23c75e988d1579ade684b8fc3e9ebea0f2d62b955d190c974c4a47112681048a

max time kernel
317s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-07-2024 14:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

493KB
MD5

937cffd4aed2741d390f12cdaceedfe6
SHA1

6e4053037c6fb57b01fb8aadd59f1b4bab4413dd
SHA256

23c75e988d1579ade684b8fc3e9ebea0f2d62b955d190c974c4a47112681048a
SHA512

8296f202f1538be8425c725e8be4816e692aaec686c89b525c67d2911c4da968047676f3801bed62f7bd95f54d258d775ef42dfa54d93978981c5a4a4e58d444
SSDEEP

6144:5DoAwoAwKAwtAwoAwtAw5AwBAw+AwMAwpbQ:5EArADAEALA8AUAaAFAJA2bQ

Score

7^/10

bootkit persistence upx

Malware Config

Signatures

Executes dropped EXE 14 IoCs

pid	Process
1932	mbr.exe
1988	bytebeat1.exe
3700	rgb.exe
1652	sinewaves.exe
2268	Lines.exe
4192	txtout.exe
428	patblt.exe
2116	txtout2.exe
4024	invmelter.exe
4968	cubes.exe
444	rgb.exe
488	txtout.exe
3004	txtout2.exe
1504	bsod.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3660-698-0x0000000000400000-0x00000000004D8000-memory.dmp	upx
behavioral1/memory/3660-757-0x0000000000400000-0x00000000004D8000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
6	raw.githubusercontent.com
80	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	mbr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4484	taskkill.exe
400	taskkill.exe
2784	taskkill.exe
3424	taskkill.exe
3908	taskkill.exe
3764	taskkill.exe
1528	taskkill.exe
2152	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{3D6C3C24-A201-43CE-90F0-D07A607990D6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WinRGBDestructive.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
4732	msedge.exe
4732	msedge.exe
4696	msedge.exe
4696	msedge.exe
560	identity_helper.exe
560	identity_helper.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
3872	msedge.exe
3872	msedge.exe
4084	msedge.exe
4084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	1000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1000	AUDIODG.EXE
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	400	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	3908	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeShutdownPrivilege	1504	bsod.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3660	WinRGBDestructive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4748	4732	msedge.exe	77
PID 4732 wrote to memory of 4748	4732	msedge.exe	77
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4480	4732	msedge.exe	78
PID 4732 wrote to memory of 4408	4732	msedge.exe	79
PID 4732 wrote to memory of 4408	4732	msedge.exe	79
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80
PID 4732 wrote to memory of 2376	4732	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff842c53cb8,0x7ff842c53cc8,0x7ff842c53cd8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:1248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1800,8740275484921426578,17478523742664763833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3340

C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe
"C:\Users\Admin\Downloads\WinRGBDestructive\WinRGBDestructive.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3660
- C:\Windows\system32\wscript.exe
  "C:\Windows\sysnative\wscript.exe" C:\Users\Admin\AppData\Local\Temp\24BF.tmp\24C0.tmp\24C1.vbs //Nologo
  2⤵
  PID:2636
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe"
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe"
    3⤵
    - Executes dropped EXE
    PID:3700
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe"
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Lines.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im sinewaves.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe"
    3⤵
    - Executes dropped EXE
    PID:4192
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im txtout.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4484
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im RGB.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:400
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe"
    3⤵
    - Executes dropped EXE
    PID:428
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe"
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im patblt.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im txtout2.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe"
    3⤵
    - Executes dropped EXE
    PID:4024
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im invmelter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe"
    3⤵
    - Executes dropped EXE
    PID:4968
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe"
    3⤵
    - Executes dropped EXE
    PID:444
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe"
    3⤵
    - Executes dropped EXE
    PID:488
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im txtout.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe"
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe
    "C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1504

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4faec26c-efa7-4504-8cc8-4a58748bfc4d.tmp

Filesize
6KB

MD5
33b0ba2b6cdefb137f7262a7192b6138

SHA1
1e081b586781b88c54547d55c0182c6fe1579ebc

SHA256
17c9575275b5b8d5f991a4a3c5a72bd9403b91fc91dad8c8a87df07bc1151bcc

SHA512
ec5dd4dde81fbf977c583ca9713fb238655949b6b9854542215f11842cfbbef1caa882a2627029f020ee63b7b50c0fa7d60a161012656c4665d2d3cc0248600e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
abf599d57d81aa1a1fe327abe202f149

SHA1
9981a20c9d54d3fc66346095ea255e2be6042d4d

SHA256
f7e0927433e1d0c1e4a18856fdb614ca49f9ed93fbd57585fa5da4dfafd2830a

SHA512
4b9277288bd27d6bef04dc7abf42fd6bd6061c247653541cd3ce0da739964ae0abd59746083ee72abc7df5f51620ba994758755999aa275146a2a94fc5f408b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0227acca84a98204d1845dbfcdb32919

SHA1
b6f1372ec60a4561fe558ba93431555c5f8769eb

SHA256
f7d36d8f7ccbaf5c66a6846c1f89b462da06945c00250c05e1c6333600adf729

SHA512
21e6efd4a02d50a719d36b20435a031d63eb0e331833ad59e3a55755d7aeed10393134b4ebefcbfc16c58097edadb53d5a02582f39fafcd424e6f93b2a368e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3459ddf3de65f7b498855939c5891027

SHA1
4edc506602d61b8babf7cac9338d1127966fa083

SHA256
7bb859c4e70876b5ffc38feee2e5e6241ee9eab79d2b4dab7993d8b1e8c24b2e

SHA512
1680428b220a459018bc4204c9260ac9fc1de6d0619294161427458b5163be942273ee91c2e217a2e0e9d8f60e76b88e2481d06c853569bb7710dbe84dbca0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0190e85324d223a7802bf1363b598781

SHA1
63b64fa147d0fa9c8610d56357c74b4e83f9f24d

SHA256
ed933c21c73bef949c71e71411c9cf1e3929751da444134f6686d45e099958a0

SHA512
81b2feadbb76542444e5c9b6a253920f3666a390179ac1d7380110da66833834b8ab770729e25c43585cc75afae504fb68589cfe02253860f74628e065c60398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aef964b2bc3b6c84301b925e90b4f8c7

SHA1
3a266a47ef48c909c9182dd8381949b795d63ef5

SHA256
4c301c057320b3e894ff466705b0606750653a5f19b6cbd7a468a958a33dba4f

SHA512
f7aaa70152d40043f8d74a7f225919fa4118ae5aa811bd93bf86f175a9e3be234968a19d474995b802f2cb9f6eb1ec83aa66197a5c55a427300fbe93cd4c5518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb2b2a2ab23c17a394bbdb03563efaeb

SHA1
9833d8dbedf9bbbc75e095650a400b892da64d30

SHA256
2d53399d229d1ab829062589fe02ae16769221bc0a2f66958e57f56d8da8a127

SHA512
8b5a6965327a778e9ae50a3cf208797723197fe04bc2ea58d18eb79819cc713643a5dbeee1536d56fd30726bdebe4954b47ce853b058f3b8964981709f55cf51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
968440030dc4ef255ffc8fb6d4c427ed

SHA1
94f92a4f7830431ba6cfdbf210007b560b4f1399

SHA256
976085a2702deaca66ecf6048cbced39547688d47a233ef8bbff9da43dea8bea

SHA512
6ebcde2333515e7b70577140c3725d8f622ab81b90e6efb1ce282f85e4bd4981f5baa6dcbddc447a7aca5eb88619b53541d4294ce3f378baefefb0341a5521b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0677faf7fd3d9ef977636bbc7d5ff76d

SHA1
9cf942b5fbf5b37689ab9ecae4c09b79f464b71e

SHA256
bbcfa1c53dd53cb446e584f341f39c901115999e05717047edf04956fd353c9f

SHA512
da51f1747dfbef4cb13e954c37bbf7a5c0b5b4eca0514700dd036ada5761f0a939b6a43dc2d403dabf6404e583562f3af00b2797c3ca8aabab5c94d775dbd319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\fbcfddda-0647-471b-969c-a721ad1d9420\index-dir\the-real-index

Filesize
1KB

MD5
4ace4a91e7dca3f6e2c76f6f5df89dcc

SHA1
c1fe47e2aa13298d14e6d54f2b5b6c4a5755ac94

SHA256
8be1c137115c53fd143112e52708a8e6964ae92e3339a936f8e7f138fc2dbc94

SHA512
f807cc592e6c19906e381a10569d38dfa80d0422d8779dce33f3c1cabdf271713d334293c4a50ff95fa5f95000db8f1f09cb02aa9c857484744f9687e7df7f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\fbcfddda-0647-471b-969c-a721ad1d9420\index-dir\the-real-index~RFe5826bd.TMP

Filesize
48B

MD5
096f070bbc4d82b68995401e79121723

SHA1
3076e39f623b8309a6caa10018e1d0a06e175824

SHA256
d19a63fe3656ab3fce31ef0f6f7e91ad5254f0c86e8f035f483e784f1ee4cbe5

SHA512
2fe296c6ba082e359857c23bbfcacf6a4f3b11eb0b14cf14493a044152e23e23e5562cafdd1fb7a2f76cb74deb42469f8d9fddde82929483c80277680ba591f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
73B

MD5
30cda24dc407cb86da6339b4582c7718

SHA1
e018b59d7e41a26c60a2c7a3b7261bd102bc39a7

SHA256
4415f79e3b04fce81f8dd775020d4a8128e1af888744ebfc24d380058df2d0e0

SHA512
70689abf1f37f41d66133381219cbf07390c491af3311fb2ed50e3074a9949ad643afe27b99288fa3cb9aedaf1cc94bdaec8476313263639a8795b64b28e2d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
130B

MD5
55676aff8699aa1be89268fd9b865c52

SHA1
ac2d169a6b4a6c6301d32b4aaaee11f6ccbda105

SHA256
258b52eaa22eb22f8931c5829653249f79dbc1ddb85b56060e0ff87552420c21

SHA512
87c8055efadc88ff7dbb6d56e2c97b95ea9ded519eda20e6b8e9fa63c7c8420a15ec4ab9e91f30bd8161a09db0f941c620f3e7bc1df903c011435fcc821d42a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
66B

MD5
547d623575ba300fa6fc9f9c435a3d43

SHA1
e0703adc90a562fcfb42050dc6c8040f1c7527df

SHA256
ec1c15a58a1527f14ca3858fe24ce54c063de9ad986400ce665debc45639f07b

SHA512
d0cfd337d6b8d671d4136991e49c780861cbd37762f7e4f8645578abe67f0092a096e4d8ffd6db5479a0d5e6a6fd28499d352d1e16e11fcc696ef5d6fe21cf6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

Filesize
68B

MD5
0407120ade3009769eeebffcf36389a3

SHA1
5c95d4b2658edfcbebb9c54b2f37ff14811a84de

SHA256
922af5a8454a2d2e63bcc3bdf98e6947fb294041e6f674a9153e7444fd857dbc

SHA512
166a434f55e3b6c736e781b9a3cbe874dc5a1432426322ca835e4d5e8624c62a740b8a273e0ef737d5b508874e1d7d26d2500c5f5538195c35162723aa85e232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9cdeb5f33703f16033d849a8e662d423

SHA1
05e36ea45ebb91bb039bb90fc3204c803fd94b0f

SHA256
763f5a72c9f15a0497f706da7377b894acea35f9728c9a1a243a32f10cdb90f3

SHA512
ac369418016e4544d664c036e67499ff8f08e0d194fd968c9529b8cf5ada7d90d88d248d7468109b7bc8cab4a4d89e268f377e01bd377e153a34bdf789196c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
727da89eb8dec9a098852819dbcc9211

SHA1
1c526f30571d6864740967fd5bfb6e5de78dac56

SHA256
9ea5719517c8f4a76836b96a6066d3e30a0f8a429ff9646c48f1bf4a69244375

SHA512
dd31ff5342ba48a60ab50c729437b4179c9c14d65e118ddc11dfb7e52f66b0a34e67aa5b8cf639da6d588f731d946f6705eaa331831562d3abceadaba6914793

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59d3a2.TMP

Filesize
538B

MD5
eb4433415451f4b4fc80335741e68e3c

SHA1
5c674af976cdc7e19bec8b4c3f0e039d25abf9b1

SHA256
e221273af477698bee6e33a80809171a809906c4be80c5c8e293283a919f2bd9

SHA512
1387b152f6e4fe88332424f21bb09a75d5ea865e1e17ee1d29f0dbc5635b20c5a882a819409e4b7ab73fc17856f53afd38a2b5d5ea42f441fddd60ccf52bed92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9108d29922cf4a3638b07e60e3078e6b

SHA1
699ce22268d72acdb9ba53923914a128ec6af5a4

SHA256
5c0ed90f1fa8b362b3174cb2b4c11dc6e718f1d3827c61afb3e12c5c077955f3

SHA512
6840f5357ccf308613300d9ef67ef25b491f4d7b72ef14f84c3f6bab0f81dc871b113694d34ecabfec71234a94352d6df837a8f37eee9b53c623db4203818afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e9f161c7734414e377f414ab69d0f61e

SHA1
f9f2b1e6412c732865c9a91078bc462fd0df9f23

SHA256
7f1d4de6cfa366a5761275935f73e770d5b4be8e55f83a01b025f306477e42ca

SHA512
fca3c5ddf3f5b4818b6d092a893a50d51be7895b205da31a79a7c075cc8bd2bc9a79aa8ceec217c23ea0d0d3c294a97ad69ff2973bbb68a842d4c8ed1590effb

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\24C0.tmp\24C1.vbs

Filesize
3KB

MD5
dbe460e73bc825119c6326250ac8f223

SHA1
191f599142390b486868a952f6c3df8eedc60ab2

SHA256
39ec4ede07d340f3ce319a28da8ebf3cdee86ae95241a53fa99fe729746aaef0

SHA512
f363475209e743e38b32078a24f99e89c93e18e7100a4c28d49d9054e981cbcaaef6960d434464af6f37789f76065d18671609e3a1b369ced34a8b14da1b06a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\Lines.exe

Filesize
103KB

MD5
6381e3e4b02204e1353218ee6ec45c2a

SHA1
a350d4432d2a1a8c7a34d5ea7214326ffc02c270

SHA256
df3cc9a807a80697cd8b72f8f17a365849146cb4e41b4340e42f78d1bc1722e1

SHA512
ac7f21c539667a77236b78006740c634b7d4c0a55dcb776872bb339501112c62e1990bbb73b8f3c4e5b065167b8102fe35aa4633248b19dca602606b68b15015

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bsod.exe

Filesize
11KB

MD5
2c0970f41f80a89af6da46f72076a008

SHA1
0a5e3f7871a51bc6a37cbc910aabe9d25a823b32

SHA256
b1cb05d160f4469801cb993f76b2bbb7b077611973b4a914f50752b5852770d6

SHA512
d9123debc1c21351ef6403646acf3383ee2c9d8d71d173db6b62aeda1148f5a6af851e6ba8989812c601ebe6dd1e0541a9e2b653f536c371c274aaf3f828da32

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.exe

Filesize
102KB

MD5
6b673ece600bcc8a665ebf251d7d926e

SHA1
64ef7c73a713bf3c55fb4ac4e5366a7a425f1b4e

SHA256
41ac58d922f32134e75e87898d2c179d478c81edaae0d9bc28e7ce7d6f422f8b

SHA512
feb18a1aa72de47fd67919e196abd200afdf22ad5a7e5dac20593252d8b2ca86982bb07c2fed3681ef06c9933c6d197590c1df65aa5df93cb6abafca5e53e9ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\bytebeat1.wav

Filesize
1.3MB

MD5
09d2094f56d2d38aa64eac1d90c5a554

SHA1
c6268759b1eee9fdfafa0d605d62bbbf85defbca

SHA256
4599f6f06c7f491a50e3c4012a83cce9f3ee13ae209189cb8964f0b6ba14614c

SHA512
4ca756a06612c281ec03dd9f064b9ddaf6756b00a5d54dee62728f5cdd7ad3d928559b9857ed2f733b8b3e842b396fed94b212ef2a384265ac623433d67010f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\cubes.exe

Filesize
103KB

MD5
ed695dac2b14ccad335e75f5ddd44139

SHA1
35f4fae272c9b8dc84ffdae9b4dbfa4ed32936eb

SHA256
2d3e7cdbf244704934afa447552c049a891a9ccbd6d4ab42ca2504ad0a99e803

SHA512
a028c258cc65e208303f458279035d430f8447c6ca950d2de9c345aa7c2a13cff3a36fefdeb9305f8caaffc7da91fff91e05ef8e52b9d3672f7a71b49bbf47d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\invmelter.exe

Filesize
103KB

MD5
0928425141c06ebb894e50a54c2aa1f0

SHA1
5f27cdf914df73946a0d2e35bfa38ade93a16bd2

SHA256
229f07414798adb8f850697cb0ad12a1911443c8b31c0484c1b96a16efee9a02

SHA512
bb734885ce1e6a8ec2bf32bc0bdaf89298a419b25d6ac73362b850742f5bc11f4e6bf3cf03cc6d1bd025487140a778859211f70cbd2798fed1ea8fa57c957371

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\mbr.exe

Filesize
577KB

MD5
d1174d4066bc2b4c09059e7839651eac

SHA1
a2b326436cb9a61ab1a9c1daa0aa6e6d424dc878

SHA256
5000f70ff57cf2662d4b49c1c4ad275ac3f3d241f620988978e552c6f1c2d4fb

SHA512
7ddef5b623aaa5de346cafb51a88b527d98190f7dea747b8809cfe7e7fd869dd2a202385169896c84d77db76df3d68ecfdb7d7cbdec556d071028306fe7375bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\patblt.exe

Filesize
104KB

MD5
02a349c19fa0cef84bc88abf65f8bc2c

SHA1
65a1215867c12109150c10f3f831e997e411e131

SHA256
ad088fa2c014bb718c005149138f284b183c494dec633ccb88c6c14ef1935199

SHA512
33a1517cd1ef56429dc387fcec7e1b6f90438c5608deefb408d310239520a8e5b6c977b13b419d5795f7ba68c7ef03e951ff61534fd53fe6d36912a6fa93d06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\rgb.exe

Filesize
105KB

MD5
bfc9e8ab494313d6efb67fc8942f5ee9

SHA1
1b42cc97803221538e020cb90517cb808cf19381

SHA256
33cbdb6e00f3f42f58502af8a9150604a44bb9b26825c909aa0edb5c744a1f13

SHA512
2d01f92397b65eade1f6140f80e2cb626b3e53b112c7e77e84ea7f6092b07c05eacb9e5e9bcb4676c8bdd10fcfba4fe297f2a01eedffffa594af87839baae030

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\sinewaves.exe

Filesize
108KB

MD5
e9534d452e7b06b5591e0509553f8d86

SHA1
2be1075e3ffe29c95fb0fcbed4dcf9fc54788a58

SHA256
edce21b4ec9b68e4e8a5232c1432d5de0865f1fded27fc69965a2d3d568de909

SHA512
21c40c98f9351676f9a105a733472b4b9145a2a2fe13a82b681fec1c73d893bd2be472938e2b84b70836875ed18d0e615a003b4af0f99d5d463f2031500b57c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout.exe

Filesize
105KB

MD5
4fa1fa5d513c7fa461af0b0fcdedc2a0

SHA1
f9d0b9bbb95d8584050056a2a55541389d506566

SHA256
57f402713148807269c35f71eaa37b3f9309f259dc03a14a304fa7598f8acd4f

SHA512
8434b1f647ba903cb0d411f54d8566430bf7c1822e67d165b9e6f18cb906101be1c9566d8cc09741c9a629c9f45f774317112e4d20f3ac3ea1ad513b05cc90d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\24BF.tmp\txtout2.exe

Filesize
105KB

MD5
21d90b4350b6c69d01174240997806c3

SHA1
ca6cdfe5f7f0a15ca177eabf7596d64bc284215c

SHA256
ecadb0f872cf2c112620e0bfdb9f657dd5ac25188c762b2ed7261f9612163757

SHA512
1e8089c7c6f1660652b29ab5a5ccac7a51dfa5fa2e28144df5a196b232b4ac489d5eee7e873144365004b76995ce8315d29f7af5ffc90130b61c38a06f1966a7

Download Submit
C:\Users\Admin\Downloads\WinRGBDestructive.zip

Filesize
6.7MB

MD5
2ccf48c0f0e4379e7fe1290008e9e27b

SHA1
4841ae2ef01eb9cf6046034ee605eb0082efcd48

SHA256
f14dc938825e26808ceb544d8dbdeea14a3e88ee299d9b07f60b851e4f4b188b

SHA512
ead74378f562cf24cd9b52917a0a6dac93659f7714f6b5477ded57e28fb9c93a67611fec4744b4c63cc95f634e3520724775ec263498fc8e0c5cb77719aa0671

Download Submit
C:\Users\Admin\Downloads\WinRGBDestructive.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/428-795-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/444-814-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/488-819-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1652-765-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/1932-751-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/1988-760-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2116-796-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2268-770-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3004-830-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3660-757-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3660-698-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3700-761-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4024-808-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4192-783-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4968-813-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads