Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
90s -
max time network
116s -
platform
windows11-21h2_x64 -
resource
win11-20241023-en -
resource tags
arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system -
submitted
30/01/2025, 19:54
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/enginestein/Virus-Collection
Resource
win11-20241023-en
Behavioral task
behavioral2
Sample
https://github.com/enginestein/Virus-Collection
Resource
win7-20240729-en
General
-
Target
https://github.com/enginestein/Virus-Collection
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML
Signatures
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral1/files/0x001900000002abb3-272.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Modifies visibility of file extensions in Explorer 2 TTPs 45 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" reg.exe -
UAC bypass 3 TTPs 45 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten (1).exe Set value (int) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten (1).exe -
Disables Task Manager via registry modification
-
Downloads MZ/PE file 5 IoCs
flow pid Process 34 2188 msedge.exe 34 2188 msedge.exe 34 2188 msedge.exe 34 2188 msedge.exe 34 2188 msedge.exe -
Executes dropped EXE 55 IoCs
pid Process 1584 CrimsonRAT.exe 2952 dlrarhsiva.exe 3316 Fantom.exe 3088 PolyRansom.exe 2528 XSEEsEAU.exe 2036 oWUQUIYY.exe 1768 PolyRansom.exe 2252 PolyRansom.exe 3644 PolyRansom.exe 724 PolyRansom.exe 1932 PolyRansom.exe 1512 PolyRansom.exe 1996 PolyRansom.exe 4436 PolyRansom.exe 4316 PolyRansom.exe 440 PolyRansom.exe 4068 PolyRansom.exe 236 PolyRansom.exe 3648 PolyRansom.exe 3560 PolyRansom.exe 240 PolyRansom.exe 3040 PolyRansom.exe 2792 PolyRansom.exe 4508 PolyRansom.exe 1608 PolyRansom.exe 2984 PolyRansom.exe 3936 PolyRansom.exe 2796 PolyRansom.exe 3980 PolyRansom.exe 3720 PolyRansom.exe 3040 PolyRansom.exe 2700 PolyRansom.exe 3416 PolyRansom.exe 3476 PolyRansom.exe 4908 PolyRansom.exe 2000 PolyRansom.exe 3452 PolyRansom.exe 3956 PolyRansom.exe 4104 PolyRansom.exe 228 PolyRansom.exe 4912 PolyRansom.exe 2068 PolyRansom.exe 3108 PolyRansom.exe 3436 PolyRansom.exe 3520 PolyRansom.exe 4660 PolyRansom.exe 1176 PolyRansom.exe 1248 PolyRansom.exe 4452 PolyRansom.exe 4424 PolyRansom.exe 3248 PolyRansom.exe 3108 Krotten (1).exe 4908 PolyRansom.exe 1496 PolyRansom.exe 4176 PolyRansom.exe -
Adds Run key to start application 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\XSEEsEAU.exe = "C:\\Users\\Admin\\ukIIkoAo\\XSEEsEAU.exe" PolyRansom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oWUQUIYY.exe = "C:\\ProgramData\\dGUAUIQs\\oWUQUIYY.exe" PolyRansom.exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Windows\CurrentVersion\Run\XSEEsEAU.exe = "C:\\Users\\Admin\\ukIIkoAo\\XSEEsEAU.exe" XSEEsEAU.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oWUQUIYY.exe = "C:\\ProgramData\\dGUAUIQs\\oWUQUIYY.exe" oWUQUIYY.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" Krotten (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" Krotten (1).exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow ioc 1 camo.githubusercontent.com 3 raw.githubusercontent.com 34 raw.githubusercontent.com -
Modifies WinLogon 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" Krotten (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." Krotten (1).exe -
resource yara_rule behavioral1/files/0x001900000002abba-346.dat upx -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\WINDOWS\Web Krotten (1).exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 5 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\website ip grabber.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Krotten (1).exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language XSEEsEAU.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Krotten (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PolyRansom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies Control Panel 6 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\WallpaperOriginX = "210" Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\WallpaperOriginY = "187" Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\MenuShowDelay = "9999" Krotten (1).exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\International Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" Krotten (1).exe -
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main Krotten (1).exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten (1).exe Key created \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" Krotten (1).exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten (1).exe Set value (str) \REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" Krotten (1).exe -
Modifies registry class 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND Krotten (1).exe -
Modifies registry key 1 TTPs 64 IoCs
pid Process 1764 reg.exe 3180 reg.exe 3344 reg.exe 1040 reg.exe 444 reg.exe 4740 reg.exe 1424 reg.exe 884 reg.exe 3996 reg.exe 4144 reg.exe 3108 reg.exe 1248 reg.exe 2624 reg.exe 3856 reg.exe 3468 reg.exe 1800 reg.exe 2740 reg.exe 3100 reg.exe 3100 reg.exe 1012 reg.exe 4156 reg.exe 2820 reg.exe 1152 reg.exe 1092 reg.exe 4472 reg.exe 2796 reg.exe 896 reg.exe 3580 reg.exe 1964 reg.exe 3980 reg.exe 408 reg.exe 1888 reg.exe 2880 reg.exe 692 reg.exe 2640 reg.exe 4880 reg.exe 1076 reg.exe 3100 reg.exe 4612 reg.exe 1372 reg.exe 4412 reg.exe 1888 reg.exe 1164 reg.exe 2624 reg.exe 232 reg.exe 1600 reg.exe 2668 reg.exe 2796 reg.exe 2592 reg.exe 4816 reg.exe 3456 reg.exe 2448 reg.exe 4544 reg.exe 4104 reg.exe 3720 reg.exe 5072 reg.exe 4120 reg.exe 4512 reg.exe 2508 reg.exe 232 reg.exe 2836 Process not Found 908 reg.exe 3536 reg.exe 1288 reg.exe -
NTFS ADS 11 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\CrimsonRAT.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH (1).zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH (4).zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Krotten (1).exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 254667.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH (3).zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\DDOSER-APRIL-PATCH (2).zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\website ip grabber.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\PolyRansom.exe:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2188 msedge.exe 2188 msedge.exe 764 msedge.exe 764 msedge.exe 4076 msedge.exe 4076 msedge.exe 1708 identity_helper.exe 1708 identity_helper.exe 440 msedge.exe 440 msedge.exe 2000 msedge.exe 2000 msedge.exe 3344 msedge.exe 3344 msedge.exe 2032 msedge.exe 2032 msedge.exe 3736 msedge.exe 3736 msedge.exe 3512 msedge.exe 3512 msedge.exe 5092 msedge.exe 5092 msedge.exe 3000 msedge.exe 3000 msedge.exe 2984 msedge.exe 2984 msedge.exe 3088 PolyRansom.exe 3088 PolyRansom.exe 3088 PolyRansom.exe 3088 PolyRansom.exe 1768 PolyRansom.exe 1768 PolyRansom.exe 1768 PolyRansom.exe 1768 PolyRansom.exe 2252 PolyRansom.exe 2252 PolyRansom.exe 2252 PolyRansom.exe 2252 PolyRansom.exe 3644 PolyRansom.exe 3644 PolyRansom.exe 3644 PolyRansom.exe 3644 PolyRansom.exe 724 PolyRansom.exe 724 PolyRansom.exe 724 PolyRansom.exe 724 PolyRansom.exe 1932 PolyRansom.exe 1932 PolyRansom.exe 1932 PolyRansom.exe 1932 PolyRansom.exe 1512 PolyRansom.exe 1512 PolyRansom.exe 1512 PolyRansom.exe 1512 PolyRansom.exe 1996 PolyRansom.exe 1996 PolyRansom.exe 1996 PolyRansom.exe 1996 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 4436 PolyRansom.exe 4316 PolyRansom.exe 4316 PolyRansom.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
pid Process 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 3316 Fantom.exe Token: SeSystemtimePrivilege 3108 Krotten (1).exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe 764 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 764 wrote to memory of 2420 764 msedge.exe 77 PID 764 wrote to memory of 2420 764 msedge.exe 77 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2876 764 msedge.exe 78 PID 764 wrote to memory of 2188 764 msedge.exe 79 PID 764 wrote to memory of 2188 764 msedge.exe 79 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 PID 764 wrote to memory of 4020 764 msedge.exe 80 -
System policy modification 1 TTPs 37 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Krotten (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" Krotten (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" Krotten (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" Krotten (1).exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" Krotten (1).exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" Krotten (1).exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/enginestein/Virus-Collection1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc89f83cb8,0x7ffc89f83cc8,0x7ffc89f83cd82⤵PID:2420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:22⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 /prefetch:32⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
PID:2188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:82⤵PID:4020
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:3372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:1484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5812 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:12⤵PID:1384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵PID:2800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 /prefetch:82⤵PID:2380
-
-
C:\Users\Admin\Downloads\CrimsonRAT.exe"C:\Users\Admin\Downloads\CrimsonRAT.exe"2⤵
- Executes dropped EXE
PID:1584 -
C:\ProgramData\Hdlharas\dlrarhsiva.exe"C:\ProgramData\Hdlharas\dlrarhsiva.exe"3⤵
- Executes dropped EXE
PID:2952
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:12⤵PID:648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6480 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5092
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6672 /prefetch:82⤵PID:1808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵PID:3416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6180 /prefetch:82⤵PID:3532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3308 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3000
-
-
C:\Users\Admin\Downloads\Fantom.exe"C:\Users\Admin\Downloads\Fantom.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"3⤵PID:1932
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:12⤵PID:1012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:2524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:12⤵PID:1608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:12⤵PID:2820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:12⤵PID:4668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7020 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,274504980983842605,15945927672206987678,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4068 /prefetch:82⤵PID:3196
-
-
C:\Users\Admin\Downloads\PolyRansom.exe"C:\Users\Admin\Downloads\PolyRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:3088 -
C:\Users\Admin\ukIIkoAo\XSEEsEAU.exe"C:\Users\Admin\ukIIkoAo\XSEEsEAU.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2528
-
-
C:\ProgramData\dGUAUIQs\oWUQUIYY.exe"C:\ProgramData\dGUAUIQs\oWUQUIYY.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2036
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"3⤵
- System Location Discovery: System Language Discovery
PID:3468 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1768 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"5⤵PID:3492
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2252 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"7⤵
- System Location Discovery: System Language Discovery
PID:4016 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom8⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3644 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"9⤵PID:4436
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:724 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"11⤵PID:3468
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1932 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"13⤵PID:3236
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom14⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1512 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"15⤵PID:3856
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom16⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"17⤵PID:724
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom18⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"19⤵PID:2504
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom20⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"21⤵PID:3336
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom22⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"23⤵PID:884
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom24⤵
- Executes dropped EXE
PID:4068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"25⤵PID:5052
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom26⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"27⤵PID:2000
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"29⤵PID:1044
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom30⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"31⤵PID:3200
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom32⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"33⤵
- System Location Discovery: System Language Discovery
PID:3412 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom34⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"35⤵PID:2052
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom36⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"37⤵PID:3912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV138⤵PID:1612
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4508 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"39⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom40⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"41⤵PID:4656
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"43⤵PID:4140
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom44⤵
- Executes dropped EXE
PID:3936 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"45⤵PID:4544
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom46⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"47⤵PID:3996
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom48⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"49⤵PID:1936
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV150⤵PID:5052
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom50⤵
- Executes dropped EXE
PID:3720 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"51⤵PID:4316
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom52⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"53⤵
- System Location Discovery: System Language Discovery
PID:672 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom54⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"55⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom56⤵
- Executes dropped EXE
PID:3416 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"57⤵PID:1472
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"59⤵PID:2484
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom60⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"61⤵PID:1600
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom62⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"63⤵PID:3720
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom64⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"65⤵PID:5096
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom66⤵
- Executes dropped EXE
PID:3956 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"67⤵PID:408
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom68⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4104 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"69⤵
- System Location Discovery: System Language Discovery
PID:4900 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom70⤵
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"71⤵PID:3608
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom72⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"73⤵PID:3148
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom74⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"75⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV176⤵PID:3116
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom76⤵
- Executes dropped EXE
PID:3108 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"77⤵
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom78⤵
- Executes dropped EXE
PID:3436 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"79⤵PID:3364
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom80⤵
- Executes dropped EXE
PID:3520 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"81⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV182⤵PID:408
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom82⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"83⤵PID:3964
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom84⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"85⤵PID:3912
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom86⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"87⤵PID:232
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom88⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"89⤵PID:4912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV190⤵PID:236
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom90⤵
- Executes dropped EXE
PID:4424 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"91⤵PID:3996
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom92⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"93⤵
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV194⤵PID:2796
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom94⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"95⤵PID:232
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV196⤵PID:884
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom96⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"97⤵PID:3236
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom98⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4176 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"99⤵PID:2340
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1100⤵PID:1076
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom100⤵PID:4660
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"101⤵PID:4424
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1102⤵PID:2700
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom102⤵PID:4016
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"103⤵PID:3912
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom104⤵PID:3720
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"105⤵PID:3608
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1106⤵PID:3936
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom106⤵PID:4140
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"107⤵PID:4936
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom108⤵PID:3760
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"109⤵PID:1312
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom110⤵PID:888
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"111⤵PID:4500
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1112⤵PID:2332
-
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom112⤵PID:8
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"113⤵PID:1480
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom114⤵PID:1364
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"115⤵PID:240
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom116⤵PID:3344
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"117⤵PID:1376
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom118⤵PID:3188
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"119⤵PID:2592
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom120⤵PID:3324
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\PolyRansom"121⤵PID:1480
-
C:\Users\Admin\Downloads\PolyRansom.exeC:\Users\Admin\Downloads\PolyRansom122⤵PID:1320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-