Analysis
- max time kernel: 1800s
- max time network: 2618s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-06-2024 12:39
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://github.com/LotusTrojan/Virus-Maker-VB
  - Resource: win10v2004-20240611-en
General
- Target: https://github.com/LotusTrojan/Virus-Maker-VB
Malware Config
Signatures
Downloads MZ/PE file
-
Drops file in Drivers directory 64 IoCs
Process: cmd.exe
Description: File opened for modification
- C:\Windows\System32\drivers\en-US\i8042prt.sys.mui
- C:\Windows\System32\drivers\BthMini.SYS
- C:\Windows\System32\drivers\en-US\pmem.sys.mui
- C:\Windows\System32\drivers\ipfltdrv.sys
- C:\Windows\System32\drivers\lltdio.sys
- C:\Windows\System32\drivers\mountmgr.sys
- C:\Windows\System32\drivers\storvsc.sys
- C:\Windows\System32\drivers\usbuhci.sys
- C:\Windows\System32\drivers\en-US\disk.sys.mui
- C:\Windows\System32\drivers\mrxsmb20.sys
- C:\Windows\System32\drivers\raspptp.sys
- C:\Windows\System32\drivers\Dumpstorport.sys
- C:\Windows\System32\drivers\filetrace.sys
- C:\Windows\System32\drivers\xboxgip.sys
- C:\Windows\System32\drivers\en-US\mountmgr.sys.mui
- C:\Windows\System32\drivers\en-US\pcmcia.sys.mui
- C:\Windows\System32\drivers\ndistapi.sys
- C:\Windows\System32\drivers\acpipagr.sys
- C:\Windows\System32\drivers\volume.sys
- C:\Windows\System32\drivers\usbd.sys
- C:\Windows\System32\drivers\acpiex.sys
- C:\Windows\System32\drivers\en-US\tunnel.sys.mui
- C:\Windows\System32\drivers\kbdhid.sys
- C:\Windows\System32\drivers\tcpipreg.sys
- C:\Windows\System32\drivers\en-US\mouclass.sys.mui
- C:\Windows\System32\drivers\en-US\rfxvmt.sys.mui
- C:\Windows\System32\drivers\en-US\scsiport.sys.mui
- C:\Windows\System32\drivers\sermouse.sys
- C:\Windows\System32\drivers\en-US\Microsoft.Bluetooth.AvrcpTransport.sys.mui
- C:\Windows\System32\drivers\en-US\sdbus.sys.mui
- C:\Windows\System32\drivers\mstee.sys
- C:\Windows\System32\drivers\amdppm.sys
- C:\Windows\System32\drivers\en-US\CAD.sys.mui
- C:\Windows\System32\drivers\en-US\wudfpf.sys.mui
- C:\Windows\System32\drivers\portcls.sys
- C:\Windows\System32\drivers\raspppoe.sys
- C:\Windows\System32\drivers\USBXHCI.SYS
- C:\Windows\System32\drivers\werkernel.sys
- C:\Windows\System32\drivers\Acx01000.sys
- C:\Windows\System32\drivers\IndirectKmd.sys
- C:\Windows\System32\drivers\KNetPwrDepBroker.sys
- C:\Windows\System32\drivers\volsnap.sys
- C:\Windows\System32\drivers\en-US\fvevol.sys.mui
- C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui
- C:\Windows\System32\drivers\en-US\tcpip.sys.mui
- C:\Windows\System32\drivers\gmreadme.txt
- C:\Windows\System32\drivers\ipnat.sys
- C:\Windows\System32\drivers\monitor.sys
- C:\Windows\System32\drivers\vmgid.sys
- C:\Windows\System32\drivers\dxgmms2.sys
- C:\Windows\System32\drivers\en-US\scfilter.sys.mui
- C:\Windows\System32\drivers\fileinfo.sys
- C:\Windows\System32\drivers\rootmdm.sys
- C:\Windows\System32\drivers\tcpip.sys
- C:\Windows\System32\drivers\bttflt.sys
- C:\Windows\System32\drivers\Dmpusbstor.sys
- C:\Windows\System32\drivers\en-US\winnat.sys.mui
- C:\Windows\System32\drivers\mmcss.sys
- C:\Windows\System32\drivers\TsUsbFlt.sys
- C:\Windows\System32\drivers\disk.sys
- C:\Windows\System32\drivers\WUDFPf.sys
- C:\Windows\System32\drivers\sdstor.sys
- C:\Windows\System32\drivers\serenum.sys
- C:\Windows\System32\drivers\UMDF\en-US\SensorsHid.dll.mui
Manipulates Digital Signatures 2 IoCs
Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
Process: cmd.exe
Description: File opened for modification
- C:\Windows\System32\wintrust.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll
Possible privilege escalation attempt 2 IoCs
Processes (pid, process):
- 4308 icacls.exe
- 2156 takeown.exe
Boot or Logon Autostart Execution: Print Processors 1 TTPs 1 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Process: cmd.exe
Description: File opened for modification
- C:\Windows\System32\spool\prtprocs\x64\winprint.dll
Executes dropped EXE 1 IoCs
Processes (pid, process):
- 456 Virus Maker.exe
Modifies file permissions 1 TTPs 2 IoCs
Processes (pid, process):
- 2156 takeown.exe
- 4308 icacls.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 64 IoCs
Process: cmd.exe
Description: File opened for modification
- C:\Windows\System32\vidcap.ax
- C:\Windows\System32\en-US\mprdim.dll.mui
- C:\Windows\System32\lv-LV\SyncRes.dll.mui
- C:\Windows\System32\es-ES\runas.exe.mui
- C:\Windows\System32\fr-FR\wshqos.dll.mui
- C:\Windows\System32\itss.dll
- C:\Windows\System32\wbem\en-US\NetTCPIP_uninstall.mfl
- C:\Windows\System32\DriverStore\FileRepository\C_WPD~1.INF\c_wpd.inf
- C:\Windows\System32\DriverStore\fr-FR\rndiscmp.inf_loc
- C:\Windows\System32\DriverStore\fr-FR\netbxnda.inf_loc
- C:\Windows\System32\en-US\rdvvmtransport.dll.mui
- C:\Windows\System32\ja-jp\racpldlg.dll.mui
- C:\Windows\System32\wlidcli.dll
- C:\Windows\System32\WsmPty.xsl
- C:\Windows\System32\config\SYSTEM~1\AppData\Local\MICROS~1\Office\OTele\OFFICE~1.DB
- C:\Windows\System32\DriverStore\es-ES\c_netdriver.inf_loc
- C:\Windows\System32\DriverStore\it-IT\c_media.inf_loc
- C:\Windows\System32\DriverStore\ja-JP\termmou.inf_loc
- C:\Windows\System32\uk-UA\FileHistory.exe.mui
- C:\Windows\System32\uk-UA\Licenses\_Default\PROFES~1\license.rtf
- C:\Windows\System32\wbem\en-US\mstsc.mfl
- C:\Windows\System32\DriverStore\es-ES\netv1x64.inf_loc
- C:\Windows\System32\DriverStore\fr-FR\RDCameraDriver.inf_loc
- C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA354xp.bin
- C:\Windows\System32\mcicda.dll
- C:\Windows\System32\migwiz\dlmanifests\gpmgmt-DL.man
- C:\Windows\System32\uk-UA\esrb.rs.mui
- C:\Windows\System32\uk-UA\ieunatt.exe.mui
- C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.format.ps1xml
- C:\Windows\System32\downlevel\api-ms-win-security-base-l1-1-0.dll
- C:\Windows\System32\DriverStore\es-ES\iaLPSSi_I2C.INF_loc
- C:\Windows\System32\wininitext.dll
- C:\Windows\System32\ja-jp\stobject.dll.mui
- C:\Windows\System32\spp\tokens\skus\CSVLK-~1\csvlk-pack-Volume-CSVLK-3-ul-store-rtm.xrm-ms
- C:\Windows\System32\Windows.Payments.dll
- C:\Windows\System32\fphc.dll
- C:\Windows\System32\fr-FR\AboutSettingsHandlers.dll.mui
- C:\Windows\System32\en-US\rdpendp.dll.mui
- C:\Windows\System32\fr-FR\mstscax.dll.mui
- C:\Windows\System32\fr-FR\wcncsvc.dll.mui
- C:\Windows\System32\RMapi.dll
- C:\Windows\System32\DriverStore\fr-FR\netip6.inf_loc
- C:\Windows\System32\DriverStore\fr-FR\xboxgipSynthetic.inf_loc
- C:\Windows\System32\wscsvc.dll
- C:\Windows\System32\WSDPrintProxy.DLL
- C:\Windows\System32\zh-CN\chspy.spd
- C:\Windows\System32\de-DE\quickassist.exe.mui
- C:\Windows\System32\es-ES\RmClient.exe.mui
- C:\Windows\System32\DriverStore\en-US\winusb.inf_loc
- C:\Windows\System32\en-US\PlayToDevice.dll.mui
- C:\Windows\System32\en-US\smbwmiv2.dll.mui
- C:\Windows\System32\en-US\TrustedSignalCredProv.dll.mui
- C:\Windows\System32\msvidc32.dll
- C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\MSFT_NetEventVmSwitchProvider.format.ps1xml
- C:\Windows\System32\catsrvps.dll
- C:\Windows\System32\DriverStore\en-US\itSAS35i.inf_loc
- C:\Windows\System32\en-US\sppcommdlg.dll.mui
- C:\Windows\System32\fr-FR\taskbarcpl.dll.mui
- C:\Windows\System32\it-IT\CredProv2faHelper.dll.mui
- C:\Windows\System32\it-IT\dxdiag.exe.mui
- C:\Windows\System32\spp\tokens\skus\PR3CDC~1\ProfessionalWorkstation-Retail-1-ul-store-rtm.xrm-ms
- C:\Windows\System32\WindowsPowerShell\v1.0\Modules\APPVCL~1\ja\Microsoft.AppV.AppVClientPowerShell.resources.dll
- C:\Windows\System32\en-US\XblAuthManager.dll.mui
- C:\Windows\System32\es-ES\IEAdvpack.dll.mui
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions.
Process: cmd.exe
Description: File opened for modification
- C:\Windows\System32\termsrv.dll
Enumerates system info in registry 2 TTPs 3 IoCs
Process: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
NTFS ADS 1 IoCs
Process: msedge.exe
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 763099.crdownload:SmartScreen
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid, process):
- 2280 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes (pid, process):
- 4708 msedge.exe (x2)
- 2800 msedge.exe (x2)
- 3776 identity_helper.exe (x2)
- 2388 msedge.exe (x2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
Processes (pid, process):
- 2800 msedge.exe (x7)
Suspicious use of FindShellTrayWindow 37 IoCs
Processes (pid, process):
- 2800 msedge.exe (x37)
Suspicious use of SendNotifyMessage 24 IoCs
Processes (pid, process):
- 2800 msedge.exe (x24)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (source pid and process, target pid and process):
- PID 2800 msedge.exe wrote to memory of 2272 msedge.exe (x2)
- PID 2800 msedge.exe wrote to memory of 804 msedge.exe (x40)
- PID 2800 msedge.exe wrote to memory of 4708 msedge.exe (x2)
- PID 2800 msedge.exe wrote to memory of 4260 msedge.exe (x20)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/LotusTrojan/Virus-Maker-VB
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe808046f8,0x7ffe80804708,0x7ffe80804718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2352 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5116 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,13375584071556775736,7650675328294145310,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6056 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\Downloads\Virus Maker.exe
    Command line: "C:\Users\Admin\Downloads\Virus Maker.exe"
    Signatures:
    - Executes dropped EXE
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\NOTEPAD.EXE
  Command line: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\bro.bat
  Signatures:
  - Opens file in notepad (likely ransom note)
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\bro.bat"
  Signatures:
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Boot or Logon Autostart Execution: Print Processors
  - Drops file in System32 directory
  - Modifies termsrv.dll
  - C:\Windows\system32\takeown.exe
    Command line: takeown C:\Windows\System32
    Signatures:
    - Possible privilege escalation attempt
    - Modifies file permissions
  - C:\Windows\system32\icacls.exe
    Command line: icacls C:\Windows\System32
    Signatures:
    - Possible privilege escalation attempt
    - Modifies file permissions
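The chain that matters in this tree is cmd.exe running bro.bat: takeown and icacls against C:\Windows\System32, then write handles on wintrust.dll and pwrshsip.dll (the Authenticode and PowerShell signature-verification components), termsrv.dll, the winprint.dll print processor and 64 files under System32\drivers. (The Notepad hit labelled "likely ransom note" is bro.bat itself, the script cmd.exe executes next, not a note.) The script below is an added triage example written for this page for a host that ran that batch file; it is not code from the sample, from the LotusTrojan repository or from the sandbox. It assumes an elevated PowerShell session on the affected Windows 10 x64 host and a lookback window (-Since) you choose.

```powershell
# Host triage for the bro.bat behaviour in the report above (added example,
# not the sample's or the sandbox's code). Run elevated; -Since is an assumption.
param(
    [datetime]$Since = (Get-Date).AddHours(-2)
)

$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Ownership of System32. A clean install is owned by TrustedInstaller; the
#    report shows "takeown C:\Windows\System32" followed by "icacls C:\Windows\System32".
$owner = (Get-Acl -Path $sys32).Owner
$findings.Add([pscustomobject]@{
    Check  = 'System32 owner'
    Target = $sys32
    Value  = $owner
    Status = if ($owner -eq 'NT SERVICE\TrustedInstaller') { 'OK' } else { 'SUSPECT' }
})

# 2. The files cmd.exe opened for modification that matter most: the Authenticode
#    engine, the PowerShell SIP, the RDP session limiter and the print processor.
$targets = @(
    (Join-Path $sys32 'wintrust.dll'),
    (Join-Path $sys32 'WindowsPowerShell\v1.0\pwrshsip.dll'),
    (Join-Path $sys32 'termsrv.dll'),
    (Join-Path $sys32 'spool\prtprocs\x64\winprint.dll')
)
foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $item = Get-Item -LiteralPath $path
    # Record the hash as well: Get-AuthenticodeSignature calls into wintrust.dll,
    # so on a host where that DLL was replaced its verdict cannot be trusted.
    # Compare the hash against a known-good host or an offline catalog.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $findings.Add([pscustomobject]@{
        Check  = 'Signature'
        Target = $path
        Value  = '{0} sha256={1} modified={2:u}' -f $sig.Status, $hash, $item.LastWriteTime
        Status = if ($sig.Status -eq 'Valid' -and $item.LastWriteTime -lt $Since) { 'OK' } else { 'SUSPECT' }
    })
}

# 3. Registered print processors (T1547.012). Only "winprint" -> winprint.dll is
#    expected; an extra entry, or a Driver outside prtprocs, is persistence.
$ppKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors'
Get-ChildItem -Path $ppKey -ErrorAction SilentlyContinue | ForEach-Object {
    $driver = (Get-ItemProperty -Path $_.PSPath).Driver
    $findings.Add([pscustomobject]@{
        Check  = 'Print processor'
        Target = $_.PSChildName
        Value  = $driver
        Status = if ($_.PSChildName -eq 'winprint' -and $driver -eq 'winprint.dll') { 'OK' } else { 'SUSPECT' }
    })
}

# 4. Drivers actually written inside the window. "File opened for modification"
#    in the report means a write handle was obtained; LastWriteTime only moves
#    when bytes are written, so this list is narrower than the 64 IoCs above.
Get-ChildItem -Path (Join-Path $sys32 'drivers') -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'Driver modified'
            Target = $_.FullName
            Value  = $_.LastWriteTime.ToString('u')
            Status = 'SUSPECT'
        })
    }

# 5. takeown/icacls launches against System32 from Security event 4688. Needs
#    "Include command line in process creation events" enabled; without it the
#    event carries no command line and this check finds nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '(?i)\\(takeown|icacls)\.exe' -and $_.Message -match '(?i)System32' } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Check  = 'ACL tooling'
            Target = $_.TimeCreated.ToString('u')
            Value  = ($_.Message -split '\r?\n' | Where-Object { $_ -match 'Process Command Line' }) -join ' '
            Status = 'SUSPECT'
        })
    }

$findings | Sort-Object Status -Descending | Format-Table -AutoSize -Wrap
```

Treat any SUSPECT row on wintrust.dll or pwrshsip.dll as invalidating every signature verdict produced on that host, including the script's own; re-hash the files from a clean boot image or another machine before deciding whether sfc /scannow and DISM /RestoreHealth are enough or the host needs rebuilding. Ownership taken from TrustedInstaller is not reverted by those tools either and has to be restored explicitly with icacls /setowner.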
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5477462b6ad8eaaf8d38f5e3a4daf17b0
SHA186174e670c44767c08a39cc2a53c09c318326201
SHA256e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
SHA512a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5b704c9ca0493bd4548ac9c69dc4a4f27
SHA1a3e5e54e630dabe55ca18a798d9f5681e0620ba7
SHA2562ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
SHA51269c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
2KB
MD586d1eec673a4dcc2ab91ede6e088d0e3
SHA1a5fc225450df518826bd96226ba6b750bed2f849
SHA256ec8da24deb9b91eaa142dff62ed0e9f045d5351c1acf4eb3b3dd7d3365974601
SHA512eefea99bf4912588fc1bb26c603463b6caa5845adeceb682cffea9af76a28fb561b0c58fc8ee1a89dac85dc0c95a0f50bf596efa68c9cf5b8e6e9343efee0cb5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
595B
MD538814757bed1b394fc225f44c1384214
SHA15c0405a2964d8b5ea3736d4c3f182d97bf7ead67
SHA2560aca0d43c630d3477c5f6e619a56e1841ee38d8ac699270935615d1fb06af69e
SHA51265a80226f2be9fd62d40d1d321a489839bdcff093d40e6e67860a01a6ea4bbfc33e435218cdbaefcd8ef62514540d83a81043280d659bea85e3c1828af52f45c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
678B
MD51d9bf44973c18a2a639d1ed1eb792d88
SHA14ca08303ca556d377ec860d8e8526a257afba41a
SHA256425622de3fd0a3557af7b98894d3e97dbbb3f0624b64567df01c3097e0383647
SHA5123a682153587571be751d257cb4aeeea94af2315a138c9836d68a51328863b741707674c9fa879c78edfb6b322648cadc5ecab1eb6025b267d086e23c9e2aa36b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD54cc265ae851b0fe14a5a7801460aa76a
SHA11c44b50f9aec621b5e3771d7388300fc3574ff86
SHA25647ae42997f1d78d7b505d304c5d3c7321832f3d5e16f9af1f7d187e653889058
SHA512b0ff599fe47484431c866e7109202f0d679dba246ba1854ea5b25530e3cf471a979d00efd5086b9dc1f27a7d1e4672c2cfefb6ab44aa5c5ba7919442aa8a85b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5adabe229b4b701fea1bb3c323d62e814
SHA18b112c9165e824fcdf98cb64b1d2792741eb2943
SHA256513550206d0387418c93c57c6daa7462efb1f4990dbfe4475bd012fcc6579560
SHA512dc988b937e28522ed96780304a9213341a9ea7f6280fa7493c7f5dac567bcf5c217ce1501eb4a6e9476e66ebb31c512881e355088fbce6aad63edec3284f1d57
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5dbb5a0c4504ee122d0a6a46530d0066d
SHA1709fcf91a4be91488ecae537785760179b1e42ed
SHA256e35a0373ac9eee9da25a3a9a2aaa7f770279d72138d7655b6fe15c6570db36b2
SHA51217f296e0b2802250df2bfb95aaeb84b592504fa205282436b5055c4d06361426e9573bda36f57a7e5cd44a0dba9d4773059267908996e2bd050deccfc341e85d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5281501ee4d0b8414a6f373cb43f2cb5d
SHA19c6688ba064a85ae11f5483caa22e86b3a2a3bbf
SHA25680f01656bcfefdee91304f1b3cfb121160d89dd215f70532a1c3790b8a729e88
SHA51230acd2d34a603c5e9aec65b0335434dd24739a473a31415d744e2e50be571be5d1515d1eccf40da908786716871a170987f3da26a87a070bccad00bb58f62c99
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD515252235f21cc9e37d8294e63138d927
SHA18fd9ea221ff37011ae9a19c067b4e3cdd87d8f27
SHA2564b0b4e2996af206538f0358b7cce2da21b0e7f22897f46b8a2555586ba4082ce
SHA5125db4c7c182ba9b0387a849460297423d44ebe7c90f0838eb202e51987df380b0459460d1387acb7be5d808a20e1faf0bbfde1d6cea42649eaff3ded59dffdc97
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51f62c604efc249ef6a41a720f90d7da6
SHA15a458f95a595d8659e425c56f7df913e83a929d3
SHA2560f071b91bd2bbc76c08e8c7c9a513e2700140c8bd3fd85352af9d347ed88afba
SHA5125ce8664179c394a2b69c08d164273ea826295621a22e3ef8e947893ba51999113a8e7d3079bd6f9cd3a3730fa91fe456e90161925a6975041fe489974e01eb24
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 0b2f74472565bcab6664c65b3462090a
SHA1: f621170113d96da4da9588713b51a0580517e0a7
SHA256: 8a9480eeccc06cdb30aeed65009388d30a9034bcf2a3355c5474bd66419ac9d1
SHA512: 7f46268818951abfdc4bb888642ac0f0416ddcd8ba85b03a57bba8f942e290620de51ac06b609781c4ffb36e0c698fe513b3819d7966af6e4ff85a09afe9f138
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: e52950d1d9bcb59f21bda1198bef1046
SHA1: dd9c089d511ee4400377b2a9383afe56a21be7b3
SHA256: 9a83b8b503eed3a0ee86ecfa6d295a39b0ede9b8aa971341064cc91c473738d6
SHA512: 65a6785044b20c4c3cdb4c5b64d396436fed4bb5d214e5548cafb22fb651bce76183cd6d0c1ad6df702267e775ac8ebceb48af6502e85981da800ba9c65a599a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57855c.TMP
Filesize: 1KB
MD5: db79801a49cbb68bf8133ab311fa6e24
SHA1: 4579a40b2162828a0335365cb8d0abc2fe45cfe3
SHA256: 81bd84e8b13db1ef137672a9ef1177aa09f0d13abc9ac8c177ff54497ba83cda
SHA512: a743d3c2aa7183a99e35c0e8984eae892f31e206383268ecfc739a19f606ad8f5d2a996dd8f02c80aa51c13c302f6cd2abe3225f4e63af634095d7f50e61fdab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 4e62f37998f1de4fe4d34bd27640e6d5
SHA1: fedf443116a0beed9fbcc4a661660744ce0b1dc2
SHA256: e94d967cbef6ea352deb8a808748d87df686252d4ab82e364a0de76dd3c37a90
SHA512: c3c45ca7749711e71fd993480251815e44ca4977f6e6652f7b8daa1002bfd4d3b3340b2875757da90612590fb6aeb03b3f8f6ccc3e740c884e02df3f0ea71434
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: cdb3987a4863b47a290b91dabd1cf73e
SHA1: 62752d7a69edd7c799686b4087e62c06469c7a08
SHA256: 9620a03a074aa27a35381c1d2a24878c8b78994767ec5f8d374c9c40c6efefa7
SHA512: 46c70ced19c92b94b94c9939ae54448ef35c63c238f81e0f5bfd6e21cb233509ae29f57eebf5ac1b65967d0b1b383b3901a17286330f474bf744ab1734de956a
-
C:\Users\Admin\Desktop\bro.bat
Filesize: 83B
MD5: 57b50a6ac39ca6bb5def00ab473eebb8
SHA1: 2c9c6131c56461bf0d845182294cfd89262aa655
SHA256: 51a7bacfcd60d7d7ceaa35b07097f9ae9215b95d1cae22eb1e80d5f9a21d4935
SHA512: b59642aeb6fa9dd5674807319a6064c2508b5c02dd4093bd7cdf1b4a1183b4a5faee55c155c4fc3009b6f0545cac1a1e32ea7ac4333ec3504abbec9e69bcc71b
-
C:\Users\Admin\Downloads\Unconfirmed 763099.crdownload
Filesize: 4.0MB
MD5: 584f1f458f1f7fbe966cea5fded1fd91
SHA1: 5e97ba311228796ac9cfd0556d96cb6c22111a3a
SHA256: 0dfa569df3b8b2b075d29cd63c5a35a5473b89b355fad0af2c5aa148346edc70
SHA512: 572f3593a6d3c7efb612f42ab647ab33073ef1c64ab46697b3e0024c9425cf20e307b0b815e742e65b2be728b084662e4ae53e730dd3263e9a5825c52392a7c3
-
\??\pipe\LOCAL\crashpad_2800_RWZQAQMQLGVLTHZP
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/456-355-0x0000000005580000-0x000000000561C000-memory.dmp
Filesize: 624KB
-
memory/456-356-0x0000000005BD0000-0x0000000006174000-memory.dmp
Filesize: 5.6MB
-
memory/456-354-0x00000000008B0000-0x0000000000CB8000-memory.dmp
Filesize: 4.0MB
-
memory/456-362-0x0000000005620000-0x00000000056B2000-memory.dmp
Filesize: 584KB
-
memory/456-363-0x0000000005560000-0x000000000556A000-memory.dmp
Filesize: 40KB
-
memory/456-364-0x0000000005820000-0x0000000005876000-memory.dmp
Filesize: 344KB