Analysis
-
max time kernel
31s -
max time network
33s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
09-05-2024 14:58
Static task
static1
URLScan task
urlscan1
Errors
General
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
resource yara_rule behavioral1/files/0x0009000000023463-83.dat family_umbral behavioral1/memory/5440-91-0x0000023EE5A30000-0x0000023EE5A70000-memory.dmp family_umbral -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 5660 powershell.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts bootstrap.exe -
Executes dropped EXE 2 IoCs
pid Process 5440 bootstrap.exe 5560 menu.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 65 discord.com 66 discord.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 57 ip-api.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 menu.exe -
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
pid Process 5264 wmic.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "12" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings msedge.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 5572 PING.EXE -
Suspicious behavior: EnumeratesProcesses 25 IoCs
pid Process 1428 msedge.exe 1428 msedge.exe 2952 msedge.exe 2952 msedge.exe 4816 identity_helper.exe 4816 identity_helper.exe 4900 msedge.exe 4900 msedge.exe 5440 bootstrap.exe 5440 bootstrap.exe 5660 powershell.exe 5660 powershell.exe 5660 powershell.exe 5968 powershell.exe 5968 powershell.exe 5968 powershell.exe 4512 powershell.exe 4512 powershell.exe 4512 powershell.exe 5384 powershell.exe 5384 powershell.exe 5384 powershell.exe 6024 powershell.exe 6024 powershell.exe 6024 powershell.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
pid Process 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5440 bootstrap.exe Token: SeIncreaseQuotaPrivilege 5536 wmic.exe Token: SeSecurityPrivilege 5536 wmic.exe Token: SeTakeOwnershipPrivilege 5536 wmic.exe Token: SeLoadDriverPrivilege 5536 wmic.exe Token: SeSystemProfilePrivilege 5536 wmic.exe Token: SeSystemtimePrivilege 5536 wmic.exe Token: SeProfSingleProcessPrivilege 5536 wmic.exe Token: SeIncBasePriorityPrivilege 5536 wmic.exe Token: SeCreatePagefilePrivilege 5536 wmic.exe Token: SeBackupPrivilege 5536 wmic.exe Token: SeRestorePrivilege 5536 wmic.exe Token: SeShutdownPrivilege 5536 wmic.exe Token: SeDebugPrivilege 5536 wmic.exe Token: SeSystemEnvironmentPrivilege 5536 wmic.exe Token: SeRemoteShutdownPrivilege 5536 wmic.exe Token: SeUndockPrivilege 5536 wmic.exe Token: SeManageVolumePrivilege 5536 wmic.exe Token: 33 5536 wmic.exe Token: 34 5536 wmic.exe Token: 35 5536 wmic.exe Token: 36 5536 wmic.exe Token: SeIncreaseQuotaPrivilege 5536 wmic.exe Token: SeSecurityPrivilege 5536 wmic.exe Token: SeTakeOwnershipPrivilege 5536 wmic.exe Token: SeLoadDriverPrivilege 5536 wmic.exe Token: SeSystemProfilePrivilege 5536 wmic.exe Token: SeSystemtimePrivilege 5536 wmic.exe Token: SeProfSingleProcessPrivilege 5536 wmic.exe Token: SeIncBasePriorityPrivilege 5536 wmic.exe Token: SeCreatePagefilePrivilege 5536 wmic.exe Token: SeBackupPrivilege 5536 wmic.exe Token: SeRestorePrivilege 5536 wmic.exe Token: SeShutdownPrivilege 5536 wmic.exe Token: SeDebugPrivilege 5536 wmic.exe Token: SeSystemEnvironmentPrivilege 5536 wmic.exe Token: SeRemoteShutdownPrivilege 5536 wmic.exe Token: SeUndockPrivilege 5536 wmic.exe Token: SeManageVolumePrivilege 5536 wmic.exe Token: 33 5536 wmic.exe Token: 34 5536 wmic.exe Token: 35 5536 wmic.exe Token: 36 5536 wmic.exe Token: SeDebugPrivilege 5660 powershell.exe Token: SeDebugPrivilege 5968 powershell.exe Token: SeDebugPrivilege 4512 powershell.exe Token: SeDebugPrivilege 5384 powershell.exe Token: SeIncreaseQuotaPrivilege 5740 wmic.exe Token: SeSecurityPrivilege 5740 wmic.exe Token: SeTakeOwnershipPrivilege 5740 wmic.exe Token: SeLoadDriverPrivilege 5740 wmic.exe Token: SeSystemProfilePrivilege 5740 wmic.exe Token: SeSystemtimePrivilege 5740 wmic.exe Token: SeProfSingleProcessPrivilege 5740 wmic.exe Token: SeIncBasePriorityPrivilege 5740 wmic.exe Token: SeCreatePagefilePrivilege 5740 wmic.exe Token: SeBackupPrivilege 5740 wmic.exe Token: SeRestorePrivilege 5740 wmic.exe Token: SeShutdownPrivilege 5740 wmic.exe Token: SeDebugPrivilege 5740 wmic.exe Token: SeSystemEnvironmentPrivilege 5740 wmic.exe Token: SeRemoteShutdownPrivilege 5740 wmic.exe Token: SeUndockPrivilege 5740 wmic.exe Token: SeManageVolumePrivilege 5740 wmic.exe -
Suspicious use of FindShellTrayWindow 33 IoCs
pid Process 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe 2952 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5744 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2988 2952 msedge.exe 84 PID 2952 wrote to memory of 2988 2952 msedge.exe 84 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 2176 2952 msedge.exe 85 PID 2952 wrote to memory of 1428 2952 msedge.exe 86 PID 2952 wrote to memory of 1428 2952 msedge.exe 86 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 PID 2952 wrote to memory of 1084 2952 msedge.exe 87 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 5612 attrib.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Cyendd/Giftcard-Generator/archive/refs/heads/main.zip1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8797646f8,0x7ff879764708,0x7ff8797647182⤵PID:2988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:22⤵PID:2176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:82⤵PID:1084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:1524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:1916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:82⤵PID:1424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5060 /prefetch:82⤵PID:3888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:3300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:12⤵PID:5812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:12⤵PID:5820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:5704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵PID:5708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11741907227689699709,12321082529542929557,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:12⤵PID:732
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2688
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4652
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1720
-
C:\Users\Admin\Downloads\Giftcard-Generator-main\Giftcard-Generator-main\loader.exe"C:\Users\Admin\Downloads\Giftcard-Generator-main\Giftcard-Generator-main\loader.exe"1⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe"2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5440 -
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5536
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe"3⤵
- Views/modifies file attributes
PID:5612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5660
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 23⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5384
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5740
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory3⤵PID:5720
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid3⤵PID:6096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6024
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name3⤵
- Detects videocard installed
PID:5264
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\RarSFX0\bootstrap.exe" && pause3⤵PID:3024
-
C:\Windows\system32\PING.EXEping localhost4⤵
- Runs ping.exe
PID:5572
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\menu.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\menu.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5560 -
C:\Windows\SysWOW64\shutdown.exeshutdown.exe -r -f -t 03⤵PID:5420
-
-
C:\Windows\SysWOW64\shutdown.exeC:\Windows\System32\shutdown.exe -r -f -t 03⤵PID:5456
-
-
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3901055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5744
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding1⤵PID:5912
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD52daa93382bba07cbc40af372d30ec576
SHA1c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA2561826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA51265635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
-
Filesize
152B
MD5ecdc2754d7d2ae862272153aa9b9ca6e
SHA1c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
-
Filesize
5KB
MD5ce4e1a1361515516a644509c7ee57966
SHA12f2ac41792b1ddf1ea8a9309317801a05b4e9b6e
SHA256ccf080a4fa27723ddce6a97172b86797e7549fa0fa4327afa92178d45bcac542
SHA51211f5d3f1eabe34821f05b9114eff10560cd4dbf05723a3321b983f76af49d2f1c0b35bd04a0582a837c6ec3261f4a7f7ddd75f711aedd13d650ab39fd26a6b30
-
Filesize
6KB
MD5b8f697a388ebfe8b3b80d75a72dd722b
SHA1d856e9839cbfdb46fdd7904359d1da2fd205337d
SHA256b7e7efd599869ea7fa9bbd499f9f100e3a48f6c31ed3d6b6fd209661cef63e73
SHA5126131bd9374aa3f3763c2144171ed06464cedd470a484e80d3a24c89885e1b969302b313e15652cd3e4ee39ffaf796e75ce56a8270472067ac1e31247ef3c170a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a7c4f3799b7fde4556b9c554a26110b1
SHA10ea82b615601f5998f55d830ee2b15fdebefba99
SHA25626fc3f2273e28b93916e8a1d4f448a5c9fc7005c6dc7a14907e1fb543926fb1a
SHA5121abca9d5763afcaaa2d693d93e025b69a2e0d623bae5f975c40e40fe30f399ad41025b45138627640cbff06ee9dbe5d7d23d42dd174e4f48b6d41f366abd5ed1
-
Filesize
11KB
MD53d933cce3dd61ebe6598bb882da3af8d
SHA1c98d1d02fba00d7c96a7ed1877406bf68d55d27e
SHA2569601078b901c5a25863fc57ce2e69465576f14727fb7cc35d54240ba135e79b0
SHA5128b50e9c51f7a6fd6319b3dffd99ac46125637e1b88aed6207ac402ef532325715753202c9d5f84ce92a4d5b17f2b61ee93b2df9c27a43097fa7591cdabbbfc88
-
Filesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
Filesize
948B
MD5c65738617888921a153bd9b1ef516ee7
SHA15245e71ea3c181d76320c857b639272ac9e079b1
SHA2564640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26
SHA5122e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD5ca58d1913d3261f116a299095e04f734
SHA1941d13d0c8c65adb6513f23991acfa0d62facdea
SHA256755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69
SHA51287b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40
-
Filesize
229KB
MD52f7917208470cb60a461821bd3bd7b38
SHA160439ca8b3355d217a1ece1f059adfdc893a15a4
SHA256bcd85c22f2dc22bfaca369c126912de4ddae0be03bdf69d6ed7bcbc51668a191
SHA5122f961f422cc7f66326708e832031ffaf2c4efea2ca1f5129e7d07bf056faf3d11046a161c36f69dbd3043d6f353a9e0cc943a94fed9fcd73e5bc64855d94d699
-
Filesize
71KB
MD5bfe57939db2d2e05f2c01d9810c414cd
SHA1502fbf4cdb80eccee2798efa7bf81d2fe6b21420
SHA2562a9e09c96ab0dbf75f4c1277295ca5e16345698415b35da414d9954ddaa8de98
SHA5126b9cf57859162d92ee0b7b26d613e935b194047f26e8e7ebd1cbab452014e90a30e5a14004ad385713c536f9b8b72f95f8e9d8b848d4522c4693ed7f8ee8e13b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
283KB
MD56e614f123bf3c9ef51aec7e517387008
SHA1caef2512f74331cf59860e8059d58fb57222269c
SHA25664b42c91eefced7635415b0a29cf7edbef38861faaf8050238fcbe802ef731a3
SHA5124f7e581e9a1962a8f349c469c4e1fd209c22fa4c9184ac9dc0ab6a81476be8ddb47928cbba1a7c75c93826cfc07707563c17e65c5eadc37892740ed3cc529e4c
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b