Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/05/2024, 21:52

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Resource: win10v2004-20240426-en

General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
Malware Config
Signatures
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  4196 satan.exe; 1544 satan.exe; 4604 ofexw.exe; 2496 ofexw.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by Explorer.EXE:
  \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4B758C0C-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Urho\\ofexw.exe"
  This is the logged-on user's Run key (HKEY_USERS\<SID> is HKCU for that account), so the dropped second stage ofexw.exe is relaunched at each logon of that user. The value name is a GUID with no vendor meaning and the target sits in the user-writable %APPDATA%\Urho directory. The write is attributed to Explorer.EXE (PID 3440) rather than to satan.exe or ofexw.exe, which is what you would expect if the payload had injected into the shell process; the report does not record the injection itself.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 70 raw.githubusercontent.com; flow 71 raw.githubusercontent.com
  The sample is fetched from a public GitHub repository of malware samples; on the evidence in this report only the hosting half of the label applies, no C2 traffic is recorded.
- Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  3440 Explorer.EXE (×4); 2496 ofexw.exe (×5); 5984 taskmgr.exe (×4)
  ofexw.exe (PID 2496, the final stage) hides its threads from debuggers. Explorer.EXE is also the recorded actor for the Run key write and the parent of vssadmin.exe, so its hits are consistent with sample code running inside the shell. taskmgr.exe (PID 5984) is a separate child of Explorer with no recorded link to the sample.
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4196 satan.exe set the thread context of PID 1544 satan.exe (procid_target 133)
  PID 4604 ofexw.exe set the thread context of PID 2496 ofexw.exe (procid_target 137)
  In both cases the target is the actor's own child running the same image: the pattern of launching a suspended copy of oneself and redirecting its entry point to unpacked code (process hollowing / self-injection). The children (1544, 2496) are the more likely place to find the unpacked payload; the parents behave as packer stubs.
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All three reads are by taskmgr.exe (PID 5984):
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Task Manager reads disk friendly names to label drives in its Performance tab. None of the dropped binaries triggered this signature, so it is not evidence of sandbox detection by the sample.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  All three reads are by msedge.exe:
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Attributed to the browser, not to satan.exe or ofexw.exe.
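The three registry signatures above (the Run key write, the Enum\SCSI reads and the HARDWARE\DESCRIPTION\System\BIOS reads) all arrive as native \REGISTRY\... paths with an actor process attached. As an added example, not part of the sandbox report or its tooling, the Python below normalizes such paths to the HKLM/HKU names administrators use and tags each event: an autorun value write is flagged, with extra tags when the value name is a GUID and the target lives under the user's AppData; an Enum\SCSI read has its vendor and product strings pulled out and compared against a short, illustrative list of virtual-disk identifiers; a BIOS description read is tagged as a hardware fingerprint. The first three events mirror the report's IoC rows; the VBOX disk read and the HKLM Run value are constructed, and the VM token list is an assumption, not a complete catalogue.

```python
import re

# Constructed registry events in the shape of the report's IoC tables:
# (operation, native key path, data written or None, actor process).
# The first three mirror the report; the VBOX disk read and the HKLM Run value
# are constructed to show a positive VM check and a benign machine-wide autorun.
REG_EVENTS = [
    ("Set value (str)",
     r"\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{4B758C0C-23D3-741B-5056-89006DF8340B}",
     r"C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe", "Explorer.EXE"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName",
     None, "taskmgr.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
     None, "msedge.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VBOX&Prod_HARDDISK\4&1a2b3c4d&0&000000\FriendlyName",
     None, "ofexw.exe"),
    ("Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     r"C:\Program Files\Vendor\updater.exe", "setup.exe"),
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
GUID = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
SCSI_ENUM = re.compile(r"\\Enum\\SCSI\\([^\\]+)\\([^\\]+)", re.I)
BIOS_DESC = re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)
USER_SID = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[0-9-]+)\\", re.I)
PROFILE_TARGET = re.compile(r'^"?[a-z]:\\users\\[^\\]+\\appdata\\', re.I)

# Vendor/product fragments that commonly identify virtual disks.
# Illustrative only (assumption), not an exhaustive list.
VM_DISK_TOKENS = ("vbox", "vmware", "qemu", "msft", "virtual")


def to_win_path(native: str) -> str:
    """Map the kernel's \\REGISTRY\\MACHINE / \\REGISTRY\\USER form to HKLM / HKU."""
    up = native.upper()
    if up.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM" + native[len("\\REGISTRY\\MACHINE"):]
    if up.startswith("\\REGISTRY\\USER\\"):
        return "HKU" + native[len("\\REGISTRY\\USER"):]
    return native


def classify(op, key, data, actor):
    """Tag one registry event; returns actor, HK* path, tags and parsed details."""
    result = {"actor": actor, "key": to_win_path(key), "tags": []}

    m = RUN_KEY.search(key)
    if m and op.lower().startswith("set value"):
        result["tags"].append("persistence_run_key")
        result["value_name"] = m.group(2)
        sid = USER_SID.match(key)
        result["scope"] = f"per-user ({sid.group(1)})" if sid else "machine-wide"
        if GUID.match(m.group(2)):
            result["tags"].append("guid_value_name")        # random-looking name, no vendor meaning
        if data and PROFILE_TARGET.match(data):
            result["tags"].append("target_in_user_profile") # autorun into %APPDATA%, user-writable

    m = SCSI_ENUM.search(key)
    if m:
        result["tags"].append("scsi_disk_enum_read")
        dev = m.group(1)                                     # e.g. Disk&Ven_DADY&Prod_HARDDISK
        ven = re.search(r"Ven_([^&]*)", dev)
        prod = re.search(r"Prod_([^&]*)", dev)
        result["vendor"] = ven.group(1) if ven else ""
        result["product"] = prod.group(1) if prod else ""
        ident = f"{result['vendor']} {result['product']}".lower()
        if any(tok in ident for tok in VM_DISK_TOKENS):
            result["tags"].append("vm_disk_identifier")

    if BIOS_DESC.search(key):
        result["tags"].append("bios_fingerprint_read")
    return result


def triage(events):
    """Classify every (op, key, data, actor) tuple in order."""
    return [classify(*ev) for ev in events]


if __name__ == "__main__":
    for r in triage(REG_EVENTS):
        print(f"{r['actor']:<14} {r['tags']} {r['key']}")
```

Run over the report's own rows, the Run key write comes back as a per-user autorun with a GUID value name pointing into the profile, and both reads come back without a VM indicator; the actor field is what lets you discount the taskmgr.exe and msedge.exe reads rather than the signature names alone.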
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  2752 vssadmin.exe (command line recorded in the process tree: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet, spawned as a direct child of Explorer.EXE)
- NTFS ADS (1 IoC)
  File opened for modification by msedge.exe: C:\Users\Admin\Downloads\Unconfirmed 267325.crdownload:SmartScreen
  This is Edge stamping its SmartScreen stream onto the in-progress download, not the sample writing an alternate data stream.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  4820 msedge.exe (×2); 2544 msedge.exe (×2); 708 identity_helper.exe (×2); 1132 msedge.exe (×2); 4196 satan.exe (×54); 4604 ofexw.exe (×2)
  satan.exe (PID 4196) accounts for 54 of the 64 entries.
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  2544 msedge.exe (×8): the browser process starting its children with the block-non-Microsoft-binaries mitigation policy, which is normal Chromium behavior.
- Suspicious use of AdjustPrivilegeToken (44 IoCs)
  2260 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (the VSS service's normal privileges while servicing the delete request)
  3440 Explorer.EXE: SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (38 entries)
  5984 taskmgr.exe: SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (64 IoCs)
  2544 msedge.exe and 5984 taskmgr.exe (repeated); 3440 Explorer.EXE (×2). No entries for the dropped binaries.
- Suspicious use of SendNotifyMessage (64 IoCs)
  2544 msedge.exe and 5984 taskmgr.exe (repeated). No entries for the dropped binaries.
- Suspicious use of UnmapMainImage (2 IoCs)
  3844 StartMenuExperienceHost.exe; 3912 RuntimeBroker.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Every entry is 2544 msedge.exe writing into one of its own children: 3432 (×2), 1072, 4820 (×2) and 2396 (the remaining entries). This is the browser's sandbox broker initializing its renderer, GPU and utility children; no entry involves satan.exe or ofexw.exe.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
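The two shadow-copy signatures above and the vssadmin.exe command line recorded in the process tree (delete shadows /all /quiet) are one instance of recovery inhibition. As an added example, not part of the sandbox report, the Python below runs a small set of command-line rules over constructed process-creation records shaped like this report's entries. It normalizes each command line first (executable reduced to its basename, whitespace collapsed, lower-cased) so that full paths, quoting and casing do not evade the match, and the rule list generalizes past vssadmin to the other built-in tools commonly used for the same goal (wmic shadowcopy delete, vssadmin resize shadowstorage, wbadmin delete catalog, bcdedit recoveryenabled). The vssadmin.exe and cmd.exe records mirror the report; the PID 6xxx records, including the benign vssadmin list shadows negative, are constructed.

```python
import re

# Constructed process-creation records in the shape of the report's process tree.
# PIDs 2752 and 3892 mirror the report; the PID 6xxx entries are constructed to
# exercise the other rules and one negative case (listing shadows is not deletion).
EVENTS = [
    {"pid": 2752, "ppid": 3440,
     "cmdline": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 3892, "ppid": 1544,
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_6b898cc2.bat"'},
    {"pid": 6001, "ppid": 3440, "cmdline": r"vssadmin.exe list shadows"},
    {"pid": 6002, "ppid": 4196, "cmdline": r"wmic shadowcopy delete /nointeractive"},
    {"pid": 6003, "ppid": 4196, "cmdline": r"  VSSADMIN.EXE   Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"},
    {"pid": 6004, "ppid": 4196, "cmdline": r"C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 6005, "ppid": 4196, "cmdline": r"wbadmin delete catalog -quiet"},
]

# Rules run against the normalized command line. Each is a well-known
# recovery-inhibition command (ATT&CK T1490); the regexes are this example's own.
RULES = [
    ("vssadmin_delete_shadows",       re.compile(r"^vssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"^vssadmin(\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",        re.compile(r"^wmic(\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_disable_recovery",      re.compile(r"^bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b")),
    ("wbadmin_delete_catalog",        re.compile(r"^wbadmin(\.exe)?\s+delete\s+catalog\b")),
]

# First token is either a quoted path or a bare word; the rest is the argument string.
_FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]*)"|(\S+))\s*(.*)$', re.S)


def normalize(cmdline: str) -> str:
    """Reduce e.g. '"C:\\x\\VSSADMIN.EXE"  Delete  Shadows' to 'vssadmin.exe delete shadows'."""
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return " ".join(cmdline.split()).lower()
    exe = (m.group(1) or m.group(2) or "").replace("/", "\\").rsplit("\\", 1)[-1]
    rest = " ".join(m.group(3).split())
    return f"{exe} {rest}".strip().lower()


def inhibit_recovery_hits(events):
    """Return [(pid, rule_name)] for every record whose command line matches a rule."""
    hits = []
    for ev in events:
        norm = normalize(ev["cmdline"])
        for name, rx in RULES:
            if rx.search(norm):
                hits.append((ev["pid"], name))
                break  # one rule per record is enough for triage
    return hits


if __name__ == "__main__":
    for pid, rule in inhibit_recovery_hits(EVENTS):
        print(f"PID {pid}: {rule}")
```

The parent PID is carried along so that a hit can be joined back to the process tree: in this report the vssadmin.exe hit has Explorer.EXE as its parent, which on its own would look like an interactive administrator and is only tied to the sample through the Explorer-attributed Run key and anti-debug hits.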
Processes
Indentation follows the parent/child depth recorded by the sandbox. Each entry gives the image path, the recorded command line, the PID and the signatures attributed to that process. The sample-related chain is Explorer.EXE -> satan.exe (4196) -> satan.exe (1544) -> ofexw.exe (4604) -> ofexw.exe (2496), with cmd.exe (3892) running tmp_6b898cc2.bat under satan.exe 1544. cmd.exe was requested as C:\Windows\system32\cmd.exe but resolved to C:\Windows\SysWOW64\cmd.exe, the file-system redirection a 32-bit caller receives, so the stage that launched it is 32-bit. vssadmin.exe (2752) and taskmgr.exe (5984) are recorded as direct children of Explorer.EXE, not of the sample.

- C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
  PID 516
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID 776
- C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID 3116
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID 3440
  signatures: Adds Run key to start application; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
    PID 2544
    signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1ce946f8,0x7ffe1ce94708,0x7ffe1ce94718
      PID 3432
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
      PID 1072
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      PID 4820
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
      PID 2396
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      PID 3996
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      PID 4424
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
      PID 4380
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
      PID 708
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
      PID 4768
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      PID 400
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --dis able-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
      PID 5208
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
      PID 5216
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
      PID 5612
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      PID 5620
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6264 /prefetch:8
      PID 5708
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
      PID 5108
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 /prefetch:8
      PID 1132
      signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,14176789601566361086,12621748119933879212,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1336 /prefetch:2
      PID 2716
  - C:\Users\Admin\Downloads\satan.exe
    cmdline: "C:\Users\Admin\Downloads\satan.exe"
    PID 4196
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\Downloads\satan.exe
      cmdline: "C:\Users\Admin\Downloads\satan.exe"
      PID 1544
      signatures: Executes dropped EXE
      - C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe
        cmdline: "C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe"
        PID 4604
        signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses
        - C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe
          cmdline: "C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe"
          PID 2496
          signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_6b898cc2.bat"
        PID 3892
        - C:\Windows\System32\Conhost.exe
          cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID 4048
  - C:\Windows\System32\vssadmin.exe
    cmdline: "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
    PID 2752
    signatures: Interacts with shadow copies
  - C:\Windows\system32\taskmgr.exe
    cmdline: "C:\Windows\system32\taskmgr.exe" /4
    PID 5984
    signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID 3548
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID 3748
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID 3844
  signatures: Suspicious use of UnmapMainImage
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3912
  signatures: Suspicious use of UnmapMainImage
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID 4056
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4108
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID 396
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 4660
- C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 1884
- C:\Windows\System32\CompPkgSrv.exe
  cmdline: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID 4456
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 3896
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID 5140
- C:\Windows\System32\rundll32.exe
  cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID 4596
- C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  PID 2260
  signatures: Suspicious use of AdjustPrivilegeToken
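The tree above records nesting depth rather than parent PIDs, and the SetThreadContext IoCs name the parent/child pairs. As an added example, not part of the report, the Python below rebuilds the relevant part of the tree from records constructed from the report (parent PIDs follow the indentation, which is an assumption where the report is ambiguous; cmd.exe is placed under satan.exe PID 1544), flags same-image parent-to-child SetThreadContext as hollowing candidates together with their full lineage, and lists system-path binaries whose ancestry passes through an image under a user-writable path. The "user-writable" test (anything under C:\Users) is a simplification, and the third SetThreadContext pair is a constructed cross-image negative.

```python
# Process records constructed from the report's tree: (pid, ppid, image).
# The sandbox shows depth, not ppid; the ppids below follow the indentation and are
# an assumption where that is ambiguous (cmd.exe placed under satan.exe PID 1544).
PROCS = [
    (3440, 0,    r"C:\Windows\Explorer.EXE"),
    (2544, 3440, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    (4820, 2544, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
    (4196, 3440, r"C:\Users\Admin\Downloads\satan.exe"),
    (1544, 4196, r"C:\Users\Admin\Downloads\satan.exe"),
    (4604, 1544, r"C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe"),
    (2496, 4604, r"C:\Users\Admin\AppData\Roaming\Urho\ofexw.exe"),
    (3892, 1544, r"C:\Windows\SysWOW64\cmd.exe"),
    (4048, 3892, r"C:\Windows\System32\conhost.exe"),
    (2752, 3440, r"C:\Windows\System32\vssadmin.exe"),
    (5984, 3440, r"C:\Windows\system32\taskmgr.exe"),
]

# (source pid, target pid): the two SetThreadContext IoCs from the report plus one
# constructed cross-image pair (Explorer -> msedge) that must not be flagged.
SET_THREAD_CONTEXT = [(4196, 1544), (4604, 2496), (3440, 2544)]


def basename(image):
    return image.rsplit("\\", 1)[-1]


def index(procs):
    return {pid: (ppid, image) for pid, ppid, image in procs}


def lineage(procs, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    idx, chain, seen = index(procs), [], set()
    while pid in idx and pid not in seen:   # 'seen' guards against cyclic/garbage ppids
        seen.add(pid)
        ppid, image = idx[pid]
        chain.append(basename(image))
        pid = ppid
    return chain[::-1]


def hollowing_candidates(procs, stc_events):
    """SetThreadContext from a parent into its own child running the same image:
    the pattern of starting a suspended copy of oneself and redirecting its entry point."""
    idx, out = index(procs), []
    for src, tgt in stc_events:
        if src in idx and tgt in idx:
            ppid, timg = idx[tgt]
            if ppid == src and timg.lower() == idx[src][1].lower():
                out.append({"parent": src, "child": tgt, "image": basename(timg),
                            "lineage": lineage(procs, tgt)})
    return out


def is_user_writable(image):
    # Simplification (assumption): anything under C:\Users counts as user-writable.
    return image.lower().startswith("c:\\users\\")


def system_binaries_with_dropped_ancestor(procs):
    """PIDs of binaries outside user-writable paths that descend from one inside them."""
    idx, flagged = index(procs), []
    for pid, ppid, image in procs:
        if is_user_writable(image):
            continue
        p, seen = ppid, set()
        while p in idx and p not in seen:
            seen.add(p)
            if is_user_writable(idx[p][1]):
                flagged.append(pid)
                break
            p = idx[p][0]
    return flagged


if __name__ == "__main__":
    for c in hollowing_candidates(PROCS, SET_THREAD_CONTEXT):
        print(f"hollowing candidate: {c['parent']} -> {c['child']} ({c['image']}); lineage {c['lineage']}")
    print("system binaries under a dropped ancestor:", system_binaries_with_dropped_ancestor(PROCS))
```

vssadmin.exe (2752) is not returned by the lineage rule because its recorded parent is Explorer.EXE; that is the gap the Explorer-attributed Run key write and HideFromDebugger hits fill, and it is why lineage-only hunting would miss the shadow-copy deletion in this trace.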
Network
MITRE ATT&CK Enterprise v15
Downloads
Only one entry carries a path (an Edge code-cache index); the others are listed by size and hashes only, and the report does not say which of them is satan.exe or ofexw.exe.

- Filesize 152B
  MD5 c9c4c494f8fba32d95ba2125f00586a3
  SHA1 8a600205528aef7953144f1cf6f7a5115e3611de
  SHA256 a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b
  SHA512 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d
- Filesize 152B
  MD5 4dc6fc5e708279a3310fe55d9c44743d
  SHA1 a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2
  SHA256 a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8
  SHA512 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize 2KB
  MD5 af9eb8831185cf7ed7dcb6ed1f2b2391
  SHA1 6c51733ef0a1610d648c14f2615bbc30fe4cbc15
  SHA256 fa54550f3b3b76a040ff8098ad5763371790345b5914db762f2b3700d7064afe
  SHA512 787b6739358bbeb6d711e16db768d024ff195b72a0a0ba2fa18dc765526161d32b59c26cf023c095d4adbfbfd05ec0772f1a899e6300eaf938b326b9e5706111
- Filesize 579B
  MD5 000fbec379b54832c8f3ca39dad9344f
  SHA1 b3e63db91eb9b4cea7fa69ec5789450850da2aba
  SHA256 2236ec3b053951ccc64977ad11e4d512a39d47799735f5b5de15ada77ed49933
  SHA512 47da5d2362c6b4f33a6a7b5bdf3d6715612e11d5544924fa2aa5682c2f7462840bdb4ae86ced006670a9109eb5bd5e709191973d87a241091fb5740b1cddcd14
- Filesize 5KB
  MD5 600e94939ebc1ac4cdfb3e99c0289fdf
  SHA1 020518c7f8ef38c86813b1c806a23100a530d7ce
  SHA256 4c8ac626a274017fe00f4f1e3911982b8e46771de188274c85ea7c4bb12fb43d
  SHA512 5f08d2a4e5d64a29bbf41f49d1c0809bbd91b8a7695f2880a702cb4302823029cf6a08c871e1055e06e10e027a777bdcf59491244c1719504e39d1f9de00bb64
- Filesize 6KB
  MD5 a601b001eb2be1697fcb77d8780f0f01
  SHA1 62e27e2740598fa456a623c1c10cf001ace6225d
  SHA256 5182bf9d9eebc7a06f3a92cd4b47cc45fae84defa7aaaa2a133a2cc21b0d9346
  SHA512 42ace7f49c38aa3e0c27b13e6e3bfdffc009bc2a26d828813b119c52d3bc029e388957cba4bf6fa2c90d127a706907ab6c04e918914002a20283233b8e983657
- Filesize 6KB
  MD5 b94f8fe825966bd7774b530ceb834cda
  SHA1 aa828eff5a55961e3487cb945333ef2f96820623
  SHA256 d2242f7e84d938e933fde93c1777fb36fe61d4ec952f614f0044bf03561d719b
  SHA512 85b69061a2760702641feb7792c4fc4c62a9ab231291b27caadd2cb2e877859500d09bfb09459657b71bfadefdfb9ac2629259425f7ed91e53df18acc1be3d40
- Filesize 1KB
  MD5 68dc17461dbd58dac902bd07823e4cf1
  SHA1 f41e002c0935c5ba8933af12b29831c96d78cf8e
  SHA256 47cecceda6b9266bdc64580e15370b96d9bd95ab56ad2eca34c1c80415b06993
  SHA512 36db6463b779608579a62bfa5ec0a15dc6a367f6a9cf34ccd4ebec987ed15c69b57476ac779017af57337385a6bb4d07b03abad08b98addd61e8fcb4bb3c62f1
- Filesize 1KB
  MD5 db2a96b03d78d22b6b54e6aaa7614c1e
  SHA1 8eeb895a4c1172f2591cdd04d9f4210f7d153d15
  SHA256 22c709fcddb17dfee7d7041ca273a1583bb58e9047c0f846698572b32ff20087
  SHA512 8ce819eccc7c6421d7c260f9274fb5374d4752d746a53f455d17794a17307b86e1421626595ec3a3f9e0446852986df14da37ef21c61d438cc2668c322187d1e
- Filesize 1KB
  MD5 30d078a5fa44c0e131cb99facb81d262
  SHA1 f2ab724912c855ccdfacbd92d3c0e6fe322a9551
  SHA256 f88bd7131db9e8bf990f0e6ecf8f3f03d065246a34d515a95c646cb628a658b9
  SHA512 d21ace6ca854c0862620f0cf350f1b86d948164f69d4226acdd484d4e8367e772f874eab5a31077b53299f2cf008b984ada2d54cb76afa028c06355edd2e3868
- Filesize 1KB
  MD5 fd0cd2061896d2ebddbff28bdc07a91c
  SHA1 799302fc0d41543502011807eb130f811b487e87
  SHA256 53d9af9e68c91614fef07859bdfb0e5782b798430ecefbd48fc8db095b88033b
  SHA512 c639796de60541aabdad437795f845f147620c9d670e79114da820d6d5015a7b6293f0ff7792c8e271ebb812cd0893a3c6fe2cfb956b4ae11a465a56ffb7ffba
- Filesize 1KB
  MD5 80cf9e04e37bc70f986b84bc96c20bc7
  SHA1 d117c8d16f6e18d3987869ebf571ef883ddda3dd
  SHA256 c5dd4355c8221b4511105c685a5cba379e916200964c07e94f44a220561bb527
  SHA512 85fe1f33cb59821b26963c4fdcf4f2917abd5a159c892025d9082e409f81e4e23ebe1fb135c625404e38e1f211856da047f97e65fb22a4ef9009b94456a52a6b
- Filesize 1KB
  MD5 623b1b485c259894f15dfe98a012e71c
  SHA1 101e55268dae29525f83d12471107bc9c3029b47
  SHA256 16597c81cdbf337814aec2c53fa16f070f1b83e929e6828411e3000bbae0d21c
  SHA512 ac572215357bcf164ea6f501ee89fcc4a1cf12d2b573f0c13fca2b65f9db8e3b6f04018b523be80358c892e98e88c19908dc29d18a65a7fc0bfe5e47e01dd698
- Filesize 1KB
  MD5 e8abe09a11f3d0264021b80d6e162e92
  SHA1 a4e61dca5898110ded08882d961b06915bcefcbb
  SHA256 2b3eedb1edde1a83f9993305dd4165e3e166ef5bcd95edad6e3483b40c17051b
  SHA512 4f7d48a4bbb661173618ad0cbf2a474bb287401ca3e8d13c52d0790632f4d0cf98a33a1afbbbdf81f9880798bfaf45ffe715b2f568973167c21d3862369ff43c
- Filesize 874B
  MD5 c27eb77b52ccb1955671a1bf3c10c2b2
  SHA1 e9eb22971c60daef884a16d2920f9e80a6df7654
  SHA256 711ac39b03377c5846a436b6d8e96c4cebbf435e0b463ceefcb331d205797448
  SHA512 cb714a8316e53f11f1d2348334b0e84feef596ecafe3b5192d0ba57524ebab4d844a449a1760d7a73bfa23006ee09f28079ef7945535bc5a6739be28fcf86d33
- Filesize 16B
  MD5 206702161f94c5cd39fadd03f4014d98
  SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- Filesize 16B
  MD5 46295cac801e5d4857d09837238a6394
  SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- Filesize 11KB
  MD5 dff6ea0494f4e02287c0a9bba5bb56c1
  SHA1 485f11701850ed7d23a822fc3d97c6fb1b17f769
  SHA256 0db7bdceab6a0d00b317396796871319d2232607f67005130c49c8c9d468438f
  SHA512 800502426bc9538c2dacb99a598fa2b739b515a7616fa8e624183bf8e80563f434f4b4c3a18b45acd9f3febb1041b9ecd6ab273a40c269f4cabf1af83dbc10fc
- Filesize 12KB
  MD5 f93a99b46ce5589fd7eac8a1451df9c6
  SHA1 3b0b4c40f08f0a21969519f2cb6d1572b73933a7
  SHA256 42d15024b541616faa4afd149e2f6cb0a0305498b8e14d62c575c279c5630775
  SHA512 f9924325dbfc2d655f3a524a12cc2db696c8bcd8fe254c0f402b3d3b8f349863527ee32f3ba611ab1cebe8b55e91681f326a8845c556006415cdaa3a1cb37a9b
- Filesize 12KB
  MD5 500d52fc5c7d1ec949921e7d66410c0a
  SHA1 7389197a77052463d2c8081b5636a7f372d469af
  SHA256 aef1150c2ad12dade3dfc5a3991104770758a005cb43a0e60a2b7cd573e2d287
  SHA512 31743b47e9828e66e8de2358a07ae220fef8cc0c7d22d869ebb39bbe80f2d7f4225f22d34895c8e3befe98b0b857fc75a239ecf51d577e2b3c8ff0ff10ad1812
- Filesize 172B
  MD5 c482e08cecb112fecd2aabada37632b1
  SHA1 c0b8789c419f537de9111a445f9004eb5c16ea15
  SHA256 a69b07abec0beb8ec71f8f69385d20a8bae288fda47d4dc1e8fe4ddc1503193d
  SHA512 a11ac5544834fe154f7cca67584ff57110d740fabd8cac25d870dfb249b52c3df0b93aaf94457bf8c787cd3f3e3d7ae50ed09a9aa01742c52b7a6636a3b68015
- Filesize 67KB
  MD5 b4b3a8aee43eb2480f654ae5cbe1fbea
  SHA1 448bd6d09ca43fd921e608cade2ec206af430a75
  SHA256 31c2b5ee8fc1ddaf12bd47b04bc08f1035c24d12835d6ecf7263d20d9340284c
  SHA512 f25f87b91aeecb34b815f7b7c3f8f49a11b165aa996f88ec9cf20ee632661a81d5e04b238020f4df51062ff5baa124bc6fbcc2c7094722a4f658c599450b6623
- Filesize 184KB
  MD5 c9c341eaf04c89933ed28cbc2739d325
  SHA1 c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
  SHA256 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
  SHA512 7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b