hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

04/09/2024, 22:43

240904-2ng1tsygkh 7

04/09/2024, 22:39

240904-2legxsxgmn 3

04/09/2024, 22:32

240904-2f7lhsyfjf 10

Analysis

max time kernel
297s
max time network
298s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/09/2024, 22:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3372	Free YouTube Downloader.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2832-433-0x0000000000400000-0x0000000000420000-memory.dmp	upx
behavioral1/memory/2832-456-0x0000000000400000-0x0000000000420000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\Free Youtube Downloader = "C:\\Windows\\Free Youtube Downloader\\Free Youtube Downloader\\Free YouTube Downloader.exe"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_HMBlocker.zip\\[email protected]\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe"	reg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Box.exe	[email protected]
File opened for modification	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.exe	[email protected]
File created	C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Uninstall.ini	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2516	vlc.exe
2224	vlc.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4024	msedge.exe
4024	msedge.exe
4008	msedge.exe
4008	msedge.exe
1968	msedge.exe
1968	msedge.exe
2372	identity_helper.exe
2372	identity_helper.exe
1088	msedge.exe
1088	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2516	vlc.exe
2224	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	1468	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1468	AUDIODG.EXE
Token: 33	2516	vlc.exe
Token: SeIncBasePriorityPrivilege	2516	vlc.exe
Token: 33	2224	vlc.exe
Token: SeIncBasePriorityPrivilege	2224	vlc.exe
Token: SeShutdownPrivilege	764	shutdown.exe
Token: SeRemoteShutdownPrivilege	764	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2516	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
2224	vlc.exe
3372	Free YouTube Downloader.exe
3372	Free YouTube Downloader.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2516	vlc.exe
2224	vlc.exe
876	[email protected]
1340	PickerHost.exe
3564	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 4032	4008	msedge.exe	80
PID 4008 wrote to memory of 4032	4008	msedge.exe	80
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 3560	4008	msedge.exe	81
PID 4008 wrote to memory of 4024	4008	msedge.exe	82
PID 4008 wrote to memory of 4024	4008	msedge.exe	82
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83
PID 4008 wrote to memory of 3736	4008	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffc96d3cb8,0x7fffc96d3cc8,0x7fffc96d3cd8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,4011736218382460274,16774553217687182652,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:424

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Temp1_Google Robot Virus Removal.zip\Google Robot Virus Removal\android.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Temp1_Google Robot Virus Removal.zip\Google Robot Virus Removal\files\cs4.mp3"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_FakeActivation.zip\[email protected]"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:876
- C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe
  "C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:3372

C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:2832
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" /r /t 6 /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4068
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\AppData\Local\Temp\Temp1_HMBlocker.zip\[email protected]\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1720

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a35855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
73d629cb67fe74bbc165683169f63b7a

SHA1
04b886606b4caa9d89577237057a4065d6a7d04b

SHA256
9c46b6e4c6964540287ac58608fbf242bdb68fcad85167100d83eeefb1ce70d7

SHA512
2e12663380ee68477572325a2a099324af060849d2f3811ae06b989b822de872ea6c8ce67ae566e6ec787b4eb0ac384e83fa5473e0c0af6dc613c789a499ba59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
672B

MD5
11495c7e82f1eae263412572560ddfa3

SHA1
335fce52bc97bd449d892adff810a815c499e3f6

SHA256
c528d4c3ff971608ac296729c21a4fd6953852a79c10040a92bc58fed86ff277

SHA512
4a3a561da517a1d7288b99af05e3e82e7ebc2e27b4d74645e4827806f9332bb47ec97fd5bb3fb54f7a4fb1b2469a94c625811f1b71b49435a75f279527e2ae09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
672B

MD5
05736178ca06de192ea96f5fd08b0cf9

SHA1
1802c472675db209782f725ed80458a8b1ed2116

SHA256
ae4a00627ed5a9fb6f0fb8c6b5bf03074fa524cb57eb2c948037712f190154a6

SHA512
2d88e5eff92b29092eb60f558ccbdfe3f4aa9dab8692435b85fb0a84b7d5729ad25bd196fd18d8631e61e83131bfc38bc7628b793e0bec221c89fcadb9fcb9f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
52b061632b53a8cbfb55049b807ff0bb

SHA1
69614efb174b706625c930482fe363d740d60ebb

SHA256
f36352ffb59c058e7455029687de0baf1348c53b18cdcfbed67832ec7dc80467

SHA512
fedf99e8a0b94f3292a87eac0a2db80f9f9d953d2a9c96b76dd9e8361b4c3e4486403372c0cc24b367fd85dfd6ed0cadf4714ecf64ee6ea31fdfe1664d5b41cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c54db7b22d7d87b2d6c23ba8b5145253

SHA1
a75127b8e48dddc101f7f1a04843490e2f791d39

SHA256
00a899fb2088f794cf695e680fb37a6b42fa645fd30b4b27f8d1c446a74cf75e

SHA512
a93885375ee42ee85feef9110cefd3d76cee3ff3399d572c6f591a7cdb1c574f0446f0f6b9552a4494ee9aa1977fa16fffbeecce589b6f3032c3607fd35c14fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
196488602b203ba52ef3bfa226c0c223

SHA1
44b9308c68f4bed24af25de770bed3e96d969e8e

SHA256
a2dfa7ef6c69510dbf9824a4599b3df45cb50436be794b9beaea61e3944558fa

SHA512
f33db57712833ce4b735be1f8f927d92d9ceac54137d0448f9ef516956461ef2633b3efe74dca165c79edebbb5a9393ab2d0aa1cf2dbc80885d5cc798ca8eac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1122194e4f4d98fe1cc6b664b724fce

SHA1
a442658bc03caf91e91f4609cffca1c0e901d20c

SHA256
72daa3c58afb6f2db9510597818df0530e8034c09f1a1c1d85014b21c98c73af

SHA512
50f7291acd9b1fec18c6a0f678d0176d7c6f18d958567c8369b5efdc2667a68686570227ef4b4e62f7f1d8e96ed83b2900eb8407c6de57611c979012641c8c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f9a8874622cbb8838e41461576e628d1

SHA1
1e0a8c72e344dd0bca167abd98308d33df9ee3d5

SHA256
f23da2123d1382ebd24a8a8d872c495be1d6fded21023b788536d1ba50bdd691

SHA512
0523912bd690918631f4a5414f05283ca27f2ddffd702d0c2d61c70434ac74349b1b961aeefbd5d219d06d29bc2b006ea8338280fc0119942b9a64c7796ca7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593c53.TMP

Filesize
1KB

MD5
20f41c890f6ae06b19f53f0053e7dbac

SHA1
6a9f406c78377d6fdd0f689d6b93979121652f29

SHA256
895b9e61356012cd281eaf5538dfa3a802e4c5220cf5bcce6dfbb6c6961167ae

SHA512
c0f473b1de23af69a13a034e915f124bcc49d667af7ec6433daa9b69ba03e906ebc62d6afd997ccae04a276de56482020fa7427fb7afe615dac2951899a01882

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b76de943bae6718451c786df51c72c3

SHA1
e016a55406eb1374a506e609ad406e05fee3affe

SHA256
1c84142184ac225f9a48f9c963924868e30b1d45504e3e718896b677f0e83522

SHA512
1fb47532bb5cb2bfa316c35d892c324329a9f141fbe7574001ffd897a78b2927bfe1cbdfb25ff3464eaa4163577c8da4c3c64040356c5ab63599d2968ba915c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
80173f7278d2c09c5c9b117c1490fc12

SHA1
90b6d65e4d443336259c1405ac71e116b8a9b936

SHA256
3c6a9cb433c47d9fec08196f1bffc5a063dbaaf2913e2924acb6d9da5a94e529

SHA512
9869f012d210ae0853d4860f3bab3463f44dd82f566cb70ce2df6660b4d55e5880a02e984e4b600e517f2d2b56ac2f7421d13ebf46e017bbdbd6f738327d8788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d56e7715dfdafd666da7d041f84a69e8

SHA1
5bef16fba29eb88c9a8ad8c300c8ac1a7dba9a36

SHA256
838b2d1c0921aa7db7e292423779ee6e7052037ac34006d3cfd32f80f2396e19

SHA512
f1da065f334bb89da383b04fd247226aff4b1631ab1491baff305751ac79671bb3ed251df4b9ea6cc333aab3952322f6c944f8fa12bed8477c6800177aa3a11c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79d9eeb27a6e177d119489d88db45e21

SHA1
be1c7a9457ea48f5e39ba994caa661d7c4d9d61f

SHA256
e30d845b2977c8d3f0c79bcc93bf750b86a19c1f449030fe995236dd5bdc514d

SHA512
306f72fbb3247db995f80787670b891fc3665b1650678bddc7ac5c882dc30bdef2f8234eb99649b33c1642ea935183a6d7de8234c81920d9a3b8575e8197fc5f

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
608B

MD5
50217ae6c4872eab7041179d59319e9b

SHA1
6aea4e663a9e52bc2fa5963ea3fee39bdd36632e

SHA256
bf8e975f1538a8906747eb83666dbc11955c8479f230bedd9866890c22fd08b8

SHA512
ddc2f3cf1f03f883a374d277dd31a15c13bf91f5de37a71fc7710f55156dd8f17b8602d5c9e8d398f2354e49d28f9c432676b92017575e625dc09beea93bbfe2

Download Submit
C:\Users\Admin\Downloads\MalwareDatabase-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe

Filesize
153KB

MD5
f33a4e991a11baf336a2324f700d874d

SHA1
9da1891a164f2fc0a88d0de1ba397585b455b0f4

SHA256
a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7

SHA512
edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20

Download Submit
memory/876-402-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2224-366-0x00007FF75E980000-0x00007FF75EA78000-memory.dmp

Filesize
992KB

Download
memory/2224-369-0x0000017D66080000-0x0000017D6618E000-memory.dmp

Filesize
1.1MB

Download
memory/2224-368-0x00007FFFB2520000-0x00007FFFB27D6000-memory.dmp

Filesize
2.7MB

Download
memory/2224-367-0x00007FFFC9480000-0x00007FFFC94B4000-memory.dmp

Filesize
208KB

Download
memory/2516-350-0x0000022FE9A60000-0x0000022FEAB10000-memory.dmp

Filesize
16.7MB

Download
memory/2516-349-0x00007FFFB2520000-0x00007FFFB27D6000-memory.dmp

Filesize
2.7MB

Download
memory/2516-347-0x00007FF75E980000-0x00007FF75EA78000-memory.dmp

Filesize
992KB

Download
memory/2516-348-0x00007FFFC9480000-0x00007FFFC94B4000-memory.dmp

Filesize
208KB

Download
memory/2832-433-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2832-434-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2832-436-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2832-435-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2832-456-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3372-403-0x000001E8A03D0000-0x000001E8A03FE000-memory.dmp

Filesize
184KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads