hxxps://github[.]com/enginestein/Virus-Collection/tree/main/Windows

Resubmissions

05/08/2024, 22:21

240805-19s5jszgqk 3

05/08/2024, 22:15

240805-16newstgke 10

Analysis

max time kernel
147s
max time network
149s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 22:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/enginestein/Virus-Collection/tree/main/Windows

Score

10^/10

defense_evasion discovery evasion ransomware trojan upx

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3756	ScaryInstaller.exe
1808	CreepScreen.exe
2980	melter.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000002aaca-700.dat	upx
behavioral2/memory/3756-744-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral2/memory/3756-788-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx
behavioral2/memory/3756-816-0x0000000000400000-0x0000000001DFD000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
44	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp"	reg.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CreepScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScaryInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	melter.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
2224	timeout.exe
3872	timeout.exe
5068	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2456	taskkill.exe
2312	taskkill.exe
4712	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "142"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-661032028-162657920-1226909816-1000\{00895E17-9248-4D69-933A-F3355F742720}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	cmd.exe

Modifies registry key 1 TTPs 3 IoCs

Modify Registry

T1112

pid	Process
2064	reg.exe
4240	reg.exe
460	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 753053.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
688	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4920	msedge.exe
4920	msedge.exe
2028	msedge.exe
2028	msedge.exe
1780	identity_helper.exe
1780	identity_helper.exe
4708	msedge.exe
4708	msedge.exe
2428	msedge.exe
2428	msedge.exe
2324	msedge.exe
2324	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe
4144	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
688	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	2312	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: 33	1532	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1532	AUDIODG.EXE
Token: 33	688	vlc.exe
Token: SeIncBasePriorityPrivilege	688	vlc.exe
Token: SeShutdownPrivilege	756	shutdown.exe
Token: SeRemoteShutdownPrivilege	756	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3604	MiniSearchHost.exe
1808	CreepScreen.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
688	vlc.exe
1804	PickerHost.exe
4816	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1320	2028	msedge.exe	78
PID 2028 wrote to memory of 1320	2028	msedge.exe	78
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4604	2028	msedge.exe	79
PID 2028 wrote to memory of 4920	2028	msedge.exe	80
PID 2028 wrote to memory of 4920	2028	msedge.exe	80
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81
PID 2028 wrote to memory of 4788	2028	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/enginestein/Virus-Collection/tree/main/Windows
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffddae93cb8,0x7ffddae93cc8,0x7ffddae93cd8
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2368 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Users\Admin\Downloads\ScaryInstaller.exe
  "C:\Users\Admin\Downloads\ScaryInstaller.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5B55.tmp\creep.cmd" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4360
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2456
  - - C:\Users\Admin\AppData\Local\Temp\5B55.tmp\CreepScreen.exe
      CreepScreen.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1808
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\5B55.tmp\melter.exe
      melter.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2980
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 10 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:3872
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im CreepScreen.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2312
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im melter.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Program Files\VideoLAN\VLC\vlc.exe
      "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\5B55.tmp\scarr.mp4"
      4⤵
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:688
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
      4⤵
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:3428
  - - C:\Windows\SysWOW64\rundll32.exe
      RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
      4⤵
      System Location Discovery: System Language Discovery
      PID:3632
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2064
  - - C:\Windows\SysWOW64\reg.exe
      reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:4240
  - - C:\Windows\SysWOW64\reg.exe
      Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3712
  - - C:\Windows\SysWOW64\reg.exe
      REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:460
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:4052
  - - C:\Windows\SysWOW64\net.exe
      net user Admin /fullname:"IT'S TOO LATE!!!"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3564
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:580
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 8 /nobreak
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:5068
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6112 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,1413068596195664504,15200909033004765724,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3540

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3604

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1804

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9af507866fb23dace6259791c377531f

SHA1
5a5914fc48341ac112bfcd71b946fc0b2619f933

SHA256
5fb3ec65ce1e6f47694e56a07c63e3b8af9876d80387a71f1917deae690d069f

SHA512
c58c963ecd2c53f0c427f91dc41d9b2a9b766f2e04d7dae5236cb3c769d1f048e4a342ea75e4a690f3a207baa1d3add672160c1f317abfe703fd1d2216b1baf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0177afa818e013394b36a04cb111278

SHA1
dbc5c47e7a7df24259d67edf5fbbfa1b1fae3fe5

SHA256
ffc2c53bfd37576b435309c750a5b81580a076c83019d34172f6635ff20c2a9d

SHA512
d3b9e3a0a99f191edcf33f3658abd3c88afbb12d7b14d3b421b72b74d551b64d2a13d07db94c90b85606198ee6c9e52072e1017f8c8c6144c03acf509793a9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
3995b3f8416a327c8a58745407388125

SHA1
10abc0cca7ca2652cfe308ec1d47c63248657a05

SHA256
5848af29045c00f7faaa3f5caf1f6ebe6abd51395ed17e593c5c02fe3d4eeae5

SHA512
7585f8dbbae766627491e4b591fb1d674f2e964cf6f6223cf4dd5ec30a6a7dd427777d06beff3c6a5fcc45c282ce9ffc169447c08689afcb812a646e3afd729e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7e53860bd5dd58aac78be206ee092d33

SHA1
e9a0034f8cb5d9e8f3e7160d063eed2fee37ade5

SHA256
2631ece2c2931cbd5d46fac2f24812db6aa8e58a50324e085b613942e78aa61b

SHA512
106de792edb8890b17a90fca8a994a35406d10e62c3cc7fde6b3bfd45fe63af9d71ccd402ea84def4bdae5b315f1d12183eb2ba8507f9f6ff8a01f0c48fd858d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
870B

MD5
0e699407399980873bc5c81d2615fb19

SHA1
b5878b68457ae9c8d91ef2c75cfa91143ffc01ae

SHA256
8bfb9e82ea6f92150f4ecabc79981304fff62816e89eaa536118a43b8b80ebd4

SHA512
5c5a67531e1ccf728ddccad4d1d6e9a453d4ce17919f17f738808170b73b8a96452e69f7294eec7b9c4c63a5649513068e2cd0907ddfb4a0d17ca11ca81692e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
486f305a90a456ee245f58c283ed7075

SHA1
ffb22f995cbc936b3a8ad34ff3e0ac0d94b02d51

SHA256
94157b6388a91a38407aad2ffe09238b41eede735416fd6c208bc0af6d1a8b03

SHA512
65146c487ab665d5a3b588b414d51d75977eb72dbf268bffbfa1bed4ef5d47e7219b8b4cfebaf721eb9aafb15fcccf2811e9bb4d9e206fc59b7592fe03dfb8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
70d390b78602625f5348ada348b2cdfd

SHA1
10dd1f7af95fbc7558c1581390817f824b14212e

SHA256
d0bb03ec949d0a8cf5ce06c44ea201ac29c0868ac7093ac1f84de1b06c7abbf6

SHA512
9a4b098ac46ee83543262e45b6d6a058882d6c48bc3d4b7857b61c70e2821eaa72ff2a7321519d0a18374dbd52b48d3ae21e160155844a8f0e09e6c1c9bff5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e833152462eb533d27d1182132648c65

SHA1
964dc9c9ff8b6ffec626d0ab2d2259d66ae65f47

SHA256
4980fdf3c4b8d64a31624c479395c3d6cb2e14935c663d5cc6f4cbf3ef8dabad

SHA512
697db8c023468fdf260f81da28b5276509746b547afa46942fc993bce604bf6d75efbb08f4b7362aff586bd79455b7e726cd60db0e2e966d95dc86c428739db0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3f1aeb8fdb5ebfaf4d8ec281d43fd53

SHA1
4ce7c9b6d963512c9652ef501a7a6923f7bd89a5

SHA256
c6a21e04c8e1187616fd0abe45b8a6d3148f4d4405f8611d5ed07df7a4c0eb8b

SHA512
e10b912c2aeb5912e68e3d4cd1fd2e9ed2a69bc7cdcda1ba60c1a1d51d2557f97d8c2ac5c70b290da149ecf59bb70348b0a0a71f5750ff4d6f864ab4345c3816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b9b351a6dea9f598e833c123ad31741

SHA1
fd1bca3ea65f02b5eaffae8653d9f9e1e5e76ed2

SHA256
bf742e305e3f4a1428ef04fb7cff3614d4f92488dec4a535308f6e9271952e35

SHA512
9dd955bc3a0304571bd42cc99bbea23bf586abc442e528b718a403a1ca77d725b86d91b8c284ae90a2af7778273a2c7bb0c22a82ce2373ac962322584a56ba1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3fca3715d8c835fefb940b82175cf12

SHA1
7a50f1c1b967de41b7f19ff2a152d48e18c0542a

SHA256
1c1c566347951d08b31606b690c539c9062c3f7310c0baf8f8bf02cea6607046

SHA512
1dfd955382f26361ca84e0d55ac7e3066d8071c3873965d2ef564c5cfc9479d2c2bb16d42fcada7ddea7323978a8e37a6b046f4eb4bf60e0943b629450119707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
009cfc2413b341be9e6325039837b09d

SHA1
fd27375707db1e7cc52e76083e4d96f7046f2916

SHA256
600f4758148015211dbcd807877e051b8b18051dda8756f2e3113753587966b9

SHA512
4bdc1f8f0c15dac52a5a8e30f8b8ee57e1cde785414b32775a05f61261a83344f33f2c7c7d00bdcfb2f70c4b8a73359f9a5e2acfd43bd7b149c2631838511d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e38a0d03a968324d6cf88a7c9e1d91b

SHA1
e9eb14262443f1cb980b2778c326ff926d71059f

SHA256
46c94acc0d007d9de6e4e7c99215f3a27eff30259281690f46b1d12a8da5d688

SHA512
9632c3977d9a2c22a3249d5eee2b5d79e98922a24eb428370aaabc3a947d04f502094f26a6c9368596fe2a7c253f8a80b687865632d7e241155bd44eb6c34045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
76a9acae3137d4dba11fea4b62e49be3

SHA1
e36f648758b06c2db36a2363c14550e60443d72f

SHA256
36b68f7794ca6d74fe113b0d7e9674f2fd7020997c781d77288c23a11a743fcd

SHA512
d2dd01465488e35b85cd18a438eae1a976b5d1c88f5e3c5539cf0dbd2b9f3bcb008452fdad51998abf5ccd67e44b12441fc12fe239136af6007a3e34eedbfc8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce967edc6731c0ba0046f11739330ccd

SHA1
cae720621b9b9ce9e696a7364b9865a6080064bd

SHA256
0f6c39fc77b9d5021256c9432433868afd660411279dad543b3c249fa2210c5e

SHA512
605bc37450d623fead7cb8bcaf8c6a48c55b9f7d71369d4fd6d42f60deabe675c7f70068dc2e424c9abdb09a81f5e253f9932e40d664221ec245470b05db958d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96861c4f72601d90f5e049b05f3ba84d

SHA1
9b4a4ab9a843a29271fb1ca42fe7dcc2cc3e7398

SHA256
53b04b9f78746ff8dad2d27d82dff51203fa5cf6f58c01ee98928666b3375556

SHA512
fdbc35d550142d2cfdb378e9340320f67cc80a9366cd326f1c8b8cb0620eab66b4ac13afc03bbd9530311c6c7c6e5596826c08cc45f6b445f266b2e93eb59460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
0e8364c7dda5884350354ca0c334fe04

SHA1
b6962abd508aa376b28fa4aeae06100550658d1b

SHA256
7a94cffb828a1e80d08048a56a1f856ed8e3c47c646fdedcb70019ac4852f651

SHA512
03cb7c788e42c3a708be1203a8d21dbdfa85fb7edc31b9a5b605c343f5460c0d7a9d3be1ddccb44de454c3c01d484153802f44898f29d2b6fb50bfe30035b53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e89b.TMP

Filesize
371B

MD5
75cf1a88abe70dd76a4b91f7ae1734f2

SHA1
2220797c5f279cd3ecfd88707c7eeb58b0ef5b8a

SHA256
bf4479c07b829d799db12f51bf8d1f66587bf8123f334391bc52d98276e403a8

SHA512
9977b3d0cf389f66189de2400f799e70101a2f4304a88604f84856454339b04d281714c9716b6bde1cc53473755e6b1e2eef2c908c394d5f1f50dfecec78feff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\bd044498-6537-4c65-b08c-abbc93af0516\0

Filesize
16.5MB

MD5
a725357eb37e4b43a65b9dfb50202c1d

SHA1
3308690577f8186444eeb242bb4e75cf45a6a4e8

SHA256
c760b5f8e5dc948db88e266ad5b44322d210d2d5f54a0300d17e19c3f5d3906c

SHA512
e1e8ea6e907c5afb29e392e02d93b2596839583aff3cecd7097611705496c7509b268d0c3340e819985715ce7b3cedb32972367f431ab9d21d7dfcf83e9766d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
41139e3a66582ab2faffa0a8e91b9b18

SHA1
45c582b835b9e11126f7f75035b324e4ca53ddd6

SHA256
96b65e92ed7931661a2481ac4966687af9445ff921cfe4e3a3bffeb75f7356ba

SHA512
3f3ace7067c96084c1f84d122add17be1b05f0614890f181b8133d2084b8c3d876eb4364091b900772e524e4d91a1b218e8ddba20238013378e75b3932f864ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e66569077dcb2bf432bc4bf55956a686

SHA1
1361d07a7bc15c5d5b82d75ef34be53f0eb07e19

SHA256
6e1f4a046620e14d8218a34b209d744c60d1e09332e6bf3459cb97c5a0494cfa

SHA512
18575c21edd8aab979cd9fe4b5d087a276aecf6c34de30ea7dd346f34ca15d9c4a82337a82ae22a5d7556caeee8fdbfef03a98a3bd0b43a28a8608c80c57c1e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\CreepScreen.exe

Filesize
128KB

MD5
4ab112b494b6c6762afb1be97cdc19f5

SHA1
eed9d960f86fb10da90d0bbca801aea021658f02

SHA256
ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e

SHA512
4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\bg.bmp

Filesize
5.9MB

MD5
463e7914d89b7dd1bfbba5b89c57eace

SHA1
7f697f8880bcf0beed430d80487dd58b975073fa

SHA256
fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d

SHA512
a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\creep.cmd

Filesize
1KB

MD5
e77d2ff29ca99c3902d43b447c4039e2

SHA1
2805268a8db128a7278239d82402c9db0a06e481

SHA256
1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c

SHA512
580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\melter.exe

Filesize
2KB

MD5
33b75bd8dbb430e95c70d0265eeb911f

SHA1
5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83

SHA256
2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12

SHA512
943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\mover.exe

Filesize
548KB

MD5
c1978e4080d1ec7e2edf49d6c9710045

SHA1
b6a87a32d80f6edf889e99fb47518e69435321ed

SHA256
c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8

SHA512
2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B55.tmp\scarr.mp4

Filesize
19.0MB

MD5
a504846de42aa7e7b75541fa38987229

SHA1
4c8ba5768db2412d57071071f8573b83ecab0e2d

SHA256
a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89

SHA512
28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

Download Submit
C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 753053.crdownload

Filesize
21.5MB

MD5
ac9526ec75362b14410cf9a29806eff4

SHA1
ef7c1b7181a9dc4e0a1c6b3804923b58500c263d

SHA256
5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164

SHA512
29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621

Download Submit
memory/688-838-0x00007FFDD2790000-0x00007FFDD27C0000-memory.dmp

Filesize
192KB

Download
memory/688-830-0x00007FFDDA600000-0x00007FFDDA618000-memory.dmp

Filesize
96KB

Download
memory/688-879-0x00000188EA820000-0x00000188EB8D0000-memory.dmp

Filesize
16.7MB

Download
memory/688-818-0x00007FFDDD610000-0x00007FFDDD644000-memory.dmp

Filesize
208KB

Download
memory/688-825-0x00007FFDDB1F0000-0x00007FFDDB20D000-memory.dmp

Filesize
116KB

Download
memory/688-834-0x00007FFDD75A0000-0x00007FFDD75BB000-memory.dmp

Filesize
108KB

Download
memory/688-833-0x00007FFDD75C0000-0x00007FFDD75D1000-memory.dmp

Filesize
68KB

Download
memory/688-832-0x00007FFDD75E0000-0x00007FFDD75F1000-memory.dmp

Filesize
68KB

Download
memory/688-831-0x00007FFDD9640000-0x00007FFDD9651000-memory.dmp

Filesize
68KB

Download
memory/688-842-0x00007FFDD1980000-0x00007FFDD19D7000-memory.dmp

Filesize
348KB

Download
memory/688-841-0x00007FFDD2030000-0x00007FFDD2041000-memory.dmp

Filesize
68KB

Download
memory/688-840-0x00007FFDD2050000-0x00007FFDD20CC000-memory.dmp

Filesize
496KB

Download
memory/688-839-0x00007FFDD2720000-0x00007FFDD2787000-memory.dmp

Filesize
412KB

Download
memory/688-855-0x00007FFDD20D0000-0x00007FFDD2386000-memory.dmp

Filesize
2.7MB

Download
memory/688-835-0x00000188EA820000-0x00000188EB8D0000-memory.dmp

Filesize
16.7MB

Download
memory/688-837-0x00007FFDD6650000-0x00007FFDD6668000-memory.dmp

Filesize
96KB

Download
memory/688-828-0x00007FFDD9F20000-0x00007FFDD9F61000-memory.dmp

Filesize
260KB

Download
memory/688-829-0x00007FFDD9EF0000-0x00007FFDD9F11000-memory.dmp

Filesize
132KB

Download
memory/688-836-0x00007FFDD6670000-0x00007FFDD6681000-memory.dmp

Filesize
68KB

Download
memory/688-827-0x00007FFDD19E0000-0x00007FFDD1BEB000-memory.dmp

Filesize
2.0MB

Download
memory/688-824-0x00007FFDDB210000-0x00007FFDDB221000-memory.dmp

Filesize
68KB

Download
memory/688-823-0x00007FFDDB230000-0x00007FFDDB247000-memory.dmp

Filesize
92KB

Download
memory/688-822-0x00007FFDDB250000-0x00007FFDDB261000-memory.dmp

Filesize
68KB

Download
memory/688-821-0x00007FFDDB270000-0x00007FFDDB287000-memory.dmp

Filesize
92KB

Download
memory/688-820-0x00007FFDE1210000-0x00007FFDE1228000-memory.dmp

Filesize
96KB

Download
memory/688-819-0x00007FFDD20D0000-0x00007FFDD2386000-memory.dmp

Filesize
2.7MB

Download
memory/688-826-0x00007FFDDA620000-0x00007FFDDA631000-memory.dmp

Filesize
68KB

Download
memory/688-817-0x00007FF6DFA50000-0x00007FF6DFB48000-memory.dmp

Filesize
992KB

Download
memory/3756-744-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/3756-788-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download
memory/3756-816-0x0000000000400000-0x0000000001DFD000-memory.dmp

Filesize
26.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads