gozi | hxxps://raw[.]githubusercontent[.]com/pankoza2-pl/malwaredatabase-old/refs/heads/main/SATANA[.]exe

Analysis

max time kernel
147s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/pankoza2-pl/malwaredatabase-old/refs/heads/main/SATANA.exe

Score

10^/10

gozi banker bootkit discovery evasion isfb persistence trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SATANA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SATANA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SATANA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SATANA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SATANA.exe

Executes dropped EXE 10 IoCs

pid	Process
1876	SATANA.exe
3680	SATANA.exe
3216	SATANA.exe
3888	SATANA.exe
4840	SATANA.exe
1212	2.exe
740	2.exe
1544	2.exe
2128	2.exe
4380	2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\37E4.tmp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4E98.tmp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6491.tmp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\172D.tmp\\2.exe"	2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\24B9.tmp\\2.exe"	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
4	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2.exe
File opened for modification	\??\PhysicalDrive0	2.exe
File opened for modification	\??\PhysicalDrive0	2.exe
File opened for modification	\??\PhysicalDrive0	2.exe
File opened for modification	\??\PhysicalDrive0	2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hnaorh.exe	cmd.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023c9f-40.dat	upx
behavioral1/memory/1876-71-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1876-105-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3680-107-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3888-110-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3216-115-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3888-126-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/4840-131-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1876-153-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3680-250-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3216-287-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/3888-292-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/4840-297-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
4348	1212	WerFault.exe	323
2356	740	WerFault.exe	331
2328	1544	WerFault.exe	336
3872	2128	WerFault.exe	341
2436	4380	WerFault.exe	346

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 15 IoCs

evasion

pid	Process
2844	taskkill.exe
1588	taskkill.exe
4712	taskkill.exe
3880	taskkill.exe
5068	taskkill.exe
1716	taskkill.exe
3700	taskkill.exe
2968	taskkill.exe
1356	taskkill.exe
3216	taskkill.exe
2304	taskkill.exe
3612	taskkill.exe
3576	taskkill.exe
3856	taskkill.exe
3616	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0"	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 810550.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1028	schtasks.exe
3912	schtasks.exe
3324	schtasks.exe
3824	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2256	msedge.exe
2256	msedge.exe
3504	msedge.exe
3504	msedge.exe
1592	identity_helper.exe
1592	identity_helper.exe
2844	msedge.exe
2844	msedge.exe
1212	2.exe
1212	2.exe
1212	2.exe
1212	2.exe
1212	2.exe
1212	2.exe
740	2.exe
740	2.exe
740	2.exe
740	2.exe
740	2.exe
740	2.exe
1544	2.exe
1544	2.exe
1544	2.exe
1544	2.exe
1544	2.exe
1544	2.exe
2128	2.exe
2128	2.exe
2128	2.exe
2128	2.exe
2128	2.exe
2128	2.exe
4380	2.exe
4380	2.exe
4380	2.exe
4380	2.exe
4380	2.exe
4380	2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3616	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1356	taskkill.exe
Token: SeDebugPrivilege	1212	2.exe
Token: SeDebugPrivilege	740	2.exe
Token: SeDebugPrivilege	1544	2.exe
Token: SeDebugPrivilege	2128	2.exe
Token: SeDebugPrivilege	4380	2.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe
3504	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1876	SATANA.exe
3680	SATANA.exe
3216	SATANA.exe
3888	SATANA.exe
4840	SATANA.exe
1212	2.exe
740	2.exe
1544	2.exe
2128	2.exe
4380	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 3208	3504	msedge.exe	85
PID 3504 wrote to memory of 3208	3504	msedge.exe	85
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2156	3504	msedge.exe	86
PID 3504 wrote to memory of 2256	3504	msedge.exe	87
PID 3504 wrote to memory of 2256	3504	msedge.exe	87
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88
PID 3504 wrote to memory of 4928	3504	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://raw.githubusercontent.com/pankoza2-pl/malwaredatabase-old/refs/heads/main/SATANA.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb03046f8,0x7ffbb0304708,0x7ffbb0304718
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1876
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    PID:2016
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:1940
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:2952
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:4772
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      Modifies Internet Explorer settings
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:3812
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:748
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:4572
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:3168
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4712
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:2512
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3340
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:3168
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:372
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4772
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:1940
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:4712
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:4332
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:2512
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:4332
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:2512
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:4712
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:2320
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:2512
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3216
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\172D.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1212
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\172D.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3324
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1212 -s 520
        5⤵
        Program crash
        
        PID:4348
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\24B9.tmp\24BA.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    PID:4196
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:3204
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:3364
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:3892
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:1412
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:3168
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:1140
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:4076
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:3128
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4684
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:3800
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:4712
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:4304
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:3712
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3460
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:2720
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2432
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3364
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:4672
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:3852
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:1420
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:2512
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:4148
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:3700
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:4732
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3532
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:2436
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:4932
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:3560
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:3392
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:4484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:4152
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3880
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2304
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3612
  - - C:\Users\Admin\AppData\Local\Temp\24B9.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\24B9.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 524
        5⤵
        Program crash
        
        PID:2356
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3216
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\37E4.tmp\37E5.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    PID:4916
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:2432
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4484
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:4028
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:3880
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:1500
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:3568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:1204
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:3852
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:2896
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:2696
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:4484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:4028
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3880
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3412
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:4532
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:3856
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:3852
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:1600
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:2896
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3532
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:668
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:2432
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:3556
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:2668
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:1020
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:4672
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:3880
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3856
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\37E4.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\37E4.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2136
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 520
        5⤵
        Program crash
        
        PID:2328
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3888
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4E98.tmp\4E99.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    PID:1204
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4820
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:3616
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:3892
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:2304
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:2084
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:4568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4684
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:3616
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:4284
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:2484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:3484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:2388
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:1356
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:3568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:2484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:1140
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:1500
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3700
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:460
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:4924
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:3892
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:2696
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3700
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3616
  - - C:\Users\Admin\AppData\Local\Temp\4E98.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2128
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\4E98.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 520
        5⤵
        Program crash
        
        PID:3872
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4840
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\6491.tmp\6492.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    PID:1020
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:460
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:3616
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:1688
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:2036
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:3704
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:4312
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:392
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:5004
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:4820
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:768
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:1756
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:3568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:4012
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:1140
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:4460
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4544
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2036
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:632
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:4496
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:3628
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:2304
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:3956
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:3568
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:4012
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1140
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:1356
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:768
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:2936
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:4484
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:632
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:2284
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:3628
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1588
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1356
  - - C:\Users\Admin\AppData\Local\Temp\6491.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4380
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\6491.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3912
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 464
        5⤵
        Program crash
        
        PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,13199861466113159138,9596475205773911757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1204

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1212 -ip 1212
1⤵
PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 740 -ip 740
1⤵
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1544 -ip 1544
1⤵
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2128 -ip 2128
1⤵
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4380 -ip 4380
1⤵
PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
193B

MD5
62fc8758c85fb0d08cd24eeddafeda2c

SHA1
320fc202790b0ca6f65ff67e9397440c7d97eb20

SHA256
ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248

SHA512
ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
060bdd6c2ccbea6df0cbd0c2c98e696b

SHA1
ad6004f8d1a0ca2640086df2b4d7585ed4855df6

SHA256
0e59e0bb2c5298d96038636593df9a48c9079d5742d7f75a31e9870fa3a3ddb1

SHA512
5e97a2d2c3ebadbd88a35c1c431b072570baadb0512b430476079eca4b192792018ef21470ee3522cddcf0756c640d5d14284c578cf97677ba68b70b87674ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6a4f208d7364673463b285dc45d0142

SHA1
f2b0c0237a249098000d89a3f9f0d9798049ac7f

SHA256
ecf4042b7b22e6a78c3bd7e19aefd43124f40cf8904c639a22910f43040e095f

SHA512
23e8d94b4cf19b28a26d5c6309d2c9bfb3c8e094d83809095b9f492ab255cecf35943a7e421cdd3b8d6910a96df25591d4f4af4407a3de970660bdd17fdfe61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ae6e49d2e74be74fbc0fbd7f60540be

SHA1
bdddc62de8789ae33197c2076e62f5ac8ff8a2a2

SHA256
e13898d320a489e9c70f799804c06b26e8c7eac602e8213c96d3f7845f24c8da

SHA512
424019e287624c17d6658e0c892db5a19d2e1068ce9d5b119d029afdf7403b018a732e9b852fe30b571c9611a1e4d764eced1084c44990031dcd9373c1da7dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e83a96a58c828209fe3a0fe5863ec4a

SHA1
41fe184671df249c6b9a424e82215a404bc8c5fd

SHA256
1d682a7e938988b4571b60c1c13462bb882fb3cd78a6078c237207a6244a355f

SHA512
426db140ee756ba29ed9de262626cc4a470dbf80a336e305dd23bc75d12b0987e73c2b74a229a472cd11eb42529fb0472e8fe8bee7ae2c61b4980c91c8886af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efef010769cbc5997438cffd72cf3356

SHA1
7986c1a57b11ead8bc5d4e631c47c8d03d918bbb

SHA256
3af4cee1241e32d0f02f7564045536037c86513ea7ff101658f6bcc7c885c7e1

SHA512
e1a073aa0d0e7c54c68bbbbe61a05631a68f592383e1f848894cf88195186e83cda7f098835dbd98bcb7fab4c0b0c55bdc1d0d5d7abe9fe107918987deed7e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
95a6c3338fa4d2a371e29d50b9ddc66a

SHA1
1c517dfd3ddc1d5bb4cb05089b3520b7bc90878f

SHA256
9763b0ca2fbbda90dd8151846848c78f2666a3789435c3aeb950b89a87b7233a

SHA512
03b19b8389fffcd08728ef689233924552ea35148b4fcc9c1a0402ec12f3e42870f4493b45a7f0abb79b55d137b87420b8b7c89189a982578cb879e0743a24a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2967c97079a0d04a75538021c47c5c02

SHA1
7fa68d32cb385036bf71021152f0a93dc133d505

SHA256
ac13f12d7a81b898841e7aeb94fa6df609623436ea8a17c635ef7f50f28b1252

SHA512
90e7b1f8cae9e47d177137aa9b80a9e074c836a780301b1b48655581bbb29da9fa8b9211f99cac9f43c3f783145e6ceb8f87aa5ff790af2a12d2e889036e3527

Download Submit
C:\Users\Admin\AppData\Local\Temp\172D.tmp\172E.bat

Filesize
4KB

MD5
1f7a5456ca38839ec9e112425e7fa747

SHA1
8019978db5a80de11bb32463aa7160bb4a4d6b8a

SHA256
f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6

SHA512
eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

Download Submit
C:\Users\Admin\AppData\Local\Temp\37E4.tmp\2.exe

Filesize
150KB

MD5
4bc20c24fbea4588741203c77126c7b3

SHA1
5f2d2fec4e1d7c752be551363743069d9a4e7510

SHA256
4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3

SHA512
3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 810550.crdownload

Filesize
106KB

MD5
e98af5555d9174b86254a186db60ba82

SHA1
cc6faef9e23a4ef9f4c4337fffc17c80c9ce2135

SHA256
2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

SHA512
8eb26885c9699d9edb891df112e444d4a1758711ad02aa891f9483a608875b7819679ab826fa52cf803b372c6f05df6c82180775fa1bb6ca0d62acfa0020eeff

Download Submit
memory/740-298-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1212-162-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1544-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1876-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1876-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2128-301-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3216-115-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3680-107-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3888-110-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4840-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4840-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download