gozi | hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2024 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

gozi banker bootkit discovery evasion isfb persistence trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	SATANA.exe

Executes dropped EXE 14 IoCs

pid	Process
5376	SATANA.exe
5616	2.exe
1316	Maltoolkit4.2.exe
5604	Maltoolkit4.2.exe
5764	Maltoolkit4.2.exe
5788	Maltoolkit4.2.exe
5860	Maltoolkit4.2.exe
2716	Maltoolkit4.2.exe
5912	Maltoolkit4.2.exe
5944	Maltoolkit4.2.exe
5992	Maltoolkit4.2.exe
3852	Maltoolkit4.2.exe
1388	Maltoolkit4.2.exe
4492	Maltoolkit4.2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88.tmp\\2.exe"	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
52	raw.githubusercontent.com
53	raw.githubusercontent.com
82	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ip2t47.exe	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000d000000023b87-225.dat	upx
behavioral1/memory/5376-278-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5376-297-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/5376-332-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5812	5616	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maltoolkit4.2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5152	taskkill.exe
5228	taskkill.exe
5288	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0"	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 764230.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 711384.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 102537.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 66635.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 735677.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4440	msedge.exe
4440	msedge.exe
3052	msedge.exe
3052	msedge.exe
936	identity_helper.exe
936	identity_helper.exe
400	msedge.exe
400	msedge.exe
5616	2.exe
5616	2.exe
5616	2.exe
5616	2.exe
5616	2.exe
5616	2.exe
5464	msedge.exe
5464	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5228	taskkill.exe
Token: SeDebugPrivilege	5288	taskkill.exe
Token: SeDebugPrivilege	5616	2.exe
Token: SeDebugPrivilege	5604	Maltoolkit4.2.exe
Token: SeDebugPrivilege	1316	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5764	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5788	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5860	Maltoolkit4.2.exe
Token: SeDebugPrivilege	2716	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5944	Maltoolkit4.2.exe
Token: SeDebugPrivilege	3852	Maltoolkit4.2.exe
Token: SeDebugPrivilege	1388	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5912	Maltoolkit4.2.exe
Token: SeDebugPrivilege	5992	Maltoolkit4.2.exe
Token: SeDebugPrivilege	4492	Maltoolkit4.2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5376	SATANA.exe
5616	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 4244	3052	msedge.exe	83
PID 3052 wrote to memory of 4244	3052	msedge.exe	83
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4016	3052	msedge.exe	84
PID 3052 wrote to memory of 4440	3052	msedge.exe	85
PID 3052 wrote to memory of 4440	3052	msedge.exe	85
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86
PID 3052 wrote to memory of 5060	3052	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90bc646f8,0x7ff90bc64708,0x7ff90bc64718
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1800 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5464
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5604
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5764
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5860
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5912
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5944
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5992
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1388
- C:\Users\Admin\Downloads\Maltoolkit4.2.exe
  "C:\Users\Admin\Downloads\Maltoolkit4.2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,13339962906255420327,14684416513304608899,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:4260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5264

C:\Users\Admin\Downloads\SATANA.exe
"C:\Users\Admin\Downloads\SATANA.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5376
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\88.tmp\89.bat C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  PID:5544
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
    3⤵
    PID:5636
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
    3⤵
    PID:5660
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
    3⤵
    PID:5676
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
    3⤵
    - Modifies Internet Explorer settings
    PID:5696
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
    3⤵
    PID:5712
- - C:\Windows\system32\reg.exe
    reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
    3⤵
    PID:5728
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
    3⤵
    PID:5744
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:5760
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
    3⤵
    PID:5776
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:5792
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
    3⤵
    PID:5808
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:5824
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
    3⤵
    PID:5836
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:5852
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:5868
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
    3⤵
    PID:5884
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:5900
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:5916
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
    3⤵
    PID:5932
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
    3⤵
    PID:5948
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
    3⤵
    PID:5964
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
    3⤵
    PID:5980
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:5996
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:6012
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:6028
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:6044
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
    3⤵
    PID:6060
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
    3⤵
    PID:6076
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
    3⤵
    PID:6092
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
    3⤵
    PID:6108
- - C:\Windows\system32\reg.exe
    reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
    3⤵
    PID:6124
- - C:\Windows\system32\rundll32.exe
    rundll32 user32, SwapMouseButton
    3⤵
    PID:6140
- - C:\Windows\system32\reg.exe
    reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    PID:5164
- - C:\Windows\system32\taskkill.exe
    taskkill /IM explorer.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5152
- - C:\Windows\system32\taskkill.exe
    taskkill /IM taskmgr.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5228
- - C:\Windows\system32\taskkill.exe
    taskkill /IM notepad.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5288
- - C:\Users\Admin\AppData\Local\Temp\88.tmp\2.exe
    2.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5616
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\88.tmp\2.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:5692
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 520
      4⤵
      Program crash
      PID:5812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5616 -ip 5616
1⤵
PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c50a6c7856530d3c5d603b02b95538f1

SHA1
e82012ce016090d7f29829a7768fe204d11cd2b2

SHA256
0f4c4b52d24f6f0c002784bcca2c74379ac9f78553b3aa781c3705b854a41ca0

SHA512
341440a21a7954f4360a10a8e521bd3dee8f09d7b4b92563a1c55d7c9d9e1c4e545be1f896327b8b9c74b629527021ac226715685b5764177d15c529a7fdbceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
1a14307fc4670978b0289a7162717b4d

SHA1
fe6b086b11fe44f379e190c187929f1b3a1ec190

SHA256
aa065e63b1e39da1a99bef778ee8583fccf3f4cb250663ebdc665660be9213c8

SHA512
a86b9418f80e13936f748ed95f9d6dbf9281260db5cb805575b0619abdec2497b18e5d093478ad06026d968445d5c56afe642c737050b063651c2d65ec9018d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9941348d07e7994700cf5a61522d4cd9

SHA1
7f8e0932637873e4a94635e9f1b916cf1780057c

SHA256
99fd5b48bc1428d67adcb1296bad4bf3bc3709d88403788f66394e7abc1b4f31

SHA512
3b565ac08eaaaa7966cbb9e47767252a1f4358f388843984e152f82cc4543ae4b392e7d9bc6caecaaddbb5e1e8f32c620dae4d8b5e98d74283380dccf6aab2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4aaeae5f1a5df8c2253c098422ba4226

SHA1
dd89693cc68765b05bc32dc5fe651a79e68909cd

SHA256
d827f02a8d4593e349fb8775b4019511f2aa7f54e5b0e89f673785a54e8ba3db

SHA512
4561236636bb6e367b1b2329894f63fbdeeab65283b310d6c4d4b520b08e68d8879d07ee450233c63ff77afbc19d7e1ef6b1d00d437f222adfb6068e0bd7cc3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d585056467aac66ebe3c67e88b458aba

SHA1
2f920817fd2fa07e292047906e260337b74f410d

SHA256
d0c6445b6d4df56e621144ae225ad09bb9745c6888bade1e4c7fca998d048cdf

SHA512
6132a3f177e92582ac3a232728c058611ec4b41f30dde8ed8b127a39abced013411490d73ae307293320b7baa66225552522042fc0c473e136b77b92cd040806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e97a062b1dd182bbfac518ef2246715f

SHA1
79e4be9cf4ca1a0f1152eb4236a143a7568d277e

SHA256
4bfa134e9fd76b89f55e9ce902a740d28a5ecec8c040b2a135be6f7c1ef043ec

SHA512
c3851e89abdc5fe56a9f8e4e04aee679162b3afc42790d25f8aa8eebe451022fa3388385cf08857faac83b8570df2810258ce15ba5c24ba25b6e9c6b83ab59e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d42c44b0ad27d34154f230144c903c1

SHA1
180d3f32ec2ab5ed4143c492257a668fb0e40da5

SHA256
bedacb38f3a2371f65dbfb9eb70ae09ace33cb7af84a4c0f2dcb84e2c688cb7b

SHA512
3b036691e213098a3319cd0a58c1c0762bfa9ebce7ff7938fbfa1a5800f4b5e0322783687126c8079d3dcc7a97ed95f8f5458cfaa2f8ffddcbd2fd0460dc2e0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f60093a8af1f89cc6cfc7b6817b8da55

SHA1
cf76a315d071a1db2d679dc56e062fb5b4399864

SHA256
6fd0e11c37420e52d3cfa96ac6a5b5a17dd94fe91fce58fa669cf6d1332219b6

SHA512
1e2b016e6e8a2f9e315f1ba80e0c064422711ad3b20b9d334c52520b9e8f3446645677372f2518ec5e68864e2e1253bb5e5d3135a80abc5fb84283d3de39d474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8902c10ba8c1497636271c66f56125ab

SHA1
e5555b7641828b92899bb7e66dddc57ae951af12

SHA256
ade789e2d240a35cdbbe8144c0051fd13f461a2aa9be245699e1c26bda6aaca8

SHA512
0cc3f6b6f77f6f41a0603973a24c4a6581c8fcba1e1d5bb883c41a0b84cc13e67a556dae722d38fb332682120dbffd516fac5f3fb43b652b66e8fec83545e80e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1f4486d6da5e350451b7b0d5bdfa869f

SHA1
b8a66551fe2f5833f39879db5ccf2feb3a4280cb

SHA256
b6b904286e1198b6191075b55b4cdb57de8ef00c1cb1c32721a19bead7af0fab

SHA512
effd1b46e7831cc428d6e2a4fae6f3827557668ce123308794c27826035bc43d870f1fc8433d5f387de03f3be9e6ab0ee113d0d5e650824d011dc8c374c2c6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8163e93e463f68071e0d5b32290ce2c

SHA1
a9b37b33ccd8b973f4407ab0f940188a94daebd3

SHA256
f17d3246363a93540b804d4a8bb6e7af26eaab94d6daf02e469e9afb17047398

SHA512
1fd1e45515e752ad8d03c2d113c60de2ae1f7288103487ae5f6429bc1c497da3dcd4561cbda33246bf2a7b13aed5d8c7352cf98de04ee1a5b773915b3e3e1791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eefaa37175b993a37fe4a7b7b46c0dd4

SHA1
5a7571c49f5b043058f4ca717d94e803dbb98b9e

SHA256
2296cc1228c19dc9243da1521a8cfd3ad9f3134e26d156a2ea3550d1406829ee

SHA512
3aeb56201850df79c73ec1eb48cf782cf8e6fed96c43164261a2c339bb2ff477843dd4b648d9e6448ab50fbd729e6b1644fd9ed285f3f87e30d849a7fb74104a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a23e98e7a91fc91203099bfd6b057bf

SHA1
0b164042631fa95b4260faf0587c6dd01eb1f509

SHA256
8e01dcd1fd300ecb2b837770c7524551ebfdb5751922216d79dd021ca716cfdb

SHA512
c57bb7218e63e80cf98a4ff3ffdc9fbcea25acbc5e73b888a89cbba8467c16751a2251b86767095eec0d0b8dcec623c78d97710f348057fddadca5d6cf56d0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4e69dd7d09b6cbc57d4bff12eacd3c82

SHA1
f80ded8323bcbf80c424b6cbd34da9d77b5792bb

SHA256
c6d12b38ad132f1247016aabd35be52c40744324313bbe09e4aee5299094c08b

SHA512
51031b09c9a6a9b83ab0c555e8264c2294e6246058315743fd3d83ab32050b73ee509c0f722110cfe626749340e958becbc3c01b5ee40e009ec31094847ff087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bbce.TMP

Filesize
874B

MD5
baed3e2e1b63e155de4c0f9b2efeaaba

SHA1
4d01eb78e922bfa1131d524bd044d19fa54ed402

SHA256
cb57b07e60f94395ce2fb3bc36b507a75b7429b451616779caafb7a1ae996870

SHA512
7e6a136a59892654484b43f290cb71fdfac983ad915f8b84c4ddb66d90dab41fd857e16832391cb6deed8772347e19dd487b69783e8a723754897ee99aa8ddc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
45334f618fccb9e16d77308227335c4e

SHA1
7369ba9ab8ca0b153d3af5787457f7332c5ebf11

SHA256
492c0fd832f2ea9303e97986487a557d12dce06816c9cd21e7ed92561b572dbe

SHA512
b778315d7651c359e1929b96e36c4d73a62413b8bd9e9ee2373a6e503a2d120b23eded2ad69439e1226cac1df95985b042d9be04fb7a227504d1fa9ba7a82a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
646bc9da5155a103ad2d4c313f7e8241

SHA1
e9aefe2831ab116a73511b6ccfc1a344468c139c

SHA256
06dc4ca12cf024f9fdc930b70ad8ea3bbba1e2bc6c1d13ed360cfe92e8c8e29e

SHA512
6ca0f7338a00c9d36c5c9acedcf4b013910f911c3d4589888c63741f3fbe23d89645446d59832fc5f996518b57b7b16413f52275664e328b5249d76daae601ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c3c3e4f898061785da59a4c22ad07ce

SHA1
df9ce5fe85adbfeff3fcf2e9c163f76cf063381d

SHA256
f442643b1c65aeadbe096b6a94bac9c17832826de33e88fb7a0dfc16291021fd

SHA512
0f8f6e4827e2720912b916fd00accc1cba5b73b5d06d4ff4dde37295f19f60130fc15e05016c18ae4c9db09df838035542844558c6d6652ab716752394ced6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\2.exe

Filesize
150KB

MD5
4bc20c24fbea4588741203c77126c7b3

SHA1
5f2d2fec4e1d7c752be551363743069d9a4e7510

SHA256
4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3

SHA512
3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\88.tmp\89.bat

Filesize
4KB

MD5
1f7a5456ca38839ec9e112425e7fa747

SHA1
8019978db5a80de11bb32463aa7160bb4a4d6b8a

SHA256
f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6

SHA512
eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 102537.crdownload

Filesize
1.6MB

MD5
0698e624f5b9bea4d0fca1faf6acebf7

SHA1
a83502689b9ed0964c38e04d0a23cbce4fa32aae

SHA256
8aedcfe6c91dfdee8877fbbedf83a6ba0d02bdf0a11f1a6a35e0dea143bf5680

SHA512
f84586b368be8952c0a7d1c5d1b587b4510ae3dc384c4464de4b64212691ac101280080ae934b5f7af07a69853e5d4c192270b21382b94cc838c093b85e79f7a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 735677.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 764230.crdownload

Filesize
106KB

MD5
e98af5555d9174b86254a186db60ba82

SHA1
cc6faef9e23a4ef9f4c4337fffc17c80c9ce2135

SHA256
2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

SHA512
8eb26885c9699d9edb891df112e444d4a1758711ad02aa891f9483a608875b7819679ab826fa52cf803b372c6f05df6c82180775fa1bb6ca0d62acfa0020eeff

Download Submit
memory/1316-443-0x0000000006180000-0x0000000006212000-memory.dmp

Filesize
584KB

Download
memory/1316-438-0x0000000000020000-0x00000000001B4000-memory.dmp

Filesize
1.6MB

Download
memory/1316-439-0x0000000004D20000-0x0000000004F6E000-memory.dmp

Filesize
2.3MB

Download
memory/1316-441-0x0000000004B70000-0x0000000004B9C000-memory.dmp

Filesize
176KB

Download
memory/1316-442-0x0000000006650000-0x0000000006BF4000-memory.dmp

Filesize
5.6MB

Download
memory/1316-444-0x0000000006370000-0x000000000637A000-memory.dmp

Filesize
40KB

Download
memory/1316-455-0x0000000004610000-0x0000000004632000-memory.dmp

Filesize
136KB

Download
memory/1316-456-0x0000000009D20000-0x0000000009DCA000-memory.dmp

Filesize
680KB

Download
memory/5376-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5376-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5376-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5604-445-0x00000000090F0000-0x0000000009444000-memory.dmp

Filesize
3.3MB

Download
memory/5616-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download