cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Analysis

max time kernel
131s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Score

10^/10

cryptolocker bootkit persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
3848	CryptoLocker.exe
3544	{34184A33-0407-212E-3320-09040709E2C2}.exe
1184	{34184A33-0407-212E-3320-09040709E2C2}.exe
1760	InfinityCrypt.exe
3404	PowerPoint.exe
1192	sys3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
80	raw.githubusercontent.com
81	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudt.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\SendMail.api.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Res.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt58.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.aff.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGM.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PPKLite.api.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.aff.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main.css.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\fillandsign.svg.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\version.js.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\large_trefoil.png.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\end_review.gif.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroSup64.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\japanese_over.png.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\WordNet_license.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0	InfinityCrypt.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\61454011.pri	LogonUI.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	InfinityCrypt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	InfinityCrypt.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640709182360166"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
904	chrome.exe
904	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5040	LogonUI.exe
5040	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 792	5112	chrome.exe	90
PID 5112 wrote to memory of 792	5112	chrome.exe	90
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 2184	5112	chrome.exe	92
PID 5112 wrote to memory of 4268	5112	chrome.exe	93
PID 5112 wrote to memory of 4268	5112	chrome.exe	93
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94
PID 5112 wrote to memory of 228	5112	chrome.exe	94

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd77c9758,0x7fffd77c9768,0x7fffd77c9778
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:4268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2256 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1752 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5348 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5676 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  PID:3848
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3544
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2744 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=216 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4616 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4432 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3880
- C:\Users\Admin\Downloads\InfinityCrypt.exe
  "C:\Users\Admin\Downloads\InfinityCrypt.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Checks processor information in registry
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5660 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4580 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5604 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5744 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  PID:3404
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5556 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5780 --field-trial-handle=1736,i,15281961582171827537,4929403063985503924,131072 /prefetch:8
  2⤵
  PID:2928

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3696

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39a5055 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0

Filesize
16B

MD5
a42ba87038aab6cf1a993850887b04f9

SHA1
da65e295ff36b542232805b7672446d35f7ffd99

SHA256
c0b43d8a8d8012889549de1bbef68407fd48227d81a290a387399db4e548849d

SHA512
a48746187930a00a24e27e1c06b8689d7355b5141d9218e5fabd6fd3ce871827e4067ca9b074543fa643c7cdecf51123fb7184da2b48bd7bb3235023d761a6c2

Download Submit
C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt.6D59E49D1FDC0FBCEB02AF0C807C193D4182D292E86605A94DC1FF580106ECD0

Filesize
32KB

MD5
19f42d76444ac8cb07301b79afed3e20

SHA1
a917182c307a719ee5e778d69d9c7e6dc9170914

SHA256
fcbd835f68784732cd4355ba4acf8a7505ee8020caaa67db87f4584d35a39c38

SHA512
97a684bc1f185f0f1c24411389ae400db96cad28d45b0aa3438acbcc85adfc81e7d35a543d990bc9f933f043681900a9d8cdc6799d91d7144e271837c8591fa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e1fef3eab1f57ae280123052e1e4c01b

SHA1
674aa936c67ca55ec25efc322173fb24d6445105

SHA256
669e41546686f9252a0302678438fd5741586fd1b71f4915170bd2daea93edd7

SHA512
6614f0925ce1206b81fec0657dd206112decfc5c3b50a2e58055e9ce0085c5c52de0a4536e29ac562d6fff233a6984b37f591a0f1f81be3e57cae5007660edbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f974c234cf7ecf095e7329bf10bb163b

SHA1
6971999ea42d34d6ee622c6106602c058a4fcce4

SHA256
73edb6a7235758208d6b86efbbf243da257815ace63c27c96ee860777db373e7

SHA512
3670bd6f6a9b27a14e00e7583f3c0d27919af3f1416ea9c6859b20d900fd7b64db5e7f5076c78c8f44c1b0a0c4d7914d3fb17e19f5bcac01e61705810dd3a3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
98bd1c28fbcd4bbeafc49d6bbeed367e

SHA1
8d541b9d446ca0db871511b2cef129455f2b3ec4

SHA256
fd69cc2eb4d170ff1613b61ce452c1fe25852a5fb856d46ca1faf1411bb1e4f7

SHA512
1ca7f0bf8ae3e563bcf908ef06290077d9e5d529b04866453ba5233e35a8776ee8c1d0e27455514692f300045f7c0175101c1ae7727342062cf651bcf3806a45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
986B

MD5
da80ecaf65c1525a2b0a0858b6d7f466

SHA1
6b1cc989d0d980becffde734277353be3444b2ad

SHA256
0380690db92a3cc639d1c5115aeb836d7a38acd3d61c1ded02a12a72502338f2

SHA512
1cc16b1e2115c029a8e9ac3edfd68ab98eae52d34411b5b4383de946a0c265237bcf058558305b5f131c64654ef2478cadd1e6cf5ec44e5aa806a131d0153f3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f2ee7314d080c1676a25e717ebdef0e2

SHA1
26cf9f08f8829e4303fd438dd68ca1937dd908fb

SHA256
1d7ca43dce5cb20c6cd9e5479d719ce61626c320768af3498b3eec3a4b0aca37

SHA512
7198ba25c1a988901f9163d13732bd3b5ba82be81ae31e5e101151a46b136ddf625b4273a567df545c2cad53390489b320616d0422a360fe9280f62fb520143f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1eec24b2470549a7dd74cee372bd3143

SHA1
da36b9bfe596e7303bf2fec68393f44e330d6f86

SHA256
c369bcadea7e3f2195a499502779b1aea0113f067131d1f62a25c23e3cb8835d

SHA512
90e8e604dba8528b0bb05da6ba512d23ee249cd166768fe250ec15d8e7f489aaf4e4039ce2dd0676c5ea2a0d1cc3669a211844a069642283b1244e0c63eac57f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
50c6abb32bd98ad359f4741fa12f677f

SHA1
f05081cceadb06f6581222dc67a22b859a9f0410

SHA256
4da80ae52f83bc59597d7c262cdca9f975c207e072d21cb9f99ea871c8618683

SHA512
586f7c8de8f4db399997fcd2dac85b2126798c73f416c5c56478939ef7ca1b9bbad7aead908929d923136dab606094ebfd3687bee0da286868fafdb90c6c6574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
305f9bb86a30490640287ac847fc7534

SHA1
c97a0500e6af81d13b836846b26fbac90ba96e7d

SHA256
ec4a8bae8e1af45130980b3647f9b190c98ba213ca3b4575ffa5b935c4b715df

SHA512
51b5268aedddabbb1280b54ad9588da3cd2ce4284d129610bfc30045534aadffaff66b623efbaa2a265fc8ddb5b55c4feb135dbbd70c816450fc0aecb422e7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b968003219416e32598450cc26bbffe6

SHA1
4933fc108ae6727e9e3ffbdc087b6f3ca22c0462

SHA256
cc6bde3b0d85f6a5398ed7ff271be542e79b12536ba0217c242069ab35f715ac

SHA512
060f5b50f16b60db5605f2021c62ed460277266bf4cf969e969340162a3aa065de95f8b3994bb03cb6e0f68bf4dc7dae5d3e9e36d7da08093ad0eab3477bfbcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
027c90aeca6631eff592f5bf016bc41b

SHA1
fdbabb5e6c2f46a9f1f05904a3f23438fe917284

SHA256
5611906522c901289b6e32dcd5734c10f78d08e446d448f64283c789218965b4

SHA512
88da3c2b6a0ddced9e43e37319bd05f659ebc4e33815194c41a4ead6704ba60711cb8462ebb6ada6f6753c8dc38879cadf5bc4d40973f793b1daaca7b20831ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a7500a2f7f71223f3f8afdf5f27fd220

SHA1
2b6b7a78f32712c8725ec87c5312c505e0ae1dea

SHA256
203052e6ec8c0371f3c09edbe7af4092745f7ce85ef1daea4ac3d6be94d0e06c

SHA512
80e9755917e8b9c02bcfa47acec6b232bf3817224444fea416cef1006c67a83e3d05197adc63f59d2571e8650ac896c85ad5f319b24bd4212ec601ebd813eb14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f1b79fdc8cf02da73b5a17f3ed00cc21

SHA1
5f248e230fef91be78987585a33472c1f14b6438

SHA256
e5a7a52e31ca029df3d7880c7b20ffb7eb631f95bccbe7ca331fd2d198817a9b

SHA512
0f5503ae9e2585a0589df89ddefba21e68af422b63447cefa383de58cd29ca1d832890453e1586480572c80accc889c658eceb4249516c99a0221c65a8485b6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3d3fec954bbed8b402782f1d043cdadb

SHA1
5fb81b16ff656cf55de849439a76239df914a3c5

SHA256
c882a336ab03d931a7db5d4ddc957a45c7e4c6544837581e1d0d6ae5e7292204

SHA512
96e003960bcdcc527be44c37bf33c94993b7d6f728ce46703221a7ae2431faeebacbffa1b5f14a72914f5d300dde6fbe13f385532a6563dd29f0280e689e2cb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e72c6a326a717f50c4984ab5b5352fe9

SHA1
122129347d870cf2323e171453e60cfc5e96a713

SHA256
2be2d77c0be2137c7a86223f7712f08c0575bf8f2827dbc986f0dc457c3e8ea5

SHA512
dbf1e15be405c9df8da4cfcb51e37725fc3fab3858ce662f0a9d40aa1440d69d7622f080fb80aa4c1d63d3b32ac84d2ac8a27228d88a18be1725ca3b19f0f982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
325f901a8f6cddf234d400cf5bfce2c5

SHA1
33d046a3041db0a73ff0f7d9f0c067ddbdbcd106

SHA256
4e23f450507f997bf37a721a3fa5b298db6280e7809414eeec406a83bc89c249

SHA512
a2dee633817a30eecbce8d5789f0711ec3311041e575e793572d78e0861e9ef37f8396148435a32b790bbfa008c1760da1e88b0d17ffa624cbfb269de260ba4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
128KB

MD5
b24baf024b3a42b8bb0a86bba43e787c

SHA1
4ce411f8936dcfeec6217ab978ea19e5ce5c1e53

SHA256
cb92bf8790d2668540303da078c89b5f8b3c695f9258f6bbc4ceb78cafee8189

SHA512
3ad199610ba0b0ea1109f378d4420b4429e2b14f2b5efd4ae43598bb9aaca1603da457274a743eda1f81d3f59d987dce6294690cb454d53e663b77b8c3b567de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
361bfa52688892bc1aa8573760a2643d

SHA1
66d01e265baa0d66c4d6474aa761f819e6edb562

SHA256
738e5ccebdaad015f577d36d36bd639067e7b794c1db7b4ca2993f61d5ff76ba

SHA512
d9e412da9e5a4ad073ba24aa604b9a0a2abaf8cf50b3388771154eb0e22afe61b2e83a229990a03e8869e84a026f530eb37497ead6bd37cb2cc5d67a9dc764d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591c58.TMP

Filesize
101KB

MD5
33c8e4df45ebcfc16fcf6d405fd5feb3

SHA1
a49d2cfd291c0802b80d9005450d70b2b6e67cda

SHA256
38e62d0407de5e6d8729cc95c968daf8d58953d09d75495318f98877b3c1eaee

SHA512
74add20a47d4cb39891036e3a86f30e8e8e6e4cd84f6e43b03c57b101095246f7f6131c20a27ffc0470e01a257f78b1cc939b2a7fcf2a8669e7f245e3443ec9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\InfinityCrypt.exe

Filesize
211KB

MD5
b805db8f6a84475ef76b795b0d1ed6ae

SHA1
7711cb4873e58b7adcf2a2b047b090e78d10c75b

SHA256
f5d002bfe80b48386a6c99c41528931b7f5df736cd34094463c3f85dde0180bf

SHA512
62a2c329b43d186c4c602c5f63efc8d2657aa956f21184334263e4f6d0204d7c31f86bda6e85e65e3b99b891c1630d805b70997731c174f6081ecc367ccf9416

Download Submit
C:\Users\Admin\Downloads\PowerPoint.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
memory/1760-321-0x0000000005970000-0x000000000597A000-memory.dmp

Filesize
40KB

Download
memory/1760-322-0x0000000005C60000-0x0000000005CB6000-memory.dmp

Filesize
344KB

Download
memory/1760-318-0x00000000059B0000-0x0000000005A4C000-memory.dmp

Filesize
624KB

Download
memory/1760-320-0x0000000005A50000-0x0000000005AE2000-memory.dmp

Filesize
584KB

Download
memory/1760-319-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/1760-317-0x0000000000F40000-0x0000000000F7C000-memory.dmp

Filesize
240KB

Download
memory/3404-561-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3404-566-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download