Resubmissions
12-04-2024 19:03  240412-xqpq8sgb7s  4
12-04-2024 18:55  240412-xk4m7sda76  10
12-04-2024 18:50  240412-xg6ndsga71  10

Analysis
max time kernel: 363s
max time network: 368s
platform: windows11-21h2_x64
resource: win11-20240412-en
resource tags: arch:x64, arch:x86, image:win11-20240412-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 12-04-2024 18:55
Static task: static1

Errors

General
Target: sample.html
Size: 479KB
MD5: 7623a5f4888348a1470e2c5bbe2e826a
SHA1: 4f86a2e6585914e77eab7166d159a5e309a0a3e7
SHA256: 8a1ca44c57db2910334734c555645f5e4cce911b0b6a51020eeadbe1f5432b4e
SHA512: 7838893132be1b99c2878f689a4685495dfd793ccdc6d303163cb64edf9de28ec58d4c8cfdec2fae4428e58d50dcc4115a51e8e1e6539f880864e7cec283f8f6
SSDEEP: 6144:7sTibDibtib+ibdibOibcibyibjiblibBkk:7Yi3iJiqipiaiAiGivi5iNkk
Malware Config
Extracted: lokibot
C2 URLs:
  http://blesblochem.com/two/gates1/fre.php
  http://kbfvzoboss.bid/alien/fre.php
  http://alphastand.trade/alien/fre.php
  http://alphastand.win/alien/fre.php
  http://alphastand.top/alien/fre.php
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, wscript.exe \"C:\\Program Files\\mrsmajor\\Launcher.vbs\"" | wscript.exe

description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe

Disables RegEdit via registry modification (1 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "1" | wscript.exe

Disables Task Manager via registry modification

Drops file in Drivers directory (1 IoCs)
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\drivers\mistdrv.sys | MistInstaller.exe

Executes dropped EXE (1 IoCs)
pid | process
4252 | eulascr.exe

Loads dropped DLL (1 IoCs)
pid | process
4252 | eulascr.exe

Modifies system executable filetype association (2 TTPs, 2 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource | yara_rule
behavioral1/memory/3896-568-0x0000000002BD0000-0x0000000002BE4000-memory.dmp | agile_net
behavioral1/memory/3896-570-0x0000000005250000-0x0000000005260000-memory.dmp | agile_net
C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe | agile_net
behavioral1/memory/4252-588-0x00000000004E0000-0x000000000050A000-memory.dmp | agile_net

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XRF = "C:\\Windows\\system32\\PrTecTor.exe" | Duksten.exe

Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\P:, \??\B:, \??\I:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\Q:, \??\S:, \??\G:, \??\H:, \??\U:, \??\V:, \??\W:, \??\E:, \??\J:, \??\X:, \??\Y:, \??\Z:, \??\A:, \??\R:, \??\T: (one row per drive letter, 23 rows) | unregmp2.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Drops file in System32 directory (5 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\PrTecTor.exe | Duksten.exe
File opened for modification | C:\Windows\SysWOW64\PrTecTor.exe | Duksten.exe
File created | C:\Windows\SysWOW64\PrTecTor.exe:Zone.Identifier:$DATA | Duksten.exe
File created | C:\Windows\SysWOW64\regedit.exe | Duksten.exe
File opened for modification | C:\Windows\SysWOW64\regedit.exe | Duksten.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | process | target process
PID 3896 set thread context of 1028 | 3896 | Lokibot.exe | Lokibot.exe

Drops file in Program Files directory (16 IoCs)
description | ioc | process
File created | C:\Program Files\mrsmajor\MrsMjrGuiLauncher.bat | wscript.exe
File created | C:\Program Files\mrsmajor\default.txt | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\f11.mp4 | wscript.exe
File created | C:\Program Files\mrsmajor\DreS_X.bat | wscript.exe
File created | C:\Program Files\mrsmajor\mrsmajorlauncher.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\MrsMjrGui.exe | wscript.exe
File created | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\creepysound.mp3 | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\Skullcur.cur | wscript.exe
File created | C:\Program Files\mrsmajor\Icon_resource\SkullIco.ico | wscript.exe
File opened for modification | C:\Program Files\mrsmajor\CPUUsage.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\def_resource\@Tile@@.jpg | wscript.exe
File created | C:\Program Files\mrsmajor\Launcher.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\reStart.vbs | wscript.exe
File created | C:\Program Files\mrsmajor\WinLogon.bat | wscript.exe
File created | C:\Program Files\mrsmajor\Doll_patch.xml | wscript.exe

Drops file in Windows directory (1 IoCs)
description | ioc | process
File created | C:\Windows\m_regedit.exe | Duksten.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid | pid_target | process | target process
3304 | 4424 | WerFault.exe | DanaBot.exe
1980 | 4976 | WerFault.exe | Duksten.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies Control Panel (4 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\Arrow = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\AppStarting = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors\Hand = "C:\\Program Files\\mrsmajor\\def_resource\\skullcur.cur" | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000\Control Panel\Cursors | wscript.exe

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe

Modifies registry class (16 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp3file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\DefaultIcon | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile | wscript.exe
Key created | \REGISTRY\USER\S-1-5-21-243033537-3771492294-1461557691-1000_Classes\Local Settings | msedge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mp4file\DefaultIcon\ = "C:\\Program Files\\mrsmajor\\Icon_resource\\SkullIco.ico" | wscript.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-243033537-3771492294-1461557691-1000\{3D5110B4-127E-41DA-94DD-AACD8671D49A} | msedge.exe

NTFS ADS (1 IoCs)
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses (19 IoCs)
pid | process
3468 | msedge.exe (2 rows)
1816 | msedge.exe (2 rows)
1424 | msedge.exe (2 rows)
2232 | identity_helper.exe (2 rows)
1504 | msedge.exe (2 rows)
3296 | msedge.exe (4 rows)
4344 | msedge.exe (2 rows)
3896 | Lokibot.exe (3 rows)

Suspicious behavior: LoadsDriver (1 IoCs)
pid | process
664 |

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (19 IoCs)
pid | process
1816 | msedge.exe (19 rows)

Suspicious use of AdjustPrivilegeToken (6 IoCs)
description | pid | process
Token: SeDebugPrivilege | 3896 | Lokibot.exe
Token: SeDebugPrivilege | 4252 | eulascr.exe
Token: SeShutdownPrivilege | 4796 | unregmp2.exe
Token: SeCreatePagefilePrivilege | 4796 | unregmp2.exe
Token: SeShutdownPrivilege | 3192 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3192 | shutdown.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid | process
1816 | msedge.exe (64 rows)

Suspicious use of SendNotifyMessage (12 IoCs)
pid | process
1816 | msedge.exe (12 rows)

Suspicious use of SetWindowsHookEx (4 IoCs)
pid | process
924 | OpenWith.exe
1520 | MrsMajor3.0.exe
1600 | PickerHost.exe
964 | LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | process | target process
PID 1816 wrote to memory of 1172 | 1816 | msedge.exe | msedge.exe
PID 1816 wrote to memory of 800 | 1816 | msedge.exe | msedge.exe
PID 1816 wrote to memory of 3468 | 1816 | msedge.exe | msedge.exe
PID 1816 wrote to memory of 3564 | 1816 | msedge.exe | msedge.exe
(64 rows in total; each of the four target PIDs above is repeated many times)

System policy modification (1 TTPs, 4 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system | wscript.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | wscript.exe
Processes

PID 1816: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 1172: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8bd083cb8,0x7ff8bd083cc8,0x7ff8bd083cd8

  PID 800: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

  PID 3468: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 3564: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8

  PID 3580: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3056 /prefetch:1

  PID 1828: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1

  PID 652: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

  PID 1424: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 2604: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1

  PID 1588: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  PID 2232: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  PID 2968: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

  PID 2668: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1

  PID 3320: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1

  PID 2040: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1

  PID 4608: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5016 /prefetch:8

  PID 1504: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:8
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses

  PID 4520: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1

  PID 4444: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

  PID 868: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

  PID 1740: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

  PID 1876: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1

  PID 3844: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

  PID 2508: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

  PID 3768: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6212 /prefetch:8

  PID 2316: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1

  PID 2932: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

  PID 4636: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6732 /prefetch:1

  PID 3296: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,14405834075779605033,289808879651277785,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5948 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4344
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3184
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4900
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004CC1⤵PID:2596
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1772
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"1⤵PID:4424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4424 -s 2962⤵
- Program crash
PID:3304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4424 -ip 44241⤵PID:4972
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Duksten.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
PID:4976 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 5922⤵
- Program crash
PID:1980
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4976 -ip 49761⤵PID:776
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\rogues\SpySheriff.exe"1⤵PID:2884
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896 -
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Stealer\Lokibot.exe"2⤵PID:1028
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Mist\MistInstaller.exe"1⤵
- Drops file in Drivers directory
PID:4940
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:924
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"1⤵
- Suspicious use of SetWindowsHookEx
PID:1520 -
C:\Windows\system32\wscript.exe"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\3139.tmp\313A.tmp\313B.vbs //Nologo2⤵
- UAC bypass
- System policy modification
PID:1964 -
C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe"C:\Users\Admin\AppData\Local\Temp\3139.tmp\eulascr.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4252
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\BossDaMajor\BossDaMajor.exe"1⤵PID:1060
-
C:\Windows\system32\wscript.exe"C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8AD3.tmp\8AD4.vbs2⤵
- Drops file in Program Files directory
PID:4580 -
C:\Windows\System32\notepad.exe"C:\Windows\System32\notepad.exe"3⤵PID:2140
-
C:\Windows\System32\wscript.exe"C:\Windows\System32\wscript.exe" "C:\Program files\mrsmajor\mrsmajorlauncher.vbs" RunAsAdministrator3⤵
- Modifies WinLogon for persistence
- UAC bypass
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies Control Panel
- Modifies registry class
- System policy modification
PID:2056 -
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"4⤵PID:4996
-
C:\Program Files (x86)\Windows Media Player\setup_wm.exe"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Program Files\mrsmajor\def_resource\f11.mp4"5⤵PID:2668
-
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon5⤵PID:3796
-
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT6⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4796 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 034⤵
- Suspicious use of AdjustPrivilegeToken
PID:3192
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
PID:1600
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a3f855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:964
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (5)
Downloads
-
Filesize 152B
MD5 e51956799fa67379ea02ed281264a0e4
SHA1 e8f9403225aedfc94b27d902b72ca6591858d643
SHA256 6f3fd42d136b90c98ace40fb6b1522f1b9a1076b431e5290f89cabb4948c3a57
SHA512 c5e017b2b06bf486daa64612f8bbe5dd9f28633d6dfc434f1605c2f36cc08ae6ae40c187316fe1ff998ed7346deef35a66cbc445f2adbb273ac928175e735391
-
Filesize 152B
MD5 b0d0271cd8394035d3f04a57c4376225
SHA1 6ef25cb6b29467e6a659b8dbc28b52006778dabb
SHA256 1c8016ee1208109e59206f98b68b821b61f1cff2ab3852042379b3287674c42d
SHA512 b856d97096d0288fe0547b484abddce5fd100c080a7992709b0158b7e2d498c9820ba54f99b6b71056bdff7f0d6ceeac87793ab074f126e506aee2c83d2523ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 1KB
MD5 cd57a41c25cba16517b4a778d901125d
SHA1 84e05c4aa2e30d3840fd87490d54cd79fbe113a6
SHA256 4c874e57c9e739e637fbb65b630f6b05672470056380b8603b693e3a0653740d
SHA512 546ef6d9de8cf558d4b87a10514557bf21b40788a7ce78b0cd8c2eb7aad1047ea12dd7d2cdaf2dc6780dc7d8bfbd5587209fa23ccb0f0d26c4dff443bb69a11a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 3KB
MD5 051b2efbdb7ce1eb57129effd76c205d
SHA1 cc97d12a38a48956ba9b2f707782b80d4d8fda10
SHA256 11f9df507cf8471daa720b2bc85d60fd85a2aaf6114d55ab77c7dc9945fb5d40
SHA512 93abc8ce4d1c4f8add257f7b2ac69b39af35d515866375f1e7afdd1d92155c259ff11def614ea952fee295fcfe2fe1dd7d4992b9487d0c040201200cb7bcadcf
-
Filesize 1KB
MD5 acd129f1bfe95986dee0d2f4951bb1e6
SHA1 876bccb284d3396a0a45de5d4855fa94e62c872a
SHA256 83c14589cd3dd6e085d8495a852a22593bebcac83b1342707f2fcd76116fdf44
SHA512 5d94ae460c780e2a98eed3c77b13cc09a9911cf4b55a573c82ab58ec9ce930de7e2555f907b40b92b47456921d7ba7839cc925ec33e0afdf6e55bc04a33fab48
-
Filesize 2KB
MD5 14febf3288a65f26b42bc2e4ef340099
SHA1 372a684e3f16f9776ae1c76da81e7424005a5d4b
SHA256 5cd916f1ff6b8b7062966b62f4fc2e4eb33c769fd7d9b42727e38727babb887e
SHA512 f4d7fbc2e6462d11f0530c67bfa0b35581dff98808c2772f4546e1c1b2c621d7dea1feda0009f7b1f1e97941abcdafe2253520f9868516bb2e7f53d6a0ae71db
-
Filesize 6KB
MD5 40f7dd1df414759610e9d403737261c2
SHA1 b20240b948dda30e3d982978de2cdeb80eb9bfb8
SHA256 e66bcec6ae38e34e7b455072f55e8de149d28ce7c7d7b7c7cb6350ffcfb95f0c
SHA512 18ccb785b168511757ada5c8ead87ec198b710d572231920ec72984f520982382002c94aaf187ce334294a0a29deda53ca3eb826fffb232025ccbaa6fb547bcd
-
Filesize 5KB
MD5 38c85007f322d3a3445e680c7d2685c6
SHA1 0e6d92fba475fbc6c6f3e5bd45057fdf22d4420c
SHA256 592ba16ae112da8b5ed3a6dcb57291eff6b81e05674c2595fc8dc39f155246f5
SHA512 0db5345ef9cd73336ab32a9fc4deb3c510239198ef4b1ff6aa5fe93e6c9f6a5c2c9cf068e5b7625eb3e9b2372e827e23732c85ff52102cc29bf1b7237a500240
-
Filesize 6KB
MD5 d3426ae0cc61ab447ed77de9e18f437f
SHA1 0840bee36fe20e908269c30090763b6e26432887
SHA256 ef04a1a7be583bb5de24497f20e122af950cd12a1bd2e175b55af3cbef10140e
SHA512 d4d51c3dfa429d31fe4c38e5e9ffb53cdf0c2bc3c7b58e185d734057182d3bb77d0d94e7d89ce09e54027e841d67b195b2b4b6d8f144c3634ba168bd26fabc4d
-
Filesize 5KB
MD5 cd48cfebf9a014113f774a9615a5ac72
SHA1 d439c42a515be3688378926b79994f0ea2bc3b6f
SHA256 5feb88d0028ed02586a54c6722d86528ffaf5976f7b18ac6123c77c33b0e35a5
SHA512 3b9fde350a0f93a66bfa8372c70fab77bdf6abb62ca8ab0211f515bb746cec72b7598a8e9e66e491f553c302b7c98944fe0dc6487200142813780722eebfdcb8
-
Filesize 6KB
MD5 0cdcbd7a6f60943ef22eec8377d24051
SHA1 237ca106117bdf2022cd7898c4db5282807e3fa3
SHA256 69af35435891f3ecbdfcc1b23b6f2a68aa1afc08f60117c61152f0583e1f9de0
SHA512 c071ded76223b92ae4aacefb5abc86f650bebe581959dabc25eface73b81760828dfa178a8e42ecc1cc9e8d488c7b6663ff82259f94a116984d91b57dabf1c17
-
Filesize 872B
MD5 9d6cabf167e35a2cc40d7d64e7902f60
SHA1 c7e4cec181f8a117d1462497f414ec57c70747f3
SHA256 16df80b6d6f5455e284111618ff8dbd30d44872f99e089fdfcc80001cf314103
SHA512 fa6c42b44eb6becf8ba3a0f56c1283653fb6562906e27001fb11733cd9a9336ed501499398e70cfc9d1e7ca730fd1b0c1568beaafdfd70e2a98c892072358d63
-
Filesize 1KB
MD5 75ac9ff932c16d93ebd8e068374195da
SHA1 1bb37ed611c17bb154cdaa6c418ea3cad70b74d7
SHA256 a3f2efe68415eaef1856dcec3ed0b0b19e0fa5cee76e2411a3f2a22c0c2a9cf8
SHA512 26c83fa080310971df3f8c27d6a9d4d3a4366561464d1e4777d07579276a527c3c308ea421badd00bc2b00f57246d5b78c88e53530af080b0b1462e25bb2522b
-
Filesize 872B
MD5 8dc32368bbd7e3838c10c22d7991b808
SHA1 902109924e517d993d807e7512f03aa281e9a171
SHA256 a2adf4870cf4dd3ce72210817d4303370557a5188663070a3fdab6e7f6056c4b
SHA512 40098f1380516c70b437043c4011cbba20d2ab52ef65490d595a80e5764199532c69b1d2eafc534c3e0f5cf689523695790864113b8b3e457c381b6eb5c62ee1
-
Filesize 536B
MD5 8f6d7a577c8c24902d75c481552b2932
SHA1 f8456f674413b137e91e644ce1c1b6ca371747ee
SHA256 6daf23e52c95c9dd7681356336eee91127da5300facc7a3b63f03d475c11ad5d
SHA512 cd0303707edc6ea2d24461a116444eed3f1eba57f33e9e114cdc1204db9982d45ee0e5132960539556682030b10f59bd9195df1e79fc4d513bf14dbd1701b7a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c3535560-cc91-4f9a-8328-cc953dd7c693.tmp
Filesize 6KB
MD5 b3c9c6f6765481c2956aeaad0d37a8f1
SHA1 64ce1d3a4e0900552a0594c08a0dc1ebfa51ac3a
SHA256 35c237b9c6a5e586aebb7b0dae34933d30c75c5b6d74f40df1357ea1dbb57571
SHA512 230169d8495788516cc7899813d6856fd6a013e8a2a6bafcb6dce5e90bf8c857e95e62d01662a0e1ecf5e4a558fbe956ae9102f0d6bf9e74c5e4db8bced11ad3
-
Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize 11KB
MD5 0ef321ed5e2cc26ab81d9a092a8baf47
SHA1 bc85fb78dddd53c9e01910fa4ac218c2e9c7a648
SHA256 63ae26b9f972c8d46e4dedb7de5ce38d9ecaae1910c610f088dd6de169038dd5
SHA512 7f9795a76fc419cb6ab54cd3a30299bd3b0bc4dc35d765af5ffa6c6acaffbc609b4aa67a3907877c77e8f1666b85f7948bc1fdcf819ea3b749dfa8ebf26efd74
-
Filesize 12KB
MD5 79d66f7e53a5078f4838652e81bed824
SHA1 8c129edae9b6af1796eaeb43c4bb7edd5292bedc
SHA256 930050a1a1089466620f25e1d4a55479555104a54c1dfdda230b242f97acf9c4
SHA512 479bf7c80fec0ae6d8b63fb086adbaf8f4226319d4411e04da312886bbbaccc87a6ff42b0e58205bdcce932b89639c44b76f6337fe4992ff0fd55bda678ae031
-
Filesize 576KB
MD5 a9be73b2b9966467455d78e84a13c7c2
SHA1 04a3799395b0121d8b2fc6bfb4ebddda935c012d
SHA256 65726b1172f3f7678811fc60cf1d6a5980ca778c43c1e4db4aa1f75e9f1ae0ef
SHA512 2d6f99a66a0195e1dfda1321e1f41c1ce6ace1f65467960bc988fb498ea46b21f8b299bca6a9226a86231778069bee502b5aeb69d75d4be84b880edea78f0b8f
-
Filesize 9KB
MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize 352B
MD5 3b8696ecbb737aad2a763c4eaf62c247
SHA1 4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5
SHA256 ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569
SHA512 713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb
-
Filesize 143KB
MD5 8b1c352450e480d9320fce5e6f2c8713
SHA1 d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a
SHA256 2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e
SHA512 2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc
-
Filesize 75KB
MD5 42b2c266e49a3acd346b91e3b0e638c0
SHA1 2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256 adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512 770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize 1007B
MD5 5706bc5d518069a3b2be5e6fac51b12f
SHA1 d7361f3623ecf05e63bb97cc9da8d5c50401575c
SHA256 8a74eead47657582c84209eb4cdba545404d9c67dd288c605515a86e06de0aad
SHA512 fb68727db0365ab10c5b0d5e5e1d44b95aa38806e33b0af3280abcefae83f30eb8252653e158ac941320f3b38507649cce41898c8511223ee8642339cfece047
-
Filesize 92B
MD5 0e4c01bf30b13c953f8f76db4a7e857d
SHA1 b8ddbc05adcf890b55d82a9f00922376c1a22696
SHA256 28e69e90466034ce392e84db2bde3ad43ad556d12609e3860f92016641b2a738
SHA512 5e66e2793e7bc88066b8df3dccb554351287dea18207e280b69d7798ecd5cdc99bd4c126c3e394db9f45f54bb561e6688f928de4f638c5eca4f101dc2cea54a1
-
Filesize 360B
MD5 ba81d7fa0662e8ee3780c5becc355a14
SHA1 0bd3d86116f431a43d02894337af084caf2b4de1
SHA256 2590879a8cd745dbbe7ad66a548f31375ccfb0f8090d56b5e4bd5909573ac816
SHA512 0b768995187f988dc15d055f9689cee3ab3908d10b05a625b40d9757c101e067bbd6067ccbcf1951ebb683f5259eec562802ea6161d59475ce86cf6bc7c957f2
-
Filesize 244KB
MD5 c7bf05d7cb3535f7485606cf5b5987fe
SHA1 9d480d6f1e3f17d5018c1d2f4ae257ae983f0bb5
SHA256 4c1cfbe274f993941ac5fa512c376b6d7344800fb8be08cc6344e6c16a418311
SHA512 d30952a75d94dd64b7bd253ed72810690f3550f2262cfaaef45854fc8334f6201a8cbafb9b175c6435f7ce0499567f2fa8667b4b0046bfb651bf61eb4278e6c8
-
Filesize 590B
MD5 b5a1c9ae4c2ae863ac3f6a019f556a22
SHA1 9ae506e04b4b7394796d5c5640b8ba9eba71a4a6
SHA256 6f0bb8cc239af15c9215867d6225c8ff344052aaa0deeb3452dbf463b8c46529
SHA512 a644c48562e38190720fb55a6c6e7d5ccfab60f362236fe7d63caebdc01758f17196d123fb37bd11f7e247ce8ab21812165b27496d3bd6ca5e2c5efefab8fb03
-
Filesize 71KB
MD5 450f49426b4519ecaac8cd04814c03a4
SHA1 063ee81f46d56544a5c217ffab69ee949eaa6f45
SHA256 087fca40e079746b9c1dfaf777d3994c0321ea8f69d08238cdfc02fb109add1d
SHA512 0cae15d863120f4edc6b6dabfe2f0f3d2e028057025d7d5ffe615cde8144f29bdaf099850e91e101e95d13f8a83cb1410a06172dda25a5f92967abcbc8453cbc
-
Filesize 98B
MD5 c7146f88f4184c6ee5dcf7a62846aa23
SHA1 215adb85d81cc4130154e73a2ab76c6e0f6f2ff3
SHA256 47e6c9f62ffc41fbc555f8644ad099a96573c8c023797127f78b1a952ca1b963
SHA512 3b30fa1334b88af3e3382813d316104e3698173bb159c20ff3468cf3494ecfbbc32a9ae78b4919ecd47c05d506435af4a7ccee0576c0d0018a81fbd1b2dfcf10
-
Filesize 117B
MD5 870bce376c1b71365390a9e9aefb9a33
SHA1 176fdbdb8e5795fb5fddc81b2b4e1d9677779786
SHA256 2798dad008f62aace1841edfb43146147a9cade388c419c96da788fcaa2f76bc
SHA512 f17c9898f81387daf42c9b858f507889919474ac2a17f96fc6d4606be94327e0b941b23a3ccc3f4af92b8abc0522e94745616da0564cdef1c3f20ee17ee31f53
-
Filesize 7KB
MD5 3e21bcf0d1e7f39d8b8ec2c940489ca2
SHA1 fa6879a984d70241557bb0abb849f175ace2fd78
SHA256 064f135fcc026a574552f42901b51052345f4b0f122edd7acd5f2dcc023160a5
SHA512 5577e20f76d6b1cccc513392532a09bdc6dcd3a8a177b8035dc5d7eb082e0093436068f92059e301c5987e6122c4d9aff3e5ae9cc94ccc1ecc9951e2785b0922
-
Filesize 3KB
MD5 cea57c3a54a04118f1db9db8b38ea17a
SHA1 112d0f8913ff205776b975f54639c5c34ce43987
SHA256 d2b6db8b28112da51e34972dec513278a56783d24b8b5408f11997e9e67d422b
SHA512 561860907fa2f53c7853094299758232a70c0cd22c6df3534abd094c6970f28792c6c334a33b129d661a46930d90fd8c98f11cb34f3e277cf20a355b792f64f0
-
Filesize 1.2MB
MD5 4a9b1d8a8fe8a75c81ddba3e411ddc5d
SHA1 e40cb1ee4490f6d7520902e12222446a8efbf9a8
SHA256 79e9a3611494b5ffafaa79788ba7e11dd218e3800c40b56684ccc0c33ab64eac
SHA512 e7a28acb04ca33d57efe0474bb67d6d4b8ceff9198198b81574c76c835d5df05d113fc468f4a4434580b1b58189f38184c376976604dc05d1424af1721995601
-
Filesize 227KB
MD5 17042b9e5fc04a571311cd484f17b9eb
SHA1 585d91c69c3f9e3d2e8cb8cf984871d89cc4adbb
SHA256 a9b0f1f849e0b41924f5e80b0c4948e63fc4b4f335bbdf0f997b03a3aff55424
SHA512 709076c6cef8dd61701c93e1fe331d2b1a218498b833db10ee4d2be0816e3444aeebfa092ab1bd10322617cf3385414e8fdb76fd90f25b44ac24d38937b4d47f
-
Filesize 266B
MD5 30cfd8bb946a7e889090fb148ea6f501
SHA1 c49dbc93f0f17ff65faf3b313562c655ef3f9753
SHA256 e1ebbd3abfcaddf7d6960708f3ccd8eda64c944723f0905ff76551c692b94210
SHA512 8e7d98e6d0c05d199114d2d6ab8da886aed68de690c4d79643868eaf051c229fff94c88d937adb3da5e31fe48116613cf79dd00dda30f296746ce0a8aded9fe2
-
Filesize 3KB
MD5 e3fdf285b14fb588f674ebfc2134200c
SHA1 30fba2298b6e1fade4b5f9c8c80f7f1ea07de811
SHA256 4d3aa3ecd16a6ba46a9d6c0bdacdcd9dce70d93585941a94e544696e3e6f7d92
SHA512 9b0bfbb07c77d9e9979a6c0f88b0a93010133f7dd3cf01e1de5dfbe812a5ed920e916d16d6a32fe21b9ee4b5425e61a616ded1aeeb35a410d4f77c0f9392ed0a
-
Filesize 638B
MD5 0851e8d791f618daa5b72d40e0c8e32b
SHA1 80bea0443dc4cc508e846fefdb9de6c44ad8ff91
SHA256 2cbd8bc239c5cfc3ef02f8472d867dff61e5aed9fde8a3823cda28cc37d77722
SHA512 57a9d1d75dbbab842060b29f01958f7e6b27d0175ff9a3f7b97e423c1b4e3fae94547a569c2e5c88224fc5dcc785f5a1d49c61199a8c7b3afeb4fc520600df40
-
Filesize 1KB
MD5 41a7be9ceada14ffd112f53f7ca8c6cc
SHA1 56f3943d20112e63e3fae540f3f231c1aae2f7c0
SHA256 7f39dcefa5bad753d49d89ba15e107cf5ff12f9979eb854952e68681cac6e9ec
SHA512 939239fa6adec71e6b2ba9bcb771b4b1a9269887bd119e2743a65c20954995f6a0df2060558a3c62e61ed02c4653d9cffe647d2268d43cdf61c970c0808143bb
-
Filesize 27B
MD5 e20f623b1d5a781f86b51347260d68a5
SHA1 7e06a43ba81d27b017eb1d5dcc62124a9579f96e
SHA256 afeebe824fc4a955a673d3d8569a0b49dfbc43c6cc1d4e3d66d9855c28a7a179
SHA512 2e74cccdd158ce1ffde84573d43e44ec6e488d00282a661700906ba1966ad90968a16c405a9640b9d33db03b33753733c9b7078844b0f6ac3af3de0c3c044c0b
-
Filesize 198.8MB
MD5 af60ad5b6cafd14d7ebce530813e68a0
SHA1 ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256 b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA512 81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize 25.5MB
MD5 7208e5f9e495b7aae9401089cb96924f
SHA1 454d0fbf093e4cf0d0341ee02fa541b17b330f02
SHA256 e2c2d9966385189bfb7e85c42eb1a706f745f7ac9d85ac27b979b0c35155654a
SHA512 764a7ff53a1ce6acd1c4a210bfe0e3738014ce9bbe7241c18aaaf0ea1e7f9907cb8fea16f650658709b42a1484ae2477a77ba9a95ebf6f4ad260ea1dc0cce216
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e