gozi | hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

14/10/2024, 09:58

241014-lzj2katclb 3

14/10/2024, 07:33

241014-jdpzkswgkp 10

Analysis

max time kernel
220s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

gozi banker bootkit discovery evasion isfb persistence ransomware trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SATANA (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	SATANA (1).exe

Executes dropped EXE 6 IoCs

pid	Process
4812	freebobux.exe
4412	CLWCP.exe
4460	SATANA (1).exe
2176	SATANA (1).exe
1872	2.exe
3644	2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\977E.tmp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\C4C8.tmp\\2.exe"	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
78	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2.exe
File opened for modification	\??\PhysicalDrive0	2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\-63gkj.exe	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "c:\\temp\\bg.bmp"	CLWCP.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000023b61-261.dat	upx
behavioral1/memory/4812-315-0x0000000000400000-0x000000000083E000-memory.dmp	upx
behavioral1/memory/4812-337-0x0000000000400000-0x000000000083E000-memory.dmp	upx
behavioral1/files/0x0009000000023d33-415.dat	upx
behavioral1/memory/4460-473-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/4460-497-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2176-499-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/4460-507-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2176-514-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2176-519-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1372	1872	WerFault.exe	213
1560	3644	WerFault.exe	221

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CLWCP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	freebobux.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
428	taskkill.exe
32	taskkill.exe
5064	taskkill.exe
4660	taskkill.exe
3448	taskkill.exe
1804	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0"	reg.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 513203.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 113904.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 180152.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3268	schtasks.exe
5020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
228	msedge.exe
228	msedge.exe
2296	identity_helper.exe
2296	identity_helper.exe
1084	msedge.exe
1084	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
1708	msedge.exe
1708	msedge.exe
1872	2.exe
1872	2.exe
1872	2.exe
1872	2.exe
1872	2.exe
1872	2.exe
1328	msedge.exe
1328	msedge.exe
3644	2.exe
3644	2.exe
3644	2.exe
3644	2.exe
3644	2.exe
3644	2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	428	taskkill.exe
Token: SeDebugPrivilege	32	taskkill.exe
Token: SeDebugPrivilege	5064	taskkill.exe
Token: SeDebugPrivilege	4660	taskkill.exe
Token: SeDebugPrivilege	3448	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	1872	2.exe
Token: SeDebugPrivilege	3644	2.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4460	SATANA (1).exe
2176	SATANA (1).exe
1872	2.exe
3644	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3912	228	msedge.exe	84
PID 228 wrote to memory of 3912	228	msedge.exe	84
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 2428	228	msedge.exe	85
PID 228 wrote to memory of 1608	228	msedge.exe	86
PID 228 wrote to memory of 1608	228	msedge.exe	86
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87
PID 228 wrote to memory of 4508	228	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd948146f8,0x7ffd94814708,0x7ffd94814718
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1084
- C:\Users\Admin\Downloads\freebobux.exe
  "C:\Users\Admin\Downloads\freebobux.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4423.tmp\freebobux.bat""
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\4423.tmp\CLWCP.exe
      clwcp c:\temp\bg.bmp
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      System Location Discovery: System Language Discovery
      PID:4412
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4423.tmp\x.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4684
- C:\Users\Admin\Downloads\SATANA (1).exe
  "C:\Users\Admin\Downloads\SATANA (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4460
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\977E.tmp\977F.bat "C:\Users\Admin\Downloads\SATANA (1).exe""
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    PID:2240
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4080
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:216
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:3428
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      Modifies Internet Explorer settings
      PID:2080
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:4596
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:3136
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:2200
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:4936
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:1392
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3784
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:1564
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:1368
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:4668
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:4004
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:512
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:2088
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4944
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4436
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:4696
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:1092
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:4224
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:3004
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:4568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:4760
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:1896
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3764
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:2252
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:3540
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:1964
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:2816
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:368
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:2676
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:32
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\977E.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1872
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\977E.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1872 -s 524
        5⤵
        Program crash
        
        PID:1372
- C:\Users\Admin\Downloads\SATANA (1).exe
  "C:\Users\Admin\Downloads\SATANA (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2176
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C4C8.tmp\C4C9.bat "C:\Users\Admin\Downloads\SATANA (1).exe""
    3⤵
    - Drops file in Drivers directory
    PID:4080
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:1020
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4596
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:5004
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:632
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:1488
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:4200
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:2364
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:4364
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:3784
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1760
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:948
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:1368
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:1536
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:5100
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:4300
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2088
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3932
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:1116
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:4952
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:1080
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:2760
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:3984
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:1796
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:3004
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2844
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:4760
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:4480
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:4676
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:2308
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:1436
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:4376
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:1104
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\C4C8.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\C4C8.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 464
        5⤵
        Program crash
        
        PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,1840456006352603166,2314601105058257688,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1872 -ip 1872
1⤵
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3644 -ip 3644
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
106KB

MD5
e98af5555d9174b86254a186db60ba82

SHA1
cc6faef9e23a4ef9f4c4337fffc17c80c9ce2135

SHA256
2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

SHA512
8eb26885c9699d9edb891df112e444d4a1758711ad02aa891f9483a608875b7819679ab826fa52cf803b372c6f05df6c82180775fa1bb6ca0d62acfa0020eeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8dc382fb8eac55379a6b30cbe27389de

SHA1
6f683142bf0500dc132f77a5c37f71f5d2032b59

SHA256
6217e86995b36f1e0b63d8beac2277a310947f99fa666f362995f6cc27def818

SHA512
14fc575d6ac9db34ae825ec68ea67613faf477602f1904ed286ee25f82a278a22e0c73a4b07f9606091561c3f131271a84da3c3add1d675ab81f85ba890bbf88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f59ebaa86f16297eb64915c8dc9f5482

SHA1
9511852a868b690eba4d0a22cb602a0868beb38e

SHA256
55127cdf1be0548dd8edb06d0bec685bf5a9ad75ee6404cfee79a6fabfc605aa

SHA512
e45ebfdd2ac6fa7774eb6fe7383532dc95fdba8f8d7cdfb516df1aa75649f7ecf08b27be558561039f029a42a0cbf3fef8229c376947241709e4cab1dc0c5f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
d22266ba3d8db30279b96944f0cec985

SHA1
44e288cdfe75a5e8299ce32e75dd9e0705cdbac9

SHA256
77873629fa695e434160c86ae9116906ff65a97666d7d35a3ed63221b627c0bf

SHA512
d463aecbdac835dace5544b4267c86c2ed7d3165ba95095db6dfc3a25655f2391fa202a81d37b4a76a36f04456ed86df137302ad0e456fd59ecdfee3c69c6c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e5fb5d58cc790ce83772c1d6a6535980

SHA1
3f827c83e08a3a46d6eb558fab21d45ec324e147

SHA256
1d8cfe625e3fdb5e69cb7ea2cfd19447ca6fc57058edcedc8ab988ea25bac926

SHA512
33368c6522da41243269c0cfb28c131450f3d88b89eb16820c8130196a19fb96c5e73b74a5d97ea4739d48b2de9b7bc169005e6b1d89546ed293990551fefbe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ff75d3b758d4732ee3ccef61abd5830

SHA1
a7c4e18b0c9037369e7c6ff22f9b2d32bbf8119e

SHA256
adb70bb794f296152fefcb2b654db3c9d021beadbf3c789f1c804cf7551f1fa7

SHA512
3d3cd4a691a8c99854ee23a2a3abc8d9787429ac075074853508e1bb5cc15a244720408e4484c9e610b9f96cbea9b512a52feb7e3c836d6439410b6059ac3723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ef22c390e75cb641b14e6734e6a3f182

SHA1
92137eb7bc4a4b51443fc672e6e51054b7c885e8

SHA256
f0b5febf36ed1f4405a67601f7bd73586b44005b112adc529a976dd93192650c

SHA512
0df0b70c3ef22d47e7f07662057918a80540af3157fc3d274994ac1188915cf62d940a63eea20da4b4a517404fedb763a1f0284044953ad481c8e2970d873ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
834fcc14cc4e36b913908ae684b2e861

SHA1
63f8f3d2f62ba443853b2524598fda4d50d7d6e6

SHA256
d235ef3edfe671ca279a898fc2722ae5e13a6ddfbd00544579748eb666076fa7

SHA512
ea39f3b5ecea8e5c8f1a91b98a315dcf06c9ff8ae6d01e680b8375edc99a2060a7c376fe8d3208a6dafffc3791edf4454c7d5fe465d9b791a168541a7973d12c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
299ac923a30d4a4d31b448e5d1f999c2

SHA1
1db505414548282cbb00a2d9d7877df02672a95d

SHA256
e43a2547ed35cf68a9651bae6454567d071dca72864d4c6addada97a03a6e69c

SHA512
a7cebd759dd956f3b03056835498823eacc091e50012ebf2e2dec13bb48e7e43d8cd5e2007d5d00347628ebc98d05b2158c42ba059b9a759e4c2c375bf41b452

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dbf028d4881232a61d144df30791bb61

SHA1
a360e70ad976a70c5b0262399aa8c0f9a5ddef4a

SHA256
a9e03f880e31c783727b9e333d078af7c210f6f0df29a1e2326abfe2b9d9260d

SHA512
e689f79cc8a7f5412431a89eecbb16a5383ff770524b693c26506c4bea418b2751bcfdaa5587c43af36f2aea43251f0ea874c0102c23482279cbc252f2c7dee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61e1daec51d813bf0a55915248829860

SHA1
56e283e0d8b70c83b4c08e60e75ee596e3998d2c

SHA256
5b21bb9217a6e255cd2c4fa25e87947fbff884f548bdd6823077886df700a0a3

SHA512
a63abfbefbb1b1aef55c66bf06814883d171d70f6589c04903bf047e4c04185452a38b771d3dfe81461d877551bf4c1839bc576d2780e219a848bbfb4d8ecf85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3fb6f2e04229d16d9a94b5f7270012e6

SHA1
10518170f77a3713fece95da26d543f58d223b24

SHA256
273af9c80e867f0e27564f22ce17f9022975803d7446941238ad1bb5c0ccb290

SHA512
c357acfa6fb8efca1d736b646d5aba38b3755cecb8b3fd931085e6899ec3f3e992a2a5dbbe8732ae81c4d64eb744bf588f9be20a28994754beac721ed1f49b6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5910de.TMP

Filesize
874B

MD5
21c0db62074346f06e220d32ddb8f6f7

SHA1
7433a931d91ccd8d3ef1b28f8e420d041bb08d25

SHA256
def76682d03ea144029ec1c361cdad9b997be243a3b9a7a639fe006a531f7762

SHA512
74fb17c2dcc4014da0da48f9ffe9e151a1b85050e76bc23e1642ec179e0eb2740e4f80f18bdd81146a4cc4221cc4fc920baa8e4cb365d3a721aa5ed3b425cb46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ea042b145b351dc85dddd1666d5faf21

SHA1
4d1468bddf423d52fe7a3775a8e3735c726670a8

SHA256
c8489e086c3b35538128d477924ecbac269d25a7827bc161b3614f65412d8f12

SHA512
5f2ff2b6fcc0fc08c31a1270c8eba8ca00bb653ec51ba698643d853daa0f516ceb68afd83affd18dd4dc750901c4088d02e4828bded67a11a01b83f77e9619e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ad7de3bf2f3e914de148080333feaf82

SHA1
75a69bc1e078802ffe1298e2878abf5090f39057

SHA256
282084da4e6b2dc0b4e42ce875dd8591b82cf31bc83f59fdfa81fe51f494be91

SHA512
1fb7b9a1dc4d501e4b033829e868d9e4a54f005aee6392ce1e3759e1883e5b870bc2b99eaa5b62598812afc3ecae203745b007e9c5cfc6e53203b208a5b3b33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9de0c1bc6c9ffd0edda468dcf8d80db0

SHA1
02206c43232fcaef87b40fb993b54e47f1543454

SHA256
45bacc2fed0b78b4c36f66d8d86255befb1e118cb20aa1311662abed365511ef

SHA512
9653fa499e6fe874cf1fe046550511f07f2bc4827f58a58760c521245d711eea805ec4ac8f7fbbd0ac864a8d26f50062ce549c359e338bd743cb6960b986937d

Download Submit
C:\Users\Admin\AppData\Local\Temp\4423.tmp\CLWCP.exe

Filesize
505KB

MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\4423.tmp\bg.bmp

Filesize
3.0MB

MD5
2229bdea09783e544015db10917ea91c

SHA1
9d8fd01f98f6de2f2889bc441847f25146190660

SHA256
13ff1d9aee82f15e4df8621c0b68ca31844bea8a0a5e5b194dfeabac7a646521

SHA512
c1abd12398bf749fcc07de144ada40e23985cde634d7ba756f0199614ec4eec918c706f0d8af2f4fbec2539c256e638496e8c57cd18e2f5cbefe204d3770d089

Download Submit
C:\Users\Admin\AppData\Local\Temp\4423.tmp\freebobux.bat

Filesize
176B

MD5
202d76eb2952aeb2e241c13defe48045

SHA1
34e26a3407288c7ea63bd1cd305c27b06b163386

SHA256
9d99aa3263624e3a9434af76bac620f71598c082b35504de738d1c04af079fab

SHA512
6a78847878c3ee4ef82a61d03e4f61f681ad7c2d62d5ff10645f17fa2acf63bc76b5862043bb94eaf7d80ce0ab2c35a904ef6de178623d42111c453c5ee9f3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\4423.tmp\x.vbs

Filesize
65B

MD5
ab30794d761af418b216eab48d003536

SHA1
edd4c2f1813c70cb8739b5c3b8efa425072a4911

SHA256
a6154ba12e45de717c0f6cef752c68897ac80438d1ad60750b258f1d35a39e25

SHA512
96214a59bd691d2210a758d1679e2db7e6b186c2f0b8bd9a4286ea3a8aeaa1f35632c6c078371bf474e7dffca9e23bd0d6cc4e9c0c114c883ab3374be81f291d

Download Submit
C:\Users\Admin\AppData\Local\Temp\977E.tmp\2.exe

Filesize
150KB

MD5
4bc20c24fbea4588741203c77126c7b3

SHA1
5f2d2fec4e1d7c752be551363743069d9a4e7510

SHA256
4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3

SHA512
3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\977E.tmp\977F.bat

Filesize
4KB

MD5
1f7a5456ca38839ec9e112425e7fa747

SHA1
8019978db5a80de11bb32463aa7160bb4a4d6b8a

SHA256
f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6

SHA512
eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 513203.crdownload

Filesize
779KB

MD5
794b00893a1b95ade9379710821ac1a4

SHA1
85c7b2c351700457e3d6a21032dfd971ccb9b09d

SHA256
5ac42d75e244d33856971120a25bd77f2c0712177384dfa61fb90c0e7790d34c

SHA512
3774d4aed0cce7ed257d31a2bb65dda585d142c3c527dc32b40064d22d9d298dd183c52603561c9c1e96dd02737a8b2237c433cf7a74dccb0a25191446d60017

Download Submit
memory/1872-520-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2176-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-519-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4412-330-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4460-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4460-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-337-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download
memory/4812-315-0x0000000000400000-0x000000000083E000-memory.dmp

Filesize
4.2MB

Download