hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
60s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 12:02

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

7^/10

discovery persistence upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1028-316-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/1028-341-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_HMBlocker.zip\\[email protected]\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
74	raw.githubusercontent.com
75	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133684562660247642"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "233"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe
Token: SeShutdownPrivilege	2948	chrome.exe
Token: SeCreatePagefilePrivilege	2948	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe
2948	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4844	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 944	2948	chrome.exe	85
PID 2948 wrote to memory of 944	2948	chrome.exe	85
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 1268	2948	chrome.exe	86
PID 2948 wrote to memory of 4792	2948	chrome.exe	87
PID 2948 wrote to memory of 4792	2948	chrome.exe	87
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88
PID 2948 wrote to memory of 2392	2948	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe024bcc40,0x7ffe024bcc4c,0x7ffe024bcc58
  2⤵
  PID:944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2628 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4984,i,10869775938043848671,3340613146513499647,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:4344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:1028
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 6 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1644
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2720

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fffe6221af14af0916a45c4edda0adbd

SHA1
964ae8765f61be60059293e074910c3dce95262e

SHA256
ef0a6fd1aacb8ff29ae4fc7a4c3252ff98da07599e4772a26ea43dfaa210e978

SHA512
7cefd7f329869ddbfa460ae731640f11c8571d269d781e77f2fc02a7d2521945ef074ec182f4d69c3729cc8b6d8f06af2e3dedc15c4563310f53e641924b7a0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9e3647be5a5b99709c0fe954f074f3de

SHA1
10e9a6b06ec3f4eef231a91cf905cfc015314245

SHA256
f553235a92ff830bdee53a4fcc428918547d166877725dcccb78809b6780dc3f

SHA512
fcd0db4004a3abe91a1654482069c1555025470a91a3e3fde572af1b7e91c5f05a9f37b08efd9ac78e8ded53a2f9c3472233857e89d871f1b13632168e28c998

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9a66dcf871f8fc0bfb68d5fda9e250ed

SHA1
8a2721925b58f0b74deade1ff5aaf7e581c4f40d

SHA256
f103c4f189f4c41438afc93e7956ad8197bdf99e3721ba0477ca20a3f88eb942

SHA512
bc4bc8d7979c16ad8a5eb533e1e4e749b7f73404d2f3f816ca7582b091608c9c84679e7ba0ab77aa8985cfdd36073bae1efc21852c6404b62ba04499235c9830

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e1fb6772ffc5d27fb20ea777c1ff7f83

SHA1
78a37ab227670b511bd434342da7e58f0bc59306

SHA256
cc5df7ccef86a38683b446b469dc78160aaffaf1cb69992e0c77c2388de65735

SHA512
03b46bc14b8d3563de48a4ba120441117f1cb69e4f82f58d6356977c9cf2af29c1ba0d12614a3c4688e07ad7297b0ca5b7a5231654564169e1107b4c55725340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bf6764e9403b85cde45e69da9a3cdb56

SHA1
44c03b90a76404e15ed47aeffd44df41cc7136d4

SHA256
278f1fa28ca09606746b4d74c86afdb7404d626da907632ea3afc6d16156259e

SHA512
55a16749cf63cd8fca2e12202233b0db416f85a2f0336ae233315e83bb7a139c84b86e3512cfa9cc780a946a816f4a7144df9ba66efb00d94987dbb8f1bd42d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
641df3918d7bb25fb705cb4d4a7da4bf

SHA1
53dad9d9acd381664773579f1b70d562a5f25c6b

SHA256
a4f1f34b53dac26f33bb6d2fcc66c8b83caa775a9b9e8c2c0fcf716cc174bbbd

SHA512
ef85f0ee46254d076ed3b867362d15a020fcee0dc21045072660f625961b5d45eddefc90382bae761974a04d1f8291e67337b70fd88a716b1df92540f5d4ef46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9577ea64bdced04d244be10a6b150517

SHA1
6a90fb386f202940596b23bc35f336801628fcd7

SHA256
915f4d01c0db0b3e476bbc6d3c78718e3b7b6210123eec208c6d5d9e86718bd5

SHA512
5fc3909b8ad710e8c0c3ba58f7d081982ff9896e5ba910eb61350b6f8616ddf16e9c14a6961de01f5a8c1d362eaa7d275ea438435ec14286f1c6f56589e0a72e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc2159c887828bae697485fd76902fbc

SHA1
ebb92b4f3b91a9a666441f9a2b5165f2001da288

SHA256
243599ba3a98f26c3d2f9016d43b2321ce459c59d60deda45f1126745160f65e

SHA512
fa839c401ecfb57c028d8fca90e8f9c95b792ddabd7612abb5bf49b3f2f6ff5fba221604cd37d3a571b59ac287bd77c324b911d27e1e4446df27acf683d15c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7428d4721a0fecb19a34166e1ef00c08

SHA1
3c2d92ce5e16477dc4d217513913ff8e25e58fdd

SHA256
71ec25bcec13f945afe2e42619942d8e44be70c8c1499de231b172b42581f891

SHA512
a7717c3486e41609d831800ba2d92f26270dcd109d997ab4cc448abb1ffb430b5a9d3a0be442b5f0282b75a8f514ec00b4306e5bb11d01ebb9ac436b46f783e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a6282b841397350da24d66f2840d2d9

SHA1
cb99121523cc00a2d205117253f2b23e22bb83bf

SHA256
95362bfa4b8fe91d33f8a69d791f919c1f5d2644f75110fcf4bdd37a39f706cc

SHA512
7fbe45f1fb7634a6f00e869aa052f6292569f62f92fb2c9fa4e3147e549b1021db02f5e85bd886ae14af473ebd343f7baa1d7173b4a01915b615700db1726839

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
ffcb4f4d853c26b5724f55ea871e4f66

SHA1
d95f3d27fafbb9adeee82d9be96955fcf7bc2ba8

SHA256
e2c3f2edca6a2822965d06d1216da3f3f4cbab639c3da0987eaf3a75d6fe37c3

SHA512
fcc223c84ee08e860aa84e524c999d3e32056032ebcac50c485c014e3e43deaec713d8fe69bd991d42fd71f9d452ffd50099ad4ba40c38a48288e72a098bc62d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
464a8fb8578d8aa16af815712ffbf4f8

SHA1
7367fe10fcf01a6447ba704f33f196f66a18c333

SHA256
02d0490615e27acb7a1ecc82e2eaaeb04375d9e7d14b329782e44f8620525dc6

SHA512
ff696f1a5e4cdc42dfd30476353b2b67be6b73b3131c91ebe02139b0a115ae72181522b529c2296deba70c88f54d5c44fce9ae865052193e2038cc4fe0628f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3c56c8bae7d4e103a092f357753f38ea

SHA1
a2aaa0caaa46c4246e0355c2cd9f7804fe012658

SHA256
2e1dbcbdfba8321d3b30ec69e01d51372efae9929c97bddea468953bd20536b6

SHA512
ad38513eec43726754867e6ffd2f0bb91002bf6855b11374da457dab76d9a08ae9ccb6c94d5780a569f3719a55c746f0ad809d3e45c49508a3bce76c9dbe4f02

Download Submit
C:\Users\Admin\Downloads\HMBlocker.zip

Filesize
38KB

MD5
5968e8a8caa61b46ba347f8c521c1f2e

SHA1
88f9a7ce6e77d191c9a57ecf238ef5e9e9ba6c7c

SHA256
a181f8925c8c66614be38de89e6dc38cf85715379a10de8d9f9d70b04891ca35

SHA512
6b0659ff7a5548cd1b752a72a70b147d1c9676dce14148430961a7b5204d4e3a42de5530d423ebb879f8e5c72785a45e5b20bd40cbf93cfaefe981534e96cbe3

Download Submit
memory/1028-316-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1028-317-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1028-320-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1028-318-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1028-341-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads