cryptolocker | f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1

Resubmissions

22-06-2024 18:38

240622-w938astclj 10

20-06-2024 19:06

240620-xscjpashpg 10

Analysis

max time kernel
336s
max time network
390s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 19:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Yonder_Fivem.exe
Size

6.3MB
MD5

b1c825266b3ba65293047125b6187839
SHA1

2717197678e400a693ca7c3a4eedf1fe7001382b
SHA256

f6602a9eba868412294f032e365016623518da2a24c949e9659256c46d156bd1
SHA512

24830021254f1206775201f98fb0323dec02f947374a367c8d2f0c9c328b55fe492a36b0d2217ca41f1cdeb24152290501cef7b01dfb20e717db10f92952760e
SSDEEP

98304:gjWxDXRGFyZftzByQ6/Sw87AB3bq6p9OJmtgiBnuNfXWNasKo+oX2hsfBoj:gjWxFG2JByQ6/g01q6PiNiB6y97X2/j

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\GMDSI-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =--- ***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED*********************** *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS***** Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .GMDSI The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/6b7dc5a87f217c | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAKPu7YGdNLZB1IcUHUENwAGii3dovZmzMj5N19aLQCFsD9cU3dFfTVIkJWCkjbool5O5D4hGDQ2KKAU2p2tpjntN0S3rzgzwc5BTQGJic5gn2BEnyPLR5zGoc3iVWAxKKJeJ+fJERu006DVutleYEfI9BwnbtOPMh3y7JqgBSznVYr+jYvcxxh0KiF7kzGxCDvypZbMMckrrMf5I5rEI1920tdwgHGJLtOQp0IvS4Ppv6jCkVUD6xCq3xS5eS+YEOcZpi4K+Pt42HZrgxu60FRcBg2+FevNJaY0A7ogD2kY/T0GuOyUAZiB6GRUnBee3zEB/IEXVu03BgOLvSFQS7j0HqyNzoeGCxbnWTbPCgCkFTzuvD8sOALJNGgIfHrcSbyamefvBCY9ZUapvhQwowmHDqwF/Lf82yG1+lAp3lF3K5N/cktRlkxc0UQTEu4ST9ptXVIQbVE+Qmi7IT4oW4Tpqr+giJNINMxdBse9RC3BP+kzTnIzcPk0fbbT9QL8j/gsXlhjFmIsZsBWnnQA7wwQ7zv8Kfv1oYASQmEm8t7Lc07F9jFFDZJBrb7gLgv1YQOzj6tMDbjqSIuaZrhEwaL1ckzotcN7P0Xh6/3QYUmZqvb4CbLFZi2BtxrOjnC57hm+LQ+3NUsQgD1o4rBoWcfYtw9ZUwn3hYCikPjmMHbYK7a5nqeI5td8JIyWqEEe6M+qSQ2WcDLIqRvuqZFZ+ReAJG2vjeOjzX4dhZVkVyAr4Zc4ndlNI68VMZEJ/O21T95S1I3luJf1j2mpFM+KE9lPPROVXCKNkSazNPRHWwoZaGL7H/AIJ0g3hK8ulbYX+kZkzm5mNQO1YfYUFla+Ls+mg2GqejAa/9CkqSseE6YP/HuOPzmj1nvYPOSvgjhSKfX561hGSmgKRX+YRopo5V+gBpYK4Pc6GXP9KOiqMYIHFVNrHDkLPsNRlDGIKEsbE7c1vZanZpYNPPju4zGOgGVC3ODp5vTGbeZwppOhnAWn4K8ne0aqUyajANYE9cc8nLzgkBiZy7UoEfosu+XE2t8fdinUNxIdfyJww2I3geARM7jjoyKme08tnFr1Hyra+OCPz39/tvQgjlTi/ZuoAjiq2MXntUwII1Uw99Skt2hnBF0Umv2UGAMuCsIODvyWsKtcPxbTPWKDAVAozbvXa8Rod9zctUjuXw9fkUoiXHNZ8PEWP6rlGx8rFikxPMVVS71ddiW+mjhN46kLBUhTaDDDTtbHAH/ka2l7G8KP8Vy6gmQLm3kjYPCbJegY4vm5L5cN6nshvBxCkS/oZfI2q1CZvmhiGqISn6t+ESfuqUfksHTFQHzdHONJYP8k3KNwqUR4fjcfk6DYLaeMmhJxTSG0MATqZwpSoKh62WmEh8fMF9q3tRdGRa17U5nfpjJasg6ShQThGTGA5fSl/Ty2aN9nFe2MVsfpo8Xao5+MfC6i1GJbpat3wPbjrUSyehae3sV2EbJ36NK7s3wmbYMtW++mozYIcPzEnTLwkycWk6t6RQV2ixbLNYglKhzqqPn/LAGQlP2sVRNEnT5VmcLIDoGbfZIuJp9yPLFJENDnKLBQnqT4ZwVeIepfp1LbhSzFLngwE942y83f14ZOq/9nC+fdNhIiaI0svkqBs3r/CPbKnhCsQ9NfS4LaGkcnpAe7kb0AK98qxjPmx45RqXsHpE85AqhQbAZ1F3Yb/aDx/zRHzwUw/AnDfgANbIjPg5IE7P2BviO6U3GLlHt4oexOR6bA00L5MqYZEde84kjuJHq1nmMUYIBHBIWmMnP5p+IbX6Jz8jx5nUVhJZxvyXqyi2W281rcZIgOLdCgx9F7UgBL9lWOwv53AXo5XIEZ4L2L4CYqmzlbnG5kdZjfSGpsVmq7mhfUc1d0IGO7Q3tRy4KwbwdC+Im5Va8Qe3R5IVoJAFXTJ3Qb+mqbAIRc123SMSx0Bf9YrvxJfOaDkNRuAmRcSeUGTvC7JEMmRxGHg3PDr79ubbun3qngIZ+Pw9L00T8MQpK5FXKbMJ5f5URWZCEyQCPY2TEhGvx9MTywgcOcwwcXxJe3wqmjeGDOr8bJjYNDfPFINemzSCzeiR9eiKDTXB/AGuL+Oiw7JhK/YVs6PcijjLIN4iwTLcSC9FlsaxB010DKOsfxhhMw5741Z/pGEhw5BTLZKxf4SGuIYRJTXp2J2I2EgKN+PraFjmCRDy5uwJ8lupsFvVifNcQIXuMBGuxVEYm4d8mEDFkQrlJxoMx2SM/o= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- 7ftDEgLb/ZS0lcmZbHM61KDJ6AOtD78KkA7absMgUXYxWLsC+5+UYF9xVmD79NLJJJDLAuyVoODURWnIKnQXQzua3LPyzokSUuglaqKXwabsGM4pXku5In6gtMQMqg7sgEh1XW1iPMFgiUj/s1LdWpJHdiPjMpn7rCZNO/A31mak0K8RefoREu3BxtlAsseHWfVIIKN0U4NnA3w0Ga7XDLlF3iOIB6ImYbF6Z/7MBN2mgBr2rZ2gU1R7jNx2WKAyu4W+5zlHFnKwMISBi1CwemOo6FrxnP+Z5F9bSR7OvDBsmLj7oYD6GBgpBqj3RSAVfvfE0yZSXyCRtLeJe9BfBiNq+sZtR+W3YLHEmdOR2keCP9jy+/M2LKLjAaO2r1xWuOYPT0rJqfbML150zff7S12zgaAvoTDFrp2MPDax4ChLud7oMFoL6iSV1emrqBtvYbwArtwyqi8E1f2lWjmZ7qh4BOwkgU+wPUyub+sf0dwlLRyjx7jQwF3i9DPYKPigj42cWKb+7QkcvCqikoFdEvhEtCM4ANjhxtQXIE71RkHCybyMY50L1gk//uQFeywEnXTKCo3rMtccPEeVKMogLqob/gmOcGmVrrCCEY6sTrSMnN+abEImb4E05FHfczjSgqIbDBfFz4H7qFFwi0aAxMzGs3U= ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/6b7dc5a87f217c

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

annabelle.exe birele.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\annabelle.exe\u00a0"	annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\birele.exe\u00a0"	birele.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	annabelle.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" annabelle.exe
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (541) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Renames multiple (713) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	annabelle.exe

Blocklisted process makes network request 9 IoCs

Processes:

rundll32.exe

flow	pid	process
194	4264	rundll32.exe
195	4264	rundll32.exe
226	4264	rundll32.exe
227	4264	rundll32.exe
236	4264	rundll32.exe
248	4264	rundll32.exe
268	4264	rundll32.exe
287	4264	rundll32.exe
312	4264	rundll32.exe

Contacts a large (1146) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Disables RegEdit via registry modification 4 IoCs

evasion

Processes:

krotten.exe annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krotten.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	annabelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	annabelle.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP"	annabelle.exe

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

NetSh.exenetsh.exenetsh.exeNetSh.exe

pid process

26356 NetSh.exe
18284 netsh.exe
17728 netsh.exe
8256 NetSh.exe

pid	process
26356	NetSh.exe
18284	netsh.exe
17728	netsh.exe
8256	NetSh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

notpetya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	notpetya.exe

Drops startup file 8 IoCs

Processes:

coronavirus.exe gandcrab.exe derialock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	coronavirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coronavirus.exe	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	coronavirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-087F217C.[[email protected]].ncov	coronavirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\GMDSI-MANUAL.txt	gandcrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\87f269187f217c31c.lock	gandcrab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	derialock.exe

Executes dropped EXE 64 IoCs

Processes:

yonder_fivem.exe icsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeMadMan.exeicsys.icn.exeexplorer.exeMadMan.exeicsys.icn.exeexplorer.exeMadMan.exeicsys.icn.exeexplorer.exeWinNuke.98.exewinnuke.98.exe icsys.icn.exeexplorer.exeDanaBot.exedanabot.exe icsys.icn.exeexplorer.exeBumerang.exebumerang.exe ddraw32.dllddraw32.dllicsys.icn.exeexplorer.exeCryptoLocker.execryptolocker.exe icsys.icn.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeexplorer.exe$uckyLocker.exe$uckylocker.exe icsys.icn.exeexplorer.exeAnnabelle.exeannabelle.exe CoronaVirus.execoronavirus.exe InfinityCrypt.exeinfinitycrypt.exe icsys.icn.exeKrotten.exeexplorer.exekrotten.exe icsys.icn.exeexplorer.exeNotPetya.exeGandCrab.exenotpetya.exe icsys.icn.exegandcrab.exe explorer.exeInfinityCrypt.exeDeriaLock.exeC948.tmpInfinityCrypt.exeCryptoLocker.exeCerber5.exeBirele.exe

pid	process
1164	yonder_fivem.exe
768	icsys.icn.exe
2124	explorer.exe
552	spoolsv.exe
4904	svchost.exe
2372	spoolsv.exe
5596	MadMan.exe
216	icsys.icn.exe
5396	explorer.exe
5724	MadMan.exe
4908	icsys.icn.exe
652	explorer.exe
5240	MadMan.exe
2020	icsys.icn.exe
376	explorer.exe
5524	WinNuke.98.exe
6132	winnuke.98.exe
2436	icsys.icn.exe
3724	explorer.exe
6032	DanaBot.exe
3556	danabot.exe
4300	icsys.icn.exe
2332	explorer.exe
5732	Bumerang.exe
1804	bumerang.exe
2492	ddraw32.dll
4260	ddraw32.dll
5292	icsys.icn.exe
2432	explorer.exe
6052	CryptoLocker.exe
6084	cryptolocker.exe
5036	icsys.icn.exe
4628	{34184A33-0407-212E-3320-09040709E2C2}.exe
1952	{34184A33-0407-212E-3320-09040709E2C2}.exe
2408	explorer.exe
7044	$uckyLocker.exe
7088	$uckylocker.exe
7140	icsys.icn.exe
6184	explorer.exe
6724	Annabelle.exe
6752	annabelle.exe
6740	CoronaVirus.exe
5712	coronavirus.exe
6988	InfinityCrypt.exe
6548	infinitycrypt.exe
4084	icsys.icn.exe
2452	Krotten.exe
668	explorer.exe
4208	krotten.exe
7072	icsys.icn.exe
7156	explorer.exe
2384	NotPetya.exe
5564	GandCrab.exe
3256	notpetya.exe
3252	icsys.icn.exe
1820	gandcrab.exe
5892	explorer.exe
6772	InfinityCrypt.exe
6856	DeriaLock.exe
6488	C948.tmp
4988	InfinityCrypt.exe
7148	CryptoLocker.exe
1180	Cerber5.exe
22684	Birele.exe

Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs

defense_evasion

Safe Mode Boot

T1562.009

Processes:

birele.exe annabelle.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	birele.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1"	annabelle.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	birele.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	birele.exe

Loads dropped DLL 3 IoCs

Processes:

regsvr32.exerundll32.exerundll32.exe

pid process

5556 regsvr32.exe
4264 rundll32.exe
6980 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5556	regsvr32.exe
4264	rundll32.exe
6980	rundll32.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1804-1953-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4260-1960-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2492-1959-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1804-1958-0x0000000000400000-0x0000000000410000-memory.dmp	upx
C:\Windows\SysWOW64\ddraw32.dll	upx
behavioral2/memory/2492-1972-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4260-1976-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/25940-24892-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/25940-25112-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral2/memory/25940-30970-0x0000000000400000-0x0000000000438000-memory.dmp	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe	vmprotect

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

annabelle.exe explorer.exesvchost.exekrotten.exe birele.exe {34184A33-0407-212E-3320-09040709E2C2}.execoronavirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\annabelle.exe\u00a0"	annabelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe"	krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\annabelle.exe\u00a0"	annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\annabelle.exe\u00a0"	annabelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "c:\\users\\admin\\desktop\\the-malware-repo-master\\ransomware\\birele.exe\u00a0"	birele.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe"	krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coronavirus.exe = "C:\\Windows\\System32\\coronavirus.exe\u00a0"	coronavirus.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

annabelle.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" annabelle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	annabelle.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

coronavirus.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	coronavirus.exe
File opened for modification	C:\Program Files\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	coronavirus.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	coronavirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	coronavirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	coronavirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	coronavirus.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	coronavirus.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cerber5.exe gandcrab.exe

description	ioc	process
File opened (read-only)	\??\x:	cerber5.exe
File opened (read-only)	\??\z:	cerber5.exe
File opened (read-only)	\??\N:	gandcrab.exe
File opened (read-only)	\??\X:	gandcrab.exe
File opened (read-only)	\??\Y:	gandcrab.exe
File opened (read-only)	\??\t:	cerber5.exe
File opened (read-only)	\??\w:	cerber5.exe
File opened (read-only)	\??\h:	cerber5.exe
File opened (read-only)	\??\l:	cerber5.exe
File opened (read-only)	\??\o:	cerber5.exe
File opened (read-only)	\??\O:	gandcrab.exe
File opened (read-only)	\??\Q:	gandcrab.exe
File opened (read-only)	\??\U:	gandcrab.exe
File opened (read-only)	\??\V:	gandcrab.exe
File opened (read-only)	\??\W:	gandcrab.exe
File opened (read-only)	\??\v:	cerber5.exe
File opened (read-only)	\??\y:	cerber5.exe
File opened (read-only)	\??\q:	cerber5.exe
File opened (read-only)	\??\s:	cerber5.exe
File opened (read-only)	\??\u:	cerber5.exe
File opened (read-only)	\??\B:	gandcrab.exe
File opened (read-only)	\??\E:	gandcrab.exe
File opened (read-only)	\??\K:	gandcrab.exe
File opened (read-only)	\??\M:	gandcrab.exe
File opened (read-only)	\??\m:	cerber5.exe
File opened (read-only)	\??\S:	gandcrab.exe
File opened (read-only)	\??\e:	cerber5.exe
File opened (read-only)	\??\i:	cerber5.exe
File opened (read-only)	\??\n:	cerber5.exe
File opened (read-only)	\??\H:	gandcrab.exe
File opened (read-only)	\??\J:	gandcrab.exe
File opened (read-only)	\??\R:	gandcrab.exe
File opened (read-only)	\??\a:	cerber5.exe
File opened (read-only)	\??\j:	cerber5.exe
File opened (read-only)	\??\b:	cerber5.exe
File opened (read-only)	\??\A:	gandcrab.exe
File opened (read-only)	\??\I:	gandcrab.exe
File opened (read-only)	\??\L:	gandcrab.exe
File opened (read-only)	\??\T:	gandcrab.exe
File opened (read-only)	\??\Z:	gandcrab.exe
File opened (read-only)	\??\G:	gandcrab.exe
File opened (read-only)	\??\P:	gandcrab.exe
File opened (read-only)	\??\g:	cerber5.exe
File opened (read-only)	\??\r:	cerber5.exe
File opened (read-only)	\??\k:	cerber5.exe
File opened (read-only)	\??\p:	cerber5.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER"	krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü. Â îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû."	krotten.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 4 IoCs

Processes:

bumerang.exe coronavirus.exe explorer.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ddraw32.dll	bumerang.exe
File created	C:\Windows\System32\coronavirus.exe	coronavirus.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

$uckylocker.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\Wallpaper = "0"	$uckylocker.exe

Drops file in Program Files directory 64 IoCs

Processes:

coronavirus.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\ui-strings.js	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100_contrast-high.png	coronavirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\ui-strings.js.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoianetutil.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\CompatExceptions.DATA.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\195.png	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\close-2.svg	coronavirus.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_ts_plugin.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\ui-strings.js	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\rsod\excel.x-none.msi.16.x-none.boot.tree.dat.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-cn_get.svg.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7EN.DLL.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\REFINED.INF	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\ISO690.XSL.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nb-no\ui-strings.js	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\Retail\Windows_Insider_Ninjacat_Unicorn-128x128.png	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.scale-150_contrast-black.png	coronavirus.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\kn.pak.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\System\msvcr110.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcrystalhd_plugin.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteMedTile.scale-125.png	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\WindowsBase.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-125_contrast-white.png	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-root-bridge-test.xrm-ms	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\offlineUtilities.js	coronavirus.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaTypewriterRegular.ttf.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms.id-087F217C.[[email protected]].ncov	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSWORD.OLB.id-087F217C.[[email protected]].ncov	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\tmtransactions_xl.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\msvcp120.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.fr-fr.msi.16.fr-fr.vreg.dat	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-string-l1-1-0.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageSplashScreen.scale-200_contrast-black.png	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\main-selector.css	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\ui-strings.js	coronavirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\ui-strings.js.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\Microsoft.Services.Store.Engagement.dll	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-tw\ui-strings.js	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\InsiderHubLargeTile.scale-125_contrast-black.png	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemCore.dll	coronavirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\PlayStore_icon.svg.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreLogo.scale-200_contrast-white.png	coronavirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png	coronavirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf.4F0FE608009B0743AF09D820423F3062119A2EE21978A93C8D7F0B3A90B25CB8.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraAppList.targetsize-96.png	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Forms.Design.resources.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl	coronavirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.schema.mfl.id-087F217C.[[email protected]].ncov	coronavirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\ReachFramework.resources.dll	coronavirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Drawing.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll.id-087F217C.[[email protected]].ncov	coronavirus.exe

Drops file in Windows directory 29 IoCs

Processes:

icsys.icn.exerundll32.exeYonder_Fivem.exeMadMan.exeAnnabelle.exeDeriaLock.exeCryptoLocker.exeCerber5.exeexplorer.exeDanaBot.exeBumerang.exeCryptoLocker.exeGandCrab.exeMadMan.exeInfinityCrypt.exeNotPetya.exesvchost.exeMadMan.exeKrotten.exeCoronaVirus.exekrotten.exe notpetya.exe spoolsv.exeWinNuke.98.exe$uckyLocker.exeBirele.exe

description	ioc	process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Yonder_Fivem.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	MadMan.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Annabelle.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	DeriaLock.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	CryptoLocker.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Cerber5.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	DanaBot.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Bumerang.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	CryptoLocker.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	GandCrab.exe
File created	C:\Windows\perfc	rundll32.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	MadMan.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	InfinityCrypt.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	NotPetya.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn	svchost.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	MadMan.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Krotten.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	CoronaVirus.exe
File opened for modification	C:\WINDOWS\Web	krotten.exe
File created	C:\Windows\perfc.dat	notpetya.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	WinNuke.98.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	$uckyLocker.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	Birele.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exeNetSh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5604	3556	WerFault.exe	danabot.exe
1164	2492	WerFault.exe	ddraw32.dll
4724	1820	WerFault.exe	gandcrab.exe
40200	4264	WerFault.exe	rundll32.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

infinitycrypt.exe gandcrab.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	infinitycrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	infinitycrypt.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	gandcrab.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	gandcrab.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 7 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid process

39996 vssadmin.exe
8260 vssadmin.exe
8284 vssadmin.exe
8308 vssadmin.exe
26340 vssadmin.exe
26328 vssadmin.exe
26284 vssadmin.exe

pid	process
39996	vssadmin.exe
8260	vssadmin.exe
8284	vssadmin.exe
8308	vssadmin.exe
26340	vssadmin.exe
26328	vssadmin.exe
26284	vssadmin.exe

Modifies Control Panel 6 IoCs

evasion

Processes:

krotten.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\sTimeFormat = "ÕÓÉ"	krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\WallpaperOriginX = "210"	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\WallpaperOriginY = "187"	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\Desktop\MenuShowDelay = "9999"	krotten.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

krotten.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	krotten.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	krotten.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::"	krotten.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

Processes:

krotten.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	krotten.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/"	krotten.exe

Modifies registry class 3 IoCs

Processes:

msedge.exemsedge.exekrotten.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{ED385C60-FB0B-4171-B778-B19DCAC59712}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings	msedge.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND	krotten.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

43444 schtasks.exe

pid	process
43444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exe

pid	process
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe
768	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

svchost.exeexplorer.exe

pid process

4904 svchost.exe
2124 explorer.exe

pid	process
4904	svchost.exe
2124	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 33 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

coronavirus.exe

pid process

5712 coronavirus.exe

pid	process
5712	coronavirus.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

AUDIODG.EXEkrotten.exe rundll32.exeC948.tmpannabelle.exe vssvc.exederialock.exe

description	pid	process
Token: 33	3808	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3808	AUDIODG.EXE
Token: SeSystemtimePrivilege	4208	krotten.exe
Token: SeShutdownPrivilege	6980	rundll32.exe
Token: SeDebugPrivilege	6980	rundll32.exe
Token: SeTcbPrivilege	6980	rundll32.exe
Token: SeDebugPrivilege	6488	C948.tmp
Token: SeSystemtimePrivilege	4208	krotten.exe
Token: SeSystemtimePrivilege	4208	krotten.exe
Token: SeDebugPrivilege	6752	annabelle.exe
Token: SeBackupPrivilege	41312	vssvc.exe
Token: SeRestorePrivilege	41312	vssvc.exe
Token: SeAuditPrivilege	41312	vssvc.exe
Token: SeDebugPrivilege	13068	derialock.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe
3464	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exespoolsv.exeMadMan.exeicsys.icn.exeexplorer.exeMadMan.exeicsys.icn.exeexplorer.exeMadMan.exeicsys.icn.exeexplorer.exeWinNuke.98.exeicsys.icn.exeexplorer.exeDanaBot.exeicsys.icn.exedanabot.exe explorer.exeBumerang.exebumerang.exe icsys.icn.exe

pid	process
3392	Yonder_Fivem.exe
3392	Yonder_Fivem.exe
768	icsys.icn.exe
768	icsys.icn.exe
2124	explorer.exe
2124	explorer.exe
552	spoolsv.exe
552	spoolsv.exe
4904	svchost.exe
4904	svchost.exe
2372	spoolsv.exe
2372	spoolsv.exe
5596	MadMan.exe
5596	MadMan.exe
5596	MadMan.exe
216	icsys.icn.exe
216	icsys.icn.exe
216	icsys.icn.exe
5396	explorer.exe
5396	explorer.exe
5396	explorer.exe
5724	MadMan.exe
5724	MadMan.exe
5724	MadMan.exe
4908	icsys.icn.exe
4908	icsys.icn.exe
4908	icsys.icn.exe
652	explorer.exe
652	explorer.exe
652	explorer.exe
5240	MadMan.exe
5240	MadMan.exe
5240	MadMan.exe
2020	icsys.icn.exe
2020	icsys.icn.exe
2020	icsys.icn.exe
376	explorer.exe
376	explorer.exe
376	explorer.exe
5524	WinNuke.98.exe
5524	WinNuke.98.exe
5524	WinNuke.98.exe
2436	icsys.icn.exe
2436	icsys.icn.exe
2436	icsys.icn.exe
3724	explorer.exe
3724	explorer.exe
3724	explorer.exe
6032	DanaBot.exe
6032	DanaBot.exe
6032	DanaBot.exe
4300	icsys.icn.exe
4300	icsys.icn.exe
4300	icsys.icn.exe
3556	danabot.exe
2332	explorer.exe
2332	explorer.exe
2332	explorer.exe
5732	Bumerang.exe
5732	Bumerang.exe
5732	Bumerang.exe
1804	bumerang.exe
5292	icsys.icn.exe
5292	icsys.icn.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Yonder_Fivem.exeicsys.icn.exeexplorer.exespoolsv.exesvchost.exemsedge.exe

description	pid	process	target process
PID 3392 wrote to memory of 1164	3392	Yonder_Fivem.exe	yonder_fivem.exe
PID 3392 wrote to memory of 1164	3392	Yonder_Fivem.exe	yonder_fivem.exe
PID 3392 wrote to memory of 768	3392	Yonder_Fivem.exe	icsys.icn.exe
PID 3392 wrote to memory of 768	3392	Yonder_Fivem.exe	icsys.icn.exe
PID 3392 wrote to memory of 768	3392	Yonder_Fivem.exe	icsys.icn.exe
PID 768 wrote to memory of 2124	768	icsys.icn.exe	explorer.exe
PID 768 wrote to memory of 2124	768	icsys.icn.exe	explorer.exe
PID 768 wrote to memory of 2124	768	icsys.icn.exe	explorer.exe
PID 2124 wrote to memory of 552	2124	explorer.exe	spoolsv.exe
PID 2124 wrote to memory of 552	2124	explorer.exe	spoolsv.exe
PID 2124 wrote to memory of 552	2124	explorer.exe	spoolsv.exe
PID 552 wrote to memory of 4904	552	spoolsv.exe	svchost.exe
PID 552 wrote to memory of 4904	552	spoolsv.exe	svchost.exe
PID 552 wrote to memory of 4904	552	spoolsv.exe	svchost.exe
PID 4904 wrote to memory of 2372	4904	svchost.exe	spoolsv.exe
PID 4904 wrote to memory of 2372	4904	svchost.exe	spoolsv.exe
PID 4904 wrote to memory of 2372	4904	svchost.exe	spoolsv.exe
PID 3464 wrote to memory of 3232	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3232	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3224	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3108	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 3108	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4412	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4412	3464	msedge.exe	msedge.exe
PID 3464 wrote to memory of 4412	3464	msedge.exe	msedge.exe

System policy modification 1 TTPs 46 IoCs

evasion

Modify Registry

T1112

Processes:

krotten.exe annabelle.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1"	krotten.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1"	krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1"	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1"	krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	annabelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1"	annabelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1"	krotten.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1"	krotten.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	annabelle.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	annabelle.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe
"C:\Users\Admin\AppData\Local\Temp\Yonder_Fivem.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392
- \??\c:\users\admin\appdata\local\temp\yonder_fivem.exe
  c:\users\admin\appdata\local\temp\yonder_fivem.exe
  2⤵
  - Executes dropped EXE
  PID:1164
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:768
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:552
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2372
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:32692
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:32816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:32972
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:33016
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33064
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:33708
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:23192
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:7584
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:23156
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:7792
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:7864
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:7960
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:28804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:28836
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11964
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:29044
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:28908
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11640
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:28968
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11932
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:29104
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:29176
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:12084
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:12060
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11540
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11888
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11820
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11772
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11712
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:3712
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33776
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:24664
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11508
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11436
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11392
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:6176
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:7164
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11284
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11268
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11092
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33900
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11188
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10976
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11156
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34512
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:11120
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10616
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:11248
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34444
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34348
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34320
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34268
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34232
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34164
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34140
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34096
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34064
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:33968
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33976
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10548
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:33804
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10996
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10960
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10920
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10868
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10832
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10800
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10708
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10668
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:6924
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:10440
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:10348
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:8348
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34696
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34780
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:34912
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:34988
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35092
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35168
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35272
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35324
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35396
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35492
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35564
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35676
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35728
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35816
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:35844
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:35888
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:36040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36180
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:36228
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:36340
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36392
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:36408
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36476
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:37040
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36056
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:36064
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36212
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        
        PID:37168
        
        \??\c:\windows\resources\themes\explorer.exe
        
        c:\windows\resources\themes\explorer.exe
        7⤵
        
        PID:36684
        
        \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe SE
        8⤵
        
        PID:36808
        
        C:\Windows\Explorer.exe
        
        C:\Windows\Explorer.exe
        8⤵
        
        PID:36860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb16fd46f8,0x7ffb16fd4708,0x7ffb16fd4718
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6104 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7132 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2676 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,10670624886370674873,8403837057141560420,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4616

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x37c 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5740

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3188

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5596
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:216
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5396

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5724
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4908
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:652

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5240
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2020
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:376

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\WinNuke.98.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\WinNuke.98.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5524
- \??\c:\users\admin\desktop\the-malware-repo-master\virus\winnuke.98.exe
  c:\users\admin\desktop\the-malware-repo-master\virus\winnuke.98.exe
  2⤵
  - Executes dropped EXE
  PID:6132
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2436
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3724

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Banking-Malware\DanaBot.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:6032
- \??\c:\users\admin\desktop\the-malware-repo-master\banking-malware\danabot.exe
  c:\users\admin\desktop\the-malware-repo-master\banking-malware\danabot.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3556
- - C:\Windows\SysWOW64\regsvr32.exe
    C:\Windows\system32\regsvr32.exe -s c:\users\admin\desktop\THE-MA~1\BANKIN~1\danabot.dll f1 c:\users\admin\desktop\THE-MA~1\BANKIN~1\DANABO~1.EXE@3556
    3⤵
    - Loads dropped DLL
    PID:5556
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe c:\users\admin\desktop\THE-MA~1\BANKIN~1\danabot.dll,f0
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      PID:4264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 916
        5⤵
        Program crash
        
        PID:40200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 456
    3⤵
    - Program crash
    PID:5604
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4300
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3556 -ip 3556
1⤵
PID:3460

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Worm\Bumerang.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Worm\Bumerang.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5732
- \??\c:\users\admin\desktop\the-malware-repo-master\worm\bumerang.exe
  c:\users\admin\desktop\the-malware-repo-master\worm\bumerang.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:1804
- - C:\Windows\SysWOW64\ddraw32.dll
    C:\Windows\system32\ddraw32.dll
    3⤵
    - Executes dropped EXE
    PID:2492
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 324
      4⤵
      Program crash
      PID:1164
- - C:\Windows\SysWOW64\ddraw32.dll
    C:\Windows\system32\ddraw32.dll :c:\users\admin\desktop\the-malware-repo-master\worm\bumerang.exe
    3⤵
    - Executes dropped EXE
    PID:4260
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5292
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2492 -ip 2492
1⤵
PID:1088

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6052
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\cryptolocker.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\cryptolocker.exe
  2⤵
  - Executes dropped EXE
  PID:6084
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rc:\users\admin\desktop\the-malware-repo-master\ransomware\cryptolocker.exe "
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4628
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      PID:1952
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:2408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault598aea8ch0b1eh4cbch82c8h521fbb474e79
1⤵
PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb16fd46f8,0x7ffb16fd4708,0x7ffb16fd4718
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,7382243294719745221,3449988348532918725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:6200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,7382243294719745221,3449988348532918725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  PID:6212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault484f456bheac5h4b14h9e10he53347e2d5a2
1⤵
PID:6560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb16fd46f8,0x7ffb16fd4708,0x7ffb16fd4718
  2⤵
  PID:6572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,4506348229546691902,8667698381282602779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 /prefetch:3
  2⤵
  PID:6836

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\$uckyLocker.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:7044
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\$uckylocker.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\$uckylocker.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:7088
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  PID:7140
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:6184

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
PID:6892

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6724
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\annabelle.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\annabelle.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:6752
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:26284
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:26328
- - C:\Windows\SYSTEM32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:26340
- - C:\Windows\SYSTEM32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:26356
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:39460
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:31272
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    PID:10612

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6740
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\coronavirus.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\coronavirus.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: RenamesItself
  PID:5712
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    PID:1880
  - - C:\Windows\system32\mode.com
      mode con cp select=1251
      4⤵
      PID:43488
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:39996
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:18116
- - C:\Windows\System32\mshta.exe
    "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵
    PID:18092
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:33548

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6988
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\infinitycrypt.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\infinitycrypt.exe
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:6548
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:668

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Krotten.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Krotten.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2452
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\krotten.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\krotten.exe
  2⤵
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies WinLogon
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:4208
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  PID:7072
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:7156

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\NotPetya.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\NotPetya.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2384
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\notpetya.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\notpetya.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:3256
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:6980
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:14
      4⤵
      PID:6768
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 20:14
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:43444
  - - C:\Users\Admin\AppData\Local\Temp\C948.tmp
      "C:\Users\Admin\AppData\Local\Temp\C948.tmp" \\.\pipe\{534BABC6-EA5C-4A8D-9EF8-2E23184D07BD}
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:6488
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Executes dropped EXE
    PID:5892

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\GandCrab.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\GandCrab.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5564
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\gandcrab.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\gandcrab.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Checks processor information in registry
  PID:1820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1676
    3⤵
    - Program crash
    PID:4724
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:10320

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
1⤵
- Executes dropped EXE
PID:6772

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\DeriaLock.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6856
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\derialock.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\derialock.exe
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:13068
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:29952
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    PID:14088

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\InfinityCrypt.exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:7148
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\cryptolocker.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\cryptolocker.exe
  2⤵
  PID:28072
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:34488
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    PID:36596

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Cerber5.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1180
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\cerber5.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\cerber5.exe
  2⤵
  - Enumerates connected drives
  PID:26468
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:18284
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    PID:17728
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WOB3_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:11292
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:17552
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    PID:17468

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Birele.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Ransomware\Birele.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:22684
- \??\c:\users\admin\desktop\the-malware-repo-master\ransomware\birele.exe
  c:\users\admin\desktop\the-malware-repo-master\ransomware\birele.exe
  2⤵
  - Modifies WinLogon for persistence
  - Impair Defenses: Safe Mode Boot
  - Adds Run key to start application
  PID:25940
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  PID:13880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:41312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1820 -ip 1820
1⤵
PID:6452

\??\c:\users\admin\desktop\the-malware-repo-master\ransomware\annabelle.exe
c:\users\admin\desktop\the-malware-repo-master\ransomware\annabelle.exe
1⤵
PID:32668
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8308
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8284
- C:\Windows\system32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:8260
- C:\Windows\system32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  PID:8256

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:36616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:36936

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3fdd855 /state1:0x41c64e6d
1⤵
PID:39588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4264 -ip 4264
1⤵
PID:40172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.4F0FE608009B0743AF09D820423F3062119A2EE21978A93C8D7F0B3A90B25CB8

Filesize
16B

MD5
ba2bd79bccf042c8b13ebe07829e4dd1

SHA1
e9c8ae28e5b3b99dd5656cfdd0332cdea9e93d2f

SHA256
6b87dacce2926e499ff17b31ff071edc5ea11a4bfe38e9ac6c752b125ed7129f

SHA512
c73f2e8efdcfdbf7a6a07c26676872906143471d00945b94166944635a09568b2ee0eed8fa5ac0efc1368bae8b7be6acea0f36ddab6cc7d0868716eeaceba742

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\MakeAccessible.api.id-087F217C.[[email protected]].ncov.4F0FE608009B0743AF09D820423F3062119A2EE21978A93C8D7F0B3A90B25CB8

Filesize
5.8MB

MD5
9a0194dc5b7746b8874ac0293939f981

SHA1
fc1cc0fe37a7f238440f52f840a32e0ff7ae45a7

SHA256
a7f5012d95dd37e9f170a84ccc51921db4a778c199140a9404e09bc285501dc6

SHA512
aa82f131bb6f4f0bc723e318d752bcf532ef3e5337b6799a476a762b14d95c93b8341d725d996d5317fb1f3cb1a4904d4bbdd154a205b48d75ecbfe168a41adf

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.4F0FE608009B0743AF09D820423F3062119A2EE21978A93C8D7F0B3A90B25CB8

Filesize
32KB

MD5
cf81bfdc9206a13778ef7c34c2c03c23

SHA1
2a922d4aed2ef85f24a552244ff402ac7b71956d

SHA256
d6afeff86c1ff3ffcef887bb4d76065640c90cbb2dd57db0dc85f21c018c9946

SHA512
42567a6c7dc212d1f4af84d45645dac3bad4d08ebbb7d17ea9cb1fbd3fdd1ab4c2a8a677b3a642049553d3e5b514cb0d6c11735d3cb1f98d44a7bcb523f8f6b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-087F217C.[[email protected]].ncov

Filesize
2.9MB

MD5
3c8765cec4c19c3a87a66ab9f9585ef4

SHA1
a6762953a7f790b56d8733ef11baa89ed0b98c7c

SHA256
d6719f98116ebca390cc8057a283abc89cda78ed42fe71997a62b48b37d92a63

SHA512
c0411471a6cfc24191dd37f7efa61007ca87f1fab904042fc7c8fdad580dd99409c9c9cbd0f83e14c39503afd3a342b6783f69547cfab6b1d5159a1eb8d7b4a3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\coronavirus.exe

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e2c71219e052bcb49590d66f813fcec

SHA1
d90d391dd58f40701eb537a7c6f0168364aca958

SHA256
70f42aaceee42f5605d7a17b9178d8a3a5cbf8ad24b6c97f5a0a09ea0efad744

SHA512
b874d10b4b62e33358618a7d8c58390ea84eccbe3c9ec8c07332b357f1c98c9b124d2640890c3d512716407e12ef0554ab0dd95c88d40fcd33f54b0c4a088517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
82189e26c57d45de7e292966a2dade7c

SHA1
24692165dd8801f6203f32b5ef7336b0f87abe02

SHA256
49622e3f1a4e45513eacae89203a194e49e16cf4938158624ee8fef219931316

SHA512
6a4da19b81e3d48a459b3c165c8a1330f84024a8c9def78ed49d361d772d469f6f52f82b8f795e3d022536e40e52cb5b964f87e335dd5f0d237bb968498047c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c39b3aa574c0c938c80eb263bb450311

SHA1
f4d11275b63f4f906be7a55ec6ca050c62c18c88

SHA256
66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c

SHA512
eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dabfafd78687947a9de64dd5b776d25f

SHA1
16084c74980dbad713f9d332091985808b436dea

SHA256
c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201

SHA512
dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
63KB

MD5
5d0e354e98734f75eee79829eb7b9039

SHA1
86ffc126d8b7473568a4bb04d49021959a892b3a

SHA256
1cf8ae1c13406a2b4fc81dae6e30f6ea6a8a72566222d2ffe9e85b7e3676b97e

SHA512
4475f576a2cdaac1ebdec9e0a94f3098e2bc84b9a2a1da004c67e73597dd61acfbb88c94d0d39a655732c77565b7cc06880c78a97307cb3aac5abf16dd14ec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
69KB

MD5
76c36bd1ed44a95060d82ad323bf12e0

SHA1
3d85f59ab9796a32a3f313960b1668af2d9530de

SHA256
5d0e5d5fdb4d16cf9341f981b6e4a030f35d4766ad945c27381f8d3afb624542

SHA512
9f0555fb531734b786364701e17cb7f57ce94a688d4616fb85bf32cad45a253a9c479a301e05a4f8630cfea141dd52726a31b8e90198c19c16f33fb150a04a40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
42KB

MD5
748f143f9412c4b4f40b2fbe2f6922ec

SHA1
0fb9c1ea3fec9acb2fe0fde54524668f70643231

SHA256
4dfcdf7bb12d6a7c91d7f3367e5611b30a90d661e3c5c04bbdcc2c60005706ec

SHA512
8696a1dec04563a939a5fa9d7a67026c32272d27a7758f05eeb95cd39a0fd0d129b69d5984400954b230c09335d84fe4a1b6e53477e16144b6648cd01ae7514b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
19KB

MD5
635efe262aec3acfb8be08b7baf97a3d

SHA1
232b8fe0965aea5c65605b78c3ba286cefb2f43f

SHA256
8a4492d1d9ca694d384d89fa61cf1df2b04583c64762783313029ae405cbfa06

SHA512
d4b21b43b67697f1c391147691d8229d429082c389411167386f5c94e3a798f26c2457adf6d06caec446106e0f0aa16d895bfc4e8a1ff9e9c21a51173a923e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
88KB

MD5
77e89b1c954303a8aa65ae10e18c1b51

SHA1
e2b15a0d930dcc11f0b38c95b1e68d1ca8334d73

SHA256
069a7cc0309c5d6fc99259d5d5a8e41926996bbae11dc8631a7303a0c2d8c953

SHA512
5780d3532af970f3942eecf731a43f04b0d2bdb9c0f1a262dbd1c3980bcc82fe6d2126236ad33c48ea5434d376de2214d84a9a2ccec46a0671886fe0aa5e5597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
64KB

MD5
2923c306256864061a11e426841fc44a

SHA1
d9bb657845d502acd69a15a66f9e667ce9b68351

SHA256
5bc3f12e012e1a39ac69afba923768b758089461ccea0b8391f682d91c0ed2fa

SHA512
f2614f699ac296ee1f81e32955c97d2c13177714dbd424e7f5f7de0d8869dd799d13c64929386ac9c942325456d26c4876a09341d17d7c9af4f80695d259cfea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
1.2MB

MD5
e5622114d3b8e67d1a75e35f8c9e0414

SHA1
c02c68a3df90ff2c81fb46989bb2236f8a1d275a

SHA256
f8935be61874372cd0cfbd7536c87f6caaf3cf6de95bd148f28d19102d3a2e81

SHA512
ccc2722db5ed5fc0111f52b802327fb1ad20bb4123ead20248041b116a913b6e900e24ef326e352f776cca1dba9322e85c98feefe39b0da19478f0041091907a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9d84e0f0dfe15ec49bc6d84c441e323b

SHA1
d597de23964ec3ee7f3bd04b92c1a114642d084d

SHA256
0e261b70012ce6f519c3b55c2db2f643b58d2fc2c04fab8ec0e481dcc6b68be3

SHA512
97722655ce52711d860cf649b0e2283bfde825834af4c17bb5c23d464d594ed6959e4280a2a682ba8094325ab944dd1a4a2a96292716215d1c060440d910e26e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
829a77ced29e9ce3e8fbf0db79921fb7

SHA1
07fc7670884373dffacbb60fb77ce4c8835441bf

SHA256
3953e6e85c435cf1ad5f5aabafaf05ba2da56154787a248d2ce45c54efa96fa9

SHA512
ea2b7283a43a42ca1668a943f8e3ebb8e3fe0f09a9d9ebe26a0b74721d3c8b24aadd366c56280b5af850ed2ec83b1c29c8045fd61b3e1f669c8dd958ec333a82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ec15f76ea45f408eee1d31a20d27e8b8

SHA1
a2c3998f72a7ac39fd222a6d2459be1964b0f329

SHA256
f5e6272c33e2e294a6ea8946316553414b7d6a51f18f65f871726c4b709dedf0

SHA512
ea119cc3bec335f520f1daff6ac3293f322b352760dca64537d6db74bbfb60f846510bf9b4302fea6268b9f6e1c62fbdf4a58d71572c4d5a5b568680c0760361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
45d7738362a6fe2510a93411625ce617

SHA1
57c441cd06fc0f922326993919139d638d5abcf1

SHA256
19bf7b562bf784d612f72edaa57e367298483cde56604437c85b7aa9ee30c04c

SHA512
ccb122e50234feda14c5485fb21ec8e07883839df5324a118ee59e8ed98fbf349bf10f613868360b563cd6bf83c975a227b16bb21ae394b8b746b90618db018c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fee6ee9c32a7cab578c9f06b54652c14

SHA1
dc9ab29fb5c43678b00eb412594945c2764ec74b

SHA256
140228d05479e197da2d7e66f48fb698c80aafe407c1bc723eca38ad8d68817e

SHA512
ade085f3e226f5380093348c2efb946025d77db7ac14247c93cdd763aade5d5904318bde0cbbdb9b1e92823df5672bccca57f1a368817dd486ae1fbf329580b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
86034feb201d8d96632c4348ec6bfffd

SHA1
59d944c2e5b54642ccf6c3b9947bfe59dbfa2a57

SHA256
3e8e95a737b736e2a63a575bbb9cd00e4cbfea17f4c0994448f5c6cde294100b

SHA512
5c97c1e63cdcce8e77822c0ff51a0fbd5f94d599f5f7e3ada6b597c1353834d17be21cc9f3cd4b938a803db64e49af86a8c4162eea7890772f6d8fb376fe54c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4aa2e3d36d1fad6106b16d410417dc60

SHA1
7e531ea3e4145a5efb7599e88efab4f82a4908f3

SHA256
502fc6a29f56462318da894ab3000ad115ee35050a69ed802ed52d0f7c2104b9

SHA512
4f0b100aa72a07a59c12537b21ad4b69495272010762f23d30c392ebe73639ad6597db81bc08da2dd6a6ec2ba1d3e110e4ab5d1485da79ccfab57af82a2bf43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82cabc08dffb7455b060b21b1c40a2a1

SHA1
29e8c3c252dda349f85cffa2ed7607449793290c

SHA256
01467be1b1f0786f0f6b7bae8746407bf24a2ceaf66ed8fbc00cf3856a0b5ab3

SHA512
41f18eb3baea9952feb45a1b71b10a0c866dc731ff18f73551ba6c322c8e3394e3c1db44e202bb7ecab46bb0a660623547e83713cb63508af16be06ad070880a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
410fa8906ab699bc4ea8548ae0cb4e8a

SHA1
ec4e009604638e089c53da8cdab604e433107967

SHA256
cd6a3b288ddd205188852c617950abc378e04d69ff70b035f1927d9a5ac3df33

SHA512
3e1ee8977398528ece7be750785721cc6959240c943e24f97575b8f18a49e075f059a56961c61f919c217c08bcf9f2e9a3e7e00708ae1546009469963b4c4afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
228c53fc036d18239aba4eef27810f71

SHA1
fdbd4ccae08773085b0eb6d95b49558b1fc8b57b

SHA256
985265dae063f044351863f6df02f5194d69d1495b7fa558868aa57237f58744

SHA512
50c569dacd5db96c2d6bcae5f4f2467c274a6755275a29e4f2b8a7d01bf50ab48b3baa520618ff3431ad6a741c9e492e35d534a8d0a0b95fd00749ce90fff32e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72fe6d8228a77da696f5e7fa415bf987

SHA1
de7a37d83af1d49a1fbe07ef0b73d4d4884fc075

SHA256
33f75c68bfc43601f7d17ecb5ae32a11a385bdc370f6d6711e9f1978716fcfb7

SHA512
741e309badf171071beb002a0536732888d6c45dbce61731eedfa7925c84163a58f112abd79d375730e0ba98ab13c05238a036cfe8e2aba33719335172c5316a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c4ffcf0792d2991aefcba6106753e858

SHA1
c9bbc32f6a0a00485c375ca5ad3a863d1bd45e25

SHA256
42bff6fd44e0f71d1445ea1726dfc8a24ad260e7ddfdd6b91664e7ca61fbc42b

SHA512
faf429a0bdc3fbf09c36ff456b77c02dbc61c1ba99785205ba9e792b8ca1ecc4b9e81e7d831a21ae27c9f87c67a63a9113ba9c06b913611bd0b1b8910e8787be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d6cad8530c962a895852141c43e522a1

SHA1
1883cd3acbfd9eead2b4e5ba29f2ec8a70ce7295

SHA256
96536a559100573ea6a87cf4d9c661c516a3928fa23cebc5c0e668b3c1d55a0e

SHA512
892f800476068fdc7eb03386fc3fd7bf6701adb169e94b4be4b7ac36d273fbf76653f71121626b8a92fba07bc1bfd7abffb9cab5065c52780679a9298e233a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\17827ef7-140f-46d3-8fb7-97d9db4bb363\index-dir\the-real-index

Filesize
624B

MD5
239757f2569a6823bd65ce8b228d9a9f

SHA1
bac3d37d18ca69918fcc80b35c42e0f6a30d7045

SHA256
37dc50041cadef65e164fbea5eb3b7068747db34b26718512976c41c69287049

SHA512
b807b836fa14ac7e2c70878022524d320a2130c908f16224c25407283ba93fc5c171a3f8bb7a1a7d2dfc0a1e82a5c868e78db6d86d7073133cf49a287d2fcea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\17827ef7-140f-46d3-8fb7-97d9db4bb363\index-dir\the-real-index~RFe57eafc.TMP

Filesize
48B

MD5
5520eae7a603128cd8b4d620eac686be

SHA1
3a1ba262f34f5309908380aed9a9019ca253e850

SHA256
f16f020879cda214053a01dc138dcbb4ef15734c7c7a11e68ff2ca221c75cc95

SHA512
92ebff2bdde75405e154821e8638dfd75d0264387a967718586f7f227311a7da7f91accd45475f666f023edd058bc1cf83cf42e6080c2e16af4050f65467bc72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3777d05d-d5d2-430c-b610-78d69be8e9bd\index-dir\the-real-index

Filesize
2KB

MD5
8683e81921c4ff8932715b81df5ea732

SHA1
fe6c240a90bb7ef83f017ab768ce19089f6a6dea

SHA256
9d0c902e6ca2d611e9f86905f537bb7a977ec5ebff380156a79dd7c26e1e8c36

SHA512
d19313ffc8d98c543459d1669ee4294639ce1301856bf37c9b51dfbc450316a7e7081f228c3c6a7bb1106b2dedb5775cfff56e9d7453e67cba85c24e9bf86e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3777d05d-d5d2-430c-b610-78d69be8e9bd\index-dir\the-real-index~RFe57e668.TMP

Filesize
48B

MD5
b76044f918d76e39f1cf4da40f143e49

SHA1
e1bfe3506310f0894ffca28eff51ec7aefa439eb

SHA256
cb1a4933b597e25dd97b931c8b55030677f8d730ea650fa2ebac3f621f94ff36

SHA512
43c5d6374519123f19889e7466738993d919e7609aa03fac85db760f4eca81f03768e672274c2a7baaa7cd1a42db81423d8cc1edc451a3ce1182730cee1d97d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
183e75f8006a63dee6f701204c213258

SHA1
9c4d4c0d5e88d535be581975945490ef3c750b41

SHA256
25d902aa61ad59fa7278c0b9dd8b2c58c3b6dd4df777d471f876838a063b503d

SHA512
68f168134d3efc1734157a7e93cd74ba9216f95be632a456b9cc251972ca35245798bd252b6c9fe861316941babb4f4c240eaed701bfbd990bfd18ad1e85c2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
2d7d805bc1c6ac296f791e0ca3aaf5cf

SHA1
9abc90594a993cb1053e6376d828e1e410630f25

SHA256
df0aa06417f7d938bee9238c03352be55526a9c26691912b1af39ad42d2cce59

SHA512
eb993f0813dda9224efb265b269438301241dc7875384c327d07dd7d989df28f8aad951275a1eb96e0076c81346313699b1d72fbb46d1884fb4ab5d2291f12b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
155B

MD5
204234df1496811856a8c0a6de7b2129

SHA1
0dd265f25a8cced6e2c55fe031a81b52725d573c

SHA256
b47cb59df8cad89a9286ada477b7ecd6b78104c740cf0bde56d7abaa646c9216

SHA512
aad551bfea1e0cc552de270b0de7de7072b47d438efb65c89d127401d85151dc595ddf76783d4e1e4577f027bb06b8bfa549db74d24f1bd9ceb6f34999de78e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0c246f5bc245caf9fe5f9ac3c95ef755

SHA1
1ca8ecc75cd1a04aaa1e28e6b8320687eed20c50

SHA256
ef8571da4f2a83c8b76cc0f3b8bac4872cb5ef186fe9c540dde66d52a9b64990

SHA512
ddc889134e6e8303a9d1994deb291df0141f745ecca471f08a041d1ea7f28fe86d8d0a8904fac2e6637e758762438e3d266ba7e6e70f9cea89f22fcd697228e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
c188e3ab6429ea94526e5d660076628a

SHA1
5cee34eec8f2efd8d2fb44722f06f1fa49cd3ecc

SHA256
7c61c375850eab2f0bc1e1377bc4449335ed2cfc94d904873e27cb13c758736c

SHA512
2c150effd74527a09e7084bcb497c3ead6e8c587367d699f03615885fe15c46ce085955f85c4ac2a78ade4e8808e919accf9fefffe0b2936bd62f60d6cfcefef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ced23044258fa5eb5482075e9c459348

SHA1
55a3cd8f52b201129b7b963e8e014e869c16983e

SHA256
199783460f577326f02b4f0f74b1e0c6acea92225b394b4afae361cb5fdc3e12

SHA512
184a04ee308470c95609506a665a1eda3d30e7a7adb2f5d1f9eca9e3b7cc4910dc0c731bd279c8736a2e95c857b30c06dd71fe658c55bef724f8212463df9706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57e186.TMP

Filesize
48B

MD5
e1713a781e8d67dc15ac0919b591bd18

SHA1
ec8f62f4c3658e1232d14fae85212b013cb26f8d

SHA256
dc6a569e5b60da83f59231437cb7176089f1cedd215e7b46d5486c37523524ff

SHA512
4998f69774209b7f4d0d2a8c7ae76fe64e7fc6590d049d152c65cc213245ec78fbdbabefb9608443c90e8139360e671c4698d81cc7bf28b663b6a52322bbb77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa5ebfc2d872892de0b36c13eae04ce9

SHA1
ed159d6f56fd26d0bcee786a30882481ebabd893

SHA256
d723de4c9a98e01c86590e34f9d479cd079439e6b68e1354a97583f9120d776b

SHA512
e0fc30dca8639f2e73a3cf6601704a2cd8c573be9f7fc760de3689647aa142533b207c3a318a924b441f871acc1bfeec53e13402d29ec063715b9dfb5617ce73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4596e36d498d2444ace14a2572e51bda

SHA1
492986444da4d5e61c0e70871ea143a38cfa7dbb

SHA256
714f4cebb039d737f230e884d8f80501c7392e1e3ae95518a627e378b9bd5845

SHA512
d6bcc0e6ffa890463842a5e0b42178fd72591169826ae55a5319a25a0eb556d4a34caa7f64065268b9b3dcbe54e53f7992816990cb7978f1aecc38dd94d78c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
57fb3b7fd1f0118665ffaf7461822273

SHA1
904999ff380672a78235b1fb15cad88078b085e5

SHA256
3a51f1cf5846087f6e219d2403a5fc9320adec301645a2fea315f6640b24846c

SHA512
fe49dbd0111722ad9cf4390e3278848efaad3a2553cdb4522ba590b0345eeb09011756e20c5a68bed5cd2e5851552e3073021b6eb08cee92809da386c114e51c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d4f3.TMP

Filesize
1KB

MD5
037a3dc4c853b14ccc22a8d5319133cd

SHA1
d442b807cfa03e1547ddf16b6ff7d6739b012be5

SHA256
53aa491d69e086d1b59a02178806bf2446ac89a3e622cc84c47db4970e9249c6

SHA512
c8178db70079e52bff55daa32aec3bbf449059e33617f3e2dad033a2f326ec0c1dc3640802dfa52611b055a60acbe65fa2d57e08a1dd375c49d30f325288a2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
72ab2e182af3ce56552245c1a9263c63

SHA1
7b4394bda8012d53db8bc750c696f375b75a45a9

SHA256
c5d87c53ef1bc9d85037f93f02c7d9fd65a600711687b6128a13f29b15e865b6

SHA512
15a6b35baf54a15a5fb30cf1d81da92ef461f92314d6ab8540a6f70e6e0a783be4c64659c2d389ccafe82c775459ae2a39c2d6226fca3f8173490fe601604ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4e33153190edb53bd088077639da3e7b

SHA1
1c732dedc91e6a3a3fa6946128bbea8780657226

SHA256
14b6e2cc3f3405b51a08e2a7d282271f4c90caae326444dc55b81266add6c824

SHA512
18eae24e604af098facacb675e291b3471dc9da7feadef716cd4ff642a02f6a3fbea814f46f57a098712f5b47e0efa48fb58361f59e7fdd548abc1c7400c927a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0338ac5ecadd309157cfed2e723c717c

SHA1
bca3edd463dbddf44dfcabcf2a173d1e509c9c52

SHA256
ee08abaf41e4a069f63763db92d7bfc6f57e6bca442e67dd92e01524ccc92738

SHA512
26bf7a02144b7649a2aeab3e311927df10fa21a2d456d37dcefc5a3b3e1d56afa76563acf62792fb8c477c64909992d0e374c303ea7775a53aaf87de2087b098

Download Submit
C:\Users\Admin\AppData\Local\Temp\yonder_fivem.exe

Filesize
6.2MB

MD5
bc7128e9bc6cd871e9d2c287cd717d39

SHA1
b19ac0afaa4d93f9469a4367056b62e9ba49f094

SHA256
ed5b5ac658a134ad7f62d115510abca2850459b313d53e7d1742190a9ea60d14

SHA512
12dc613eda0f0372bc40c3ce74c3b5dd5cb1bf01d43e6786f7a11c7b9d89171aad85c9b2a813072cfdc73e511d192cb60be8effebd3c1c35d60a2a5ed20dd349

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Email-Worm\GMDSI-MANUAL.txt.deria

Filesize
8KB

MD5
224383c36f824c08051a1d1ab6bd0965

SHA1
dc9dae061b37f8a2c8e8f7c8690c69b6a19ac708

SHA256
9c40db837c35fb3d39112e06188c1f3ee3b971bb5a201b0cba3d026bb5f2a270

SHA512
1c808940570cfa16f1cfd13c133934c894211f4d1e512f5f4e043de743c2e65b79a81ec66a775649acb9efec61c0e8d88252c4148b895d65df3b44120fd71f51

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\MadMan.exe

Filesize
137KB

MD5
f39047750d1d8bf91b722db4eaee8cb9

SHA1
c7d67f16256f97d66735c9f94908e1bbd7448644

SHA256
29cae3cfd6e18490dfcf29384823887032a8ec2ca6d6e7214c0f2f917f19d5d9

SHA512
ffdd5b15cfb472e0711f2530a6b0389c662df6df15f8915e911701a5e398ccf762dcb9b13bac2387c9a74510c07cd8a1b051ac376e1f634e9acd4b26afb1a694

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\WinNuke.98.exe

Filesize
167KB

MD5
ce9fc09ceab51e64edcc60243991a31c

SHA1
0fb7e2f2aec3c761e1f7b1cea1920ad49ee82eb7

SHA256
e62f149d07fae0e27ea38e9408b5e1d4ae55f30984d69485f95d266ec3c554f6

SHA512
53dfb0c741d1b88abe7c4d11bba12d97d62c2ebdf49592c328fd7817b17dc57186d006a730521535f75a9c389c15a31fa274e7dbd9ba401d96860994fe4172a2

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\madman.exe

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Virus\winnuke.98.exe

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Pictures\GMDSI-MANUAL.txt.ANNABELLE

Filesize
8KB

MD5
46fbc6c2a27d012d48d8d8e84c60438b

SHA1
c893fc0e624aa31d585354806cb26bf195c24215

SHA256
ab0f93d4d76505335fbec9a45a24dd53dfb9bf3e265dbe14a567f2f392c4c686

SHA512
2db4bd7e8f974995577cb075b2a504dd99dee3bb17982a925f3e3db1d89de6f827720f449226536e33a23df61680b3adf41385a41f384a5f9701e5a5ab8cc6b5

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
04b781471edcfba0e841a7073ea2a144

SHA1
a5ef1c0b79b760769fee2b1dc1f19d3e45448b56

SHA256
6fa7d10b861793926f9a545a09deadbd8f745a1203935b308c3930ed39026d44

SHA512
209d9ee08c03ccfa30d19a84ab41d3a2a8392588f5661b4b5281975c7a8ce6e93142968fa239eb0a668502a1ec5c1d1e8f2fda8da03ea0239b007b0fcd1ff2db

Download Submit
C:\Windows\Resources\Themes\icsys.icn

Filesize
3KB

MD5
65d5d17ddb588fc99c67d617e99f3ddc

SHA1
81154f7e109080777684fbb2d3f588e745d1944b

SHA256
82921260500320edebd93fea95e14a05b966d5d41676c3bc162f118e79a6b7a0

SHA512
ca01b16410afd8ecaccc191071acdca8b8ddcfb7257b54693b64ad8647a007cc7dd18a26bc7d4198d78d6d7b88388e8fc204b741de3a746d098db89f06ceb72a

Download Submit
C:\Windows\Resources\Themes\icsys.icn

Filesize
3KB

MD5
2cd54adf7f384fe44ed66684d5afee28

SHA1
b55b3105dc8de07ada842c01fdcaf8b4ef993e85

SHA256
049c66560e11c1f6387c66be1c901393de9af41ecc1897431dfd50c308a55e12

SHA512
c6e59ed372dfcb1dbeadba7149f8a7350adb307c15c9a9fb0a3378858ca0aca15e42dcfc6393092dc06182cb019440a6c6877dd4ebcb6c5ef3ff516d1318d630

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
978ae55280e654a976ad5c783299bcab

SHA1
7c770eea670e19ee20ca85739f2ae7aa64df36b8

SHA256
26060149b4d3fd2303a771485c20603006eca325afd8cae3ea50b70b680c3445

SHA512
db674c677472b9d1f09747ee07ee111d9b346fd3d5a9f940fb07b7781d14a8a0a27a2bdca82a50929eb55dda9b83a437b5252313c071952eba2bbd2bcbe02b13

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
aa820e76df1908b43daf6ef9b35880e8

SHA1
bd493571035106f34eee5ca70bf5e2583a048548

SHA256
c936dbad66a86448a8448b4141be1340ffe4a0a84548c79c21c741b3319266fb

SHA512
fcaa78daf48140466fa19fc67ff57b958ad0d071a72383bea2c64a7805525ef18d454050c42c9744c60fd83d01a1366a5124185c6b56746f2cd0ac62fc5c3d37

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
76b1b9165203005c55d9c3b3f6d574e8

SHA1
ce9613da37162e68a46394c9e48afdb8e216fbd6

SHA256
2aca094ee8aab84c51452c9959584b50ace471c7631fb2b9c90621f6053c001b

SHA512
43d67116bdb036f0a7ece6f978d5d49487b0ef17b50bba9b1d69dcfafa75365c3ee76fbebc95924304ae8739bfa23e98ded68197eb53794a3d2438668f3e01e5

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
fb4e4594f97eca65974a0b1af9cbc1b8

SHA1
79d4f17e6ce5992854809ef08bb7899f61f46222

SHA256
d774f2abefc6d7748d89373f3dcacc388a4bb4882cbaf3b7d4ec1bc3b611b5ff

SHA512
b1c6632114d1ff72a42c698554d434cf2e7c0493d1980cffc90e26c04b7ec15a5bfbf44ada589fec5c4d945adb45617c6f507db567dec007842fc35beda636c5

Download Submit
C:\Windows\SysWOW64\ddraw32.dll

Filesize
22KB

MD5
f1ac5c806ed1e188c54e0861cbf1f358

SHA1
b2a2895a0eae5e2ef8d10ed0f079d0fcfea9585a

SHA256
87b7d23ab8720f1087d50a902244cbbdc25245b29da9bfa54698a4545b82afc4

SHA512
ddb61b46a71db7401984e1917f0ef1498883cff76f0a98ff8d65acb08b6d7181511ca57a1e23c7482fc9d26afcf48b662896375b80eff4b2e0d08b7b55d9b98f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4204450073-1267028356-951339405-1000\GMDSI-MANUAL.txt

Filesize
8KB

MD5
105b0e5e789d519bd233314a0198d6cf

SHA1
5699192f0e8e0bb7ebbceeac9e627819f838e216

SHA256
88296d877d82954bea1f0ce8bd28301bf7b39edbb3fc570595ddb7b4c3192e54

SHA512
1f52c7935b164a20ef08d4f4d54e4edd2cc2a9483d6f7c14237fe8ecbbd875902fbb30de5b6d289dfa62fe1cbfad6d7021ad3a60b38ee555502c253fa9be3e4c

Download Submit
\??\pipe\LOCAL\crashpad_3464_KIRFMDMQQRBRTOEC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/216-959-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/216-968-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/376-1013-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/552-45-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/652-991-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/668-2349-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/768-46-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-7700-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1180-30981-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1804-1953-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1804-1958-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1820-25025-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/1820-20561-0x0000000000400000-0x00000000052B3000-memory.dmp

Filesize
78.7MB

Download
memory/2020-1015-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2124-1082-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2332-1067-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-2551-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2384-2434-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2408-2147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2432-1968-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2436-1038-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-2337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2452-2372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-1959-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2492-1972-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3252-2554-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3392-47-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3392-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3556-1081-0x0000000000400000-0x0000000000AAD000-memory.dmp

Filesize
6.7MB

Download
memory/3724-1037-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4084-2336-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4084-2350-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4260-1976-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4260-1960-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4264-1806-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/4264-1398-0x0000000000400000-0x000000000066B000-memory.dmp

Filesize
2.4MB

Download
memory/4300-1068-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4904-1083-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-992-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4988-2607-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-2148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-2139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5240-1014-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5292-1969-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5396-967-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5524-1039-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5524-1021-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5564-2467-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5564-21209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5596-948-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5596-969-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5712-7699-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5712-2324-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5712-2613-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/5724-993-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5732-1970-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5892-2549-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6032-1053-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6032-1069-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6052-2146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6052-2128-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6184-2251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6548-2334-0x0000000005A70000-0x0000000005AC6000-memory.dmp

Filesize
344KB

Download
memory/6548-2333-0x00000000056E0000-0x000000000577C000-memory.dmp

Filesize
624KB

Download
memory/6548-2332-0x0000000000E80000-0x0000000000EBC000-memory.dmp

Filesize
240KB

Download
memory/6724-2309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6724-21212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6740-10409-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6740-2317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6752-19748-0x000002013A570000-0x000002013BAFE000-memory.dmp

Filesize
21.6MB

Download
memory/6752-2316-0x000002011F120000-0x0000020120114000-memory.dmp

Filesize
16.0MB

Download
memory/6772-2579-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6856-2565-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6856-30464-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6980-2525-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/6980-2535-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/6980-9966-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/6980-2545-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/6980-2547-0x0000000002DF0000-0x0000000002E4E000-memory.dmp

Filesize
376KB

Download
memory/6988-2543-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6988-2325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7044-2253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7044-2231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7072-2374-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7088-2241-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/7088-2238-0x0000000000F80000-0x0000000000FEE000-memory.dmp

Filesize
440KB

Download
memory/7088-2239-0x0000000005E80000-0x0000000006424000-memory.dmp

Filesize
5.6MB

Download
memory/7088-2240-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/7140-2244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7140-2252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7148-25592-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/7156-2373-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/10320-20830-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/10612-20838-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/13068-29505-0x00000000003D0000-0x0000000000452000-memory.dmp

Filesize
520KB

Download
memory/13880-30298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/14088-30460-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/17552-30987-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/17552-30972-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/22684-30295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/25940-30970-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/25940-25112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/25940-24892-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/26468-31016-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/29952-30463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/31272-21210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/32692-33606-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/33548-10388-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/34488-25566-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/36596-25565-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads