hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/PowerPoint[.]zip?raw=true

Analysis

max time kernel
115s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 20:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/PowerPoint.zip?raw=true

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

sys3.exe

pid process

1116 sys3.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

Endermanch@PowerPoint.exesys3.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 Endermanch@PowerPoint.exe
File opened for modification \??\PHYSICALDRIVE0 sys3.exe

pid	process
1116	sys3.exe

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	Endermanch@PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "192"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133247768630305583"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

4112 chrome.exe
4112 chrome.exe
4112 chrome.exe
4112 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4112 chrome.exe
4112 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe
Token: SeShutdownPrivilege	4112	chrome.exe
Token: SeCreatePagefilePrivilege	4112	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

chrome.exe

pid	process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

chrome.exe

pid	process
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4768 LogonUI.exe

pid	process
4768	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4112 wrote to memory of 4956	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4956	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4864	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 1768	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 1768	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe
PID 4112 wrote to memory of 4784	4112	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/PowerPoint.zip?raw=true
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa7d4b9758,0x7ffa7d4b9768,0x7ffa7d4b9778
2⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1808 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:2
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:1
2⤵
PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3192 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:1
2⤵
PID:4676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5100 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:4988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:2280

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1832,i,10243604871346587075,8636290829614860705,131072 /prefetch:8
2⤵
PID:4176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Users\Admin\Desktop\Endermanch@PowerPoint.exe
"C:\Users\Admin\Desktop\Endermanch@PowerPoint.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:3388

C:\Users\Admin\AppData\Local\Temp\sys3.exe
C:\Users\Admin\AppData\Local\Temp\\sys3.exe
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
0a30ba97216306dca5abbe1859aabf7b

SHA1
bf615f1c8527d4aae484c82bfb1a71adbf156186

SHA256
9c6a7dc9c71df7a2ae8cdee1de231837b96c41c1d87bfa3a463f3c638d28de37

SHA512
e6607d3d4ff34a5cc117a96c7520c9b3bdad030597bc94ca9403c1e5ae478c71c3b4449c120c5656823ea9c42dcd0affc0615e61bb2ec6e5882c16b1be7bf3ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
8ad67c80528a8435b6612c4f97c19afc

SHA1
e214b799e4fbd3b2b4a0657e0540f264df2ddba7

SHA256
25e25688a9fb2ca160e4fa8283fa1490258a42da4d189a5de1e729338a70b62e

SHA512
4ccbc011e3878b8ccb3f8cf31a2bacd48b7af86de6ca9a43442a190a63a8957e0b09c757af7dabe28c2ce55c1d6a33696ec3c61d1629752f0a587a3a96c43317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f3ac3b42ebe30602bead776896828a7a

SHA1
6fe02a1c23a23804f6ecb49e96601e8444e5be53

SHA256
5739586adff25069f303f988a1eb386c83c795f8f941f4e82a5df967cc004a93

SHA512
a2b33b3ced2f56409e9b998ca1d6758669e4740f3a0e2b7fbe36d6c38a075cfaaafb88b32738667c0c079829412d1bf3a47af22ad535b43e062600aa1574851a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1b68d1d18d045e427ba0f5037b50c98e

SHA1
b424ba6626fb2b57cce4c98172f0f1c2b7145f7b

SHA256
1829662e39c0196dcad3d04b3d6ea0c7eb2a2273d64c6a92e8548011076ebe7c

SHA512
fa53efd235710de7308e24cc504ced72de02e6ded9c0cea0208b7b9f4225e446b59994a9376be86352b038782649e81ff587e79302199a808dedee9f4524d456

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
706B

MD5
6d9f85f285155791632e401ea4421670

SHA1
ec91ad0f76399ed5de4852cab069cf67604af288

SHA256
0cebb01801e9de4620abc7fb6b7ef86603b76ece43d288ac1978cefc5434c71c

SHA512
dfaf791d803bf2d5444fe0a43c684dab7a97ac28f8c1057c4f3e3d05735f1457ccb24c6b5c7a5afde8066b18588899ce10d84e4bdd169fbc2c031e7c095588fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c1c38db41c1938e4b895831091de2a37

SHA1
72879f1fe0fff926bed56afa36ecd8372b23dfa0

SHA256
109cff278e10f77084ef8147e00d31b14c42d67c1914b8f5e952ee0ff878cad3

SHA512
6f6636e026977914c3cccd1f427f723a78383a65d023fbd90965abb0c47a940f5c5d7074a36db7ffab26f56a5f604522a5d324743dd5f7275760812b9c3c057b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5e5d92d174ef5046e4601336ffe07770

SHA1
bb4b6cec844db67d6cbf15b423f4a75aea205441

SHA256
a0898648e47c22fe79aaaee81ccbf5d8a1e1b3f1f7c790b18521058106653fe5

SHA512
b9f8cb3aaa7eceb78579630880667f3fd36e22704041bc54344b6a7c4b5e6e691a130e64d22669577240fdc10d65712185c5e8ed2cba2001638f4ea55f0ecbe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
58b140f089a70116812372e739a27c40

SHA1
da9dcf9433b57034371adf90c15c10fd8628af9f

SHA256
9f9333b5dc75fa0a294b8e331d69abfc0e32edfa2f7c7e95b333045b2d8b219a

SHA512
58f9bbf145446c37935c7c6e4857dbb8863aa42e18066447e7c78a032787c6566ac41db7d2d1e101d61eb6fba667a74bce1b6366dab058f6a294662d8b281c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0d433d965f70f6f431621fd6f3eabef2

SHA1
d7a94bc40cd271eac46e87405bf3f0a5c60c370f

SHA256
e99140227e21495f1ec22793e85960ea1d1566aef9ee99b894dfdf1c972320d3

SHA512
6367d12a29f04c3c4a1b0d6951fb6fa6ceb4435d19c3eb5a8c161fe27d9ee669613994e7f9e1467b496882971bf5cbe2df4334ceb8cb3d4b4bee3e3a4c424d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4f9aaa740843dfe3a9ffad920dd5d911

SHA1
9aaffff352b4340d4036d6f8fa5aa39ffe9e9217

SHA256
47ba8d68337dd77ed35c93452f704fd5b295aab6ec3f899a6bdfbf71dd000218

SHA512
6f635f77b7eaf5ac4e4dbb082cd13770b5d13ed9981f17faf9229786116fffcd1a3f003cbe6967a16062c3a1c5367934d55c30a017c7ec8ebdee0a09ef99278c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
d327b351394bf2d7ea52c9e69ff66735

SHA1
d513c24316d700c66ad892f0c59e40bf43f3708d

SHA256
84d63ffccf4dd1d511792ba06b609cdb3486967420ca419a75a06345e25a1c17

SHA512
6e7edb49f6640163b6f355c109c60286090c88a2c6b5370b81970befdaeefe474d6b07b04287e8fa165c48d21b1eab9a7958a398e5c4271681ba97756b54bb99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
1b71711817f3a930924636e948b82595

SHA1
ac7b4dea520e92facfe377c75b9c55ec8db5dfa3

SHA256
a94aafc9a098ff91b8a2125dc66b532f93a4574623b0515a3418aec0427fcc68

SHA512
5df81df3bacd5a3338a2e109f72c8917be6737519798a23d4664dfbe1b0778ab49e13ec6b089cbc8f74d6438b65022737b8b0d23cf42f8740c945439e5d9736e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
175KB

MD5
66bc52a4cd04256fa22ea561c22f21c7

SHA1
170ebfbcbb4d68a61c7f8f972e90b1946d49a5f5

SHA256
c3f6fceab7003a36230357192222d2939f61837254f2aa970098fc172ff4e4e3

SHA512
ac08b9fab60a04cec15a5fd1cfd77ca4b1b8a43ee6cc566816065939271cba6b2cb118766792d9a72bedb6062e90feb90d30c5ac399a28567a06a92c6e98f7b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
175KB

MD5
2485cfda230e852f41b6ee6bce749858

SHA1
90f618e6c03ec430244748e37c63938e0e263adb

SHA256
dcd1fe01eb006c2e9e52074064df137a8b23a6c2bf467fa1924c2e5becdd49d2

SHA512
aa9a7a31149f4f32c7f4ed2cd334d98ceb0f6594c9abbe831dc117f52e1d18a435f0dac76dcc47d49107286cd9a3f4a3ea1004b4e40bb5f8691db1c03af918a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
176KB

MD5
17bdfa3b2826e26f6f73a435cf663565

SHA1
f1c989cc188fa6ff89d24fbabc1a8ad5cf04586d

SHA256
68690b635aa0d882e9344e0d73a8da214a06d1a9041a076fb7df8656aa8bf705

SHA512
40630940fac9ed6d87b27a7a2cbcdf98457d930c550a29e8ec471bb556087031c29e992483ff8ca4a29ea641bcec8babb4a21f54958ca8c232d2983cd474b088

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c2da0249-5090-4bb0-9687-bf187c7f723d.tmp
Filesize
175KB

MD5
73d18b9fffb8dcdad94009a8027dba86

SHA1
dd54324e7dd391260eece2a6acec04a35b583072

SHA256
79c289e0ee152c204908b24204edeadd69882a438f72d3435e83d0bcc96f64ae

SHA512
bc177be4b58742ca0771c7dd2ce4ee599d0808e83587da7f60b66c708b1ecc336c0f880b2541ec38cbcdd706a4be4df4213c780fae1e95936e4c735b01d74a2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe
Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt
Filesize
48B

MD5
07e3589ce173a5f12986f44253b0bc8a

SHA1
7263c370da58a626831aa45fabefd8f8911a7450

SHA256
69365cd85daf13bf52d9a8b1f0dd4d7658d0b4a364c8cd799e15f8a1bb05b896

SHA512
3cf692a2b3004f0ef5488f5674b6c8adb9dcaab52be1ee9cae709e6a8688af443d735a060796f086d0bc1c4e6ea18f7b8ebe2517e418911dd1946b0aef7ef857

Download Submit
C:\Users\Admin\Downloads\PowerPoint.zip
Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
\??\pipe\crashpad_4112_MFWLEQLUQSJCTCEJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3388-360-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads