Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/01/2025, 15:22
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://GitHub.com/Da2dalus/The-MALWARE-Repo
Resource: win10v2004-20241007-en
General
Target: http://GitHub.com/Da2dalus/The-MALWARE-Repo
Signatures
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | HMBlocker.exe
Executes dropped EXE 2 IoCs
pid | Process
4044 | Whiter.a.exe
208 | HMBlocker.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2503326475 = "C:\\Users\\Admin\\2503326475\\2503326475.exe" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\2503326475_del = "cmd /c del \"C:\\Users\\Admin\\Downloads\\HMBlocker.exe\"" | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Whistler = "C:\\Windows\\system32\\whismng.exe -next" | Whiter.a.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
75 | raw.githubusercontent.com
76 | raw.githubusercontent.com
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\whismng.exe | Whiter.a.exe
File opened for modification | C:\Windows\SysWOW64\whismng.exe | Whiter.a.exe
File created | C:\Windows\SysWOW64\whismng.exe:SmartScreen:$DATA | Whiter.a.exe
resource | yara_rule
behavioral1/files/0x000800000001e2a6-411.dat | upx
behavioral1/memory/208-444-0x0000000000400000-0x0000000000420000-memory.dmp | upx
behavioral1/memory/208-468-0x0000000000400000-0x0000000000420000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | HMBlocker.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | shutdown.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | reg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Whiter.a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 704944.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 799242.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 2304 msedge.exe 2304 msedge.exe 5088 msedge.exe 5088 msedge.exe 4620 identity_helper.exe 4620 identity_helper.exe 4292 msedge.exe 4292 msedge.exe 1968 msedge.exe 1968 msedge.exe 1968 msedge.exe 1968 msedge.exe 1456 msedge.exe 1456 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1644 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 1644 | shutdown.exe
Suspicious use of FindShellTrayWindow 45 IoCs
pid Process 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe 5088 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
2712 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5088 wrote to memory of 3100 5088 msedge.exe 82 PID 5088 wrote to memory of 3100 5088 msedge.exe 82 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 
msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2640 5088 msedge.exe 83 PID 5088 wrote to memory of 2304 5088 msedge.exe 84 PID 5088 wrote to memory of 2304 5088 msedge.exe 84 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85 PID 5088 wrote to memory of 2412 5088 msedge.exe 85
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://GitHub.com/Da2dalus/The-MALWARE-Repo
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 5088

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c4718
    PID: 3100

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    PID: 2640

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 2304

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
    PID: 2412

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
    PID: 1284

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    PID: 1320

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
    PID: 1960

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    PID: 3956

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4620

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
    PID: 208

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    PID: 1028

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
    PID: 2164

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
    PID: 4848

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6004 /prefetch:8
    PID: 1448

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
    PID: 4768

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5756 /prefetch:8
    PID: 2548

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4292

  C:\Users\Admin\Downloads\Whiter.a.exe
    "C:\Users\Admin\Downloads\Whiter.a.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 4044

    C:\Windows\SysWOW64\notepad.exe
      notepad.exe C:\Users\Admin\AppData\Local\Temp\~sn7182.tmp
      - System Location Discovery: System Language Discovery
      PID: 4132

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4912 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 1968

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
    PID: 4932

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2396 /prefetch:8
    PID: 3320

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,11322930878480214158,6071582857684956054,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1456

  C:\Users\Admin\Downloads\HMBlocker.exe
    "C:\Users\Admin\Downloads\HMBlocker.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 208

    C:\Windows\SysWOW64\shutdown.exe
      "C:\Windows\System32\shutdown.exe" /r /t 6 /f
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 1644

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
      - System Location Discovery: System Language Discovery
      PID: 3776

      C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v 2503326475 /t REG_SZ /d "C:\Users\Admin\2503326475\2503326475.exe" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 2704

    C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f
      - System Location Discovery: System Language Discovery
      PID: 1232

      C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v 2503326475_del /t REG_SZ /d "cmd /c del \"C:\Users\Admin\Downloads\HMBlocker.exe\"" /f
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        PID: 3684

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5112

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3676

C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa3951055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 2712
Network
MITRE ATT&CK Enterprise v15
Downloads