Resubmissions
20-10-2024 00:05
241020-adhe3aygrj 320-10-2024 00:04
241020-acxtcsxbmf 819-10-2024 23:57
241019-3zz68ayeqp 1019-10-2024 23:54
241019-3xxy3syejp 819-10-2024 23:50
241019-3vygtsydjj 1019-10-2024 23:42
241019-3qhwksyaqk 10Analysis
-
max time kernel
175s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-10-2024 23:54
Errors
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 10 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
UPX packed file 10 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Windows directory 8 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
NTFS ADS 7 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 28 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6b9246f8,0x7ffb6b924708,0x7ffb6b9247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5888 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\BlueScreen.exe"C:\Users\Admin\Downloads\BlueScreen.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3492 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\Downloads\ArcticBomb.exe"C:\Users\Admin\Downloads\ArcticBomb.exe"2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1796 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\ClassicShell.exe"C:\Users\Admin\Downloads\ClassicShell.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6408 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1112 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"C:\Users\Admin\Downloads\FreeYoutubeDownloader.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"C:\Windows\Free Youtube Downloader\Free Youtube Downloader\Free YouTube Downloader.exe"3⤵
- Executes dropped EXE
- Suspicious use of SendNotifyMessage
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6364 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5628 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\Gas.exe"C:\Users\Admin\Downloads\Gas.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6112 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,11086533522537294505,2389131035819433542,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Downloads\HMBlocker.exe"C:\Users\Admin\Downloads\HMBlocker.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" /r /t 6 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\reg.exeREG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa387b855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD50a9dc42e4013fc47438e96d24beb8eff
SHA1806ab26d7eae031a58484188a7eb1adab06457fc
SHA25658d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151
SHA512868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f
-
Filesize
152B
MD561cef8e38cd95bf003f5fdd1dc37dae1
SHA111f2f79ecb349344c143eea9a0fed41891a3467f
SHA256ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e
SHA5126fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d
-
Filesize
1KB
MD55ba49a07361c4f3caf680cb6c7d37115
SHA106aba050220a80ffa516c6f5a6145483ec3adfbc
SHA2565175bfebe5d22539653d6dd00e2207b0e9dca06a7b01e78353c125bb4803e2e2
SHA512c3bdc9bdf969b20bafee239d5062676a30545e3a3602cb38924fb560078aa01b25908fa7eef251a5cd91d8359a06c6dd7be6975cf999efe5669625a12f1aac67
-
Filesize
1KB
MD5544ec53b55fe9e8fc1d5dae72c7de2bb
SHA1a49d53aad1a53e5b505ff90bcad5395ed7cbf9b1
SHA2562fe704ba15ac916e7cd203a00339de547fdede1c19a23a2608f451a80ca01a1a
SHA5125dba2b52908d4ffcf04808ce4fc79f07ba392e9c4c53446c55f045532e8fd6d2fc5c6de4ef33c2ac538df349634b3b56eb20cf16b08724c971bb303cc5975160
-
Filesize
2KB
MD56a52b5a417d89d3c0ac94515a17aa268
SHA10b1311c00392f3ad9923af261ce6053e84fc7923
SHA2560e3bb49c63ac9a208fdbe6c9e345ad88a6b6965a8214e249cb2c7dce1fd8ff30
SHA51218f0be31cd1912ba0a8b64693bac792f5923e06de83f2e4778bf5d61f679940ebfcb4167565d6c3d35f32f93a80189121c4304b326f7488d4fa59539241c27a1
-
Filesize
579B
MD5a7d1701142cca705f833d70023ef4e1e
SHA11b76853132abfcddb4fefac42bf9df5d013c9815
SHA2566c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
Filesize
6KB
MD5386e662152ee87c8e3575fbdf0ca240f
SHA1c0667ea68666d371e532293264a9c09b1f7d8a55
SHA256dfec5fc7ef6ed942d9081635d09cc033ecf8e7d74d2d630a602f3c20f99b3d29
SHA512f609a944ca502e297d70fa98a2ed61cf18f774059c02dacdfbcc996621a620aa9a3c2c56f0a23a911e63e074e30e3e57a1f2b92aaba4f34d4e9cd8d3799abf16
-
Filesize
5KB
MD5e8180db90ce412814a45f553180f9ac9
SHA1276091e5b45d3cdb91ef6f4fd3ea692df530d6da
SHA256b25c1fe39f148aedb8288eeb4fd00193b6062a55ecb38cf14feefc68a1a8dcd2
SHA51242626db5f6588edb0d5ecc8bf8194e9a37ffad3142843c857f256c62ce5aa66320e1476684f10619880eee6e1a8ac1c09ace13430fef0ca59500f9cf10b2af98
-
Filesize
6KB
MD5de47064601575b613c38f7342580eb96
SHA15078cf9cdb00d1ed0f198a1203067af08cc1e441
SHA25654f2b721c325063869de78b1ac50c90c8ac0f853b703c1f37916ee438f475578
SHA512a775fd8b61db59b0480461ad76ab2eabc667eccb47430ff928cdf2b594be691c469a5da6f5bcea9dc9281186d6c63ffb0385c3f47d6d0763e2ea6556abc295a3
-
Filesize
1KB
MD5799050e4fcc62e732e25a7636b66c9c3
SHA142cf51079cfcddd807564a6d8e217ebdfae4abb9
SHA256a0063bbde1af2447720317cebf26cd2f58fe87a33c1a59defb6108a1890a48af
SHA512602191bb3ba5244192225fa0987c24a7d0508ea8bdcf335abc687637bfa9d34c14d01a5438e3fef75992fca72c311aceab3ef6938257eee92d1e97a687e5d9ed
-
Filesize
1KB
MD579a954a160593717b9ac3148f0c6c39a
SHA1c6d05561fcec5af41ea046591a3f1f4a8510c3c2
SHA2569122e24c28300d38a80a04f00512782803bcb00ff691efd2ab08eb2d76961fed
SHA5129ffee22c634d5e791243f4c6ec5e9fc6a58f8706551f47de5c2a3caedab9a262867fbf732ae7cc2e055d8b92dbfb5b1744bc5c2b0a426ee6e9129f12142c967d
-
Filesize
874B
MD5b64fd5a21b4b4949ab6d2f34bf931913
SHA17823b874486030244c978ff1969ec55219a31f47
SHA256f3d86e31b2a20733b39612dcba92b53866a9d812be6a176ced80cd493a8f931e
SHA512222af09f4b595dbc9aef981dc93b7f2c284c1da86cfd486e7e3ab775d566bdd52039669ddec477ebda9be015ad53cf14e8db7c6928bc46b4bbb196436620d294
-
Filesize
874B
MD56cdfd7e78d851b5248ecb033d6de98e2
SHA1f30fdad81f1bea68ed87cb6a77e66ed4156eb1c4
SHA25620be48142ee746f0e19743a34b2c8b0db6541ce5c6ce91db2fdb927e403690ef
SHA512fd93463a921b9a011ae17efa1548ba4a2bfefa5d8884a2ddd221e1e1e5a6ec10f22801e0077c553e888c58d84fe9e86dced9c0779bb234f19353226f859fee90
-
Filesize
1KB
MD560ed16578707fdf75c704cd134a179ce
SHA1272d5babd1a4d25b212a77713ad1f7c78fdbaeaa
SHA256c69288bf4efac0c9684f149430aa5c5847c984e50802edcb3c4521ff9006def8
SHA512ef956a296d51e59ee92ae628db93dad0d8227af1b329b2e8c8186614cb766392907ad155f533147f0ab17ad0fb638d0be75c39b72ef0db69b60ca2533370f951
-
Filesize
1KB
MD5af2244e7913536460f057b2a89f1b514
SHA19d0385378e8ea2b24b5b6548a4420741e60cc0ed
SHA256f829ad6c64d6164b573620fe3839f04ae724e528241317223965d003e0c41156
SHA5121028a51a4a9ea27d2b6e3c96a8f4a3fd7b16f56c8ffd4fdc82850743a93954ea677cd8b62ce45dc9c7a3f9c308a5de4e5b5c51737fc873837bffbdc83153ad55
-
Filesize
1KB
MD57c39b68235fba1080b006adc5a419976
SHA1ef68be8db6092104ee3c1a5808709b37376cce2d
SHA256d279f0368207e3da60e338a1fc4f82f061df5a1224b9264c18fd92b53200cf6f
SHA51244edcd45475e5c2bc64b076a47b45dd1c6f9512260a6427a64d39d55288bec855f2e3dc94cca4c77e8bf5c448390ef42a1a2fdbecabf7a73edf09e15a329c9d1
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD559c5c3d0af7b886a47d37e54c8ac69b0
SHA1f1c36a3d4ddccba6e52ec5d696bfc4ea637bcb86
SHA256080a679ccc774b3374098abd6eee1a2f6a833a971e348a598db7bfd33617b3a7
SHA5129a822d3218d16a89e1244539112e23e9b467f36a67136d05fbef3169d9061ac2c9ab0b75c43d370568ed1fd10e9d23cf9ef826cd4de3a2f64faee1cec9c7d8fc
-
Filesize
12KB
MD5878e042fe3738a0e4335ac1dcb595c1d
SHA14eca8eba92c2e56b9bdb2a724d711c55c3beb223
SHA2568e2eafc46891b13f3094ff02d1075b9532c6dfd1c1726c26bc6aa44ffe26d16d
SHA5126ee0318d31e2f726f8083fc977a968a6f71167d83c17189c9e7bc45035ec417262470c0fc051a9c12bfd698e870a4ccfbfeb6a698b24762deb3c2eb42db0c1de
-
Filesize
12KB
MD524f1c1dcc772d51ee270ffdc51c9d524
SHA16a5ff809b6111306e76f8808faa607c98b0ded89
SHA25648f59039bc952dbebe98bbf243b3e94babe4d5f41a84f06bf4e35b67aa5f4a31
SHA512d72d412c766c70b303dab3e1f3adbd593f1e537f4c2399a33d39c9ca4b529a8d5091c78e623e13009a5993fbd1f4a10b1824d2aadd565167abfd789c0c765340
-
Filesize
12KB
MD5c7b0e6ebacb17e073d384d8afa70fa59
SHA1bcf33e6a7d038a15686257ca169658ea40facf4e
SHA256eed909bd90cd13a6a3d6c9616bcae1c2301be1820bc2c889caaea90b139846d2
SHA512b7ec3186739032b35ee1d2032add40a2a08e5c3c3481540bc5da6261a6dcac2a25ab561d00f73f28bcab5607914df230299b7beaf12fd73772c90ac18b5cd967
-
Filesize
12KB
MD516e96b00f8f2d8b4bc24414f060c521e
SHA1dc2d43b84c190598c5195add26801f5b4b511edf
SHA256fb407e9225f315291f47e5efbc566ce09ca701bca878f566e07a1ed6f9df6e05
SHA5126ef5ffa7a31cc90ec7fad3c810e94ee36f7e687d167b9c62b4b5f907064740557cc1d5e35a4364f16fc1abf57555f1b79f4491e2e0661a964dc640d86e640b3a
-
Filesize
36B
MD58708699d2c73bed30a0a08d80f96d6d7
SHA1684cb9d317146553e8c5269c8afb1539565f4f78
SHA256a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f
SHA51238ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264
-
Filesize
176KB
MD5bc82784f4aa47bcfed93e81a3b9950f2
SHA1f5f2238d45733a6dde53c7b7dfe3645ee8ae3830
SHA256dd47684334f0a2b716e96f142e8915266d5bc1725853fd0bdc6d06148db6167f
SHA512d2378f324d430f16ce7dcf1f656b504009b005cdb6df9d5215fe0786c112e8eba8c1650a83192b6a9afad5892a1a456714665233f6767765619ccb5ff28e2b8a
-
Filesize
2KB
MD5594687559197086a5e2f738a5bec9b02
SHA1557a7523c401019fda18c88e9817de49644432a6
SHA256dbe0f77589a418fc6d50dd4c5066c7cb2faa548ff77c2d83743c28255fb50ee1
SHA512d0cb2859735509516e81ccbda4913f2980218c62ab0aa502f3fe45e7859cda0ff544ac6bf94a98e53cf0faf0c202698b4524f8b007be0e6b81d66db657d13a37
-
Filesize
9KB
MD5b01ee228c4a61a5c06b01160790f9f7c
SHA1e7cc238b6767401f6e3018d3f0acfe6d207450f8
SHA25614e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160
SHA512c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140
-
Filesize
125KB
MD5ea534626d73f9eb0e134de9885054892
SHA1ab03e674b407aecf29c907b39717dec004843b13
SHA256322eb96fc33119d8ed21b45f1cd57670f74fb42fd8888275ca4879dce1c1511c
SHA512c8cda90323fd94387a566641ec48cb086540a400726032f3261151afe8a981730688a4dcd0983d9585355e22833a035ef627dbd1f643c4399f9ddce118a3a851
-
Filesize
6.8MB
MD5c67dff7c65792e6ea24aa748f34b9232
SHA1438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
SHA256a848bf24651421fbcd15c7e44f80bb87cbacd2599eb86508829537693359e032
SHA5125e1b0b024f36288c1d2dd4bc5cf4e6b7d469e1e7e29dcef748d17a92b9396c94440eb27348cd2561d17593d8c705d4d9b51ae7b49b50c6dee85f73dec7100879
-
Filesize
18KB
MD5e7af185503236e623705368a443a17d9
SHA1863084d6e7f3ed1ba6cc43f0746445b9ad218474
SHA256da3f40b66cc657ea33dbf547eb05d8d4fb5fb5cf753689d0222039a3292c937a
SHA5128db51d9029dfb0a1a112899ca1f1dacfd37ae9dec4d07594900c5725bc0f60212ab69395f560b30b20f6e1dffba84d585ef5ae2b43f77c3d5373fe481a8b8fc3
-
Filesize
396KB
MD513f4b868603cf0dd6c32702d1bd858c9
SHA1a595ab75e134f5616679be5f11deefdfaae1de15
SHA256cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7
SHA512e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
48KB
MD521943d72b0f4c2b42f242ac2d3de784c
SHA1c887b9d92c026a69217ca550568909609eec1c39
SHA2562d047b0a46be4da59d375f71cfbd578ce1fbf77955d0bb149f6be5b9e4552180
SHA51204c9fa8358944d01b5fd0b6d5da2669df4c54fe79c58e7987c16bea56c114394173b6e8a6ac54cd4acd081fcbc66103ea6514c616363ba8d212db13b301034d8
-
Filesize
438KB
MD51bb4dd43a8aebc8f3b53acd05e31d5b5
SHA154cd1a4a505b301df636903b2293d995d560887e
SHA256a2380a5f503bc6f5fcfd4c72e5b807df0740a60a298e8686bf6454f92e5d3c02
SHA51294c70d592e806bb426760f61122b8321e8dc5cff7f793d51f9d5650821c502c43096f41d3e61207ca6989df5bfdbff57bc23328de16e99dd56e85efc90affdce
-
Filesize
153KB
MD5f33a4e991a11baf336a2324f700d874d
SHA19da1891a164f2fc0a88d0de1ba397585b455b0f4
SHA256a87524035509ff7aa277788e1a9485618665b7da35044d70c41ec0f118f3dfd7
SHA512edf066968f31451e21c7c21d3f54b03fd5827a8526940c1e449aad7f99624577cbc6432deba49bb86e96ac275f5900dcef8d7623855eb3c808e084601ee1df20
-
Filesize
110KB
MD5ab648a0df4fe7a47fe9d980c545b065d
SHA1ce28ea7dd117289daf467467a592bc304c72d4e6
SHA256905a849721ec95ab08754aeee9a60b3ed435d36962466fcbe5cfca63dfc455cd
SHA5127ae99da55fbf1c31c5281e5f4e10ab2bc33b89effeee82b574eb4b60541c5ea2913d5d99836608873da372c78e75436ae7e535568f48d81cb9dd26d2cc1b3a8c
-
Filesize
110KB
MD5139df873521412f2aebc4b45da0bc3e9
SHA13fd72fd5bad8ee9422fb9efa5f601f6b485404df
SHA256efe6bd2e0fc7030994fc2837b389da22c52a7b0bbdbd41852fcaf4308a23da10
SHA512d85cf83d3b2cf9af3076e40d7419be42a561bce1160376ba580b3078b581ed2bd6d274fb2a0767aa81a9e92052762f39c1c391ca0cac3043ad85a72862713bd3
-
Filesize
3KB
MD5c92a1d4d0755c886dd137c6cab43c35e
SHA1fc16175e58ad1f67c57e7fdf55333fdd0e01d936
SHA2566ab1ee65e6c9c5e31fe3680fc92a2a0ae73f216e966f5582a2d9c265357238d4
SHA5120525880a1f4cc7dd912ca4006fe4bd02bf1218931fcb56489a0ec728a682fdf1ecd35e8797c665c63dc19d8236942d9b832a6a8c46e00df02afa2c65327dd9de
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
184KB
-
Filesize
240KB
-
Filesize
6.8MB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
336KB
-
Filesize
240KB
-
Filesize
336KB
-
Filesize
336KB