hxxps://github[.]com/mategol/PySilon-malware

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/mategol/PySilon-malware

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
30	camo.githubusercontent.com
37	camo.githubusercontent.com
38	camo.githubusercontent.com
39	camo.githubusercontent.com
40	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
4508	msedge.exe
4508	msedge.exe
3508	identity_helper.exe
3508	identity_helper.exe
4428	msedge.exe
4428	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5824	OpenWith.exe
5208	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of SendNotifyMessage 56 IoCs

pid	Process
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe
4508	msedge.exe

Suspicious use of SetWindowsHookEx 56 IoCs

pid	Process
5668	OpenWith.exe
5736	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5824	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 3400	4508	msedge.exe	84
PID 4508 wrote to memory of 3400	4508	msedge.exe	84
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 2864	4508	msedge.exe	85
PID 4508 wrote to memory of 3540	4508	msedge.exe	86
PID 4508 wrote to memory of 3540	4508	msedge.exe	86
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87
PID 4508 wrote to memory of 1176	4508	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/mategol/PySilon-malware
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc8c046f8,0x7ffdc8c04708,0x7ffdc8c04718
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4068 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,11274862411644654605,7907664938821436519,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5668

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5824
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\README.md
  2⤵
  PID:5876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\PySilon.bat" "
1⤵
PID:464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\PySilon-malware-main\PySilon-malware-main\PySilon.bat" "
1⤵
PID:2084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
77e3644e95a021fd178f8265bda7205e

SHA1
68326c77e74f45f79feda842fc6807d36137af0c

SHA256
586cd4f6884ca98250b29a3e4e7fc95f7356f8208d9c04271863a2ca0f049873

SHA512
a3e3a984e2030b12384f39147d9021a8231abe8134e8400598cea3145e680f085ac36c153b6166d8b473d3ab8681419d5be4942ee173775603f36b23d72840a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
748B

MD5
91d82624fc52f23ffa3832f67b61cd70

SHA1
1dd90403702abb7ce80bb4c08387b9046164b225

SHA256
f5bacce4418597a9bf5bc4731a692686557e14564939d59810e053cb2d393869

SHA512
2c65642689e377064ef0f7b5faf2e396d983b47270963c73dc9920a4d8981a0c91d7b69701a752a517f6c12c41f21cde11dab408529c0ceca21784e10f841570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cc36add3c758266e893a109d6e3f097c

SHA1
ebc0f51d5ea4c09a8857e359e39514efe17c59b0

SHA256
8a26af0fbaa066c286eb5217f2d053e549741f3681e04f710c34e4786191b46d

SHA512
b5665ddfd2733c748f8e3416561e6093bc8107fe2d5dc557726ae67937bffb4625b2f1b0abe79c27efeb5cee124e8958c4cd4bcdb2738fbdac31f80cd24c1876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a875902c2134dec56f7fa99c89805bf

SHA1
798e3b5d7942a796eb1c0ae326408c5903974281

SHA256
24d754bddf0f68a7b286254e28c5ba512d5e60912f63f99ba89a32130c4487ba

SHA512
d953578a5aee59d23ee589a2df4fe91dc023347df37c25530320ca32e383a72faf975891ec8bb6c628949ef809148ae6b0a7d9b84559a3aa19488b57db9968ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07a7e3d878d6c1edb126e0ae6c327f49

SHA1
a931e75c7c8abb2c958a415f92f218a417050eca

SHA256
6bf1963a5614bd8754b179fa8bfa8860c7c0d97b6c5cdae5f77d9f48e95e463a

SHA512
69a5e24e708c1f7ff1fbc3bca6062fdd68f641f197934002b61b21ec96a0216d52d4e3cd633228e2c765e7073575419bbfd886712248d030299cab40c9894056

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
545ed7645151eb7e6992cc174bf78167

SHA1
978c985e6adf5d08596ea530c6cb0ccd89a0d68c

SHA256
8357990b8cda23dd58e61732f6f79d9a04dc8bc9efac6433abb89493be9c9963

SHA512
2563854aba6c10cb015ecfe7286816575e59428f84c92ef3b2717480f98a3da7bf5d9b379a3c22b6278953aba812e91d4216fb1eafbf1c9e1e8388dfd1d3d2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e484.TMP

Filesize
1KB

MD5
25401fa319958b59b863426801fd8046

SHA1
5f76b08343c2704ad7e687901468c9e9561e8690

SHA256
543f87334cea36f5360c3848aee26d97216ff4b1fa519bc84744c95a53541a02

SHA512
e452f9d60f56a92c44ba54e9471cdcfa3ff2d0431f8556ffa5b6a6463ab8cad44d0a5985e60c1c20504200b54c05595f6a3223ec8f163e2c0e0efcd6680e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c5c6e3dfcd1d91b4fbd732fcd53d0370

SHA1
3a5e4263e577c093337831d4fa8f1214988a19f7

SHA256
cff4658e712bc68ea23d71c73071ccea8992889e451f78505918e185b5dc0d42

SHA512
c9eeac7e17c4dc902685eabd2182ef69117dbb3fa3412831ab558c33cc8ca4f32d3e8d7b7dab5852fe8f23eaec391bfd5e629bf51f390f169c3fcfed82049d19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b28d29b8caa90c05c0006c24d08bdbae

SHA1
911e3a7c37eb9bb879ffb50fba2c7856df81f5ef

SHA256
78dd8f892a7b2b3917669e4d5fc7729e3b6150bdf8195059bea3c424e4591fed

SHA512
3641d84a663db31e10223ed28874cfe20d0c83c4d101031cfc3f2eb5f9e9070929643decaf65494ce4e5383baa2cd61055b3c91e6c4a070fbee6f33b50c00db9

Download Submit
C:\Users\Admin\Downloads\PySilon-malware-main.zip

Filesize
2.0MB

MD5
4dd99d359a4113d284bb4f8315a96e2a

SHA1
4cb3a11eac95e4716ec722dae0f02510255dfa14

SHA256
a9ccafa9381d1c3efb451eab4bdc476e113560d155587957dc78c7c86a8c8754

SHA512
468f2b55578ce2e4f39e06d4ae559f13f73dbd3ddecdf00c13e28a417275552b55f4050d0d41ca66074478ece36a9a2b6b4b117b59563556200025bd012b7d51

Download Submit