hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

24/08/2024, 01:43

240824-b5r91sygrh 8

24/08/2024, 01:41

240824-b4d11aygmd 10

24/08/2024, 01:34

240824-bzmgks1anr 6

Analysis

max time kernel
210s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

8^/10

discovery evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
74	raw.githubusercontent.com
75	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper	[email protected]

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5828	5484	WerFault.exe	119
2396	5880	WerFault.exe	124

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133689374585143407"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	[email protected]

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]
5500	[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3964	[email protected]
3964	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4244 wrote to memory of 2304	4244	chrome.exe	92
PID 4244 wrote to memory of 2304	4244	chrome.exe	92
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 4764	4244	chrome.exe	93
PID 4244 wrote to memory of 1760	4244	chrome.exe	94
PID 4244 wrote to memory of 1760	4244	chrome.exe	94
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95
PID 4244 wrote to memory of 2244	4244	chrome.exe	95

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9742ccc40,0x7ff9742ccc4c,0x7ff9742ccc58
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2132,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2000 /prefetch:3
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1960,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4612,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5168,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:5980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,3030460380653802258,9546661793410209729,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:3744

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6000

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5484
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5484 -s 1560
  2⤵
  - Program crash
  PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5484 -ip 5484
1⤵
PID:5776

C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe
"C:\Users\Admin\Downloads\YouAreAnIdiot\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5880 -s 1532
  2⤵
  - Program crash
  PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5880 -ip 5880
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\Temp1_TaskILL.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_TaskILL.zip\[email protected]"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5500
- C:\Windows\system32\mountvol.exe
  mountvol c:\ /d
  2⤵
  PID:180

C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\[email protected]"
1⤵
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
93afa6a870962ea51faf321e792fe5ba

SHA1
33dec559b6d554c99326868e8536d7c7250f8ce4

SHA256
1c38006497fc65138e9ea1ad0bc9ae455c040ed76c935e986bd9bb8464de0329

SHA512
88277ba06ce5cfd88dd2a478e5e778a8107778a1f8fb4156aa0b6d72063a2dffa126c3137558c11c5509178bd801191fc4d428db9e1b6e8a1309f098212a1708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
2KB

MD5
7ef6f8b4cb2e34765adff3d7b92792e0

SHA1
9016e0c8402cb9de96892eb166ac0586c430f980

SHA256
50c5038053eb19bb5df64c38802ce56a2524212493586e323f98f7ac429277d0

SHA512
4d93ba5bd934cc7f00800e19d7d576505acd08b388bb74c2a6b5cd779e97065fc1c1d6ca3a5d5351df543461afa7850b549aa5db9ce3cc2c2445366e69026661

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
979c90ff8cdaa59acc6d26012bd47e09

SHA1
8932731dc3c047c4db4a1cc7636b733d440a831c

SHA256
3325c123fa6ca52c168693ff4c22427e6fcc0f6af2107bb1798a5567acb8c5c3

SHA512
616bbfc53940a24e3925e6d3de823a4cd18ab7097d857a29c946c6a77a09717ddd61cb40b2d49b3862d88158d624c2a0b59f5b134ab7c1e6d07fac38ce5c493a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\746d5ec0-c27c-409e-ac3d-356bc3061f2f.tmp

Filesize
1KB

MD5
cf217b4e6f0b55b96bb16cfb1182f38b

SHA1
edeec1dd986f3aabd753399e6cace3c1e1ca65e3

SHA256
112f362637f8d5a9a99af596161d3b813f61d223e5cdd3f56670a48ebc0adb52

SHA512
9b9b581758c7685c5c01390ef706860dfd54f5a7323b5c167ba2d73bc0384049237e532b3752c8f7940ee75b1e4493e5a0e218a6848cd85533daa873a2f2b96f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
38ef69c8433822ac4d09737c4cdfe2ce

SHA1
c5ff07ad3d3faf33264df88b259c046b39572f55

SHA256
af1db07f058c4ef91fd99f3c71e13c1d4a6d7ecdf6cc7626e1a04da63728618b

SHA512
c244b53507895eb99c3a02c0a83f945e0bfd44edb71348346ab775bb427f8b0f3a907a9ffa8b9a234ba8279b499727411cbaca402230dfc02a071bfab5bae3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96d2ffb437eab67cdbd9a374db1d6622

SHA1
c07340b2a7dbe9d2e68b6d8bb3293054351bac4f

SHA256
2c69e15efd294a589a5961dbc11c7913e9021261fbf07b914f5582ccdfc1350a

SHA512
5f3d5eb2ae5831fef48e5844db921378fcf8aa38d03024a4b6828a277626e0b478bd8b37c6c0fe90b862255f54aecb28abb66dce368ac0750af220e73fe6fc69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e343a8d1dc13e73fc15ff61dcaa4ea98

SHA1
1f8691492594cb376e1bd72aff731402d5f47a2e

SHA256
f0d41505fe5551a7bb287bcf6299af35edd43c40b03972b29cdcc95b8a1bb3c8

SHA512
8602fff2afd124399f1fcc4362d1b72bd1be2d11e7d8efc64027778fbcd164ebfb522ee47c68458ffa5f85165e2a465cdc90a7490ce4a26d7e724e864f44137b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d14c950ae81202da82ce771957d8a452

SHA1
e52f736a3242f8d473409b42531d5f3d4b4d7ab7

SHA256
53edf4bef4f1dbfdbb96be0834afcafc8f8ec27cedb48473406290c456c50f22

SHA512
f7babc24a5d4f800422471f342dd4c2136d2087dc13a5b220e527adec96f50df72593fdf38d357f4293caacf2313c783b5be6247ed3251734585278e626640d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a43fdc8b5305b2c583410928b630796c

SHA1
d52683d9979c827a3186fddf6c4c40b9c467ae72

SHA256
83ae7c38d13b2ceb704a82ee51f6464b53bdb977830b7f057c55a59312fa46fd

SHA512
b41a119d3ba58187949c1fe7e37e581555fbad645983ecc2aa36d725177c5b9823064348afc3f4a4f4a246724b1e1f0780f2d2161b249b18e4beb933d89d6280

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
780af62d4235c095dd553918f76f0ac0

SHA1
bc0e1c2785df05033f66b3bf8e6baa488d08c6b5

SHA256
f47f6c46997fd7bb18a4d8c4ea30e78a9528fb23737dff02f067f5afba5194f5

SHA512
f06b932eaa43692c3e437f41f32c4402dd811a35452268b9f639d57db1061659c37407ddd4e97640c38390e025d78f97659c0a61650213e1274a639c5f693044

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8f46c8831d19c5236353c77d21066263

SHA1
ad7594b076647605a8bfc17197ca208d0e5166c3

SHA256
8320b4d0a91e5f440e2790854b09bbfeba7cad8e81b8254fea46f4f1ace42d4b

SHA512
07eebd1e96362cb5bccee43b0937a6732aebccf7d00309ee24d3676390169a87880b707733136142696b2259de59f3c49da25e34f8814f4f59d9b805e926f848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8c055c79aab1ab795e2ccfe4b69136ff

SHA1
b05dea55e2796d2e08868c90520fde703ccac44f

SHA256
f5f42b3990c5e06c74e6163710404ded05b1a6879c26aede55a66b742950ab9f

SHA512
cef7361e52a2efc0ac2c8ced8379999c413a4e097df4e24c0f606711f2c9aa916394aee87ba13a34153270861242f95e948afee77f092fb8a99d21d0ea57022a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
709359c7a6cb9abe5c6bc7165de9dac3

SHA1
0c862fde0da77ea78ae75e885fb3407d312a8e7f

SHA256
124926cde257317c08eba81a9e1bcbdf214e1177c0279bed3f25bb37436ad901

SHA512
701ca8f1fc14d726b45fdd01a658f55f229e51a1b57d6c65b4b3d3becb6557942d96c66e79722f53228ed057d5346f79f722cd069447fa2e2c9faaf09d987d18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
96484bf1b97e516ba5f99e36ab1a0beb

SHA1
d5d61197f6d6beddcdefe009867956b436303135

SHA256
05882886ef386eb05a7cbdb9c0eebd8871d0b381951286f75b8c67deaef91eb5

SHA512
7d59442199fc652b63b4a2735622283563b7a0edbad140b318b4b9a213182b64e4001dffac85a05a084707982d7bfdcba91b605b78d64310b14cf6e013f25ec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09e9c614fce0427a9b22cab563b66d3e

SHA1
0edc59510664e3d31a0c7bd3118cc683661e0ba6

SHA256
87342ee10e64a5dcbf87105b86c2d7109f2cb1391c15e217630f3a75281ba91b

SHA512
ec0e83ed752f420e9459d11a5c4ce120904c1776422aac14dc0fc7c040b4f31a700e555aa6c0b9ac0c39e899d7f4ff8445b69f78c4a2412c6471d84d6ede78af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fb1d04a9-c3e0-46d7-b7aa-d2f00ebdcf9e.tmp

Filesize
10KB

MD5
20e1906a43d22e38883d7216332f5767

SHA1
3260f5d64f73a5d21807553c988ccb60e757ce24

SHA256
77c5abbc17ca3761e94726758dc8d8b04d6ba54b2ee377c9dc3a31a6546eac84

SHA512
24d154b7ef3c96792ffd2bfde77ad4b9b154cd4c4aa3e7141fc0cb836735083ee147141f880e25ed8d32a06d34feb6b523beb05a621fbe61c3b20f35442b0d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
258ffd6291da8d60c918c8eb06101ecc

SHA1
4369d9089663b2322901d301c5246afc1d71e3b4

SHA256
064188b0639f440b94805f8104073429361effefda065f0b16912369d4e6420c

SHA512
a9542d46e73362468d37d5a427b1298bdbf59f33dd4a557f829d4b61f8f29b1408d6ee33ca8bba1135cefce3e2d03c60158c9cf5070d7da99efd5ad74ea92d55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4704dd6327100c0221c5fea2b892695a

SHA1
04df582b96b384cc8f8cb9c1458d604cc4c571e3

SHA256
98167b0a3c6229b47dfd233a6281a20f09fb63c54c89fb36b8f1f3631a6c2f0b

SHA512
040db0af72b852d87922c9b9d415ef823b583e89a4e93034cc67ac97b0d37279fbfbda2fba2ad709c63a526336243f94580be34b7380001f84e98b7cb1b1855e

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.zip.crdownload

Filesize
223KB

MD5
a7a51358ab9cdf1773b76bc2e25812d9

SHA1
9f3befe37f5fbe58bbb9476a811869c5410ee919

SHA256
817ae49d7329ea507f0a01bb8009b9698bbd2fbe5055c942536f73f4d1d2b612

SHA512
3adc88eec7f646e50be24d2322b146438350aad358b3939d6ec0cd700fa3e3c07f2b75c5cd5e0018721af8e2391b0f32138ab66369869aaaa055d9188b4aa38d

Download Submit
memory/3964-361-0x0000000000E00000-0x00000000014AE000-memory.dmp

Filesize
6.7MB

Download
memory/5484-280-0x0000000005470000-0x000000000547A000-memory.dmp

Filesize
40KB

Download
memory/5484-281-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5484-279-0x0000000005480000-0x00000000054D6000-memory.dmp

Filesize
344KB

Download
memory/5484-278-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/5484-277-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/5484-276-0x0000000005290000-0x0000000005322000-memory.dmp

Filesize
584KB

Download
memory/5484-275-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/5484-274-0x00000000051F0000-0x000000000528C000-memory.dmp

Filesize
624KB

Download
memory/5484-273-0x0000000000760000-0x00000000007D2000-memory.dmp

Filesize
456KB

Download
memory/5484-272-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/5500-319-0x0000000000A30000-0x0000000000A3E000-memory.dmp

Filesize
56KB

Download