hxxp://github[.]com

Resubmissions

02/08/2024, 22:55

240802-2v6b1aydja 6

02/08/2024, 22:32

02/08/2024, 22:31

02/08/2024, 22:20

02/08/2024, 22:13

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://github.com

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1864	ipconfig.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 862398.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 994008.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1436	msedge.exe
1436	msedge.exe
4360	msedge.exe
4360	msedge.exe
3084	identity_helper.exe
3084	identity_helper.exe
4268	msedge.exe
4268	msedge.exe
4544	msedge.exe
4544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1820	shutdown.exe
Token: SeRemoteShutdownPrivilege	1820	shutdown.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 2100	4360	msedge.exe	81
PID 4360 wrote to memory of 2100	4360	msedge.exe	81
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 4920	4360	msedge.exe	83
PID 4360 wrote to memory of 1436	4360	msedge.exe	84
PID 4360 wrote to memory of 1436	4360	msedge.exe	84
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85
PID 4360 wrote to memory of 2448	4360	msedge.exe	85

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2184	attrib.exe
3704	attrib.exe
4768	attrib.exe
5100	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb75e646f8,0x7ffb75e64708,0x7ffb75e64718
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\System-Meltdown.bat" "
  2⤵
  PID:5088
- - C:\Windows\system32\net.exe
    net send * WORKGROUP ENABLED
    3⤵
    PID:2432
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 send * WORKGROUP ENABLED
      4⤵
      PID:2912
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1864
- - C:\Windows\system32\shutdown.exe
    shutdown -r -f -t0
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v HAHAHA /t reg_sz /d c:windowshartlell.bat /f
    3⤵
    PID:4052
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:2616
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1700 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,5006812479197898918,2182322825739401244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Crash PC.bat" "
  2⤵
  PID:880
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:autoexec.bat
    3⤵
    - Views/modifies file attributes
    PID:2184
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:boot.ini
    3⤵
    - Views/modifies file attributes
    PID:3704
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:ntldr
    3⤵
    - Views/modifies file attributes
    PID:4768
- - C:\Windows\system32\attrib.exe
    attrib -r -s -h c:windowswin.ini
    3⤵
    - Views/modifies file attributes
    PID:5100
- - C:\Windows\system32\msg.exe
    msg * Well I'm Here!
    3⤵
    PID:3052
- - C:\Windows\system32\shutdown.exe
    shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
37KB

MD5
14c460a1feda08e672355847ea03d569

SHA1
f1e46ac6abd71ebbcdd798455483c560a1980091

SHA256
d1161f067875a5f686c1732a442f340142c6a03244f4dd0bc0f967596f6cbe3f

SHA512
cfd6e743986ae5074e73264ee1f311fc00a987bdabeeafbf55f5dd6ef0794ccc393507be9dc7e38181f2f10897c300edc297976acd3fb72da2bf560ec260af91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
6e13703b4b9b3fee9c9679caa6444f08

SHA1
eebd698908234ddf27a333105f645667e2eb7bf4

SHA256
e9c1c07f5fb1e96dc3bad0cbdaeb5503e38382e8e9c838120bb2652940d6baa6

SHA512
873bc00f546d9811befa014c4dd9ccaea032caa559c72674429ace2c1abfd292e2556de69e2db1bcf0641625bdefcf28955905a1d5b65c620fece0df82827179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
017975d305729c957b42440bb7cec4be

SHA1
4ecd64ae942d7994b18210b09e72b9a12c6ad7e3

SHA256
6c9f3f5cc1dfabd4377baced6215ed916ebeca530d76f5afebc7b18f3a6a8668

SHA512
216fb759fd6b7c18e738bf2eda55d316713d54a61fe7c925ef7d1dd82381d214a37bee7f3fdc9ca65c74585decf1a23441eddd6278decc9f4a178ae5252473ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
22KB

MD5
9ec8ba204f6c45d71c998a0ce1dd714e

SHA1
e6790bc2fc03148c9d9cc1b3a91f4c5df3d8295c

SHA256
a4daad6848500cbb261729ecded45a13e2f102d666cff8a0e2bf5991ea5e5c9a

SHA512
d30fe0c1f7589354e7b228a5ca4e522e198c6e7ed30186c54025e991c7dc9a324e1cfd243ed2009aed863c01c3b341ec88bd74aca019e13ad52f8dc2ff3c6ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0794c70fa68c8eefb75be9eb89480678

SHA1
68f39651d5f9c79b81f26e35a888b1042cc1ad15

SHA256
6baae0b064c87f3d1245b01b117a5e903720b15aace23b1bb4ddc995ef0757a7

SHA512
b27e9dc079cf67c8aa104cdfcda7afe9954bc98f40c9ab1cf76afd9390eb0946cbd43922d1d44a845085503819919dccc2e6c6469dad527f21748de1d7eb8e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b5054af19319a226311ab740ac07ef8

SHA1
0469cfce59ab82e734b29f586b1e34cd7b7ae1f4

SHA256
e3b76adadd1b0402cca0f0b0c9ff671e6cd4c212a059537f78eadd88363b55bd

SHA512
1795e4472b78769484ee7d5b2370eaba55ed789955f67269e846366c3092f3072bec7a04661bb4585bd417154e9d6ea6beb4cda04983d8d6c54bae8bf3276af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b91f339a457a07c613b8cdcba20bb5f7

SHA1
25047538fd8d2ce98cb981da7023b70e5e1cff24

SHA256
145448ddee0c5098b13b8dbe3786e6098dcf4a86e99d84b8f6f992a67f02ffa3

SHA512
4ea43081945e1d06a4dffd9b53bca0fa29b8a465e1c6453792aceb066c39dce04597b4184a9445a587701af6a636a7770724e33068fffee84efae647b42e2426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c00ed9a2ca6f24b5894fcd08d6366f4

SHA1
328fdbe66f5ea6d2a67cde1ef77a2ecd243162f8

SHA256
69bbfb801f017dba2c6fac7d17486c06668328b2e5f06bc046dad10b4b835c44

SHA512
a3c090b0c93af4e398747758fbbeb05a9b0fab199e41426142f2fad2199389a1998332d28684aca5077c943f7d6b2a162194da7845074a53c6d1238a2d4169b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b295eaa143b9ccce950ab37a0836cc76

SHA1
ad9ce70a64f00c49ea37015b269fe5a671194fd8

SHA256
1693d02a0ca0f6be7118487b760793cac19d2860c77739da671372e8ae358d78

SHA512
23372c9fd0ce0f6b8bbe202d5683a9d5cca1122627f2ffe00d0a7078cc56fbc5e9fcc4e8e32e54cc16b5b04ff24924671c8ea43d7add4a2934dd2e4ee69b89d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b7c30366a3acd1fddb426dea3600308

SHA1
17aa14ac0d727a8a2327e233b5ee9d6499baa9ec

SHA256
4f9ef353661b7929f2b844d1fb4af27e3f3c21151b3308aa5175f2d492908652

SHA512
3846c629b6f8c12546564d4f5d242cd943ebfee5fec8581159631e765914bc9d5e894b9a4c21a728801b05312ed1beff90af3f0e9763666347476b3a07e0278c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d15688d0f956a7ac673c9c40dd55fae

SHA1
ba4f93b55bed8d912684b7bfe77ef1165e25b454

SHA256
25a41a8b06d913f6c193c8cabfc49e883c65fd6e4d639f1be1d822ab44bc254f

SHA512
654652a97032a7ee36f5a006d0ef2506338f585a779109ebfa9861d2623532f6af15ba2ea26e40e1dc72f2006ab979d482037f73dd9e8a571e34bec20afb4e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
be35e88935a2e88004b650be0588f0ce

SHA1
34135f34d17d9671b21fae657715b530f4b24426

SHA256
5d3ee76509bcbde6ce05b6823ca716492049ec90d0112d7de5900d0b7568cded

SHA512
ba82666887f22bdca5081568fdaf385b5ddcf2e68048a54c191f899d9e951206ab118fc5183ba386fd9a3bb65d3687fbc941910383674ec8e8f7315fb552e967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8aa22a38e4868b0c1287903860d2c54d

SHA1
5fc70a8691370a91e692eca84eddd7536230a044

SHA256
3fe9ddbcb57e8ecec6c3255e953ac9264bdffc087305b300816c907416433ced

SHA512
83fd0cb829562c84cac95bf385aa32f04bb9eed0c5021a96f60827ed148db0a98b578801ea57b01c6a66e8d15aff004860a9692836c3c2131f331a05a121fb59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
864B

MD5
35c618d34cc304972e0393e5f2d5e538

SHA1
468af20292de95bec0b3d66618db6b081c890210

SHA256
3f6d694d6023ac7941c239fc337b29d00d041879a0a52e933eacc2cf4360f6c3

SHA512
20863381f1c4cdde55cf9d144e948ca3f02f9adbc10b9ae0007896a946addb9cc7f8c6d8f980af451578c9c59e0974a8185d2a78aa5e26fe193489f2d3e5659b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
577b4b04de12e9af646a96cdb299477c

SHA1
994ea40dc582ef35ad5759138871feb4083969da

SHA256
ee73dd33b555f174067e05c51032942236d103fc1c59f9e04b21916a30eca3eb

SHA512
1e1032d7a2e90555f104b310fb77f3a0edbce16d873f4a1bfa80536131ea20b1646c3a0067fc2b32bec5c26a50d74e6d425868da532e2e6c8f05f5b0e2c79cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
f73afd6fed90241fcd8c4d193c7ef6bb

SHA1
d3d0462f56b5557e478203f0e4a10441f73d778e

SHA256
e95dd9395e9484950d15e10d16123b359277313ae5414a505dac5faa0ef464c5

SHA512
7f2b28640118e9458fda264fe96865416b8a7bd7be76e3a9c614c3a51dae554fedbd592d5071ad04b2b63a8d5d6fe685cc61c5860fcecbce2aa3ddbc080ff1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1f4.TMP

Filesize
706B

MD5
afe8b74bdc2b82c87c67222d391266b8

SHA1
839b0000dfe936aa85b9961561cc97b9daa14295

SHA256
64d39401f246d56a2bef68eb32c7a66a82143978df4aac31387556b3cf8deb29

SHA512
6a8381f5c6a0168a39367c37e4114ed54298ddc0a1ab73b7534ee200b74fa5ac6afd71fb5e3b98faa62ac07eb06bff6fc3f38414f47eb6ad6b550a85d906e58f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7da80783ad598e662538d8796690c4f

SHA1
9fc99320d7e0a58d477b057f30883eb373b3e984

SHA256
b68b2c1fd3413be325129d8f2ddab449c5882a9202b28b235d799869647c7242

SHA512
865ea87ca1e6db37da6aef4e503951f4cdbabec33c9ad4bd23cbb247312e2cf733f2286a2da2d62e073ab86993f4ece2f6d107d5d4781b4a901dc1ba800e42c2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 862398.crdownload

Filesize
1KB

MD5
bbfb422cb3f6093321c3184d931bc4f1

SHA1
b6d2361a76ef9cf2929dd21bc30cc43d5cb49ef9

SHA256
ed0acf31b0d7760852499a1c60f9b6b868b9608a4d4642523428adcb60f68de6

SHA512
f1e1da393c301fb15140b17cbcec122ee97b4cf3d5e6c7c7b429fd280b74c9d129515adc47c98c0f65e53f30ede7ef6ebf22c83421c856b2f3148dec03763e19

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 994008.crdownload

Filesize
310B

MD5
c512b104a4f42c1e3ad4c617309204a8

SHA1
f3d51add2e42eea337c9cff7e1c5ad73a33cb03e

SHA256
3e72e8e088e5a57762dd3fb3d262bc5b58a572edef9d1f14651757cf42e2da33

SHA512
57033d86648618c746bb6fadaf5fad5efe2f8e01aae11a4217291e018c13830bce0caa162ce77e1e1e03f6664a7890f764d0b289eb9ce72e53aa775fa3ecf6fb

Download Submit

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads