troldesh | hxxp://net[.]geslo[.]com[.]ar

Analysis

max time kernel
292s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 08:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://net.geslo.com.ar

Score

10^/10

troldesh bootkit discovery persistence ransomware trojan upx

Malware Config

Signatures

Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Renames multiple (409) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
3780	protect.exe
1796	assembler.exe
4028	overwrite.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ipapi.co
22	ipapi.co
33	ipinfo.io
34	ipinfo.io

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000023ed8-662.dat	autoit_exe
behavioral1/memory/1732-1089-0x0000000000E20000-0x00000000010AE000-memory.dmp	autoit_exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3412-624-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-625-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-626-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-627-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-631-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-632-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2796-634-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2796-635-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3412-636-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2796-637-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1732-640-0x0000000000E20000-0x00000000010AE000-memory.dmp	upx
behavioral1/memory/3412-1009-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1732-1089-0x0000000000E20000-0x00000000010AE000-memory.dmp	upx
behavioral1/memory/3412-1108-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assembler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	overwrite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedBoot.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
2496	msedge.exe
2496	msedge.exe
2064	identity_helper.exe
2064	identity_helper.exe
3148	msedge.exe
3148	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3256	msedge.exe
3412	NoMoreRansom.exe
3412	NoMoreRansom.exe
3412	NoMoreRansom.exe
3412	NoMoreRansom.exe
2796	NoMoreRansom.exe
2796	NoMoreRansom.exe
2796	NoMoreRansom.exe
2796	NoMoreRansom.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe
3780	protect.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1732	RedBoot.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe
2496	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1732	RedBoot.exe
3780	protect.exe
3156	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 1856	2496	msedge.exe	83
PID 2496 wrote to memory of 1856	2496	msedge.exe	83
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 4944	2496	msedge.exe	84
PID 2496 wrote to memory of 1764	2496	msedge.exe	85
PID 2496 wrote to memory of 1764	2496	msedge.exe	85
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86
PID 2496 wrote to memory of 2904	2496	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://net.geslo.com.ar
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa803c46f8,0x7ffa803c4708,0x7ffa803c4718
  2⤵
  PID:1856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2528 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,10420801054614252543,13983167711798223358,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6252 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1368

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3412

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2796

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedBoot.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1732
- C:\Users\Admin\41532392\protect.exe
  "C:\Users\Admin\41532392\protect.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3780
- C:\Users\Admin\41532392\assembler.exe
  "C:\Users\Admin\41532392\assembler.exe" -f bin "C:\Users\Admin\41532392\boot.asm" -o "C:\Users\Admin\41532392\boot.bin"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Users\Admin\41532392\overwrite.exe
  "C:\Users\Admin\41532392\overwrite.exe" "C:\Users\Admin\41532392\boot.bin"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:4028

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ed055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\41532392\assembler.exe

Filesize
589KB

MD5
7e3cea1f686207563c8369f64ea28e5b

SHA1
a1736fd61555841396b0406d5c9ca55c4b6cdf41

SHA256
2a5305369edb9c2d7354b2f210e91129e4b8c546b0adf883951ea7bf7ee0f2b2

SHA512
4629bc32094bdb030e6c9be247068e7295599203284cb95921c98fcbe3ac60286670be7e5ee9f0374a4017286c7af9db211bd831e3ea871d31a509d7bbc1d6a3

Download Submit
C:\Users\Admin\41532392\boot.asm

Filesize
825B

MD5
def1219cfb1c0a899e5c4ea32fe29f70

SHA1
88aedde59832576480dfc7cd3ee6f54a132588a8

SHA256
91e74c438099172b057bedf693d877bd08677d5f2173763986be4974c0970581

SHA512
1e735d588cb1bb42324eaff1b9190ec6a8254f419d1ba4a13d03716ff5c102a335532b573a5befb08da90586e5670617066564ef9872f8c415b9a480836df423

Download Submit
C:\Users\Admin\41532392\boot.bin

Filesize
512B

MD5
90053233e561c8bf7a7b14eda0fa0e84

SHA1
16a7138387f7a3366b7da350c598f71de3e1cde2

SHA256
a760d8bc77ad8c0c839d4ef162ce44d5897af6fa84e0cc05ecc0747759ea76c2

SHA512
63fda509cd02fd9d1374435f95515bc74f1ca8a9650b87d2299f8eee3a1c5a41b1cb8a4e1360c75f876f1dae193fdf4a96eba244683308f34d64d7ce37af2bb4

Download Submit
C:\Users\Admin\41532392\overwrite.exe

Filesize
288KB

MD5
bc160318a6e8dadb664408fb539cd04b

SHA1
4b5eb324eebe3f84e623179a8e2c3743ccf32763

SHA256
f2bc5886b0f189976a367a69da8745bf66842f9bba89f8d208790db3dad0c7d2

SHA512
51bc090f2821c57d94cfe4399b1f372a68d2811ea0b87d1ac1d6cf8ae39b167038ac21c471b168f1d19c6b213762024abb7e9e5ca311b246b46af0888289e46c

Download Submit
C:\Users\Admin\41532392\protect.exe

Filesize
837KB

MD5
fd414666a5b2122c3d9e3e380cf225ed

SHA1
de139747b42a807efa8a2dcc1a8304f9a29b862d

SHA256
e61a8382f7293e40cb993ddcbcaa53a4e5f07a3d6b6a1bfe5377a1a74a8dcac6

SHA512
9ab2163d7deff29c202ed88dba36d5b28f6c67e647a0cadb3d03cc725796e19e5f298c04b1c8523d1d1ee4307e1a5d6f8156fa4021627d6ca1bbd0830695ae05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c0ea7fab6ea80e4f9d01591122b9017d

SHA1
960f1896358eca3eb08d88615e227026b8a1d644

SHA256
05489564fdfb5746eb273a43e2ab26b87cd2209fff6cf11d735671cd31eee632

SHA512
a3ce5dc332fae8d6cb5c28e05c52e9d54fd2871b4427681ddb28852f018c376a8a1cf22ea0fe151c1c0e4b4a7b4c604c70b50fdb29706c4b4477efd1c5dc8297

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b2c4bc2a69a2c0e64a14ce2194ba31a0

SHA1
89693518af79d73499a61379f0b92b874b6c160e

SHA256
a4b862939b5ab6f6cb6186911eedeec3879ac9511523746973170ce04fe7d115

SHA512
26de3369b035b18a26ec44ecb78f02cad788f51d483a5b336e486c818e65ec41836f2867dca2fcdd3dff1c4ccd082db425da0a9b797ada04e8ed3462e2ba80cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
96B

MD5
3aa87c29104e10900254b84226e9db5e

SHA1
fb1df2ebb8cebe4fa4d639c36911a98f3130ede4

SHA256
6d2e90be57ec9755eb841dfda4b230363b282e4660aa5bf42604b96f39001166

SHA512
cc9149ee3baca32c1bdd7430647bfc7712f681fb0e248f5d04913014ca0f126c905dc36999f49c5d0a383ef94d6ca206a468f423874b9800d15ecebddd4f6028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b60741323ae9aec8552ab639dd4d848

SHA1
6973756d91f745f2c84c5f069a51c67c67491126

SHA256
6c2b7be70be9bc9f06692f8eb8ea6a965eeab3fad189548d66d74d5dd7a58aab

SHA512
788b171c4ad9b0af464559aef9afef74d3295b78e23a6919a634b5d567df2d030bd6b4efacfdcc79f58007b1260eafccdbd54789ca8c1a666e89ca00b30550f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ff58b5390dc42f18eb23fea77a711279

SHA1
1f6b0a0f754d807351931156c365a31bf2bd93a6

SHA256
6f7a3fcaf8fabceb9637df85f400427fad5cbb3c631adb399b7a593a8b3f3ba7

SHA512
a1fde0c1597a859ee2bf0e166ab7645715520136c96c38abf2d438144d21204793bd1f4dc51fda3a354a158d01cdcff6d276b59d8ba0eb7d0973012d84a60f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bca4489cc355fa9899081a1d21494751

SHA1
a85f1d68f6f4b445e5f2d33a48b3486983b539d4

SHA256
51445da92829d8caf98fbd77ab93fc0b5d801a65ac59a9ad22eb08409dc6c9f6

SHA512
dafbf94478079a168e1912a28c9492c075e36f2c25decd0d661d62ce6dfa9a60de630597aad3e1190e9de60f5f4bf3935f3f47bffedf3b5def08bad5e7d656ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9dcc873ba43b4df58ab97a43b79cd89

SHA1
d22a51fcf2a4a2ed89e0749612b87ba203a83aae

SHA256
fedc520848881ee86ffe73f63ea589b50833ec6af616a5ab5c69559eb1f1ee0c

SHA512
aa68a0bb9d7c252efc2fbe12e5027db5dd24df54ca065c47b46a9aea55d1c22d725c095d0e54cc98db548066583a8b1dd29e8a3acdcdd21208c5ad876017d4a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6246b4668267ca0321da54e7c8763d1f

SHA1
3a434592f9aa6442c276366d27dbddd2536fcd5e

SHA256
189d95c2a8bcb5754a498f15c92259de446c89692658167bc0cb9f51bcbb3e58

SHA512
acef870bd5a6b6b442023b6a39be1d0c693a6c1bec0508e0ce0a3f00a43d589e9b1039df091d88bc95bb2174781884011f6bb7e402e55d1ebe09471731b986f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
08685681d59a3d8279e65ebd97084bbd

SHA1
05b09c887443489a6080168e81bf0cbd6fe47914

SHA256
fb712cb418e38a7f27b9bba69b3e6aef5d4195a18de8e8925f0513a75353ebf9

SHA512
a15c998ed0984bd5489a216908da476603d83ccaf1474eb46572658c50f0d141666f20123b277c3ea3d9787ef34b083a53a254ebde862fd23cc81c5caac7e7e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
45d20b1552797800dbca7a82d1ba3109

SHA1
0ca85b3eca5cb449553c25b407169a1621190b92

SHA256
d13935600f6859d2a4bd7e10ed49324de19774db948fe7f4e7af326f72595357

SHA512
5848f9b9f494faab84e788c3d09c9075d5ce14d93ed1efab1cef62652436ae9ca62c061a01a7bbe9b233c54a90a10b24e27eb7f4c54eb39bc35e52b28cba8b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
643b47fc1f5355f1f503b6be2eda64da

SHA1
1cb070f01d5b2c9082962ea3943490b48a70b0e0

SHA256
240a653c5f48e6def692c52f2c5ce9374b5275ccc02f3df0858deaf4efbeeac5

SHA512
eaea55998783682ce78e12cae8dde830409383a7381774e7de81aa4683e3f26d4539b00a1734922e4fa7a68c22284e4535fcd093178a605d083df388e44c26d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
726acf0a479ea095cb6776bcac92e03f

SHA1
4ac98cf4d0ac7e6248c949b383d5c594724db0ea

SHA256
2fd43778a4300a5f7c08f6a91b1936d55ab42dc56963c91c2a286e0cc9ce9b0e

SHA512
620e8b83da24f6949d014125a354222f1bb468f75b60338c40399e77bc6697361daaf3de15668e93b6df57e2d9b7509c23bde11bff49393fcbbfab498b87a63a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5bec49fafd9bd0aff75f625bbfe73c2

SHA1
0af0378bb6a3735cd92fa6957dfea7bc77795dc1

SHA256
b635d163abf88773f5fce6edac8d72a24da85c974747df50ee922ad9be4f8785

SHA512
312d042523f2b508ae1880073b8671daaeccdaeb51b553dfc857180a0a25f7d770a8a041c625ab9d8efed9f4fa0647251f52d1da873be57bfcc639713b3320a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74cfa94e3ae6b67504bb0723b29e925b

SHA1
b20bebfda343ea2232f4e6dadb4c4ead073f48bf

SHA256
293f8f5566a248dd75d9ff596a032507d5638aa08a510c2b9f68e031851febb3

SHA512
e73dfa3b55fa9e3813d951e87c396567715893738bd9e3db3460ac1a2845471f9c2af8fbb36c3cf29e60810b85978eff6f8aadff634aee7d080114ea15fa35c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
539B

MD5
21b0eaca6de45bf1ce3b21260b8bf94b

SHA1
c7d452a3f70a36ae3e38eb4872eb9d02ceac9971

SHA256
996765b6cefc3492350b86e92c861d6e41b410f5ede13c84ed70fc5b032bbab1

SHA512
69ba128f9f1d0e13e65a8864403fdd309fe72b571af211824039677eea668ad90fb8e99a31ae44b3d2c7b4eadc4622ecd85e382a567c5aa796150997f43d7433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5af3957f7a3892ab28ba5ed9d610b517

SHA1
6c1b3360e7c13b7638f5f258f003ea1bcf37aa4a

SHA256
e66ca025177667156add0d110e649d1257f61d4160178ba563730cc5d0176dc9

SHA512
f46862d64570e50e6f3a2a84b6a7340ac22613a8180bea1ca1bd549f5ac82ccbefb3f1f086da78a54f06deef76a7000922e6e00e7f23e90c31e7a326963af3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5819dc.TMP

Filesize
372B

MD5
2af2f7d16eabb04cc1906b966699e8b1

SHA1
64c51b5b6de1ac26454d6ef5ecea0b4c15f54cac

SHA256
275ccf69e4e9f6479fcdc125788169bf263c01751839309501ceacf20586dc9d

SHA512
ad051d6a03fcf439a2bd52ce6ef7a0d677774cf59107eba96e607df6f971a77702fe75d6d9944797d38a9fb592402f2ad30ecb0b731f5bb15549bd7c6bc71e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f40fd998376705d2fd73b6456f7f985d

SHA1
63153b2f2f5c9ff208edb1b14a1f6f2b7d6465bc

SHA256
b4882f9e1397e6385cfba91aba6a93b9b81b4c8010d1c6c52d559a07ca2c27ad

SHA512
7b3b0c664180fedbae6f44ca752a8a2e5dd2fecc5fa9e5114f6357f24ed8cdf31eaaf7682bce632dd614103c7624c8c30a23cb379b36331823749e2bc332ca77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9bf2d23cbd2ff1e499a5abf06c5456db

SHA1
99c6b3229abd4fcf3afb9039d8c6ef3729c3bf7a

SHA256
1f0ddfbf28361d9b37ba95b108f76f6fb349ee15e0f933a418a2d49ccba2cec7

SHA512
5384eff97ac0a2394d3a6953a6b444075acaff8a14ca7d10b695f79953657b85101e3e392143a7235cf642444564e9304fb763b5f195b0055d3963fc8602b2f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\satan.exe

Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
memory/1732-640-0x0000000000E20000-0x00000000010AE000-memory.dmp

Filesize
2.6MB

Download
memory/1732-1089-0x0000000000E20000-0x00000000010AE000-memory.dmp

Filesize
2.6MB

Download
memory/1796-672-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/2796-634-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2796-637-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2796-635-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-636-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-632-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-631-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-627-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-626-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-625-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-1009-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-624-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3412-1108-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4028-677-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads