badrabbit | 7883074b12c8699252c28d65cedd257056fabe1f4e29d4e0dc2e725d68a70880

Resubmissions

01-05-2024 18:26

240501-w3bjpsfe33 10

Analysis

max time kernel
599s
max time network
601s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

20KB
MD5

efd8184505de45f5d4e7e82f7c887ec6
SHA1

3329f0c3c6d6eec149808c03a13a0b4bf63cb6e7
SHA256

7883074b12c8699252c28d65cedd257056fabe1f4e29d4e0dc2e725d68a70880
SHA512

b834b4596e86648a8ecfd93e9c996231972d13b623c18c86d82654a1764b56cda72aaf8a2eda2b98e7d9cbf316f7ae059e0c7a85ac75e13edd07491fdf7afc78
SSDEEP

384:rGUtcinm6MDpmReVoOs4mi9ylKeGMuUoUHhhb+iq7QS2LjMrSG+TIJCgMmVn:rGQcinhMBVoOs4mmyI1MQUBhbxM0MrS4

Score

10^/10

badrabbit darkcomet mimikatz agilenet evasion persistence ransomware rat trojan upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

winupdate.exewinupdate.exewinupdate.exewinupdate.exewinupdate.exeAnnabelle.exeBlackkomet.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Annabelle.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

wscript.exeAnnabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Annabelle.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\EA98.tmp	mimikatz

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exe

pid process

1832 NetSh.exe

pid	process
1832	NetSh.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Annabelle.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	Annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP"	Annabelle.exe

Sets file to hidden 1 TTPs 14 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2956	attrib.exe
4048	attrib.exe
4920	attrib.exe
2744	attrib.exe
4944	attrib.exe
4384	attrib.exe
4040	attrib.exe
4584	attrib.exe
5024	attrib.exe
1496	attrib.exe
3400	attrib.exe
768	attrib.exe
1980	attrib.exe
1212	attrib.exe

Executes dropped EXE 8 IoCs

Processes:

winupdate.exewinupdate.exewinupdate.exeeulascr.exeEA98.tmpwinupdate.exewinupdate.exewinupdate.exe

pid process

3320 winupdate.exe
4728 winupdate.exe
3172 winupdate.exe
3616 eulascr.exe
976 EA98.tmp
3212 winupdate.exe
3344 winupdate.exe
1176 winupdate.exe
Loads dropped DLL 3 IoCs

Processes:

eulascr.exerundll32.exerundll32.exe

pid process

3616 eulascr.exe
3872 rundll32.exe
2648 rundll32.exe

pid	process
3320	winupdate.exe
4728	winupdate.exe
3172	winupdate.exe
3616	eulascr.exe
976	EA98.tmp
3212	winupdate.exe
3344	winupdate.exe
1176	winupdate.exe

pid	process
3616	eulascr.exe
3872	rundll32.exe
2648	rundll32.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\87C7.tmp\eulascr.exe	agile_net
behavioral1/memory/3616-1126-0x0000000000960000-0x000000000098A000-memory.dmp	agile_net

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3560-1108-0x0000000000400000-0x0000000000454000-memory.dmp	upx
behavioral1/memory/3560-1110-0x0000000000400000-0x0000000000454000-memory.dmp	upx

Adds Run key to start application 2 TTPs 11 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winupdate.exewinupdate.exewinupdate.exeAnnabelle.exeAmus.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe"	Annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microzoft_Ofiz = "C:\\Windows\\KdzEregli.exe"	Amus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

Processes:

flow	ioc
13	camo.githubusercontent.com
30	raw.githubusercontent.com
38	camo.githubusercontent.com
39	camo.githubusercontent.com
40	camo.githubusercontent.com
41	raw.githubusercontent.com

Drops file in System32 directory 34 IoCs

Processes:

attrib.exewinupdate.exewinupdate.exeattrib.exewinupdate.exewinupdate.exeattrib.exewinupdate.exeBlackkomet.exewinupdate.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Drops file in Windows directory 27 IoCs

Processes:

Amus.exerundll32.exeBadRabbit.exeBadRabbit.exerundll32.exe

description	ioc	process
File created	C:\Windows\Adapazari.exe	Amus.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\KdzEregli.exe	Amus.exe
File opened for modification	C:\Windows\Pide.exe	Amus.exe
File created	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Pire.exe	Amus.exe
File opened for modification	C:\Windows\Cekirge.exe	Amus.exe
File opened for modification	C:\Windows\Adapazari.exe	Amus.exe
File created	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\My_Pictures.exe	Amus.exe
File created	C:\Windows\Pide.exe	Amus.exe
File opened for modification	C:\Windows\Anti_Virus.exe	Amus.exe
File created	C:\Windows\KdzEregli.exe	Amus.exe
File created	C:\Windows\Ankara.exe	Amus.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\Meydanbasi.exe	Amus.exe
File opened for modification	C:\Windows\Ankara.exe	Amus.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\Messenger.exe	Amus.exe
File opened for modification	C:\Windows\EA98.tmp	rundll32.exe
File created	C:\Windows\My_Pictures.exe	Amus.exe
File opened for modification	C:\Windows\Meydanbasi.exe	Amus.exe
File created	C:\Windows\Cekirge.exe	Amus.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4252 2948 WerFault.exe DanaBot.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

2744 schtasks.exe
5036 schtasks.exe

pid	pid_target	process	target process
4252	2948	WerFault.exe	DanaBot.exe

pid	process
2744	schtasks.exe
5036	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3944 vssadmin.exe
1728 vssadmin.exe
3656 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

Amus.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main Amus.exe

pid	process
3944	vssadmin.exe
1728	vssadmin.exe
3656	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	Amus.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

Processes:

Amus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet."	Amus.exe

Modifies registry class 9 IoCs

Processes:

msedge.exeBlackkomet.exewinupdate.exewinupdate.exewinupdate.exemsedge.exewinupdate.exewinupdate.exewinupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2878097196-921257239-309638238-1000\{C41D87A0-1E21-4481-9180-97F336E3A34C}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\USER\S-1-5-21-2878097196-921257239-309638238-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Malware-Sample-Sources-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exeEA98.tmprundll32.exe

pid	process
2244	msedge.exe
2244	msedge.exe
788	msedge.exe
788	msedge.exe
3780	msedge.exe
3780	msedge.exe
2008	identity_helper.exe
2008	identity_helper.exe
4016	msedge.exe
4016	msedge.exe
4056	msedge.exe
4056	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
436	msedge.exe
1160	msedge.exe
1160	msedge.exe
3872	rundll32.exe
3872	rundll32.exe
3872	rundll32.exe
3872	rundll32.exe
976	EA98.tmp
976	EA98.tmp
976	EA98.tmp
976	EA98.tmp
976	EA98.tmp
976	EA98.tmp
976	EA98.tmp
2648	rundll32.exe
2648	rundll32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

msedge.exe

pid	process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEBlackkomet.exewinupdate.exewinupdate.exe

description	pid	process
Token: 33	1660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1660	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	2076	Blackkomet.exe
Token: SeSecurityPrivilege	2076	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	2076	Blackkomet.exe
Token: SeLoadDriverPrivilege	2076	Blackkomet.exe
Token: SeSystemProfilePrivilege	2076	Blackkomet.exe
Token: SeSystemtimePrivilege	2076	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	2076	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	2076	Blackkomet.exe
Token: SeCreatePagefilePrivilege	2076	Blackkomet.exe
Token: SeBackupPrivilege	2076	Blackkomet.exe
Token: SeRestorePrivilege	2076	Blackkomet.exe
Token: SeShutdownPrivilege	2076	Blackkomet.exe
Token: SeDebugPrivilege	2076	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	2076	Blackkomet.exe
Token: SeChangeNotifyPrivilege	2076	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	2076	Blackkomet.exe
Token: SeUndockPrivilege	2076	Blackkomet.exe
Token: SeManageVolumePrivilege	2076	Blackkomet.exe
Token: SeImpersonatePrivilege	2076	Blackkomet.exe
Token: SeCreateGlobalPrivilege	2076	Blackkomet.exe
Token: 33	2076	Blackkomet.exe
Token: 34	2076	Blackkomet.exe
Token: 35	2076	Blackkomet.exe
Token: 36	2076	Blackkomet.exe
Token: SeIncreaseQuotaPrivilege	3320	winupdate.exe
Token: SeSecurityPrivilege	3320	winupdate.exe
Token: SeTakeOwnershipPrivilege	3320	winupdate.exe
Token: SeLoadDriverPrivilege	3320	winupdate.exe
Token: SeSystemProfilePrivilege	3320	winupdate.exe
Token: SeSystemtimePrivilege	3320	winupdate.exe
Token: SeProfSingleProcessPrivilege	3320	winupdate.exe
Token: SeIncBasePriorityPrivilege	3320	winupdate.exe
Token: SeCreatePagefilePrivilege	3320	winupdate.exe
Token: SeBackupPrivilege	3320	winupdate.exe
Token: SeRestorePrivilege	3320	winupdate.exe
Token: SeShutdownPrivilege	3320	winupdate.exe
Token: SeDebugPrivilege	3320	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3320	winupdate.exe
Token: SeChangeNotifyPrivilege	3320	winupdate.exe
Token: SeRemoteShutdownPrivilege	3320	winupdate.exe
Token: SeUndockPrivilege	3320	winupdate.exe
Token: SeManageVolumePrivilege	3320	winupdate.exe
Token: SeImpersonatePrivilege	3320	winupdate.exe
Token: SeCreateGlobalPrivilege	3320	winupdate.exe
Token: 33	3320	winupdate.exe
Token: 34	3320	winupdate.exe
Token: 35	3320	winupdate.exe
Token: 36	3320	winupdate.exe
Token: SeIncreaseQuotaPrivilege	4728	winupdate.exe
Token: SeSecurityPrivilege	4728	winupdate.exe
Token: SeTakeOwnershipPrivilege	4728	winupdate.exe
Token: SeLoadDriverPrivilege	4728	winupdate.exe
Token: SeSystemProfilePrivilege	4728	winupdate.exe
Token: SeSystemtimePrivilege	4728	winupdate.exe
Token: SeProfSingleProcessPrivilege	4728	winupdate.exe
Token: SeIncBasePriorityPrivilege	4728	winupdate.exe
Token: SeCreatePagefilePrivilege	4728	winupdate.exe
Token: SeBackupPrivilege	4728	winupdate.exe
Token: SeRestorePrivilege	4728	winupdate.exe
Token: SeShutdownPrivilege	4728	winupdate.exe
Token: SeDebugPrivilege	4728	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4728	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe
788	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Amus.exeMrsMajor3.0.exe

pid process

3144 Amus.exe
1808 MrsMajor3.0.exe

pid	process
3144	Amus.exe
1808	MrsMajor3.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 788 wrote to memory of 3552	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 3552	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 2244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 2244	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe
PID 788 wrote to memory of 8	788	msedge.exe	msedge.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Views/modifies file attributes 1 TTPs 14 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4040	attrib.exe
768	attrib.exe
2956	attrib.exe
4048	attrib.exe
4944	attrib.exe
1980	attrib.exe
1212	attrib.exe
1496	attrib.exe
3400	attrib.exe
5024	attrib.exe
4384	attrib.exe
2744	attrib.exe
4584	attrib.exe
4920	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff4a173cb8,0x7fff4a173cc8,0x7fff4a173cd8
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3780

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
2⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
2⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
2⤵
PID:3064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5320 /prefetch:8
2⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5416 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
2⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
2⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1236 /prefetch:1
2⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6720 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1876 /prefetch:1
2⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
2⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
2⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
2⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4416 /prefetch:1
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,3218679173485726769,15672631232443435804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4860

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 300
2⤵
- Program crash
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2948 -ip 2948
1⤵
PID:1516

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:4780

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Email-Worm\Amus.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Suspicious use of SetWindowsHookEx
PID:3144

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:768

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\RAT" +s +h
2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3400

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
3⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4040

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4048

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
4⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4920

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3172

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4944

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
5⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:2744

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3212

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1212

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
6⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1980

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:3344

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4384

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
7⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:4584

C:\Windows\SysWOW64\Windupdt\winupdate.exe
"C:\Windows\system32\Windupdt\winupdate.exe"
7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
PID:1176

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:5024

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\SysWOW64\Windupdt" +s +h
8⤵
- Sets file to hidden
- Drops file in System32 directory
- Views/modifies file attributes
PID:1496

C:\Windows\SysWOW64\notepad.exe
C:\Windows\SysWOW64\notepad.exe
7⤵
PID:2744

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\ArcticBomb.exe"
1⤵
PID:3560

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Gas.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Gas.exe"
1⤵
PID:428

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\MrsMajors\MrsMajor3.0.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\87C7.tmp\87D7.tmp\87D8.vbs //Nologo
2⤵
- UAC bypass
- System policy modification
PID:2544

C:\Users\Admin\AppData\Local\Temp\87C7.tmp\eulascr.exe
"C:\Users\Admin\AppData\Local\Temp\87C7.tmp\eulascr.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3616

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:4416

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3872

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Delete /F /TN rhaegal
3⤵
PID:3932

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /F /TN rhaegal
4⤵
PID:3884

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2640710691 && exit"
3⤵
PID:2792

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2640710691 && exit"
4⤵
- Creates scheduled task(s)
PID:2744

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:53:00
3⤵
PID:1020

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 18:53:00
4⤵
- Creates scheduled task(s)
PID:5036

C:\Windows\EA98.tmp
"C:\Windows\EA98.tmp" \\.\pipe\{3C0CB060-9480-45B1-AB0D-A4491785D19D}
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"
1⤵
- Drops file in Windows directory
PID:412

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2648

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Sets file execution options in registry
- Adds Run key to start application
PID:4908

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3656

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:1728

C:\Windows\SYSTEM32\vssadmin.exe
vssadmin delete shadows /all /quiet
2⤵
- Interacts with shadow copies
PID:3944

C:\Windows\SYSTEM32\NetSh.exe
NetSh Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7c16971be0e6f1e01725260be0e299cd

SHA1
e7dc1882a0fc68087a2d146b3a639ee7392ac5ed

SHA256
b1fa098c668cdf8092aa096c83328b93e4014df102614aaaf6ab8dc12844bdc0

SHA512
dc76816e756d27eedc2fe7035101f35d90d54ec7d7c724ad6a330b5dd2b1e6d108f3ae44cedb14a02110157be8ddac7d454efae1becebf0efc9931fdc06e953c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bdf3e009c72d4fe1aa9a062e409d68f6

SHA1
7c7cc29a19adb5aa0a44782bb644575340914474

SHA256
8728752ef08d5b17d7eb77ed69cfdd1fc73b9d6e27200844b0953aeece7a7fdc

SHA512
75b85a025733914163d90846af462124db41a40f1ce97e1e0736a05e4f09fe9e78d72316753317dabea28d50906631f634431a39384a332d66fa87352ff497f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
37KB

MD5
47cd0f9ecdb7f3ce3c16db7abc2f46d5

SHA1
307c836095a2a73635133ba3c0a7753c5851cddd

SHA256
8b3342a18aaa96aa2eb22adb9011a32ffd0b23a1760350bd89811c17fe003f46

SHA512
9d5caaeaa31c3626c8f8a02ecf108f1fb53a82a930a17352a2fb06bf16915b4b27435af09fd7e0921b80cf66355299ab23f9c96b8443d2f29e6649cc575ea895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
1.1MB

MD5
34a02dd7f8b393eff0b3f133576adb8e

SHA1
b512edfa50e3ad8f44064e7805443032f8cc9b28

SHA256
f38d66808f86e685fd596c778cf5e8dca79d1d0b223c008d9b31b636bce2299f

SHA512
53d2669725bece4eb3f9c9d2e9714ff9e73dade82a63c0056cfe9e6bf2cd905866e38fafd0d89ca4a2eb9406ecaa7aa89221cda4641a355494b21922d42ec48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
fd1f3cd74a93f834ceedcd826bd365fe

SHA1
a3d37ef87d33b3260cfbe1900175c2decb231ae7

SHA256
afaeb817cf7e767d366e6c2785376143516a18c6efe967d179833baa20edaca0

SHA512
043d64725ec57610e4cc7513d36412a3b02034d6bce7380f56760bb93f2e3b96abe6afdb58419a365806e0cc981d12aafd145306dcfe79b664e344eed9b1b9a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
896333d1d631f5c9b1ccb693bd4e5c4d

SHA1
5110d8ff0ebac99ee49fde75938a2d88c739b30f

SHA256
900a085e3c8dcc1a801157294b89ab96c580df67a20c1ee0669b0aa68dfb63d3

SHA512
0b4bdaa004c63d2c592b7e4317465f2418a8d5f9efdb3600c8a9c3eeeda81b516cb64bfad11c1c1f25485c2e6bf5cba118e2d1adc596547aeac3564078199528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
e268c9160917a554a161f226f4033a78

SHA1
45c5d480fa4bfadae295b174cd52300f6c564dfe

SHA256
c933bf8218673dc14e2a005fdd3e5f9b6c072b3431ad58cb0f67df91257c41e6

SHA512
2f3cfc92904b54a45201cda8476bdb192b1bc877cb971219da31e355943025851898d33714631a9b401e6a98473d2183245c46ab586b9eb99ccf2a4d9f1a6c98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
8256a5804e74b8179946dc99a221e715

SHA1
926ca99d5bdf39128c9daca5594027453e6c2f9f

SHA256
226be142b5d80d405590c96b3c9878a3459fb43fe546bda0ba47f81429fbe811

SHA512
b1987e37cd0cd48c9502f22e1dc4b2dd003b4ca6648d3c46f9d5773872e94fc6778b78e6474d13163783d28c948a598ec57bd4c09b9b5eff68b4def8bb0ea07b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
c38df1a4cdbd2ad2397a3d0d1a02c8e2

SHA1
fe3abc691a215412cc2dfcb7a6617249732deea9

SHA256
feee3827ba5521c3170a36af37f57311bc3b6690d01ebd81ad4bc65eae9a9163

SHA512
9245cb550e30621ec6a2b37e450ca7735cab51b02f8845054afb5d02f205ddf715ef39cd4636ed01e7e65ecf27cd2309bb4509fa73fed7a11aeb4255ef3a7d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
f4611b01b05928e78d200648b6729026

SHA1
e4f687d20ff5bf68775bfd58cfed1cc7516b5a10

SHA256
50f1450c023b666a02c851ff152ef8eecf72ba95bbe9f7e53b2165268b274ee2

SHA512
81fddff70cc2155e8382c620464e9ff645aee56ce4b290368cfdcdb5df8c2dfcf0743ded40e4bb712ff6cc2c151f55d8e47333681f09707c3f92a20c969e4307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
7af4737fdd4b29e7841b2239e84b3429

SHA1
44ad5bdcf0261a484f4576faa3addd90594ede86

SHA256
dd6dc6e82ad6496d9d24691f733cc78b82c74571838562911f4e784070d61956

SHA512
3553d9264804ceeebececccda2ecd7c9bcbf012588896ff925522ef569878f5299c112cdebb92945e6a8533f5eed0a6ca1dedcb512ced58c99d0c6241c1e9aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4099a24369cc6b688a88cc1d7b9ba9a7

SHA1
afbc9458186528510b530e439671de3cc00fa207

SHA256
6f706aa5a5ab1b69a938b6ef7150d430379e42eb32325e5eac2d622b2bbf1764

SHA512
81e3143f6c0578cd47bffa29160dc55ecce4fb1dad832cc79c5bc4d902ab166a97f38919d5e32ac7416c6f4ddc29344496af6d007c84158b7a88618edebebfa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8415638550591b31ddcf9405d657ee41

SHA1
9e67c73fd5ea579c01cc4e4d606e4e0cade74dbc

SHA256
c47c58310df13fff83bef06cbaaca0c4fe228cf3e454739cba116b0bc0182b4e

SHA512
7ae795ba802bbc4d0dcc00eec3e5644e20cf1b35b890ad05c73ff8b06bff190e07ebd9fdaa3db97367fcef89f68026bebed07b257f23eabb40e986ec2eb34576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
d373f4c0061d6999b6693e3bb7350b49

SHA1
9d82afd2212a340e0f2d819f9338746a759246f5

SHA256
2ca1e8cd4fb875800ab5bb42b9c99b4d4c98387d6268c06a2c2d46fc6ecb1007

SHA512
807cea2c52f3b3eacada955d3a1748fc1f5578e10d904c545ca49e5bbb6f69615bc177279978325304002789bbf732230e08ec1dd5bb5b2662698cc64254d25c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
818ee0e881b05c7209713b29b537e9bd

SHA1
056ef38d9f0d38e34c69c8b4350c5f6eee3a53ca

SHA256
7c66c1cf5c0abcb33e6d651701a009b539ed31c4c3f7e914642f6f231b114afb

SHA512
ec8353acebf67311751464028fd78b37899a2878978c39efe3741ef96cdf35327beae8a06fb25dc959a55fd3b6f23b025dcaa61bd745ae95ad09656fcb3fb9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ca2ebe68e0a57e6b4acd535570a588f4

SHA1
b8a5a13cbaf6c02e02777f771ccd89290f480d1f

SHA256
59ec525c97c7e4e6afab31ae56cdbb873207abb6a88000b46c9f652786dd57e4

SHA512
ac6b227005abd4c9eb033f8e041c967ba593ec09fef334fc85772dbb1caa341d15ebcd79205e98ff723d50682b8cd0d617500ffeef0bbb40cf87050a233b94da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
30d8bd1ca1ce24528dc1cad984722c4e

SHA1
da07b7bd51011ae0a41360e7c1694dcf89d4cf25

SHA256
ccede4c224825813af7eaebebcf930d8626c20e797a625978249916c8a162e68

SHA512
cffad302585ff77231d48daafe4ff806aa4a840a78044c8f9c9aafa91d700c8808a55a50efcd9fdfc5ff6ba83831a7ec0bd3049ed26690bfff887d068fd12159

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
4d52ca1597891cbfe15ed4a3da93e3f9

SHA1
079bfc82d865f5873d35d1709e94a533033c25a2

SHA256
bde18f230e596c44ea7af1468eac0313ddfee477caaa02ccc59124135f0bd730

SHA512
b0ea0ef08704bcd5d609cfd314ef328b3a4ef33149ec9dde79860c1a6e0385555f603b8c40f9588116d88ec289aeae50f9e6d25ad2650c666d0a08603ea96e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
249838966c708f251491feb389952df2

SHA1
957d7737389113d472f94283f780c48d90e096c2

SHA256
cbf62c8b9501357210fec5a6a65bfc153bbf869a9348b17418de19a03ebbfd15

SHA512
8560becd5f1074d41f5322c29f2ae24659eb59fa2184ff8ee25124a702215682f9ad49228df948eae987d78cf0ecabec1dc2a86cc5934c5bee0ce08236415dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1a6c014b78a43079c4eb56772a7c8080

SHA1
248eddac4337d2749561a4ebbccecdafdd71ad31

SHA256
bd1ef29bce0cf1723faaddc7e7ac09aa076796ed430460f96b967c40b25b25d2

SHA512
c280fcc5456c05d78e05f64e2aaff68311dedb55e029a8db819c1f462b88348f7ab09618f631b7a6cdae8a1511099621b539ed72ac7f18152c50bad7ade79261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e4d039e077a59a1fae80f3da222a7312

SHA1
cf983099fd952eae1ad20417663c1ec25511e59f

SHA256
4ed3ff0732a99ae0f6787bc0af1238cf5f8c3ebfe6a4e2798ca69d4fc94b1afc

SHA512
e1108409dd74d8ab7bdfefd7c9497ed2eb41e1d2fe0b548a698bdb9de2819c90045d164a308f20c7722d8a231166ffee79718c7b87f32fa80f07b17115e14f9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585c63.TMP
Filesize
538B

MD5
34093dfd9e462dde5f395453a2d4ff69

SHA1
53d16f9f48db713641ff5bedbaf1eb36846c7fee

SHA256
8818274e6644386e2a18ea0d13ec3001cb419d75540e2ace60aecb08551d2ca1

SHA512
961283c3ced093e86848aea0a807a11d29c76e44e43e14f4c50e3c820ec464a752e474d985e00fc5d633ef828e2ec9be16d705fdbe5cd742efd54c84e0117577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2500a19f1611036bab3a04668e694992

SHA1
37b4ff44ebe8fd878265c66d3eee6dccee57b664

SHA256
0b122db51983863e0d37e6ab7dd75a8c3acca2880d962e1ed8e4b2c50cadaff3

SHA512
9e7cb23fb23fa39e52d3a471cc100513859732380c7794f1f026e39d04af6547992ba5fff43adca9d0ee0b7a37f50ad9603e03a308c88fac214b90c4a9b554a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
423ee6e7e98f9bfa480266656396f906

SHA1
dc1aff7af7e78d94d921f44040299e0160676a07

SHA256
db04fb8c0fe7df0ad9bb79199f29d0bd7744973cfa57b1e871d4437699c3267c

SHA512
df6ca59f5a4a6d4bbc6202edc70e49b2a4ae401d50f1d551f011280cba4a8a6d4f58aac6523242122b80ec0d032ed18ecbe71a19c0ab90b02e3e26d6a1844056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ae8a70f15048ccc301a58a7249992a8c

SHA1
5a68682f00d794138754ecd0c3ec40dcb420fcc1

SHA256
4a7f2a9cdba2d435ab01b770e001a05facc338c8769e463cfc480a61f6e63126

SHA512
41decf811c512fa7569ed42ad1d42e0df6e6f615db86b3102324c1ed72b9d8225aa93ba66c7c47a584ec92725dc6310bc2d462a73e75b2a6edf6b411d0ec4c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll
Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C7.tmp\87D7.tmp\87D8.vbs
Filesize
352B

MD5
3b8696ecbb737aad2a763c4eaf62c247

SHA1
4a2d7a2d61d3f4c414b4e5d2933cd404b8f126e5

SHA256
ce95f7eea8b303bc23cfd6e41748ad4e7b5e0f0f1d3bdf390eadb1e354915569

SHA512
713d9697b892b9dd892537e8a01eab8d0265ebf64867c8beecf7a744321257c2a5c11d4de18fcb486bb69f199422ce3cab8b6afdbe880481c47b06ba8f335beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\87C7.tmp\eulascr.exe
Filesize
143KB

MD5
8b1c352450e480d9320fce5e6f2c8713

SHA1
d6bd88bf33de7c5d4e68b233c37cc1540c97bd3a

SHA256
2c343174231b55e463ca044d19d47bd5842793c15954583eb340bfd95628516e

SHA512
2d8e43b1021da08ed1bf5aff110159e6bc10478102c024371302ccfce595e77fd76794658617b5b52f9a50190db250c1ba486d247d9cd69e4732a768edbb4cbc

Download Submit
C:\Users\Admin\Downloads\Malware-Sample-Sources-main.zip
Filesize
18KB

MD5
cf53409ee3de7bca5d9918d345f42c35

SHA1
a08d052ff5a9157e030618356396c2eb3fb316eb

SHA256
1e6cc37325fa35072c79d64743a8bc0d9211b032495a8248d1161467f91df308

SHA512
7c5e0ff423def9d4f017c3900b83c5376bd8b81cc1b7846164e88b1a6a8f2e77911f2020e87817f6c4cec0d43cfe5d726c84e85ee66ccbb28c6b2068175ae33d

Download Submit
C:\Users\Admin\Downloads\Malware-Sample-Sources-main.zip:Zone.Identifier
Filesize
189B

MD5
986f4f785637ae6e91a3bcfafc763e72

SHA1
8d139509e25d8012d694e80ca823d8f6fe0cba56

SHA256
ba2fb2920b1fddeb521f0775cd159111970fce722df5a1711d643e182eabd0e0

SHA512
f32f8772e7516a3b8c8b587df9e1e20a44fdf2847d9e186ce5a0ab5b682ea068aabc1aeed97a3ba8c9d8990cd85194628f1122535d2beba0f3ffef11cdfca1c0

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\EA98.tmp
Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\Messenger.exe
Filesize
50KB

MD5
47abd68080eee0ea1b95ae31968a3069

SHA1
ffbdf4b2224b92bd78779a7c5ac366ccb007c14d

SHA256
b5fc4fd50e4ba69f0c8c8e5c402813c107c605cab659960ac31b3c8356c4e0ec

SHA512
c9dfabffe582b29e810db8866f8997af1bd3339fa30e79575377bde970fcad3e3b6e9036b3a88d0c5f4fa3545eea8904d9faabf00142d5775ea5508adcd4dc0a

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe
Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier
Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
C:\Windows\infpub.dat
Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat
Filesize
256KB

MD5
bf857aef3e4e67f62c3f4c362acb14c4

SHA1
697e922479e94149d15407a9f19b18b120bf806c

SHA256
a5b86bb3baa2f2537aea4548c1328d1d538ca769a00dcf1b708d430fc2fe4387

SHA512
e881b3dd8786bac901cded3ed5a6f9448f91db3a24be37c4c5fe2018c6050879f85e4f689c58117e920e85892ae3ca608242f988942676307aa6b485686af4b1

Download Submit
C:\Windows\infpub.dat
Filesize
64KB

MD5
1d12b78268144bc10cb270fd514c7a71

SHA1
50e1c0574cf417527111f0d01a3b93fd2c3e0a28

SHA256
392f1bf830cb12f3e8d49cee2f94ee7c0defa785bf04b06794223e058e1a0535

SHA512
59b04f5721fd895207e3bed8f01ded02dea7c4d15752791e434c695615dab0273bcb8362d4470682c7c6098d17917f0ba547fa1d6801a6aca7f5b9e00b9a381f

Download Submit
\??\pipe\LOCAL\crashpad_788_PHVOUUFKPCBZBFIC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1176-1205-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2076-1106-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/2648-1186-0x0000000002E40000-0x0000000002EA8000-memory.dmp

Filesize
416KB

Download
memory/2648-1194-0x0000000002E40000-0x0000000002EA8000-memory.dmp

Filesize
416KB

Download
memory/3144-1035-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3172-1182-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3172-1136-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3212-1196-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3320-1115-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3320-1107-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3344-1198-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/3560-1108-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3560-1110-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3616-1133-0x00007FFF33610000-0x00007FFF3375F000-memory.dmp

Filesize
1.3MB

Download
memory/3616-1135-0x000000001D980000-0x000000001DEA8000-memory.dmp

Filesize
5.2MB

Download
memory/3616-1134-0x000000001D280000-0x000000001D442000-memory.dmp

Filesize
1.8MB

Download
memory/3616-1126-0x0000000000960000-0x000000000098A000-memory.dmp

Filesize
168KB

Download
memory/3872-1154-0x00000000024A0000-0x0000000002508000-memory.dmp

Filesize
416KB

Download
memory/3872-1151-0x00000000024A0000-0x0000000002508000-memory.dmp

Filesize
416KB

Download
memory/3872-1143-0x00000000024A0000-0x0000000002508000-memory.dmp

Filesize
416KB

Download
memory/4728-1117-0x0000000013140000-0x000000001320F000-memory.dmp

Filesize
828KB

Download
memory/4908-1207-0x0000026380E10000-0x0000026381E04000-memory.dmp

Filesize
16.0MB

Download
memory/4908-1208-0x000002639C350000-0x000002639D8DE000-memory.dmp

Filesize
21.6MB

Download