Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
23-08-2024 21:06
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Endermanch/MalwareDatabase
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
https://github.com/Endermanch/MalwareDatabase
Resource
win11-20240802-en
General
-
Target
https://github.com/Endermanch/MalwareDatabase
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 4216 ska2pwej.aeh.tmp 3836 walliant.exe -
Loads dropped DLL 21 IoCs
pid Process 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe 3836 walliant.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe" ska2pwej.aeh.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 raw.githubusercontent.com 54 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language walliant.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ska2pwej.aeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ska2pwej.aeh.tmp -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings msedge.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 walliant.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a walliant.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a walliant.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Walliant (1).zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Walliant.zip:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1320 msedge.exe 1320 msedge.exe 932 msedge.exe 932 msedge.exe 1016 msedge.exe 1016 msedge.exe 4296 identity_helper.exe 4296 identity_helper.exe 2280 msedge.exe 2280 msedge.exe 1568 msedge.exe 1568 msedge.exe 2080 msedge.exe 2080 msedge.exe 2080 msedge.exe 2080 msedge.exe 4216 ska2pwej.aeh.tmp 4216 ska2pwej.aeh.tmp -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3836 walliant.exe -
Suspicious use of FindShellTrayWindow 43 IoCs
pid Process 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 4216 ska2pwej.aeh.tmp 3836 walliant.exe -
Suspicious use of SendNotifyMessage 13 IoCs
pid Process 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 932 msedge.exe 3836 walliant.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3836 walliant.exe 3836 walliant.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 932 wrote to memory of 4368 932 msedge.exe 81 PID 932 wrote to memory of 4368 932 msedge.exe 81 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 2160 932 msedge.exe 82 PID 932 wrote to memory of 1320 932 msedge.exe 83 PID 932 wrote to memory of 1320 932 msedge.exe 83 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84 PID 932 wrote to memory of 1416 932 msedge.exe 84
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0x100,0x110,0x7ffbebd33cb8,0x7ffbebd33cc8,0x7ffbebd33cd82⤵PID:4368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:2160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:82⤵PID:1416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:12⤵PID:4844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:12⤵PID:240
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:12⤵PID:1144
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5908 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:4512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:12⤵PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:12⤵PID:4120
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2280
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,3415777639114517088,12597977750121723147,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6304 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2080
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3492
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2528
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1012
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant (1).zip\ska2pwej.aeh.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant (1).zip\ska2pwej.aeh.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Users\Admin\AppData\Local\Temp\is-4CH44.tmp\ska2pwej.aeh.tmp"C:\Users\Admin\AppData\Local\Temp\is-4CH44.tmp\ska2pwej.aeh.tmp" /SL5="$4020E,4511977,830464,C:\Users\Admin\AppData\Local\Temp\Temp1_Walliant (1).zip\ska2pwej.aeh.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4216 -
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3836
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵PID:1568
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵PID:4184
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD59828ffacf3deee7f4c1300366ec22fab
SHA19aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA5122e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
-
Filesize
152B
MD56fdbe80e9fe20761b59e8f32398f4b14
SHA1049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\526b2663-31a2-46d8-9cef-a4fd27a6994a.tmp
Filesize5KB
MD5d85542dac65a13a7cc0601a3397771cd
SHA12f38734a2ec5c1575ee334483980c80d0d5b17e0
SHA2568fae334d37a1ab5b55273a824fa68bfab5cf17c651e633ffd15422a00a15d73e
SHA512c6a8d976a8565cc50e7643610735e6b5cb41f26a04fef3d6cd74d8d7c783bb3b64a82c3ae6dddce445451247f7fe7d45ac6f0ee39ef2c6981d8c8258a70a6c26
-
Filesize
4.5MB
MD533968a33f7e098d31920c07e56c66de2
SHA19c684a0dadae9f940dd40d8d037faa6addf22ddb
SHA2566364269dbdc73d638756c2078ecb1a39296ddd12b384d05121045f95d357d504
SHA51276ccf5f90c57915674e02bc9291b1c8956567573100f3633e1e9f1eaa5dbe518d13b29a9f8759440b1132ed897ff5a880bef395281b22aaf56ad9424a0e5e69a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5150d70e1486454b18840e9c9d6d36af7
SHA13487f792cc4c4d95d4eb4bd1c75dc2336ed5bae0
SHA2569c4dff19ff8c0a2c5158379ea7a7936e6348d9994241a57f9eb1193e0e79cc2c
SHA51215254648cfb61c43479a6cc2ad6478ee8a45070377abc3a7908986b23feddcb7186f22cafe3a618606ab7ec302615cdec7b225ac3569e629e2a2cf220f78bb17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD540eb2e582007c7c58571a75f266c6666
SHA17676d1094d143abc7a2571b5145abe0e8669ab0b
SHA256bdec5e2c8d92f53fd3f92024126b102dced4b6578334018d340480569b2246ac
SHA51225e72d8963b6ed1a4c47443196709d063f0f3dc1b63e6ac0759f3ab16fdb43952b96144306e4e832e7689f7ac95a5685e3399f810480d9db39cbcee71b12462c
-
Filesize
595B
MD5aab27555e7a463caded4f29d822c83b3
SHA16cf256241088d23ddfd332efab796f282be1bdb3
SHA25661ee79248875f3044a61c3fe7df3e6637544b3ad59b124da575ab25921b05b9e
SHA5120dbb85b5b19dbbe741446c3a83bafb1109c810de1761ff3d15969d3c345b499e26c24dab78c85227e6305f652e1425022dd52fb3909275f69ec776f251bbaec3
-
Filesize
6KB
MD580553107ad354dfa7abbca1cd29ed6e8
SHA17bea3ed946fcf995a58a7305bc4f2a5e5a341edc
SHA256fbacb1646a8e45beae2d2ca737c5b91028f388f147262527d745b2ac7445d0bb
SHA5125041ede5803374bed8c5d0d759e6158c5ed5a6e9cea7c3bf169eb35546f00c3ca1939be2cff7851df63632c42dca12e088019c304c225a2f94ea1979bdefddb8
-
Filesize
6KB
MD530ddeea067ef05aee983fade7a95c39a
SHA145260a26f8cc02f2e07217b80870bc76e3448c30
SHA25696d3b478dc08b848687e0b0db67a936635db458d3f2303cedab6693a99f2729e
SHA5124bc9ed4dda1d08945a314caad4556b082faf8c38ead2688e26c0ed8a0c6e82821a29277a943a2987a82da76c36b57c12d9aee6fdbfddf5553d6c19c5d56d93e2
-
Filesize
1KB
MD5c36838757fea2b2cf7e2dc81451a3381
SHA1146e9d304b4446ca1e0ee3700892c6e7aba9e19b
SHA256ce2a81d904ee65bb2ce0f150c1dc5af293c1e9f1fe097c4bcec901e752a2c1e2
SHA5123c57827b5098ab07b897b21f447e7d0869dc1733ba0c9a0fafe665d8a182896d9fb1d97c9a9f1f06444b501da1ebe3d597fafbb5dc092976b5b788282da81592
-
Filesize
1KB
MD594bdd26de61978f0855c6cb89eb7f7b3
SHA185805de97f887b44c11373c1961588cab385ad67
SHA2560f4c64b7041fb7b01f04145d21c638ae8e1813271cd4b40172970aa4b75e7da3
SHA5129cb5db42122f5e9a464f9a0155683cd930121ded128082442660b8bc3c04fefed5ae46651437becfce5cbcf81a9152bc4ca00bca9a9e74e3e1181ad347de4c2f
-
Filesize
1KB
MD557833e80d346678c8b8a1d657e68ee0e
SHA10c064536ca0094dd452eda9ad6b07cdc15c523c3
SHA256cf26ef535ff4de17b73991253716c7079768fa27cad1e7a7a497f47f2438caae
SHA5123dadffa79a54c994e5fe67f3d9cba267e289f6f5b6db8c64a035c7caa8d03a261b50c22baa09609f130955793d052e263b2b78987c033f753b4fb6971912a6b7
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD56abf85a28e41f679fc042b7341ff6f81
SHA1d3883e00fb81271a4497eb82ada710b0e0fb4998
SHA25603d600fdf7c861e37d63f56a753a9e9c24750e65ac2e9240d1a23e11ba6490b5
SHA5123fbeda1ee7ced4237a5d85a8f02213c17779024783f944cf1b82bce5fd3d1eaa4af757a58a55d50276264d916d46ce20731483dbd39ab2af8a8275c962efad10
-
Filesize
11KB
MD5897fece66cb2099fc0fef5a54c428727
SHA1cbfeb83e396ba45ca0182e1fb5e68576b86993e1
SHA256a23ed1eaf57be3323bc5d7772568f40dc464484557b93311a13740a47fb40b19
SHA5122f8fe9004c687200df741ceb5cc02981266f5ae5dc432c261a4bdfb4ff2a56e6168ee7d80d43c7b193b16e1fde9f43b411192815baf1a8fae345de63ed73b5f8
-
Filesize
10KB
MD56fde8db62755759a865df855edc79f8b
SHA1ac88b9f896bc20ddb022f9273275b4173f7ca747
SHA25693e2d08b8f35e2045acc43657b063748bd2064171f6e2e583b6872924eeab6e8
SHA51228aed747a9e6892218b3666c3dd461595ca51770d6f3cb1ce41bf7a92833b6245c47737bb4621bdafba334e15af8270fbc7bb07c373aa3d0f73055dfc82ae3ae
-
Filesize
23KB
MD535cbdbe6987b9951d3467dda2f318f3c
SHA1c0c7bc36c2fb710938f7666858324b141bc5ff22
SHA256e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83
SHA512e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7
-
Filesize
114KB
MD5bf6a0f5d2d5f54ceb5b899a2172a335b
SHA1e8992a9d4aeb39647b262d36c1e28ac14702c83e
SHA25632ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6
SHA51249a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90
-
Filesize
495KB
MD5283544d7f0173e6b5bfbfbc23d1c2fb0
SHA13e33b2ef50dac60b7411a84779d61bdb0ed9d673
SHA2569165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735
SHA512150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b
-
Filesize
72KB
MD5c1a31ab7394444fd8aa2e8fe3c7c5094
SHA1649a0915f4e063314e3f04d284fea8656f6eb62b
SHA25664b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4
SHA5123514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e
-
Filesize
378KB
MD5f5ee17938d7c545bf62ad955803661c7
SHA1dd0647d250539f1ec580737de102e2515558f422
SHA2568a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78
SHA512669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c
-
Filesize
11.3MB
MD5fddc7534f3281feb4419da7404d89b4c
SHA119bdefc2c9e0abd03fe5ee4fad9c813a837f844f
SHA256f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e
SHA512c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea
-
Filesize
257KB
MD560d3737a1f84758238483d865a3056dc
SHA117b13048c1db4e56120fed53abc4056ecb4c56ed
SHA2563436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9
SHA512d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe
-
Filesize
1KB
MD5b492287271363085810ef581a1be0fa3
SHA14b27b7d87e2fdbdda530afcda73784877cc1a691
SHA256a5fcca5b80f200e9a3ff358d9cac56a0ffabb6f26d97da7f850de14f0fb2709e
SHA512859fa454d8a72771038dc2ff9e7ec3905f83a6a828cc4fc78107b309bdcd45724c749357011af978163f93e7096eb9e9419e3258ea9bd6b652154fe6dd01d036
-
Filesize
2.5MB
MD562e5dbc52010c304c82ada0ac564eff9
SHA1d911cb02fdaf79e7c35b863699d21ee7a0514116
SHA256bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2
SHA512b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98