dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/%24uckyLocker[.]exe

Analysis

max time kernel
128s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/%24uckyLocker.exe

Score

10^/10

dharma evasion persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe

Executes dropped EXE 2 IoCs

pid	Process
5616	$uckyLocker.exe
4972	CoronaVirus.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
68	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "0"	$uckyLocker.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailAppList.targetsize-48.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsStoreLogo.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.boot.tree.dat.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailAppList.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Reflection.Emit.dll	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSplashLogo.scale-300.png	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClientSideProviders.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\msdasqlr.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Square71x71Logo.scale-100.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.scale-100_contrast-white.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugin.js.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\View3d\3DViewerProductDescription-universal.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\snooze.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\ui-strings.js.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-il\ui-strings.js.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ui-strings.js	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp9.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-black\MixedRealityPortalAppList.targetsize-24_altform-unplated_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-GoogleCloudCacheMini.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarSmallTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nb-no\ui-strings.js.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Cryptography.OpenSsl.dll	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_hover.png.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Medium.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-72_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\Classic\TriPeaks.Large.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress_spinner2x.gif	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\UIAutomationTypes.dll.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageStoreLogo.scale-200_contrast-black.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_EyeLashEye.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\HxMailAppList.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\MedTile.scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcvbs.inc	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\LargeTile.scale-200.png	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vreg\powerpointmui.msi.16.en-us.vreg.dat.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Message_Sent.m4a	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-20_altform-fullcolor.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogoDev.png.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96_altform-unplated_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-40_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\1850_40x40x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Exchange.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluCCFilesEmpty_180x180.svg.id-10BCD7B0.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\vstoee.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML	CoronaVirus.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
12196	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{0A3D6B73-6034-40DE-A684-271D02F439A2}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 581453.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 783203.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
4492	msedge.exe
4492	msedge.exe
4592	identity_helper.exe
4592	identity_helper.exe
5424	msedge.exe
5424	msedge.exe
4816	msedge.exe
4816	msedge.exe
3020	msedge.exe
3020	msedge.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe
4972	CoronaVirus.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe
4492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3752	4492	msedge.exe	89
PID 4492 wrote to memory of 3752	4492	msedge.exe	89
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 4304	4492	msedge.exe	90
PID 4492 wrote to memory of 3092	4492	msedge.exe	91
PID 4492 wrote to memory of 3092	4492	msedge.exe	91
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92
PID 4492 wrote to memory of 4060	4492	msedge.exe	92

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/%24uckyLocker.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8591346f8,0x7ff859134708,0x7ff859134718
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4696 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5424
- C:\Users\Admin\Downloads\$uckyLocker.exe
  "C:\Users\Admin\Downloads\$uckyLocker.exe"
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1128 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2728 /prefetch:1
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6732 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6736 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Users\Admin\Downloads\CoronaVirus.exe
  "C:\Users\Admin\Downloads\CoronaVirus.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:2864
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:6420
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:12196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16762951608269142297,86812172914729438,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3448 /prefetch:2
  2⤵
  PID:8244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
PID:6048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:7324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-10BCD7B0.[[email protected]].ncov

Filesize
768KB

MD5
27b6a2e0cd3b78a1aa729e5ef3444279

SHA1
075764a8bba8e13942e833ed91267f0c6d89be72

SHA256
df1d05914a8faf75c2d6421d21990f78134c51a3e6d7b434a5fbfd1c350ebea4

SHA512
e1fee7154fd0cb7602a62523801b690ea30ff59a86a094e1aee5062deca582d72d0ca6be9fac5b6951029300186fe2e87849a4add9af205f54240b97f804eaf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\197cd757-2f31-46e2-be20-a86f7b2eaf1f.tmp

Filesize
8KB

MD5
87818055381b4539c003d2bbdceba47d

SHA1
745938fb18c96efa83f88b3c69f417367b8a81a9

SHA256
e866369c2e5f03dba075f504aa0624248b5b26bfd9c557774ff8b5eedf5a8f9e

SHA512
2373842d890ad2672ef4eead1159512717445ac43255271ed754245840fbdef0c8e7f1fe9d5c51d586d4b7f41cd6bb6df3ddcaa3fe6d4aa700c12d697896e5ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ef1fef2f7cfbb93ea09b2675b7708784

SHA1
c971565c338758b58f7d1653aa71d0ee24c44b5a

SHA256
032727b742171626898263a443eb3f8340facafb7ea42472d61a9b6d1f92c4f6

SHA512
99eb2d49f51e0c1e1a0dc78edb2acefd72cdc909ce85b661eb251092b037e5ba54c24e1e9689859157313574e87d9d267a59458c61600c3efd3eef544bb685bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
dd1cb7c3a5cede5b4a01ca77da44f6af

SHA1
425fcc6e4dadd02e2e8a9c02c0026613ac544838

SHA256
f45fdf9243b0730b4d1178d10395d0e6c28822f530ea824a3a1e480f5101b9a0

SHA512
f27ba4bcd4f9330c378e639277a3435a5f48077d9ba127bd40644daaa0b8883d3858724812505cf22bc832b4c8a793f8c4d4a0ec374df3d0867d492ccbd22889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
649B

MD5
ce049c4a35daeeed17f500be9a60c329

SHA1
1438e1d0a796a5c1f250ad87e17031aab4e9d312

SHA256
7b0fff498eb13842ea3c49c3bf7415cdea167dfc6d775b80ac1fdc344059fb86

SHA512
80ca2de4a1ee2889cdd6391f35b335a294d567650dbd81860ae35efe1e961f33706db8373e95f36d98edc8a94ca2b269e2e4d1363ecc1913f39ab4a6ad3bc7b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e65f8e1855f6c0a25978ef586d69130

SHA1
efc522a433c57b4259d47effc9472a76c02483bb

SHA256
e3f1bd4de6fdbb02b0e4b77840980d96e9cae7642cb3f1d372840c84639741da

SHA512
d261538057a831e8065ec5924b7ed88159d8394b80d8fc1ce98b81e5055708c378665abfd23f24128b1c121acc45d20bede91862fdd9e04e95fc37d75b62af82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8fa130fd4ff9ddbac526970a13bc1ea

SHA1
2d0fa9e40ac407ec14b1fd5cd2545f8dd3aaec4e

SHA256
567ef31709fe3bd8f64b3bc75b1a3d790ab1ed95db254b4144d2f7c22a1f553e

SHA512
9b2a50ee7a3cf576e0c6adeae9fe30da7ba105f750b2c3b7befa940b27090c14534468af9e854e632b992244dfe6070432cfca9179f76f3efaf02ece1c5ef4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1facdb85b182c3aadf43460f924fe7a6

SHA1
598d19744354f56b6bd6b1009047f7d9a1a555c9

SHA256
2ad988dca48efd67f8e22c403562f2149c7070a5e933d94fc383f80a4b0f1099

SHA512
099ac3ba54bb9f8072fa02d46d051d9c7ca2801042b235cdc12dbac0e4ddc68cccd00a35b94afc350d65f0440d976794f941685a67e3bfe2ecd761c598057287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f75a8d684592bd5f325d782b3aad6068

SHA1
7adb0014a9c5c3326418971707b6de4cb5e09d49

SHA256
6a3bd873012703c73ceb5b59842e5594dca6a4592c12c0a7dd9f148f327a2985

SHA512
fe5ef6cb183979ea10df61e4f023323faf9b581df37992fb6e4963c2ff961b7620b7d5818cfcdb41e9ccaaa2f1620f2e462a93761529f50467c85bce6ffb06df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55d127207d8968892f68056ea9bd1d0b

SHA1
a341b3628bab67c9e8ee14082cad47adc5d172bb

SHA256
81ae5d435e5a428c2f44ce3a505429a144b690e4daa0d7948f12711c4274277e

SHA512
96a4940f728332fbfa50e213247cd2f795a1079d09c3f518bedfd526c87981e33385a47c480198e34e4f28e10151b8e0a30955f1d3cbac3539c64bdbc7bb5cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
57a6f908e62b1ec5c196284c7874f1a8

SHA1
04d5885ab789a117c65d7bd13ea6721ff0ae725d

SHA256
8c1df3eb6b6409f28e39b3c60c1ff0b3630012e3e3fa43e053b59d4cd2948f1f

SHA512
5de39eb65947d77416060da2108f504f43904d558bcefe76a4fbb5da35310886589db9b2950235882102ce4bd746665d590f92cef1c539cf0be46cb90860d608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
96c10f58249c3b06129acc2bd2ecc103

SHA1
001f4372c5b1e172252bf58007f1a85637c8361e

SHA256
ba0aeb99fed63988fd14c0901c7c4588062b1a9c534f16d619a0ae5062c56916

SHA512
ca389dd1eb54bfde2edeba1107baaed578f5563dca2eb07caaf5f48e17e4f1bc8b6299c26946f0c8736bffdbeb896d198f175560c4e13fbdef3c48fcd1005935

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c12c4539a7e0b76aab3ab073f37ff6a

SHA1
177025240c87a380b47433e7526aeb4fc19c1806

SHA256
1c95c99e8981ca02bf050573697a5ab943e85b27fcf861724fa14df9ab3419a0

SHA512
dbde40bf65da907f168136b77ed57aefeae7ddcdff2bbcf44ad2ed69a027e8207dae0481d56b309cef6be2fc19bff4d16310a1453297663f1baa53dc497a99c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581018.TMP

Filesize
1KB

MD5
13cb506466569adbb425813ea863ec3c

SHA1
ee8b6b0f9bb9507eb83b7ec5a3300aa03266deff

SHA256
47a2d6acfa6ecfa22cd46fd4f2c87fdcdfb5f7480da9a1a88bf2411cc5cf7b40

SHA512
55182f9cb0b2838c2cf29ea4d97a7bc87766c9744bbfae5817c3547f55f1c22e18fb2056c340d7327d3df5b133134d8beddd821505fc74317d0acc2d88d126a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
199c83dc38721adbc597f0a3110dd89e

SHA1
db75f95a0f830d105262c96408b8784f150321ad

SHA256
f8a3d6eaf3b31145bf953dc52a63af857ea4f59dba101ee07c7f8a1b81ddd933

SHA512
def4016073b72d794a121078b8dc74eb138ace4674bc73dc49f44d0231649c272278979aef4336b3cea456e9e38427ca6d4c3db85a89105549d06fe73352be9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
927abfb195d50ef0302d1432644f59ba

SHA1
6f6f6a11d8e4e6f710917976472cfae3cf739cad

SHA256
9a47f239c6f91772142e21a76fe19efd39b50a9c72d6d4ab017e57547112297c

SHA512
a7a94aa0557a17ec14fc76c669e4850e3360950fb7c15d8c93088c4cad99fe50d9c27a4ac0e12ea04474a3d47cb9dd31bd80d575c4949af1a90a1f151d19112e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3c7e739432886bd098aa0787de3db64a

SHA1
0354d5867b6a66d6ec8dede0b11d771fc8017d77

SHA256
d0d9df1b81d573330909a42089bed1c074dc92475e795e11f94943ce5d4ca50f

SHA512
d5b785edfb8d871ad2cde23c97bdb429ab076c86067a80ed3bd0927f74bdbac9a7f2f1df68a385805b33297898dce3762bae5fed98ae89737863716dd289114d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8c2efb81e4fde395ef316e7cdc53e9eb

SHA1
6dd23ab8579bf927ec6424ec1aa635762e5d9e74

SHA256
e07664fef638560d5e7e6f52585bd979df664f3124c4c1db4ab72a1ff053e8af

SHA512
89855e1b563b2b3d80013254b3618be2a271093bb059653050e131273ef18478c88aad65a40e1f8f80d9fef582026e65655b6f85b57f605ef9c6666ec5917bb9

Download Submit
C:\Users\Admin\Downloads\$uckyLocker.exe

Filesize
4KB

MD5
d807bbc0b1c2514590da62666e82718a

SHA1
25f63ffac3e7ec60235445c5b62e227208edfd68

SHA256
4f5f3188503e5c5bf7af1d8c6be735af8275965d5f72256631a4d7fbfd70d980

SHA512
8c0c3756a86ca4577f4a3abfd5731ffa1cb4429d76cca7b1b9470c7789117e1fdda4bd5aaf8ed511213ba4b1c34adb2ee6de6484c9058602245737a3fb0ea693

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 581453.crdownload

Filesize
414KB

MD5
c850f942ccf6e45230169cc4bd9eb5c8

SHA1
51c647e2b150e781bd1910cac4061a2cee1daf89

SHA256
86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f

SHA512
2b3890241b8c8690aab0aed347daa778aba20f29f76e8b79b02953b6252324317520b91ea60d3ef73e42ad403f7a6e0e3f2a057799f21ed447dae7096b2f47d9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 783203.crdownload

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
memory/4972-596-0x000000000A5C0000-0x000000000A5F4000-memory.dmp

Filesize
208KB

Download
memory/4972-566-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4972-5928-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/4972-597-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5616-184-0x0000000005B70000-0x0000000006114000-memory.dmp

Filesize
5.6MB

Download
memory/5616-197-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/5616-187-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/5616-237-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/5616-241-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/5616-198-0x00000000055A0000-0x00000000055AA000-memory.dmp

Filesize
40KB

Download
memory/5616-183-0x0000000000B30000-0x0000000000B9E000-memory.dmp

Filesize
440KB

Download
memory/5616-182-0x00000000752B0000-0x0000000075A60000-memory.dmp

Filesize
7.7MB

Download
memory/5616-199-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/5616-240-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download