-memory.dmp
memory/3076-97-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4572-103-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3964-106-0x00007FFD22D70000-0x00007FFD23831000-memory.dmp
memory/3964-107-0x000000001B640000-0x000000001B650000-memory.dmp
memory/3076-108-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4572-114-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3076-117-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4572-123-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3076-126-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4572-132-0x0000000140000000-0x0000000140126000-memory.dmp
memory/3076-137-0x0000000000400000-0x0000000000477000-memory.dmp
memory/4572-139-0x0000000140000000-0x0000000140126000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dos.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:32
Platform
win7-20240221-en
Max time kernel
118s
Max time network
124s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Web\NO.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\winhelper.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\Screen\154.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\setup64.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\WinKernel32.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\updatepush.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\NO.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\setup64.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinKernel32.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\you cant escape.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\you cant escape.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\updatepush.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winhelper.vbs | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Handler = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\IconPath = "%SystemRoot%\\system32\\shell32.dll,-16769" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\ItemName = "@shell32.dll,-30397" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "xxx" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\MenuText = "@shell32.dll,-30318" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config\DontRename | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\NullFile | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"
C:\Windows\system32\timeout.exe
timeout 20
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg import virus.reg
C:\Windows\system32\reg.exe
reg import here.reg
C:\Windows\system32\reg.exe
reg import death.reg
C:\Windows\system32\reg.exe
reg import no.reg
C:\Windows\system32\reg.exe
reg import password.reg
C:\Windows\system32\reg.exe
reg import color.reg
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
mover.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Windows\system32\reg.exe
reg import im.reg
C:\Windows\system32\reg.exe
reg import systemmessage.reg
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg import UAC.reg
C:\Windows\system32\reg.exe
reg import inkfile.reg
C:\Windows\system32\shutdown.exe
shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F68F.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F69E.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AE.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6AF.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6B0.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F6CD.tmp\x.cmd""
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\Users\Public\Music\FREE SOLARIS.vbs
| MD5 | ac910281f16a464b6257102b715ffafc |
| SHA1 | 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5 |
| SHA256 | afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e |
| SHA512 | a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad |
C:\Users\Public\Desktop\Hacking2.vbs
| MD5 | 81c5f570e4fb185d0d675c450741f28b |
| SHA1 | cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a |
| SHA256 | 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376 |
| SHA512 | 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936 |
C:\Windows\updatepush.exe
| MD5 | 27d4d788b5190d8ad943f03479c86360 |
| SHA1 | 5ca05ed08987ade8d20a9e1bd3d7245d9b3ef4e7 |
| SHA256 | 2d3586f1ce37337292ac4b3ece03ab78b3aa5c28a5925d7d498d35ca32434993 |
| SHA512 | c55a8819dc3285d655c2033e98e47db6397654ad1aee6a22e8ac50d8b6cb11b8eb41a59a6aee5bce1a784167894f4664b0ad390110e94013a19d221a9cfba02e |
C:\WinKernel64.bat
| MD5 | 284e7e79635ec15370bb7530d20f6b7e |
| SHA1 | 471f6b7bc91a8c6b51f291c75126a38b082a92ce |
| SHA256 | 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235 |
| SHA512 | 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\note.txt
| MD5 | 1ebb3ddb5424eae8205a111a3b4e2237 |
| SHA1 | 7f6603ae0410ea2dc5adfd879632039b0eee955a |
| SHA256 | efc4f3065ab66661a92daebbf770103b2e8306d3985ac5c5ae816e0f64e6ab4e |
| SHA512 | cc9d3d208f97f8f9f46865ce75257cff6616e49f49b90e1273fa923c1d7c05c68e0ea35eec3361de4167839acec86e03c40cf4f1bf7bb039ec91cd4f8e3c855f |
C:\Users\Public\Desktop\Escape.vbs
| MD5 | 23873c064655ec26585bb489cab1965c |
| SHA1 | 575d47d57ddb6ffb5335f5d48f6bd222e17af599 |
| SHA256 | 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63 |
| SHA512 | 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348 |
memory/2880-176-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2000-174-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2880-178-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2484-275-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Public\Desktop\setup3.exe
| MD5 | 9d0cbe0006b8e6760679bf893c5d848f |
| SHA1 | a85c9378a962f1f3454ec34ce596dea318031618 |
| SHA256 | 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c |
| SHA512 | 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2 |
C:\Users\Admin\AppData\Local\Temp\F68F.tmp\x.cmd
| MD5 | 5156c0df260ccc7bc13b73b6de4d9a25 |
| SHA1 | e6f8b1f6ef658a1f5772b83c898088330184d291 |
| SHA256 | 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88 |
| SHA512 | d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39 |
memory/2656-338-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2484-337-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2732-342-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2824-343-0x0000000002D90000-0x0000000002D91000-memory.dmp
memory/2488-341-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2628-340-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2572-339-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2880-344-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2296-345-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240220-en
Max time kernel
140s
Max time network
121s
Command Line
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe"
Network
Files
memory/2084-0-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-1-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-2-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-3-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-4-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-5-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-6-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-7-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-8-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-9-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-10-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-11-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-12-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-13-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-14-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-15-0x0000000140000000-0x0000000140126000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:34
Platform
win10v2004-20240226-en
Max time kernel
155s
Max time network
182s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 80
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x450
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
melter.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Windows\SysWOW64\timeout.exe
timeout 20
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 13.107.246.64:443 | tcp | |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.201.106:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 106.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs
| MD5 | cdfafa9e845ccc0facf0e9338c1ef55c |
| SHA1 | ac8e7e70cd63fbb5cb2c3d1635117e9308946cb2 |
| SHA256 | e8dcb3afcd37591ebc9e959151f1249dab477ac68ad01761600f07dda804d2d2 |
| SHA512 | 01bb8942927bd050d35bd30937ab9d4380b5bd2722da58d0347e3d0f8d39b2ac626ad36fd505c25816b5fcc67635f754cdf7ca19df9af066b4deceb23a0f3803 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat
| MD5 | dfd87cce00d2ea4bb4bf851f28cc0d8f |
| SHA1 | d8e679b4bc879ee3ce960fc675a2e32cf9ec4c73 |
| SHA256 | d036988fa00174c637f2fafa9ac0ca3150bdc4bc9449b319536dfafc33abe4e1 |
| SHA512 | 0356c8b95e0f18b79ead2cf74368e779b145c7c3436123d2034996a91e9dae2d3a7fe84dde5a7a1572686cd76422d261ef3f6c307ddfaa8badc4d5d66350006d |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs
| MD5 | 7f1f2f18b81c7ff47430c518defb9f48 |
| SHA1 | 33642f35825428762b8133721ca38466e7b69559 |
| SHA256 | 208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58 |
| SHA512 | c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\boom.wav
| MD5 | fb74ebc977bcb28d26d23989dfded4fe |
| SHA1 | f2e419d0605de9682496a7c191a9723fe55c1779 |
| SHA256 | d2466e56374b453b8a0c0df3be04b8dd5aa002f3113c73525d586d42f080e434 |
| SHA512 | b33a23b4c76c9d22df7e738a1ecab0d717d748ef1c2a73cac6362ec8ee18b356a9811996d24d6b4c150bab88137d48910a08e91652c3b6d1f120378083cc88f2 |
memory/2352-45-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-44-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-47-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-46-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-43-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-48-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-50-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-49-0x0000000005620000-0x0000000005630000-memory.dmp
memory/2352-51-0x0000000005620000-0x0000000005630000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
| MD5 | b17223e59994f60c5833030795f2bcac |
| SHA1 | 66f5f5caf68849cfe574cbef7f8278dacdafdd5f |
| SHA256 | 49fdaa4ee215c3a142144184d0e82964efb4c11c7d8ce726c5806bfca13888ca |
| SHA512 | c7aea16c9327e9c19860c4a1487a94cb7edc8953d57aef9617a6d9accd645eb3fecf5e81f0eca6348f9dea86077d55d00546fc270bcd5d5cb9d8c864d9bf0003 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
| MD5 | d9baac374cc96e41c9f86c669e53f61c |
| SHA1 | b0ba67bfac3d23e718b3bfdfe120e5446d0229e8 |
| SHA256 | a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412 |
| SHA512 | 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs
| MD5 | c11dcd084c37d3efafe67ba11bb6c02a |
| SHA1 | 7041fe5b22b2a373593601a0f7b53bf91b4f8468 |
| SHA256 | 9faf3a654b5139565960b5977d08ca08e03667c2bd1b151d4813a01555f7ec64 |
| SHA512 | e8d7ba4e76997a144d6a4538ddba5c31e77d2d48c67efa88e86809b5de4748c7ba9a08b4e98582f7a5e07a62bc9c5c98fe16ab947bc8a1b0ea7821cf0a69da1a |
memory/5104-69-0x0000000000400000-0x0000000000402000-memory.dmp
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs
| MD5 | c613a5c08c5326e673704395d63dcdcc |
| SHA1 | dbccc7410a67d633bef046dab24ee55b64d0f1af |
| SHA256 | 8c7609a125582d9d5bab8b5b020e4f9ef9467795fecc9a5fb38895ee7f6e9418 |
| SHA512 | d02fc6e220f7f5a7acedc1fece4e282f4889f824e926d73a3ed573767eb8a86c8d21dbd1ed63627b9cc8ad2c4aa532c58adebad98f7c8d3cdaa360a1198c2c9e |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs
| MD5 | b03f8296e9ca8c4e0775aa97046e7b0f |
| SHA1 | ad54c88af769649efbf634050050da2a93fb5699 |
| SHA256 | 9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98 |
| SHA512 | 1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d |
Analysis: behavioral11
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\dos.vbs"
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
161s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\explorer.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc865146f8,0x7ffc86514708,0x7ffc86514718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,310324865304912160,4915434912552287270,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c6aef82e50d05ffc0cf52a6c6d69c91 |
| SHA1 | c203efe5b45b0630fee7bd364fe7d63b769e2351 |
| SHA256 | d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32 |
| SHA512 | 77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed |
\??\pipe\LOCAL\crashpad_2840_SXDUGGEGQPZNIXEJ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7c6136bc98a5aedca2ea3004e9fbe67d |
| SHA1 | 74318d997f4c9c351eef86d040bc9b085ce1ad4f |
| SHA256 | 50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2 |
| SHA512 | 2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 10a641d8160d11cb6bf44228f546802c |
| SHA1 | f60f096883d20c6cfb390b3df53422b6506b3a71 |
| SHA256 | a7dc45bf6f9f16097f7785ae29548f3795dee29668541c5501f99d4917b890be |
| SHA512 | de8b79d631f3405e94c42558c1c104253972c14f59dfee6012aa302a05274070d9926c06d9455d462268dc392a08b4eceedc1bbc8ed07161ebc6f579cb8a1c45 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 14f56be3dc1a2ceb8b5f2260ad278646 |
| SHA1 | d83fce265badf3cdae085fbfb8eb74d005d3d3d1 |
| SHA256 | f5beda62b3854a9b9c547274d649328d385b2252061af003a3be0b3a4de093b0 |
| SHA512 | a04ee6b43480b41292b0c79e4764bd6763a0088bd62cbf6f9aa54f92a12f985ff316e4cbf6d5f3ef19fed56d7360a0ee6c6144283963e7fa9432f59fafda29e5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | afa6fb0b4adb2582e204a2192cae47c1 |
| SHA1 | 94d5a1a643701f25d2bd729ea3510c3248931234 |
| SHA256 | 9621f63f010206b5cd1e14faf31fd5937cf1790e083ccc600b1abf09e8b1b59f |
| SHA512 | b958abbdb5b1e201be9915d334d5fc009c5fc8cbf0db6afa04c457d1aa91d5a6a0731f52c891ca0f9bebe389d24e5ce03c1d5c713890abfb10219d08b536a992 |
Analysis: behavioral21
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
122s
Max time network
138s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\melter.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\melter.exe"
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
148s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\res.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 80
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
melter.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im melter.exe
C:\Windows\SysWOW64\timeout.exe
timeout 20
Network
Files
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\run.vbs
| MD5 | cdfafa9e845ccc0facf0e9338c1ef55c |
| SHA1 | ac8e7e70cd63fbb5cb2c3d1635117e9308946cb2 |
| SHA256 | e8dcb3afcd37591ebc9e959151f1249dab477ac68ad01761600f07dda804d2d2 |
| SHA512 | 01bb8942927bd050d35bd30937ab9d4380b5bd2722da58d0347e3d0f8d39b2ac626ad36fd505c25816b5fcc67635f754cdf7ca19df9af066b4deceb23a0f3803 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\cmd.bat
| MD5 | dfd87cce00d2ea4bb4bf851f28cc0d8f |
| SHA1 | d8e679b4bc879ee3ce960fc675a2e32cf9ec4c73 |
| SHA256 | d036988fa00174c637f2fafa9ac0ca3150bdc4bc9449b319536dfafc33abe4e1 |
| SHA512 | 0356c8b95e0f18b79ead2cf74368e779b145c7c3436123d2034996a91e9dae2d3a7fe84dde5a7a1572686cd76422d261ef3f6c307ddfaa8badc4d5d66350006d |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\snd.vbs
| MD5 | 7f1f2f18b81c7ff47430c518defb9f48 |
| SHA1 | 33642f35825428762b8133721ca38466e7b69559 |
| SHA256 | 208337c0a3656061ad50d85b608cc0fec353f71d16ccd6896aae2ed4e5bdfa58 |
| SHA512 | c441e17a5f48c7b381a233f95b88b640f167ac053584a77e20cf5f9cc0e199527051ce7d39d450573af6db4ea5c8056ed62189322c2e0ba9a6779dae1dbbfc04 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\boom.wav
| MD5 | 475f4bfd5056d438d8daf8179b53aca1 |
| SHA1 | b2b5f744c88925b53aac42aa2c5694d954e44adb |
| SHA256 | 7eea211b1f67cf2d3404fe5b0dae02b0b3ad50e4c3311791c651f2a712436092 |
| SHA512 | a664f9391ba0066cc6daa11c63903e89e424b1cf9f3217490c477bdf5ccda917f9e8f11e17a7df2f2816bc10f9a761428c194c7e5f710b0adbb4aa7033bc5920 |
memory/2948-47-0x0000000073030000-0x0000000073342000-memory.dmp
memory/2948-48-0x0000000073030000-0x0000000073342000-memory.dmp
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\melter.exe
| MD5 | d9baac374cc96e41c9f86c669e53f61c |
| SHA1 | b0ba67bfac3d23e718b3bfdfe120e5446d0229e8 |
| SHA256 | a1d883577bcb6c4f9de47b06fe97c370c09bddffb6569b6cf93576371bdbc412 |
| SHA512 | 4ecdf8757e75b02da06a9d42a8ca62b9f2ef292dc04fa37d96603af78433f8aa9dd82fcf1e128a8f463b9691dcc1645b4a64e34f3c5d631f3a0e0670da0d0457 |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\likeme.vbs
| MD5 | c11dcd084c37d3efafe67ba11bb6c02a |
| SHA1 | 7041fe5b22b2a373593601a0f7b53bf91b4f8468 |
| SHA256 | 9faf3a654b5139565960b5977d08ca08e03667c2bd1b151d4813a01555f7ec64 |
| SHA512 | e8d7ba4e76997a144d6a4538ddba5c31e77d2d48c67efa88e86809b5de4748c7ba9a08b4e98582f7a5e07a62bc9c5c98fe16ab947bc8a1b0ea7821cf0a69da1a |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\NoEscape.vbs
| MD5 | c613a5c08c5326e673704395d63dcdcc |
| SHA1 | dbccc7410a67d633bef046dab24ee55b64d0f1af |
| SHA256 | 8c7609a125582d9d5bab8b5b020e4f9ef9467795fecc9a5fb38895ee7f6e9418 |
| SHA512 | d02fc6e220f7f5a7acedc1fece4e282f4889f824e926d73a3ed573767eb8a86c8d21dbd1ed63627b9cc8ad2c4aa532c58adebad98f7c8d3cdaa360a1198c2c9e |
C:\Users\Public\CmdDesktop\Users\a\b\c\d\temp\op.vbs
| MD5 | b03f8296e9ca8c4e0775aa97046e7b0f |
| SHA1 | ad54c88af769649efbf634050050da2a93fb5699 |
| SHA256 | 9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98 |
| SHA512 | 1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d |
Analysis: behavioral5
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:31
Platform
win7-20240215-en
Max time kernel
24s
Max time network
28s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\temp\mover.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
| N/A | N/A | C:\Users\Public\temp\x.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Web\setup64.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winhelper.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinKernel32.bat | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\updatepush.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\setup64.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\you cant escape.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\you cant escape.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\winhelper.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\NO.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\NO.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\Screen\154.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\WinKernel32.bat | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\updatepush.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\ItemName = "@shell32.dll,-30397" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\MenuText = "@shell32.dll,-30318" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\NullFile | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config\DontRename | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\IconPath = "%SystemRoot%\\SysWow64\\shell32.dll,-16769" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Handler = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "xxx" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\shutdown.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Public\temp\main.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\update.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 20
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg import virus.reg
C:\Windows\SysWOW64\reg.exe
reg import here.reg
C:\Windows\SysWOW64\reg.exe
reg import death.reg
C:\Windows\SysWOW64\reg.exe
reg import no.reg
C:\Windows\SysWOW64\reg.exe
reg import password.reg
C:\Windows\SysWOW64\reg.exe
reg import color.reg
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Users\Public\temp\mover.exe
mover.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Windows\SysWOW64\reg.exe
reg import im.reg
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\80E3.tmp\x.cmd""
C:\Windows\SysWOW64\reg.exe
reg import systemmessage.reg
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8121.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8150.tmp\x.cmd""
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\816F.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\8180.tmp\x.cmd""
C:\Windows\SysWOW64\reg.exe
reg import UAC.reg
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\817F.tmp\x.cmd""
C:\Windows\SysWOW64\reg.exe
reg import inkfile.reg
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
C:\Users\Public\temp\run.vbs
| MD5 | 362843e8fcf8e162e48abd29903e1246 |
| SHA1 | 4621eac5ff7725d92a591565aa5af49bfcc41123 |
| SHA256 | 243615ac3ba7603b2693224de5b0dd60e06d40f6ee8684df5b31ba921219bf9e |
| SHA512 | e77afbefa77003cd11aca77043b97b67bdfff0dad6733298bcec86502558004621579e1c32becf2f81ddb06664e3878bd1d9bccee5ef4b5c7c0c791d54c11d09 |
C:\Users\Public\temp\main.bat
| MD5 | 5f54a2c61397eb3d4f1bc8e9736fec2a |
| SHA1 | 5c3ad25b0bff96ad74d2743b15089847d6be2d40 |
| SHA256 | 9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968 |
| SHA512 | d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f |
C:\Users\Public\temp\update.vbs
| MD5 | 75f0b9500755a92762ae7e92770ee671 |
| SHA1 | 6162edc92ce09dae4ec438378f0a24a50eca4e17 |
| SHA256 | 4e6280573d50f767191c41a3f5cf465b27bc0bdaff9132873c99236634ae5e04 |
| SHA512 | 25016f615ca12005fa85b2761a21ed1f1bf6211bdc44983c6b26088cef487e3da52cdc124a64019f95b214de3cbe410e37b2f037298e3eccbc2fb3e4361be145 |
C:\Users\Public\temp\wii.vbs
| MD5 | ac910281f16a464b6257102b715ffafc |
| SHA1 | 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5 |
| SHA256 | afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e |
| SHA512 | a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad |
C:\Users\Public\temp\1.vbs
| MD5 | 8896267f3335510e6144e7550a713db8 |
| SHA1 | 9dd5a753186af59997b07c058707ad6faa390ffa |
| SHA256 | 8781a103faaa21cb3053eb21257cf6668f82419248e503a7afd33b8a5509b26b |
| SHA512 | 696fdcfb7d67dcc97d3309eee1bb1b7dd29f36d29d0dacb4bae2b099b8b73ec50c63915f7045acc105633505d9d366d97aedc9e126af841473ec309c918683b8 |
C:\Users\Public\temp\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
C:\Users\Public\temp\dead.exe
| MD5 | f2a055b5634373f384692c2daaedf299 |
| SHA1 | 41d6f65378f2360c48bcc6684baddf9c62585086 |
| SHA256 | 926d3b91619e6a5d327f09b6d95d46486777910c9ca4965c6e0917c30b9561d8 |
| SHA512 | 4656d7d8e5e74c3c490a008e8a06b73f05bb971d458d04c8bec55ec3d25afe2644ee70be98b826f7f397b05e6ed7bc02d14ed88661c12d1651a31dde9478f69b |
C:\Users\Public\Desktop\Hacking.vbs
| MD5 | 81c5f570e4fb185d0d675c450741f28b |
| SHA1 | cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a |
| SHA256 | 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376 |
| SHA512 | 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936 |
C:\Users\Public\temp\virus.reg
| MD5 | 4af82811a5a2b8cb619c83e4b61d7d78 |
| SHA1 | f353e56635c6493864f740502042f4f0fcff5cee |
| SHA256 | bf2befa4e44b28bca76ec7b76f2386910f7edd659ee95022b864d4ebf411e037 |
| SHA512 | 8a5ee1b0ab26189d9b5bd2b4208829733a9892aacf3461b3a9bec80f234a5dcf01b836f86c73f2a799fb3194a63c4cc1ca410efe734a626aed74424a22f3df60 |
C:\Users\Public\temp\here.reg
| MD5 | afedbb9b1c857745f4b93259bb68af47 |
| SHA1 | e33964e90622b62d645097f88de405a99a95a518 |
| SHA256 | b44cd8aac57b1b103386b1d014ef0695b6fe5cad198b59f55210900e889bb099 |
| SHA512 | 22634bbd6dc8ced9b655ed6110b318f297173f367836e5962dd9a7d095261bd242fa6a7018065d83deb45089b913e1feee9186dc8fe55cfa0a66b747fd458650 |
C:\Users\Public\temp\death.reg
| MD5 | bd6a649075e3eaf9fe3d6569614f4016 |
| SHA1 | c2facb5fb74a54d955564044cd6e777d79f6698d |
| SHA256 | 879fd141377eec559c7e54374294fcb5880a5feed559a7b04f450425de7b3e18 |
| SHA512 | d16fc905cc8c739e47d2d9f8eb2069a1713f729b0e9a86b6eddab1b18d7d62eee27d8384edb5b86e4d4b06fb6a759eaa6768eaa3cd4fefd3c8ea5d1e6094567d |
C:\Users\Public\temp\no.reg
| MD5 | b407fa400d23edf1a710633435228c90 |
| SHA1 | 4acce131047a4e73dcc61fb038d24e27b2217cc9 |
| SHA256 | 2a222c741e76128ffec9ad0576798ce79d89babb43c2b2fb321cbf6567c262a7 |
| SHA512 | ef7bd2ca4380b99ee7a5f247334d053dd5c60c0d3449d69bb657f2caa7572c8800d438aff7ee428481971d26c576f2dd0b5868128ab365f1400a6ed28a0670aa |
C:\Users\Public\temp\password.reg
| MD5 | b5d54b3eb5911fea78c8f3b2324f4831 |
| SHA1 | b5b86aefd16f54eef78927b8beb4e7eb96c580bc |
| SHA256 | 2a04d7384902f4325784e3577b26e79922c967c9be4cd3614f68014321bf8896 |
| SHA512 | 92eb3b28459e944f6e487ef65b3ea6d8335f22954de4470dd0ca5dbe256a9d699103e3a01a579fe244bf4de7931df7de6d355f08e9209129b296ebc548306e59 |
C:\Users\Public\temp\color.reg
| MD5 | d20ff0fc43ce58afd773c66d3caaf48c |
| SHA1 | 1eaa1f45afc6a5bcc3ced232e9583a0b791326e2 |
| SHA256 | 4eabe39af865548013371e299ce238d14c68587770bb7c4a3f1c3480b2f57727 |
| SHA512 | 6dcabefd5dcc0a0101824db1013bcf2ebfc293985aade65a4b626f31010ffbc9d244e9507fde496d74c9770788c44a5b7511c8819ee23fae55860b82a05d3bec |
C:\Users\Public\temp\op.vbs
| MD5 | b03f8296e9ca8c4e0775aa97046e7b0f |
| SHA1 | ad54c88af769649efbf634050050da2a93fb5699 |
| SHA256 | 9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98 |
| SHA512 | 1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d |
C:\Users\Public\temp\res.exe
| MD5 | 776dd00ae50da7caffb62266523e4e2c |
| SHA1 | f1b8a51d907cedc1dde94447b7762fa3d8f1985b |
| SHA256 | 5cbba3a61797133ca5887c37e3692403d144a7d2b590c9c59d3ac048ea106093 |
| SHA512 | 969c68fa162aa24464bf279fc81bca2e8288afbd394b2825d64f01e90de786b60f6531635eead8a4444c895d4067ebe2ebcf33d4699df5131f7c6d54adeabd71 |
C:\Users\Public\temp\matrix.bat
| MD5 | 284e7e79635ec15370bb7530d20f6b7e |
| SHA1 | 471f6b7bc91a8c6b51f291c75126a38b082a92ce |
| SHA256 | 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235 |
| SHA512 | 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24 |
C:\Windows\Web\you cant escape.exe
| MD5 | a4035661f9ec4f866ef34e9c9af987b2 |
| SHA1 | 5012570f90766ff783400fa9b3a7bd83c3167313 |
| SHA256 | e4678b1c602e58d89c4847d5a2492f8f8802221724ab54d755b10e8757f0cfc9 |
| SHA512 | c9cd7253974f631f81818f82b1af948f1746ced6d0d5c7d5dec7ceb7b7d255358f0744b37150a7caaea09ec22f67bb9c53ff0044d4634f5c781dbbd0da36230f |
C:\Users\Public\temp\dos.vbs
| MD5 | 23873c064655ec26585bb489cab1965c |
| SHA1 | 575d47d57ddb6ffb5335f5d48f6bd222e17af599 |
| SHA256 | 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63 |
| SHA512 | 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348 |
C:\Users\Public\temp\random.vbs
| MD5 | 2b53c3dc6e4a5163a648f40d033d781f |
| SHA1 | c5301bf506ffdeb6c4c3a76912ac308392fd7ab3 |
| SHA256 | d1ef7d97b3dce60d792a8dd7e8604390e61f63353c5523155e2ab3c63356e267 |
| SHA512 | 554922008e914afe2c254bbc3da600d77d23215fff4f50e74c6fe5554f4c0f23ca2c372cfef2d8d572edc2244e2f68bc5d2244f5a48f454866ed4ab172693cb4 |
memory/2152-184-0x0000000002ED0000-0x0000000002FF6000-memory.dmp
memory/1468-186-0x0000000140000000-0x0000000140126000-memory.dmp
\Users\Public\temp\x.exe
| MD5 | 9d0cbe0006b8e6760679bf893c5d848f |
| SHA1 | a85c9378a962f1f3454ec34ce596dea318031618 |
| SHA256 | 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c |
| SHA512 | 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2 |
C:\Users\Public\temp\x.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2152-224-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/2152-226-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/2152-225-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/2152-227-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/2152-228-0x00000000022D0000-0x00000000022E0000-memory.dmp
memory/2088-229-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2152-232-0x00000000022D0000-0x00000000022E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\80E3.tmp\x.cmd
| MD5 | 5156c0df260ccc7bc13b73b6de4d9a25 |
| SHA1 | e6f8b1f6ef658a1f5772b83c898088330184d291 |
| SHA256 | 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88 |
| SHA512 | d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39 |
C:\Users\Public\temp\im.reg
| MD5 | e7862fe74b0443aebfdb2d78271dba13 |
| SHA1 | df9a7e05451fdae88d1b32497d06b2b37edc68a5 |
| SHA256 | 5cbe571b4df6796806e1236519af8411f30e00c155ba4d7d354d97c195ec6af9 |
| SHA512 | 320bff1f377cb7e787a752c7bf3472b4d3de000ad107a0ab32e7f40ef626951cdbe2a2ef135bcd470247bdc39fb447c138754d8a5b3c1bb67b11d64498a348a2 |
C:\Users\Public\temp\systemmessage.reg
| MD5 | 7a82011ff8c254ea97e49cd6cea313e6 |
| SHA1 | ef46f610cc7f82866c7ccd14ae0f4e89eea2b568 |
| SHA256 | 5b8e55e319108b9cfe305cc818b063fb39a3b832c55be01f6e7de77f2d2f1b60 |
| SHA512 | 1063e84b30ac06b9600cff1c7eb56972ed9ce5d1200517439261c2955001e0907e45bcc8b14e500450377d355c71b656a711e8c7b3812a6aee77fe2f5656cd85 |
C:\Users\Public\temp\inkfile.reg
| MD5 | be427a3d883b3a74c41df28362a82e04 |
| SHA1 | 8df9504ece63b98c90c78f63d657a03697b96d52 |
| SHA256 | fa810840aa6b3b1747cfa0afe48708796d428e7212114b4ce459d65e3e3e67ba |
| SHA512 | afcffc62b3894169b70bc49c0ecae82a2c643395714e4dfc69f892059116b52a2d89d570cf20928e6c0a7eada225c963992caa3af217db6d0c18641c31288bcf |
C:\Users\Public\temp\UAC.reg
| MD5 | 466d1ca357921fc04f74e66066ea45a0 |
| SHA1 | a24d0b8c2203b04649fa40d2bf7d9d5c5113ec84 |
| SHA256 | 1b4e45d04ef96b92b7cca062439ccf80e6e2c2172f99d11cc6587d7d76a11976 |
| SHA512 | ddaf720acc0ef7e4d80750f7babd839f51bfe4596dfe68e1d1acf2736c6badb31cd9f929ec61e64c6e101e5f5b54a37fdcb925e6d3f5ac15f78689da1cadd636 |
memory/1772-302-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/2520-304-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2912-303-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1752-306-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1528-305-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2864-307-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2088-308-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1468-309-0x0000000140000000-0x0000000140126000-memory.dmp
memory/1876-310-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:31
Platform
win10v2004-20240226-en
Max time kernel
25s
Max time network
33s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\SysWOW64\reg.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp" | C:\Windows\SysWOW64\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Web\NO.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\NO.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\winhelper.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\winhelper.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\Screen\154.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\Screen\154.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\Web\setup64.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\setup64.exe | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\run.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Public\temp\main.bat" "
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\update.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 20
C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
C:\Windows\SysWOW64\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\SysWOW64\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
C:\Windows\SysWOW64\reg.exe
reg import virus.reg
C:\Windows\SysWOW64\reg.exe
reg import here.reg
C:\Windows\SysWOW64\reg.exe
reg import death.reg
C:\Windows\SysWOW64\reg.exe
reg import no.reg
C:\Windows\SysWOW64\reg.exe
reg import password.reg
C:\Windows\SysWOW64\reg.exe
reg import color.reg
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Users\Public\temp\mover.exe
mover.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\temp\op.vbs"
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Users\Public\temp\x.exe
x.exe
C:\Windows\SysWOW64\reg.exe
reg import im.reg
C:\Windows\SysWOW64\reg.exe
reg import systemmessage.reg
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B1.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B2.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B0.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B3.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6BF.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A6B4.tmp\x.cmd""
C:\Windows\SysWOW64\reg.exe
reg import UAC.reg
C:\Windows\SysWOW64\reg.exe
reg import inkfile.reg
C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3948855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Public\temp\run.vbs
| MD5 | 362843e8fcf8e162e48abd29903e1246 |
| SHA1 | 4621eac5ff7725d92a591565aa5af49bfcc41123 |
| SHA256 | 243615ac3ba7603b2693224de5b0dd60e06d40f6ee8684df5b31ba921219bf9e |
| SHA512 | e77afbefa77003cd11aca77043b97b67bdfff0dad6733298bcec86502558004621579e1c32becf2f81ddb06664e3878bd1d9bccee5ef4b5c7c0c791d54c11d09 |
C:\Users\Public\temp\main.bat
| MD5 | 5f54a2c61397eb3d4f1bc8e9736fec2a |
| SHA1 | 5c3ad25b0bff96ad74d2743b15089847d6be2d40 |
| SHA256 | 9995fab89f303652abc14b153ea864d9a5e39e20c8077d165e9944948eeeb968 |
| SHA512 | d7c84ac92cb35aca9fb4c2e7bb43924e5033ad49a9b4fcee320386a5d0bfddf2ec674e33a575c0848b9d274bebeb4dc9abca0360493c968bbc29c7a09438141f |
C:\Users\Public\temp\update.vbs
| MD5 | 75f0b9500755a92762ae7e92770ee671 |
| SHA1 | 6162edc92ce09dae4ec438378f0a24a50eca4e17 |
| SHA256 | 4e6280573d50f767191c41a3f5cf465b27bc0bdaff9132873c99236634ae5e04 |
| SHA512 | 25016f615ca12005fa85b2761a21ed1f1bf6211bdc44983c6b26088cef487e3da52cdc124a64019f95b214de3cbe410e37b2f037298e3eccbc2fb3e4361be145 |
C:\Users\Public\temp\wii.vbs
| MD5 | ac910281f16a464b6257102b715ffafc |
| SHA1 | 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5 |
| SHA256 | afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e |
| SHA512 | a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad |
C:\Users\Public\temp\1.vbs
| MD5 | 8896267f3335510e6144e7550a713db8 |
| SHA1 | 9dd5a753186af59997b07c058707ad6faa390ffa |
| SHA256 | 8781a103faaa21cb3053eb21257cf6668f82419248e503a7afd33b8a5509b26b |
| SHA512 | 696fdcfb7d67dcc97d3309eee1bb1b7dd29f36d29d0dacb4bae2b099b8b73ec50c63915f7045acc105633505d9d366d97aedc9e126af841473ec309c918683b8 |
C:\Users\Public\temp\mover.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
C:\Users\Public\temp\o.vbs
| MD5 | 81c5f570e4fb185d0d675c450741f28b |
| SHA1 | cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a |
| SHA256 | 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376 |
| SHA512 | 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936 |
C:\Users\Public\temp\dead.exe
| MD5 | f2a055b5634373f384692c2daaedf299 |
| SHA1 | 41d6f65378f2360c48bcc6684baddf9c62585086 |
| SHA256 | 926d3b91619e6a5d327f09b6d95d46486777910c9ca4965c6e0917c30b9561d8 |
| SHA512 | 4656d7d8e5e74c3c490a008e8a06b73f05bb971d458d04c8bec55ec3d25afe2644ee70be98b826f7f397b05e6ed7bc02d14ed88661c12d1651a31dde9478f69b |
C:\Users\Public\temp\virus.reg
| MD5 | 4af82811a5a2b8cb619c83e4b61d7d78 |
| SHA1 | f353e56635c6493864f740502042f4f0fcff5cee |
| SHA256 | bf2befa4e44b28bca76ec7b76f2386910f7edd659ee95022b864d4ebf411e037 |
| SHA512 | 8a5ee1b0ab26189d9b5bd2b4208829733a9892aacf3461b3a9bec80f234a5dcf01b836f86c73f2a799fb3194a63c4cc1ca410efe734a626aed74424a22f3df60 |
C:\Users\Public\temp\here.reg
| MD5 | afedbb9b1c857745f4b93259bb68af47 |
| SHA1 | e33964e90622b62d645097f88de405a99a95a518 |
| SHA256 | b44cd8aac57b1b103386b1d014ef0695b6fe5cad198b59f55210900e889bb099 |
| SHA512 | 22634bbd6dc8ced9b655ed6110b318f297173f367836e5962dd9a7d095261bd242fa6a7018065d83deb45089b913e1feee9186dc8fe55cfa0a66b747fd458650 |
C:\Users\Public\temp\death.reg
| MD5 | bd6a649075e3eaf9fe3d6569614f4016 |
| SHA1 | c2facb5fb74a54d955564044cd6e777d79f6698d |
| SHA256 | 879fd141377eec559c7e54374294fcb5880a5feed559a7b04f450425de7b3e18 |
| SHA512 | d16fc905cc8c739e47d2d9f8eb2069a1713f729b0e9a86b6eddab1b18d7d62eee27d8384edb5b86e4d4b06fb6a759eaa6768eaa3cd4fefd3c8ea5d1e6094567d |
C:\Users\Public\temp\no.reg
| MD5 | b407fa400d23edf1a710633435228c90 |
| SHA1 | 4acce131047a4e73dcc61fb038d24e27b2217cc9 |
| SHA256 | 2a222c741e76128ffec9ad0576798ce79d89babb43c2b2fb321cbf6567c262a7 |
| SHA512 | ef7bd2ca4380b99ee7a5f247334d053dd5c60c0d3449d69bb657f2caa7572c8800d438aff7ee428481971d26c576f2dd0b5868128ab365f1400a6ed28a0670aa |
C:\Users\Public\temp\password.reg
| MD5 | b5d54b3eb5911fea78c8f3b2324f4831 |
| SHA1 | b5b86aefd16f54eef78927b8beb4e7eb96c580bc |
| SHA256 | 2a04d7384902f4325784e3577b26e79922c967c9be4cd3614f68014321bf8896 |
| SHA512 | 92eb3b28459e944f6e487ef65b3ea6d8335f22954de4470dd0ca5dbe256a9d699103e3a01a579fe244bf4de7931df7de6d355f08e9209129b296ebc548306e59 |
C:\Users\Public\temp\color.reg
| MD5 | d20ff0fc43ce58afd773c66d3caaf48c |
| SHA1 | 1eaa1f45afc6a5bcc3ced232e9583a0b791326e2 |
| SHA256 | 4eabe39af865548013371e299ce238d14c68587770bb7c4a3f1c3480b2f57727 |
| SHA512 | 6dcabefd5dcc0a0101824db1013bcf2ebfc293985aade65a4b626f31010ffbc9d244e9507fde496d74c9770788c44a5b7511c8819ee23fae55860b82a05d3bec |
C:\Users\Public\temp\op.vbs
| MD5 | b03f8296e9ca8c4e0775aa97046e7b0f |
| SHA1 | ad54c88af769649efbf634050050da2a93fb5699 |
| SHA256 | 9a9c16495a8222ec14d2a276d9235751b498a7cd4c69ab4a78b41f7a7462ea98 |
| SHA512 | 1b3a71e7e7f7a90bcad2ff37727881f3a2063d796ff4551a36eae5ad923c081dd6f0dd2d0ec568b8a94defd5bb9dd2678b1c2a55791784590a605752b566fb6d |
C:\Users\Public\temp\res.exe
| MD5 | 52e4f5549c922e83939e9cb6b506e5b7 |
| SHA1 | 887ac0e1cf821abcc4ea349475577122c2cfe682 |
| SHA256 | 985aa256302b2c2902c357727c1b0f3c90c55464c99ceb349f84598f03f737bd |
| SHA512 | 240ae255f049c10511088133f1f2891f5eedbb28f898a9b7af5f8a740ffc4f67c05f81396886c41051d2590fdb48d8806812d7827d5b8d373143eddee93620a5 |
C:\Users\Public\temp\matrix.bat
| MD5 | 284e7e79635ec15370bb7530d20f6b7e |
| SHA1 | 471f6b7bc91a8c6b51f291c75126a38b082a92ce |
| SHA256 | 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235 |
| SHA512 | 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24 |
C:\Windows\Web\you cant escape.exe
| MD5 | 3b20f94fe041b673d479249786b2b88e |
| SHA1 | efe7933d17fff624a624a9f9ea354ddd0cd85621 |
| SHA256 | e728dda4121db4fea7f90288fc87a64fb16985eced0fd1a4ebcd2a17bf196731 |
| SHA512 | f5a0618bbfe3929300d80071ebca9565e4a08d1dd275eea96408e4bfe30ccd4619fd07b8d43ef00db8f31307d6b7f88046f48153ddef7df4099cf554d8e97f49 |
C:\Users\Public\temp\dos.vbs
| MD5 | 23873c064655ec26585bb489cab1965c |
| SHA1 | 575d47d57ddb6ffb5335f5d48f6bd222e17af599 |
| SHA256 | 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63 |
| SHA512 | 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348 |
C:\Users\Public\Desktop\lol.vbs
| MD5 | 2b53c3dc6e4a5163a648f40d033d781f |
| SHA1 | c5301bf506ffdeb6c4c3a76912ac308392fd7ab3 |
| SHA256 | d1ef7d97b3dce60d792a8dd7e8604390e61f63353c5523155e2ab3c63356e267 |
| SHA512 | 554922008e914afe2c254bbc3da600d77d23215fff4f50e74c6fe5554f4c0f23ca2c372cfef2d8d572edc2244e2f68bc5d2244f5a48f454866ed4ab172693cb4 |
memory/1560-138-0x0000000140000000-0x0000000140126000-memory.dmp
C:\Users\Public\temp\x.exe
| MD5 | 9d0cbe0006b8e6760679bf893c5d848f |
| SHA1 | a85c9378a962f1f3454ec34ce596dea318031618 |
| SHA256 | 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c |
| SHA512 | 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2 |
memory/2324-149-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Public\temp\im.reg
| MD5 | e7862fe74b0443aebfdb2d78271dba13 |
| SHA1 | df9a7e05451fdae88d1b32497d06b2b37edc68a5 |
| SHA256 | 5cbe571b4df6796806e1236519af8411f30e00c155ba4d7d354d97c195ec6af9 |
| SHA512 | 320bff1f377cb7e787a752c7bf3472b4d3de000ad107a0ab32e7f40ef626951cdbe2a2ef135bcd470247bdc39fb447c138754d8a5b3c1bb67b11d64498a348a2 |
C:\Users\Public\temp\systemmessage.reg
| MD5 | 7a82011ff8c254ea97e49cd6cea313e6 |
| SHA1 | ef46f610cc7f82866c7ccd14ae0f4e89eea2b568 |
| SHA256 | 5b8e55e319108b9cfe305cc818b063fb39a3b832c55be01f6e7de77f2d2f1b60 |
| SHA512 | 1063e84b30ac06b9600cff1c7eb56972ed9ce5d1200517439261c2955001e0907e45bcc8b14e500450377d355c71b656a711e8c7b3812a6aee77fe2f5656cd85 |
C:\Users\Admin\AppData\Local\Temp\A6B2.tmp\x.cmd
| MD5 | 5156c0df260ccc7bc13b73b6de4d9a25 |
| SHA1 | e6f8b1f6ef658a1f5772b83c898088330184d291 |
| SHA256 | 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88 |
| SHA512 | d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39 |
C:\Users\Public\temp\UAC.reg
| MD5 | 466d1ca357921fc04f74e66066ea45a0 |
| SHA1 | a24d0b8c2203b04649fa40d2bf7d9d5c5113ec84 |
| SHA256 | 1b4e45d04ef96b92b7cca062439ccf80e6e2c2172f99d11cc6587d7d76a11976 |
| SHA512 | ddaf720acc0ef7e4d80750f7babd839f51bfe4596dfe68e1d1acf2736c6badb31cd9f929ec61e64c6e101e5f5b54a37fdcb925e6d3f5ac15f78689da1cadd636 |
C:\Users\Public\temp\inkfile.reg
| MD5 | be427a3d883b3a74c41df28362a82e04 |
| SHA1 | 8df9504ece63b98c90c78f63d657a03697b96d52 |
| SHA256 | fa810840aa6b3b1747cfa0afe48708796d428e7212114b4ce459d65e3e3e67ba |
| SHA512 | afcffc62b3894169b70bc49c0ecae82a2c643395714e4dfc69f892059116b52a2d89d570cf20928e6c0a7eada225c963992caa3af217db6d0c18641c31288bcf |
memory/1560-185-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2324-189-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2648-191-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1732-190-0x0000000000400000-0x0000000000410000-memory.dmp
memory/5036-188-0x0000000000400000-0x0000000000410000-memory.dmp
memory/1380-187-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3684-186-0x0000000000400000-0x0000000000410000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
166s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\matrix.bat"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4872 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\o.vbs"
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240221-en
Max time kernel
121s
Max time network
131s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win7-20240220-en
Max time kernel
147s
Max time network
125s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\mshta.exe | N/A |
Processes
C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\explorer.hta"
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:31
Platform
win10v2004-20240226-en
Max time kernel
27s
Max time network
33s
Command Line
Signatures
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" | C:\Windows\system32\reg.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\temp\\noescape.bmp" | C:\Windows\system32\reg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winhelper.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\winhelper.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\you cant escape.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\NO.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\Screen\154.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\WinKernel32.bat | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\Web\setup64.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\WinKernel32.bat | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\you cant escape.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\SAVEYOURSELF.vbs | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\setup64.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\updatepush.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\updatepush.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\NO.exe | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Windows\Web\Screen\154.exe | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ = "xxx" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\IconPath = "%SystemRoot%\\system32\\shell32.dll,-16769" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\ItemName = "@shell32.dll,-30397" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config\DontRename | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Config | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046} | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\NullFile | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\Handler = "{ceefea1b-3e29-4ef1-b34c-fec79c4f70af}" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellNew\MenuText = "@shell32.dll,-30318" | C:\Windows\system32\reg.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\main.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\update.vbs"
C:\Windows\system32\timeout.exe
timeout 20
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\temp\noescape.bmp /f
C:\Windows\system32\rundll32.exe
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
C:\Windows\system32\reg.exe
Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoTrayItemsDisplay" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoPinningToTaskbar" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg import virus.reg
C:\Windows\system32\reg.exe
reg import here.reg
C:\Windows\system32\reg.exe
reg import death.reg
C:\Windows\system32\reg.exe
reg import no.reg
C:\Windows\system32\reg.exe
reg import password.reg
C:\Windows\system32\reg.exe
reg import color.reg
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
mover.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\op.vbs"
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\x.exe
x.exe
C:\Windows\system32\reg.exe
reg import im.reg
C:\Windows\system32\reg.exe
reg import systemmessage.reg
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B9.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C6.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B6.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B7.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2B8.tmp\x.cmd""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B2C5.tmp\x.cmd""
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg import UAC.reg
C:\Windows\system32\reg.exe
reg import inkfile.reg
C:\Windows\system32\shutdown.exe
shutdown /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3947855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp |
Files
C:\Users\Public\Music\FREE SOLARIS.vbs
| MD5 | ac910281f16a464b6257102b715ffafc |
| SHA1 | 590add7ed48a1d5fa78093812ef88f9d0dfbb7c5 |
| SHA256 | afb4e7e0f799d76ec4b197427b0933935eddd933baf6379875b3c37eb6b1bc6e |
| SHA512 | a62b9363acf0628ec373a33409f13e161779f0d28b0dd163b53d4ec9135b172e68c10dfb37a5459e51ec636ff3e23cc17de4a846d273e5a3e9149abe41a806ad |
C:\Users\Public\Desktop\Hacking2.vbs
| MD5 | 81c5f570e4fb185d0d675c450741f28b |
| SHA1 | cc7c042a8ec903ea5fd4171ffa2dfe57e8a5586a |
| SHA256 | 0c32196e293badc8b917f22ecf9d746c631678a15704dc829d594e1e04f01376 |
| SHA512 | 2434226097e83942ddade8a98efaa2d912f8030180729fd6ccedbe70091d262a8d1ac080ae41a6c5ac37c4303c79bbdea8d6fa86828759651536532cb2fa5936 |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\note.txt
| MD5 | 1ebb3ddb5424eae8205a111a3b4e2237 |
| SHA1 | 7f6603ae0410ea2dc5adfd879632039b0eee955a |
| SHA256 | efc4f3065ab66661a92daebbf770103b2e8306d3985ac5c5ae816e0f64e6ab4e |
| SHA512 | cc9d3d208f97f8f9f46865ce75257cff6616e49f49b90e1273fa923c1d7c05c68e0ea35eec3361de4167839acec86e03c40cf4f1bf7bb039ec91cd4f8e3c855f |
C:\WinKernel64.bat
| MD5 | 284e7e79635ec15370bb7530d20f6b7e |
| SHA1 | 471f6b7bc91a8c6b51f291c75126a38b082a92ce |
| SHA256 | 4d81298082414e092ccb0dab56007df80a1930b60315a5b759bf1d10d8c11235 |
| SHA512 | 3bcbce046df39bf285a2e63f83374fc0c6b809b4ee5091744496244b5929753f102402c87671205ae9b7caa78b12328cabfae1523fe6abbc5abd6e66cae57e24 |
C:\Users\Public\Desktop\Escape.vbs
| MD5 | 23873c064655ec26585bb489cab1965c |
| SHA1 | 575d47d57ddb6ffb5335f5d48f6bd222e17af599 |
| SHA256 | 828653c66fd126cb9f30a8fc566887d3ae54376ccba637101ae8e0889a6a3b63 |
| SHA512 | 44517e1b3e6ba403d99e3ae6d9340ea3e856a50e4bec3740d3530d066f28677b78ea2a25ebf63df948469dde04547044483bb9d37a5cf79e8b3ea3544bfaf348 |
C:\Windows\updatepush.exe
| MD5 | c1978e4080d1ec7e2edf49d6c9710045 |
| SHA1 | b6a87a32d80f6edf889e99fb47518e69435321ed |
| SHA256 | c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8 |
| SHA512 | 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e |
memory/652-56-0x0000000140000000-0x0000000140126000-memory.dmp
memory/4120-57-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B2B9.tmp\x.cmd
| MD5 | 5156c0df260ccc7bc13b73b6de4d9a25 |
| SHA1 | e6f8b1f6ef658a1f5772b83c898088330184d291 |
| SHA256 | 565850ac8c04867b561958ea678143b383499e729aebace9c84bec0484772b88 |
| SHA512 | d2e7d791e6ccbf6389659d4fa673bbbb837a8ccbdfec287ff6a5d8a385e9aad413d692bc5cf93cae4d8292f565a7e9ddcc437da97a9b5fdd0c4526c4ca69cc39 |
C:\Users\Public\Desktop\setup3.exe
| MD5 | 9d0cbe0006b8e6760679bf893c5d848f |
| SHA1 | a85c9378a962f1f3454ec34ce596dea318031618 |
| SHA256 | 41bb8333a815138ccdc1809c33d3263d67834b2493c6b8eeebd5dde3d1ffe20c |
| SHA512 | 13f513d75235da33bb032901b506c718cece2f7f9d0fbe4bd9d3508f9efca208b10a319b130ec98327b6c5e054abcf7d052ce3e672f2c1c38bac1c162d4358e2 |
memory/4068-88-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3312-91-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3712-90-0x0000000000400000-0x0000000000410000-memory.dmp
memory/2348-87-0x0000000000400000-0x0000000000410000-memory.dmp
memory/3168-92-0x0000000000400000-0x0000000000410000-memory.dmp
memory/4120-89-0x0000000000400000-0x0000000000410000-memory.dmp
memory/652-86-0x0000000140000000-0x0000000140126000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
123s
Max time network
154s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\melter.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\melter.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.192.122.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4792-0-0x0000000000400000-0x0000000000402000-memory.dmp
memory/4792-1-0x0000000000400000-0x0000000000402000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-03-02 20:29
Reported
2024-03-02 20:33
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
127s
Command Line
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe
"C:\Users\Admin\AppData\Local\Temp\TheMalwaredev-s-garbage-main\Install Windows20\installer\mover.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
memory/2084-0-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-1-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-2-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-3-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-4-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-5-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-6-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-7-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-8-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-9-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-10-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-11-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-12-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-13-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-14-0x0000000140000000-0x0000000140126000-memory.dmp
memory/2084-15-0x0000000140000000-0x0000000140126000-memory.dmp