Analysis
-
max time kernel
900s -
max time network
1176s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
24-05-2024 18:18
General
-
Target
sample.html
-
Size
16KB
-
MD5
3a8fb09f8cfd8c9012520e9d45f961ba
-
SHA1
faba2dba5063476f5f8742932963249d81c5c0cb
-
SHA256
3464373dc628c72a680e4c69c3dd73c3aea0f66a8b509933f5818e516fc03985
-
SHA512
d144ba21d218fd3f77f66665577c40c048c4bc6f30efa1ad3b2e3ecc9d95eeb425dd2b02243b20410a3c3c6bf2625c342e6f6299ba48c49c648f7e2ea14d49d4
-
SSDEEP
192:x4ufWIyc+MDg9PxUfrULIAFCy8GAGYoQN6S5+MO2FHB/ibLDiTkok:x0Vig9pUfrUz8GAGM6O+x2V1i/DiTkn
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 58 IoCs
-
NTFS ADS 1 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of FindShellTrayWindow 47 IoCs
-
Suspicious use of SendNotifyMessage 18 IoCs
-
Suspicious use of SetWindowsHookEx 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff8eb03cb8,0x7fff8eb03cc8,0x7fff8eb03cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5992 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6004 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,15083796721055954176,8518631136336747507,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Bhavesh Virus Maker v1.0.0.1.zip\Bhavesh Virus Maker\Bhavesh Virus Maker\bin\Debug\Bhavesh Virus Maker.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Bhavesh Virus Maker v1.0.0.1.zip\Bhavesh Virus Maker\Bhavesh Virus Maker\bin\Debug\Bhavesh Virus Maker.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adad.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\wannadie.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\wannadie.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\adad.bat" "1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dadadaadad.bat" "1⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\net.exenet stop "Security Center"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center"3⤵
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\tskill.exetskill /A av*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A fire*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A anti*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A spy*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A bullguard2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A PersFw2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A KAV*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A ZONEALARM2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A SAFEWEB2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A OUTPOST2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A nv*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A nav*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A F-*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A ESAFE2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A cle2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A BLACKICE2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A def*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A kav2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A kav*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A avg*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A ash*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A aswupdsv2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A ewid*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A guard*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A guar*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A msmp*2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\tskill.exetskill /A mcafe*2⤵
-
C:\Windows\system32\tskill.exetskill /A mghtml2⤵
-
C:\Windows\system32\tskill.exetskill /A msiexec2⤵
-
C:\Windows\system32\tskill.exetskill /A outpost2⤵
-
C:\Windows\system32\tskill.exetskill /A isafe2⤵
-
C:\Windows\system32\tskill.exetskill /A zap*2⤵
-
C:\Windows\system32\tskill.exetskill /A zauinst2⤵
-
C:\Windows\system32\tskill.exetskill /A upd*2⤵
-
C:\Windows\system32\tskill.exetskill /A zlclien*2⤵
-
C:\Windows\system32\tskill.exetskill /A minilog2⤵
-
C:\Windows\system32\tskill.exetskill /A cc*2⤵
-
C:\Windows\system32\tskill.exetskill /A norton*2⤵
-
C:\Windows\system32\tskill.exetskill /A norton au*2⤵
-
C:\Windows\system32\tskill.exetskill /A ccc*2⤵
-
C:\Windows\system32\tskill.exetskill /A npfmn*2⤵
-
C:\Windows\system32\tskill.exetskill /A loge*2⤵
-
C:\Windows\system32\tskill.exetskill /A nisum*2⤵
-
C:\Windows\system32\tskill.exetskill /A issvc2⤵
-
C:\Windows\system32\tskill.exetskill /A tmp*2⤵
-
C:\Windows\system32\tskill.exetskill /A tmn*2⤵
-
C:\Windows\system32\tskill.exetskill /A pcc*2⤵
-
C:\Windows\system32\tskill.exetskill /A cpd*2⤵
-
C:\Windows\system32\tskill.exetskill /A pop*2⤵
-
C:\Windows\system32\tskill.exetskill /A pav*2⤵
-
C:\Windows\system32\tskill.exetskill /A padmin2⤵
-
C:\Windows\system32\tskill.exetskill /A panda*2⤵
-
C:\Windows\system32\tskill.exetskill /A avsch*2⤵
-
C:\Windows\system32\tskill.exetskill /A sche*2⤵
-
C:\Windows\system32\tskill.exetskill /A syman*2⤵
-
C:\Windows\system32\tskill.exetskill /A virus*2⤵
-
C:\Windows\system32\tskill.exetskill /A realm*2⤵
-
C:\Windows\system32\tskill.exetskill /A sweep*2⤵
-
C:\Windows\system32\tskill.exetskill /A scan*2⤵
-
C:\Windows\system32\tskill.exetskill /A ad-*2⤵
-
C:\Windows\system32\tskill.exetskill /A safe*2⤵
-
C:\Windows\system32\tskill.exetskill /A avas*2⤵
-
C:\Windows\system32\tskill.exetskill /A norm*2⤵
-
C:\Windows\system32\tskill.exetskill /A offg*2⤵
-
C:\Windows\regedit.exe"regedit.exe" "C:\Users\Admin\Desktop\nokeyboard.reg"1⤵
- Runs .reg file with regedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\dadadaadad.bat" "1⤵
- Drops autorun.inf file
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\net.exenet stop "Security Center"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Security Center"3⤵
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=disable2⤵
- Modifies Windows Firewall
-
C:\Windows\system32\tskill.exetskill /A av*2⤵
-
C:\Windows\system32\tskill.exetskill /A fire*2⤵
-
C:\Windows\system32\tskill.exetskill /A anti*2⤵
-
C:\Windows\system32\tskill.exetskill /A spy*2⤵
-
C:\Windows\system32\tskill.exetskill /A bullguard2⤵
-
C:\Windows\system32\tskill.exetskill /A PersFw2⤵
-
C:\Windows\system32\tskill.exetskill /A KAV*2⤵
-
C:\Windows\system32\tskill.exetskill /A ZONEALARM2⤵
-
C:\Windows\system32\tskill.exetskill /A SAFEWEB2⤵
-
C:\Windows\system32\tskill.exetskill /A OUTPOST2⤵
-
C:\Windows\system32\tskill.exetskill /A nv*2⤵
-
C:\Windows\system32\tskill.exetskill /A nav*2⤵
-
C:\Windows\system32\tskill.exetskill /A F-*2⤵
-
C:\Windows\system32\tskill.exetskill /A ESAFE2⤵
-
C:\Windows\system32\tskill.exetskill /A cle2⤵
-
C:\Windows\system32\tskill.exetskill /A BLACKICE2⤵
-
C:\Windows\system32\tskill.exetskill /A def*2⤵
-
C:\Windows\system32\tskill.exetskill /A kav2⤵
-
C:\Windows\system32\tskill.exetskill /A kav*2⤵
-
C:\Windows\system32\tskill.exetskill /A avg*2⤵
-
C:\Windows\system32\tskill.exetskill /A ash*2⤵
-
C:\Windows\system32\tskill.exetskill /A aswupdsv2⤵
-
C:\Windows\system32\tskill.exetskill /A ewid*2⤵
-
C:\Windows\system32\tskill.exetskill /A guard*2⤵
-
C:\Windows\system32\tskill.exetskill /A guar*2⤵
-
C:\Windows\system32\tskill.exetskill /A msmp*2⤵
-
C:\Windows\system32\tskill.exetskill /A mcafe*2⤵
-
C:\Windows\system32\tskill.exetskill /A mghtml2⤵
-
C:\Windows\system32\tskill.exetskill /A msiexec2⤵
-
C:\Windows\system32\tskill.exetskill /A outpost2⤵
-
C:\Windows\system32\tskill.exetskill /A isafe2⤵
-
C:\Windows\system32\tskill.exetskill /A zap*2⤵
-
C:\Windows\system32\tskill.exetskill /A zauinst2⤵
-
C:\Windows\system32\tskill.exetskill /A upd*2⤵
-
C:\Windows\system32\tskill.exetskill /A zlclien*2⤵
-
C:\Windows\system32\tskill.exetskill /A minilog2⤵
-
C:\Windows\system32\tskill.exetskill /A cc*2⤵
-
C:\Windows\system32\tskill.exetskill /A norton*2⤵
-
C:\Windows\system32\tskill.exetskill /A norton au*2⤵
-
C:\Windows\system32\tskill.exetskill /A ccc*2⤵
-
C:\Windows\system32\tskill.exetskill /A npfmn*2⤵
-
C:\Windows\system32\tskill.exetskill /A loge*2⤵
-
C:\Windows\system32\tskill.exetskill /A nisum*2⤵
-
C:\Windows\system32\tskill.exetskill /A issvc2⤵
-
C:\Windows\system32\tskill.exetskill /A tmp*2⤵
-
C:\Windows\system32\tskill.exetskill /A tmn*2⤵
-
C:\Windows\system32\tskill.exetskill /A pcc*2⤵
-
C:\Windows\system32\tskill.exetskill /A cpd*2⤵
-
C:\Windows\system32\tskill.exetskill /A pop*2⤵
-
C:\Windows\system32\tskill.exetskill /A pav*2⤵
-
C:\Windows\system32\tskill.exetskill /A padmin2⤵
-
C:\Windows\system32\tskill.exetskill /A panda*2⤵
-
C:\Windows\system32\tskill.exetskill /A avsch*2⤵
-
C:\Windows\system32\tskill.exetskill /A sche*2⤵
-
C:\Windows\system32\tskill.exetskill /A syman*2⤵
-
C:\Windows\system32\tskill.exetskill /A virus*2⤵
-
C:\Windows\system32\tskill.exetskill /A realm*2⤵
-
C:\Windows\system32\tskill.exetskill /A sweep*2⤵
-
C:\Windows\system32\tskill.exetskill /A scan*2⤵
-
C:\Windows\system32\tskill.exetskill /A ad-*2⤵
-
C:\Windows\system32\tskill.exetskill /A safe*2⤵
-
C:\Windows\system32\tskill.exetskill /A avas*2⤵
-
C:\Windows\system32\tskill.exetskill /A norm*2⤵
-
C:\Windows\system32\tskill.exetskill /A offg*2⤵
-
C:\Windows\system32\net.exenet user Admin Bhavesh2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin Bhavesh3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\wadawda.bat" "1⤵
- Drops autorun.inf file
-
C:\Windows\system32\net.exenet user Admin Bhavesh2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user Admin Bhavesh3⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5390187670cb1e0eb022f4f7735263e82
SHA1ea1401ccf6bf54e688a0dc9e6946eae7353b26f1
SHA2563e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947
SHA512602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58294f1821fd3419c0a42b389d19ecfc6
SHA1cd4982751377c2904a1d3c58e801fa013ea27533
SHA25692a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a
SHA512372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD5aa68cb7aea86360b71565d3cae820920
SHA1fabb5c5f715d563926f3e69ca22f29aa881b4c71
SHA2569fadb67b57246fe12fae3cbf3267fd65234ce87e8296092c1eeb75530bd59bbb
SHA51262c834d24bd6684baac28853fea82ab24e41ebeae684dd3a844238011e60f34254315b57d1d23830755cbbc3b9b24bbbfa11edb4d2c8b43c82942235d32e23b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
4KB
MD59ef52af052523722bc088028607846a3
SHA19cb24c2b16916a6d7fe4ad29cb71f78bd88442fa
SHA256568024800387683d97728fa2448aa6a73ee8f89bfb53474f7cfbea7a75807d30
SHA512d9beb32cf86302f80f841fc4010417d921dc8c6e286fa3b9efc7b53c14d9d73a63c5ef829b92fe874ed0b599f9027691ffbd14ecd0ffbcea582462ac280d56db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD53637b765af8e63d2babd875fb107b762
SHA1149240299d606066d16ad82f3624506422aa41df
SHA25660c103008b1c04ab1bae11775f7a7f812a7e76dd0b6618a81306539e3771b98b
SHA51225ec835922b2f51e61e59390f387a25f58d710ff63d692d40469fdf8048237c6ed74c4f3375dc45c0ab35e0d8f73b7d22c0799b8ae4fcbe05f0b37033b69e537
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD59f58e8b5d8693ba7698f3bbc01e88a07
SHA1f01ade8bd03f0b4c9ded8c3de556b4c6da4f7c1a
SHA2561b4a83cbce485217003d2b951e41a4b25d5903fa541f71e78c062a5947ed9c06
SHA512c54ccf5babafd3059990a8537d74369b0ef2980c116c32332b86829312f737a2c303e4b0f2a0df226ec3a7fefc3ae645d6d901d8ed46357ddb111bd531a76f6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
8KB
MD56a3c4d1c3d481ea8952e05e1d7651421
SHA117d11aba90144d82c9a2683e1b1fdf0754c90147
SHA2567b655456785cbb3dd9b0b7f4257fd6d70b5814aa6ba38331d2c8692cbcda48f2
SHA5129a27c61a5aaecd1f958416359b70fe80d64e8ead810c3fead543078d06e7aa5640f766bfee18cb90274f8d98ab5e4c40d44c8851331fa7374019fe12782b9e79
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5176cfcd399a1449aec5a585e58bd0de7
SHA1d03f4cfb63b8b2c7a97c790886dc3d966a35d847
SHA2564e810b49b9d27313f9523bef6b0d7264b808de8d243a249c996f73177a28cb81
SHA512918560d9e7da7eb2db3651b524a7f89721934b3c94024844d36de431ff03024fd8d852ade9c48f94da79af0f6e29454007d8aef39fdec85e3026a8269c4cd8ca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD53f8ec36bc5e25bf2b2b29404b72d0a3d
SHA1a1339c624da6c1f6cebe3be8d555ec91e0acef76
SHA25660f1e91e503886930fc1f6b68d0ff78beaac286b1f400e1896ccb7380bb0a021
SHA51296ce28d58d522964d553ad0df01652b8ef9051e024ecf5ac28fa7780ac57cfe89ff866a36d9880c03097946561e6f556c27f59d8325091124917b982d8920c9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51712fc1fa4521a4306de6feba62a18b5
SHA1ce2bbf7c5685a101187ee5dd0546ee686f8b8915
SHA256d67d661af824b45a68df108005adc9e1ceb8919cd27072c415277a659b141e42
SHA512237e586419c6109317b92378a6b128556a0ccbcdd79de2e4b1f4a28f249126b98d08bc8952062ad02bb86e3477f4afae5f8d494c76b7264192de7327a5fc7b08
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
11KB
MD5cd56e155edf53e5728c46b6c9eb9c413
SHA114b1b0f090803c9ee39797aed4af13dc7849566d
SHA25670a6cf268c013fb4d907bedc12af3e5f802f179f0cc8353c7b8227dde840d31a
SHA512a4ada455d44a89fd2baa505aa9266b70913967b839522ef5da8d7afd31af6662c3ad96ac3e3531d82a72be7d019c9d88f1ce391c5b5fa0e4422a634c51491165
-
C:\Users\Admin\Desktop\FIleList_xml.txtFilesize
217KB
MD514faabcc977d1c6577ad07e24b5d87cf
SHA1da72387ef02295b747426fb997d7a9e693a6bb4c
SHA256a5d8258cbfeaf06565f88ea4a1d05122a86f3c87429ce1891507e66c21f1a5d9
SHA512c616ad763f957095525a1b44d545382bcc5c908b6c34f3544e99a2b09eae3be84dae04a76ef74e4817b092a7ce81db2952e7cf1222e2d45fab8df18044a40f16
-
C:\Users\Admin\Desktop\adad.batFilesize
176B
MD5bbaad817427b2bef920c7d827d2f47f0
SHA1fb840c64b3deda8c299561d262fc3cddf2402972
SHA256165fcc6e740b0ba227a992920770d8c776e3beb7d083494c001faf49ddd79c92
SHA512b4296ad87eec7be8fa1bfbb7a20fc7d4851c43fbdcd1df3ca94cbd15145aca34f05dec0f7f4dabf47239793239402b75b91156bee192b0d1f3a0d3a2145f18a4
-
C:\Users\Admin\Desktop\dadadaadad.batFilesize
5KB
MD5aa0263b537d59c11108d5fda5df24234
SHA1404b9c6e89ff9690d4e27372417cb2e4e7cec628
SHA2564adde65272e293c0ac8eaa23f02e61296c8c8ca3653e31fa7e767425a0fa41e7
SHA5123e417dbb765824a32608ff7fea3f9918307073b173499490f9a0ce771dca0d795986a1f2b1a38a79be4a6b97604e1433911d9dbae40a85b5b10f1b30f6a6aa6e
-
C:\Users\Admin\Desktop\dadadaadad.batFilesize
5KB
MD57bdf0565c74c57c576078c145ef518e8
SHA199a2717990512fd1dd03e5ed7204da417d329391
SHA2564aef3ea110602dffc9dc9b05ca1845cd37557e7221571580e262f5c2edc8289d
SHA512842f9c8dfe0f2fb49af9abf88330d89628e9c14c8616e1ea84e70d06962364b2d59f026a12d543df1ab7c8ecde20ad00f51b4dda7202b40431dc9a746c766de3
-
C:\Users\Admin\Desktop\nokeyboard.regFilesize
576B
MD553ffa92a2a3cdcbd3fb0e3ecf0a9dd80
SHA1eb2a145817caa9cf2bebb8b0d8e8d76a66f168e5
SHA2569a8e8d373b872678f65a7e2ff1e395328ce9fb97e079c2d0e9a4ec692458e489
SHA512a5d1ad458f58ba4cd214b51183b3a0244e393c393204c752b62b15acb037ced703b4a427cc3b0ef756f3d13cb26bd760578ff61dffcd266ff517aae8b1597f5f
-
C:\Users\Admin\Desktop\nokeyboard.regFilesize
1KB
MD5fa5412123f5ef3f83c2bd8b8c23fdf4d
SHA15d2a7c634ac64fe9a40fbc217d25178f77c118a9
SHA256a029ae77eced03e515a2acb0ee8ebecf3aebea402e441beef1615e3488234f8e
SHA512bdc6d8201b1a334bfd3f204cf4e633f02d024ac693dcb5816f604a885c23f33c1db03dd07378f13d08fa4255fbd642782142a6f7f7f1647b3c26a2c7cd544d54
-
C:\Users\Admin\Desktop\wadawda.batFilesize
472B
MD5fc671f127970c600804004319b508567
SHA12939432340ce812dea14e9f7588997c8d12eaca1
SHA256ff08ddfce642ca4e72d38d8ce76b1313e2c4afedf758856a90536b8cfabfd806
SHA5128f5b2e5897d127f539f7f0061d41f27b72212995a81feda2d650d51d765c4f7edbb3113c4fe65650c547db57e00d1d23ccd13819cd760a5a46980d6d4ef6b738
-
C:\Users\Admin\Desktop\wannadie.batFilesize
2KB
MD58f9f12ef5f32084e8b7f17f14eab1d69
SHA1b3a276699fb511b10ab7889e3477ad1b45ed2300
SHA256e7b56df9f0f0256ea463c004d9a1b4460d43b3c82035cdbbcdf84c8784519721
SHA512dce5dd518553f846419c59b274d7b227577920371686dd4408a289f5e4f5c245bf1e482723a0d6d35643a479dd25a6279392b02e4a619c3214a7930191fcba62
-
C:\Users\Admin\Desktop\wannadie.batFilesize
7KB
MD56b91e7ced0fb5373b08704f76bc4dc85
SHA1db313029c41b18aa20f137eb1952ef3636a88bd0
SHA25626255e7df58dfc3cb73124c28fb43219cb8731b7c7760de8e73ef7d003989957
SHA512a912853bb601dae7067ce50a4fc5c517072538dcd3b6ed5d7446004d8191251d84da784238a28a4fc882f29f2af7b0901171551ff27bc07017879e74bd16c255
-
C:\Users\Admin\Downloads\Bhavesh Virus Maker v1.0.0.1.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 554281.crdownloadFilesize
3.4MB
MD5fc611459d76232259ac3fd1f3456d60a
SHA13407a2b1b913239e8b70786160b6584a1577d151
SHA2565bb924807d43e98d404a520d35446eca67ada7a30218360bd6325e10deb9c309
SHA512a430e5d4c7d61f62ed362ef1bdb87d68610d4d11b718a0208fb73f6270471b255bf3465955b0ec9a9ed8a766b38872d5b33187b87d0223d3694ea6fb577edf12
-
C:\autorun.infFilesize
98B
MD5c6dcf29bf2f2bd6b3afc8fa325da8d3a
SHA1cb97a804a71843ef85dee8ff58949805e7dcf036
SHA2565cfedefb0a3cde24469a2ffbb534b773eb18b537a03a4b9e0e2d1b55ccb867cc
SHA512ab8a199f14e5cdcfeaddcba7c6ca7e9bfd155dccf46eb85de253353498d776e48731fb6c4045de55c832a79430df2844821443e8e654db699556aa2a5b6dd60c
-
F:\autorun.infFilesize
61B
MD500de926f8029b30a0e2c80d856ed4ee9
SHA19bd8b6d6888e0071b5a63684d4a31be04120c49c
SHA2568f857d774d9ae8d69355be32ff3b5c5e0985e7c6ef3a22bf2bd1ae33be4d0d60
SHA5126dc2e95e6e6971c663053be5dcf5948bb206a7b07638439187f6c44d0d5ac4bdb6fafe22a33e178bf5c978a9d43a252571b1294afbbe5e3fd1608f93204b1d56
-
\??\pipe\LOCAL\crashpad_1196_UNXRJIDNDDSOZQERMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4320-501-0x00000000007F0000-0x00000000008AA000-memory.dmpFilesize
744KB