hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25-09-2024 13:13

240925-qf647szgqc 3

25-09-2024 13:08

240925-qc8hvsxamn 9

25-09-2024 11:49

240925-nzgbsaxbjb 10

24-09-2024 15:55

240924-tdaj1avgjg 10

Analysis

max time kernel
282s
max time network
283s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
25-09-2024 13:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

9^/10

bootkit defense_evasion discovery execution impact persistence ransomware upx

Malware Config

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Executes dropped EXE 3 IoCs

Processes:

niik.exeniik.exesys3.exe

pid	Process
1132	niik.exe
2160	niik.exe
864	sys3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\{C84788F6-23D3-741B-5056-89006DF8340B} = "C:\\Users\\Admin\\AppData\\Roaming\\Fycyu\\niik.exe"	Explorer.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

PowerPoint.exesys3.exe

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Explorer.EXE

pid	Process
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SetThreadContext 2 IoCs

Processes:

satan.exeniik.exe

description	pid	Process	procid_target
PID 1572 set thread context of 4476	1572	satan.exe	127
PID 1132 set thread context of 2160	1132	niik.exe	131

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1124-526-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1124-527-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
4768	1124	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

PowerPoint.exesys3.exeXyeta.exesatan.exesatan.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xyeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	satan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

Processes:

vssadmin.exe

pid	Process
1516	vssadmin.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717435583981937"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "244"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe

Modifies registry class 38 IoCs

Processes:

Explorer.EXEmsedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = 1400000005000000010001000200000014000000494c200602000400280010001000ffffffff2110ffffffffffffffff424d360000000000000036000000280000001000000040000000010020000000000000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "3"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "2"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070800420061007200510065007600690072000a0041006200670020006600760074006100720071002000760061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000dbeb8b4efe4da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133670855649585230"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "46"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "646"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	Explorer.EXE

NTFS ADS 2 IoCs

Processes:

msedge.exePowerPoint.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:Zone.Identifier:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exechrome.exemsedge.exechrome.exesatan.exe

pid	Process
4760	msedge.exe
4760	msedge.exe
2204	msedge.exe
2204	msedge.exe
4684	msedge.exe
4684	msedge.exe
3260	identity_helper.exe
3260	identity_helper.exe
4136	msedge.exe
4136	msedge.exe
4964	chrome.exe
4964	chrome.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3264	msedge.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
3248	chrome.exe
4964	chrome.exe
4964	chrome.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe
1572	satan.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exechrome.exe

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe
Token: SeShutdownPrivilege	4964	chrome.exe
Token: SeCreatePagefilePrivilege	4964	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

msedge.exechrome.exeExplorer.EXE

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
4964	chrome.exe
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE
3476	Explorer.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

Explorer.EXELogonUI.exe

pid	Process
3476	Explorer.EXE
3476	Explorer.EXE
2020	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 2204 wrote to memory of 2860	2204	msedge.exe	78
PID 2204 wrote to memory of 2860	2204	msedge.exe	78
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4056	2204	msedge.exe	79
PID 2204 wrote to memory of 4760	2204	msedge.exe	80
PID 2204 wrote to memory of 4760	2204	msedge.exe	80
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81
PID 2204 wrote to memory of 2768	2204	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2900

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e4d13cb8,0x7ff9e4d13cc8,0x7ff9e4d13cd8
    3⤵
    PID:2860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
    3⤵
    PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    3⤵
    PID:876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:1088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6032 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
    3⤵
    PID:1112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:3176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
    3⤵
    PID:3724
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
    3⤵
    PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4648 /prefetch:8
    3⤵
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID:4136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,15071804831787699538,5043777083681120609,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4768 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d11ecc40,0x7ff9d11ecc4c,0x7ff9d11ecc58
    3⤵
    PID:568
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1820,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1812 /prefetch:2
    3⤵
    PID:2876
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2124 /prefetch:3
    3⤵
    PID:860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2208 /prefetch:8
    3⤵
    PID:2776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3100 /prefetch:1
    3⤵
    PID:2040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3380 /prefetch:1
    3⤵
    PID:5116
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3564,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4464 /prefetch:1
    3⤵
    PID:3148
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4436,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4572 /prefetch:8
    3⤵
    PID:2424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4628 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4576,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:4636
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5040 /prefetch:8
    3⤵
    PID:3048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5048 /prefetch:8
    3⤵
    PID:4012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4292,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5036 /prefetch:8
    3⤵
    PID:4736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=868,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4996 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3248
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4948,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:4484
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4880,i,3408042713129918252,8920845176375829083,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5320 /prefetch:8
    3⤵
    PID:4712
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Xyeta.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Xyeta.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1124
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 476
    3⤵
    - Program crash
    PID:4768
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- - C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe
    "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4476
  - - C:\Users\Admin\AppData\Roaming\Fycyu\niik.exe
      "C:\Users\Admin\AppData\Roaming\Fycyu\niik.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1132
    - - C:\Users\Admin\AppData\Roaming\Fycyu\niik.exe
        
        "C:\Users\Admin\AppData\Roaming\Fycyu\niik.exe"
        5⤵
        Executes dropped EXE
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp_299820e3.bat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1100
- C:\Windows\System32\vssadmin.exe
  "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4648
- C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe
  "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2140
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3624

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
1⤵
PID:3884

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3908

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3964

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2364

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc
1⤵
PID:3700

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1764

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1124 -ip 1124
1⤵
PID:3248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3980

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a3e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
498ed44ce9d3f429e34815d282188728

SHA1
65e95e74b2540a4ad46d94651ff5e2ac97a235dc

SHA256
a605e8a8555133c97a409b3a05ffd64ad8448f29dfc09bc31d3dd030448b6db5

SHA512
ece1c69f5740ff90c4671ebee28e156a51894c7f9def200868c9993bd87d2a601b7155548d044321322ec2de4818465a8b167fe381e5af19e0950a37f2a43ba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
df682ea92f4635024f8602462e9b9879

SHA1
f4363abde6f6f487206a69b8abef888a60b2c7c8

SHA256
b8576cd15ad7e22473c489b6c78c81acd71e59612c2a80df310e6781dae6f6fa

SHA512
0b9687ffb11306540a453dc794888cb5edd0b43c0f2e22b9636b9bda38522bedd114b7632907a1d5d69f4e1519df07ef5bb4a5a283bd23f110bcd96fd7588e12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3a9544481e3cdb4030a9fef0f96bb0cb

SHA1
4ae7952e3736e2326d20ed4aa1827dad6dcded08

SHA256
a096cb09aab4d3419ff28283c8b23fa8597b5ff4ec495f0d9b5a8f0c3bb33da1

SHA512
ce9820fecd1de0ef2f621f9ef81a2d750ab4bba060dd0a7e9bbba92f389c84b1952898228d72db72189de0156490736dd9dafc0db7c861cb0a48f1b78015bb59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
17519ea1ab6a2df79270b498c39f97e3

SHA1
926edabe0711620363ed4bc238eba970bfb172c2

SHA256
2347556c72232b21fd91814c3d4f0befb44e4f00abf7454536a6bbad1e720c50

SHA512
0af5a16eba1252d08b72259f7140e6bf138819c71c5f13f38e6e15390d5ba11c20599f861ade696bd713991cca9aa819383b73194825c021b8394af480c85fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27e995025e7bf91701c19dff832d376d

SHA1
add9bc4028e094df1e19156de0177ebc670b9672

SHA256
5f2013be9e365e509a36a95d19efbebfebad7c5c6d00bb466444bfdc1ca458bc

SHA512
03f26d993a3727e71236dde2c60961394c70851138e497d90fa167514cad0e0e28320344f94481878e1220ae72d185d1d7e68b81235d35775ec281e519af88cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bdd70da06b1c19b06232952cb868e5ab

SHA1
9b78a4edc3d1cc2c896dc78a77d6cdda69bd60d8

SHA256
f6feb61fb65d586af6ff22eff77f5c8e591cf23d0248af79c9761c0d14c6387f

SHA512
e4cda8e1de2d30496a8fb83440dc7427121524c8dd95c4c50e7414319972c4a62a06d40a870ca0cd26a73de7d82267f6f557b8b2e15765a907fed5dbe63e2107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1ea94772d8e697340064f0fdfdeb8419

SHA1
0187e8e6e1bded0a963fde3b2651778c0c6c7692

SHA256
97851e0447abfc0174d145b8cf6ddad6a68ea79a717ba5ab6a2168b40e7df7ad

SHA512
a98bc0f5f2078a4bfdce7a53f995171962f82a5ae951583510296685cb57bc20645786323832e221b175deb6f4cd1dd0da70e0915fb7e9f031c6264808c1bc9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e16577043bf1c20f9ec831c4bb8e86ec

SHA1
68d4284b40511528da4d0417b8dce064e896d469

SHA256
529e2d77b067b757583752a19bcf1c90da9ef1f0143016cb3a7929b5251a4edd

SHA512
8081b7f6d57c12935f50738401d1aaf1384838ee05659d47dbed841fd37083a783fb21b90f34d6645382154041f53dc11cb561ba91f87b3490d8a3c46d36291e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8dd4d897befa62b020cc17eff5a7e68f

SHA1
96631e67a0cc2d22672b254afa7b542dd73834fa

SHA256
36636a16711a6ac4e4f0ff092aff8a539b9c24f78d4448652de42cd09d654275

SHA512
b0a4e26986ee10dcbf8f09ab63215198153b6f91db7fc4ec9b9551a14278226c2b43f73f86d21c33efa339c52cda6378df11c9efd8da1e0b8b4d135075e9db51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85a5130918aba4d879139e3c0c883244

SHA1
6f8ce4773278aed8dc6ab6c9d88eb8481686bfb0

SHA256
80f75ee12f360d0ea3309f13d99fa4db3320b8f14da8d5c031aa076e9eaebd3c

SHA512
53c2c178d4970c002706fbf54aaf4a776abf941e0a711e6867342716c135c081dff6c8effef2a05cda95274c5cf3aa0e4c099baefbaf605a0ac1a92b40b0c322

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18528d2d55991c7963746688589c4ece

SHA1
23fade9f1b8838887b74030b831a73aeb0c1ef26

SHA256
84dfbe292135e77d11312fe98e75ae0502091cd5c85cc73caf271216f78fbdef

SHA512
9a38f3e599bec3cd808c0c6d1597022b712b51c0fef304747cba9028a0634137a2f63d594cf28037236bf5e52514d5e0986a746e1b08626c039208858286137e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67b5ce93d5c595defc8804ab74a0c3dd

SHA1
7792fd8881088c5216e2b7be87f3c88192304da6

SHA256
41f7c5bb21f5bbbfafe0ed8ccb03b93e6cb6b7809a085a354557629687425c83

SHA512
95844a4dcb47d0070598b20bcae69364863c7b8e4972bf0ff323b229c77985deefca34741e0c8359b1c48af2714be3853ec320668b918150d936a36df63e9433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9452142d9b42459d38b7b9eb11ce8a43

SHA1
a3d755d9f46601019259fd2cfe9d1b0af78ffbee

SHA256
fca5e9c1d957b7b74fc40d358fe3cdff685b11f5779dc19e7c5a93cecfbc341d

SHA512
ab0832482be4a6d2f4642e6586d9eab30d0efe02cf6d53eaa2f1cf952b96e8d955b2660806984fc4c6566edebc8e8ed42d2378203c4244a6f8bcb7a8a93dcc12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c470192b66e79dd725f16d269c4f8ddb

SHA1
66b489fd7c55a3e3f037775e42850a9e38108cb6

SHA256
731d8dad1e6bd34cb17650dd24c8aaabd18e0f8e945e2378fb4e983e9ce090d4

SHA512
416d51c4a7493f561692db81381ed3d3f6aaae8d5acbc55daa83872660003e9f1d249e0bf74e9e565d2e061fe7a723de66cbfed4b3342ff10be6f79c8e177312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56de57ef9211760675772725c9238e83

SHA1
ee92a9300105343a5287cf121dab76741ae44d43

SHA256
90c9b8c34009858f6d9f3eb2aa3075fab4325514d38ec689d02f945befa9c3c5

SHA512
67be3bc2550a500eecc0de54963a0fb188fbc7b08a1dd7630b242977e450ae9c78d4dd30f06e8c886dfca44e8b6ca7b6dd818df6d2fc15dc382c24fb4c8657f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
874572107ec267b6977d986899e2e12c

SHA1
cdd638d1030aa0c5a10048c33f43eb803db5284b

SHA256
af9e6a721a6e3d1c85a3d42c7d9d7e5dc7109338cc9cb769048c4cf0ba4d1209

SHA512
547a353cfab0246c44e7a1c4fe85861b7304d05a22c1260574df644808c206a9bc4d32f54dc30e9e128959ee27b34c3bf303ebfd72d74900282f5e857c1078bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
65a791922caf70805a701b2b6090158c

SHA1
5dcc38d0e27bf7a9ea23b552b4f7faeb55ec14bc

SHA256
ff1ba94d9feea248e7d2ba6df3d445b6d1e7f9ecd82ae4234267dabdac3d4fa6

SHA512
4933d1674c245acdf56bb25c3062338f8aee26c6f27e296751b579945a06a448050968cf7c2be29630c67d1a9150581f18dbd06b94426c4330bfc892fcc3dd7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
547f43c9f0e1b91978b5b311817f4863

SHA1
5da6e8ee3195a34558e2e95dec7a090b0afc0989

SHA256
e9b705607b3749ac3033c7d39b29b0fa78ade6b15d5dd9e2a2959961cfee0778

SHA512
cee01a48bc52adfc40e26ae08c86c9834b6f181c34e0da1c6f8e335d8464cfbebd5a3d4d537b04d018ad6d20d4f3e370458fe8a85fe87c1a85cc58d81e6128f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
79fa615f1bec46724c0eff53144f3b12

SHA1
7dd311cc344e1059d28df2bcdec0f39af99421db

SHA256
6ca397bda990c6b47d6da70ba6574fdc9af1413467ae4f80f3110c1d380cd2e7

SHA512
54d8791d550f2b9ae689a3536efd52448c876cb809cad09cacec689e1edd9e779ee168be4ca92e47ff0c21df10e94776899cc436f455f979b3b032e76dffe6f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
c0a4a6f130a4176c0dbd4375932fb7e5

SHA1
1082db0787c7209da3a409fa6e828fad8547b2c7

SHA256
48a9398364065211bd2ae25f39825d9ec3f36eddbc3b11451f6f8d5c429c427e

SHA512
96f37051fc46b6b016c125d18379fcc24f147288992796627fc5cffccd7a4f9fd6ed4815872da4d22d4845d0fc0c82bb0c1509dfc04de275d0eed3489911a38c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
82e6da69fbcc215f9fcc698a0d2354ec

SHA1
ba1c42d7e2b033da17e1481d3d94caf8835700e3

SHA256
921994f172b10d6eaedc5e0693340ab0b29b04b758e1f66105c624a1468e6409

SHA512
55ffc1bd79672945962a0c97b1215b575e16eb91e5a287d2f66a9d3c58c90a805b2d3db5d9facef4dd443a2444e3415b2f0556555d217231aa326c3bcdc827d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
7bcdfd2d85f03185d3a51b21b6cc4094

SHA1
a67abe48836fde87a7b6cf6d27e4586645cffddb

SHA256
5e1aa14b6d6ad80204651ad71ef981a29d549e17de07cb6407544dea9ab56202

SHA512
87e5d59bccc03c0ef8f5947ff9a331ca23831cf608dcc676d39f8988f5a3b19c3ee6148e31706de5697eb2c9f61caf4eb41312e2c823504e6ea0fec88aee90da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
21e0d12dcff1b699215c8bda45efceb0

SHA1
ee2cebca02322e0969780c6584a6fcc992a4e4a7

SHA256
4bea2f8996ca77875bf169778b1a9a5011d3702dc6a5263e6617252e540335db

SHA512
abe8bb83a2e975c0b0b72012a025c19fbf77c8a9a4c76abd638d2d8fd4b34506290a3189a06207f633990622721258cd6c86b941f30e774458d11e62ed48371c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
1b7e3d69009ebef064eb3b4e0f06ede3

SHA1
d57dad2b5dc0756f6660dee52f3d795623975c7f

SHA256
41fd6bc447060b42ccddf0916091cf7f91622129cb2a30a19f310c40b4999bd1

SHA512
909b23826124ea9c8a3bc4210f2b4a55c3588ad925b9d4b9b9d9c0301d9b0f58cba06c9c73c1af30ca650edb98b1ca8c251aeb8be7cab3f227b64b2b145bfcc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e4d50652d00b4c44734f8f84757a67cc

SHA1
8509b52bcde2a04f0a325d7f63997f4f963b9ea8

SHA256
ee206a314a9189122ebf65f11294a1d11dad78ac6231cb53813f8ccca7885c3a

SHA512
3e03dd62fab97a01b44aeef88552baaea6a5f7c60475388789593c548b6226821a24a5ab7254bc7fba1afde0aa2c21103ebc18fe0b5f68b6b883d09760050604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
573B

MD5
463f615865d92339eb68e23cb603e539

SHA1
1caff5854dcc2665be53c36fafe53602f39fbadb

SHA256
a71ea36b4801d34a72d4cf2e6697acb39eb69abbf866461cc64d84133710759f

SHA512
f77f957a18753ea34c90d48bc81ed4a6ff65a8c42036d2ebc622ea4e5bb7a4d76eb1e9e6367d765edba69e83c973dac2670a97cbee3f95d08259ef667cc8b5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4dc7122a4f366b930413b46bb5b94813

SHA1
b4c437585eb2701200af13c1300ea56ff64270a6

SHA256
7a44c90625e8a6a5df75de8a59944fcd74c680840b875c3e7dd09e1d73966756

SHA512
514bb0947a379dd143454124d5598668c0cdd82f952e1002375e51d86fd291db65789e022fd40b59c5267ddb4f410fd86f718ae09932880878ba1fe5b53278ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
678c6386cac80666c578c8cdbc4eeb98

SHA1
39cbef7f9989c0ad5b4e05869e2dc5b2b1797565

SHA256
48c61621ab33391c116d0d1be67e93d8504508f7872328cb78caaf85fcbd2642

SHA512
d52ac2ca281e4fff112e169a326444486f97049b196db5476df44ff204b167ae7aeed2fcda3db04732bebb8d52044b6a974b73b4db97acc7b0c9cd0f4177cdd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94d402d768db5d4f9e84cfbedae9db41

SHA1
3e977a2990b0cdf66a5aa97e1d8486e15dac4482

SHA256
69b5b918be79a8c6f1b69f0be36a5b3a60719eab77c296c704ea8b2d0eda5233

SHA512
962be09357f96434a03475c2ef3f5b4f9d9bbee527ff716c25076944e4d4b970bd41ad8d26be8538e1459813f6679c750211903a2ea55ae37e9004265359ba67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad6078c07e8c43a5643b37d38745df79

SHA1
f62e2a48ac067fe9530ba0dcf3a987127278fd53

SHA256
af039d85365ff43985575b55b522e0b47a64fc7cd7578d4c65cd28b8b6b7dc91

SHA512
f87717cd2fe000fee2b14d866f62fde185867820eaba1568722beb3cd8cb826c14ff7de5e52cb12aef6fb6785fdf0aeb3ab266218fbd97bb8324db18f54c6099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c6487b6e33e47a83718b510dd94ef01c

SHA1
010ab43d1a462fdbcc53ffd01ad582e0a8f94717

SHA256
6bf11837ec7894a4846d2307e5d06946b5cff35092bde2acc1b17d50b6852f65

SHA512
14d77855c86a6bc3e306e90615cda1c207010005b2709252882e5c8816f4e22f27b65b6d8ea84942cd85ba1a4bfecc5b376eb37efc74c365e8023399a39546e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5801b1.TMP

Filesize
1KB

MD5
5b77f811c0c700921197613ea4f54dde

SHA1
477365ef667f06901b26da1cea63c1f727f5737e

SHA256
30f3b9501c134b767cf498ea9a386fa8663d3db315cef729cd9bcf4d6998d33d

SHA512
be3eb8d3d0c818c82edba18577bd8a3ff9380d1c352b90ca731a6b6fc1cdb4ed95e4898a1edfa56e8df756da828d5646969b1de30f4eaaf5c079a633731fcc23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
43d92a1ca87814ca95d0558423402507

SHA1
c35526f41b66adf7de29a94646abe43875c496ab

SHA256
63707f8b2c153ac68266d8626a2281288884c3bd28697a5f09c7af25bb03652a

SHA512
2f50cac7fd9097ba41693c82f1540d72ffe1e32c5d75e4ff811da60b45e935bcf840c192073c1c7a5b44da9789882e2d11c81a85d88c43bd043df57151ebe296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
afa541f08c35f4bc57b3957b471aaa37

SHA1
70ca21a35b3d00179370020b6a4bf168f8adbb93

SHA256
d692027a2d897642b72771e3fc4181f561796c2dcb2b9877fe245a6a2282fe4a

SHA512
6ed256c61378157afe189cfcae324c77e421f54e345e1cdbe1264747229295ff402f9457acc69aaa634b4edcbcec54ccc8965c5316ccce1c9b8a76e8ac8996e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a3f1c76b-cc14-48c9-91aa-d317f711a400.tmp

Filesize
10KB

MD5
54527234615b644b92fd04b4640d85d1

SHA1
1dd9fd81fb3daa76fadc474cb88f4ad61c2dc848

SHA256
a9c517551b4f090dd9d1ef6a4a3bb8aef29ba40d30f46f5d9c69837456dc919b

SHA512
52e7e109db17a098322c5c664dcf93a8482103e95fb09a427eecb5af22f0605f60ca1f6fd3dfc673b20de03b4e9def1fa7e52276f23843f01467da4a20a951a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
98B

MD5
2671b44933c49155e153242c601b1f65

SHA1
bd248015ff65c1b6d07c773111013f107c98c048

SHA256
8b93dcfe006da7c3fba43a9f8ae8bc4e7c77cbee15a95649c74da28667a60fe4

SHA512
1195fcbd5e18c2dc9556f89b4542ed65950400272bafa0ace3420b85ef31727e63829ab4befa513d18095a2659bf234296130575fbde2522c757f541db3e4b51

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_299820e3.bat

Filesize
290B

MD5
c14e870d80cc1313382c7e89fe622856

SHA1
dd079f9b5f25c14dde1a827d5ce41020a4434c17

SHA256
1933995cbb1af6d5e12e04e8cb83d57a9c0e699dac8147b1a890ba667338ed3b

SHA512
c567d009508ea7504e1b3075224a03b5ff611e4d539dc628afc1a008ef9c762faaa88e2e3fef7709d08544f6372f8e4c1622b6f82fa2e2ac009db40b9a5a19e8

Download Submit
C:\Users\Admin\AppData\Roaming\Fycyu\niik.exe

Filesize
67KB

MD5
73340a1e053ac5b5c435f533a624398d

SHA1
1fe148178d87ec5a48d7ef6b4e7fb9e76994a91e

SHA256
f7a684dfe8042fb79c3540f51b33eb334a328595ca3621af5b2aab39b357efc3

SHA512
d81539b40f9cb8966934787c87e566a4e3a26454119c8c862a567c9a241dcd0c4640dff3a895a9de93d5a46786bd1397d25536713b2b528ddca8793ec399c386

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_2204_TBDCCMWOKVTQQFZG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/864-638-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/1124-527-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1124-526-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1132-600-0x0000000003200000-0x000000000320C000-memory.dmp

Filesize
48KB

Download
memory/1132-588-0x0000000000E60000-0x0000000000E86000-memory.dmp

Filesize
152KB

Download
memory/1132-574-0x00000000005F0000-0x0000000000964000-memory.dmp

Filesize
3.5MB

Download
memory/1132-591-0x0000000000F70000-0x000000000100E000-memory.dmp

Filesize
632KB

Download
memory/1132-602-0x0000000003290000-0x00000000032B7000-memory.dmp

Filesize
156KB

Download
memory/1132-601-0x0000000003210000-0x000000000328F000-memory.dmp

Filesize
508KB

Download
memory/1132-572-0x0000000000410000-0x00000000004CD000-memory.dmp

Filesize
756KB

Download
memory/1132-583-0x0000000000A60000-0x0000000000AF1000-memory.dmp

Filesize
580KB

Download
memory/1132-584-0x0000000000B00000-0x0000000000CAC000-memory.dmp

Filesize
1.7MB

Download
memory/1132-598-0x0000000002D90000-0x0000000002DA8000-memory.dmp

Filesize
96KB

Download
memory/1132-586-0x0000000000CB0000-0x0000000000D5E000-memory.dmp

Filesize
696KB

Download
memory/1132-599-0x0000000002E80000-0x0000000002EB5000-memory.dmp

Filesize
212KB

Download
memory/1132-589-0x0000000000E90000-0x0000000000EB9000-memory.dmp

Filesize
164KB

Download
memory/1132-590-0x0000000000EC0000-0x0000000000F63000-memory.dmp

Filesize
652KB

Download
memory/1132-597-0x0000000002D40000-0x0000000002D82000-memory.dmp

Filesize
264KB

Download
memory/1132-592-0x0000000001010000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/1132-593-0x0000000001130000-0x0000000001242000-memory.dmp

Filesize
1.1MB

Download
memory/1132-594-0x0000000001250000-0x00000000012ED000-memory.dmp

Filesize
628KB

Download
memory/1132-595-0x00000000012F0000-0x0000000001401000-memory.dmp

Filesize
1.1MB

Download
memory/1132-596-0x0000000001620000-0x0000000001651000-memory.dmp

Filesize
196KB

Download
memory/1516-616-0x000001DDE79D0000-0x000001DDE79E7000-memory.dmp

Filesize
92KB

Download
memory/1516-621-0x000001DDE79D0000-0x000001DDE79E7000-memory.dmp

Filesize
92KB

Download
memory/2140-635-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/2140-630-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/2160-684-0x0000000000E80000-0x0000000000EDD000-memory.dmp

Filesize
372KB

Download
memory/2160-573-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2160-641-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2160-685-0x0000000000EE0000-0x000000000107A000-memory.dmp

Filesize
1.6MB

Download
memory/2160-646-0x0000000000C20000-0x0000000000DCC000-memory.dmp

Filesize
1.7MB

Download
memory/2160-569-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2160-683-0x0000000000DD0000-0x0000000000E7E000-memory.dmp

Filesize
696KB

Download
memory/2160-645-0x0000000000A80000-0x0000000000B11000-memory.dmp

Filesize
580KB

Download
memory/2160-643-0x0000000000530000-0x00000000005ED000-memory.dmp

Filesize
756KB

Download
memory/2364-608-0x0000018D4E2F0000-0x0000018D4E307000-memory.dmp

Filesize
92KB

Download
memory/2364-612-0x0000018D4E2F0000-0x0000018D4E307000-memory.dmp

Filesize
92KB

Download
memory/2836-575-0x000002B878B50000-0x000002B878B67000-memory.dmp

Filesize
92KB

Download
memory/2836-603-0x000002B878B50000-0x000002B878B67000-memory.dmp

Filesize
92KB

Download
memory/2900-576-0x00000228363C0000-0x00000228363D7000-memory.dmp

Filesize
92KB

Download
memory/2900-585-0x00000228363C0000-0x00000228363D7000-memory.dmp

Filesize
92KB

Download
memory/3080-613-0x00000255C18F0000-0x00000255C1907000-memory.dmp

Filesize
92KB

Download
memory/3080-609-0x00000255C18F0000-0x00000255C1907000-memory.dmp

Filesize
92KB

Download
memory/3476-577-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3476-579-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3476-578-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3476-580-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3476-581-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3476-582-0x0000000003360000-0x0000000003377000-memory.dmp

Filesize
92KB

Download
memory/3624-587-0x000002058B8A0000-0x000002058B8B7000-memory.dmp

Filesize
92KB

Download
memory/3624-604-0x000002058B8A0000-0x000002058B8B7000-memory.dmp

Filesize
92KB

Download
memory/3700-614-0x000001DA3FBC0000-0x000001DA3FBD7000-memory.dmp

Filesize
92KB

Download
memory/3700-618-0x000001DA3FBC0000-0x000001DA3FBD7000-memory.dmp

Filesize
92KB

Download
memory/3884-605-0x00000265AAE50000-0x00000265AAE67000-memory.dmp

Filesize
92KB

Download
memory/3908-606-0x00000168ED580000-0x00000168ED597000-memory.dmp

Filesize
92KB

Download
memory/3908-610-0x00000168ED580000-0x00000168ED597000-memory.dmp

Filesize
92KB

Download
memory/3964-611-0x0000019C28360000-0x0000019C28377000-memory.dmp

Filesize
92KB

Download
memory/3964-607-0x0000019C28360000-0x0000019C28377000-memory.dmp

Filesize
92KB

Download
memory/4316-619-0x000001C5282C0000-0x000001C5282D7000-memory.dmp

Filesize
92KB

Download
memory/4316-615-0x000001C5282C0000-0x000001C5282D7000-memory.dmp

Filesize
92KB

Download
memory/4476-567-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4476-561-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4476-560-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4648-617-0x0000028E0E010000-0x0000028E0E027000-memory.dmp

Filesize
92KB

Download
memory/4648-620-0x0000028E0E010000-0x0000028E0E027000-memory.dmp

Filesize
92KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads