hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
56s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 22:42

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
70	3832	msedge.exe

Executes dropped EXE 2 IoCs

pid	Process
4644	PowerPoint.exe
852	sys3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
70	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "19"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 306307.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3832	msedge.exe
3832	msedge.exe
1296	msedge.exe
1296	msedge.exe
4812	identity_helper.exe
4812	identity_helper.exe
5348	msedge.exe
5348	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	852	sys3.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe
1296	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3200	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 5968	1296	msedge.exe	88
PID 1296 wrote to memory of 5968	1296	msedge.exe	88
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 4112	1296	msedge.exe	89
PID 1296 wrote to memory of 3832	1296	msedge.exe	90
PID 1296 wrote to memory of 3832	1296	msedge.exe	90
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91
PID 1296 wrote to memory of 3384	1296	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed15746f8,0x7ffed1574708,0x7ffed1574718
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,5795501284351682203,4941870970180351950,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2992

C:\Users\Admin\Downloads\PowerPoint.exe
"C:\Users\Admin\Downloads\PowerPoint.exe"
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4644
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:852

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3977855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:1508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:5804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe6fb7ffeb0894d21284b11538e93bb4

SHA1
80c71bf18f3798129931b1781115bbef677f58f0

SHA256
e36c911b7dbea599da8ed437b46e86270ce5e0ac34af28ac343e22ecff991189

SHA512
3a8bd7b31352edd02202a7a8225973c10e3d10f924712bb3fffab3d8eea2d3d132f137518b5b5ad7ea1c03af20a7ab3ff96bd99ec460a16839330a5d2797753b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1bed6483de34dd709e03fd3af839a76b

SHA1
3724a38c9e51fcce7955a59955d16bf68c083b92

SHA256
37a42554c291f46995b2487d08d80d94cefe6c7fb3cb4ae9c7c5e515d6b5e596

SHA512
264f6687ea8a8726b0000de1511b7b764b3d5a6f64946bb83a58effda42839e593de43865dafeeb89f5b78cc00d16f3979b417357fa2799ca0533bdf72f07fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b6c5e3de0e0d9f70ae1c7d304eb3f9e5

SHA1
e4aadeef143baa9f88687c76c9bb2681abbeeb93

SHA256
dc533501999bb8e9c9cb7227f6549402f320fee7b1642fe4c3ef59877cf11bc2

SHA512
0d39ac21fb9df5ab3eca59368a0f1385662b26d5e8dfd301a4965b6a2e066eddc0d92bdfa0a3c89acb011c816a24b2031a64ba89442f7e4891773f6c19cf8fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
245e372cbfd7c4e50093dfd460b0d71d

SHA1
38d6ce9834875fb2d3f0adb6e457efbb4a792d34

SHA256
53eb726f7d05baef2340b1087f74e8a6c94a9a43c0dc651d7291e721db86c0c4

SHA512
7e34517e75a84979732d91dfe404a9ebe5460be364609ebd6569a22953d8c7cb5a07e57bbff721076187d937a2193f6788fcc834885caaf3c5a057c1d2f8ba0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
71151a797fce7a5815cf80d770d795cb

SHA1
8047d7c91ee1a626e9343305c6d709cd9494e32a

SHA256
f0adc9207194a2ca22d78b1651fc0001f75aca03e5ee0d0b7882bd9ff60cf59a

SHA512
9aa05fd3960d8026d1e671a17042ce73c8d09f01a69d32298f690652d54f58b19d8210b8a68c1a29d1ae4d1ac166cac4e1842ddb2bc1d017d3ce3d72cabbae3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dca5d751e1d50e1c5160b1aeda7678ff

SHA1
785f3574a7e88d3e507e703490169a6f56f8afed

SHA256
231a23d9d0f9e414aa708928f2b61426af6ed77bff87b2b4c945d23396930331

SHA512
e82a01de87c89c2ab4475e7c722efb52e04b6336e7e6fa006a45ccd83f9d11496f34dd184f1b9c3df2ff88587c881f3a4504ea36f0973a597758963afbb31fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfedeb73d012853d066c91f26302039f

SHA1
fc3766f9db071e5b8be1c327fbe5cdb5cdfb52dd

SHA256
9ba23636bd5bcedd1e81d20013f441db6b8931dfccff62b4712d2f6ea744ec24

SHA512
4402b1ce5398d08365b6006ddedcf4366a4be39c5c172467abd7dd12925818c30ae893372f00cd6de0e200ccc2ec481f34f7ee7a0e35eaff5bc59989b20b7d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
acaa71ce525e027e3593413ed7cf5a3d

SHA1
693f894f51ebd945e00d962056693156eecae066

SHA256
1de8b2fb4b0993e8957f674cd35e0017aba44d0fae66b5738d748723d59f13d1

SHA512
998ca288024acd9f15e76c32b592fc85c581df94ed52d06ac96b200e97a5619db44f16934606cc73ea0deccf11ae50eac75d51782c1ff583b173f04376824f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582342.TMP

Filesize
874B

MD5
ae13ea49723aa28f7daa27de6feedae6

SHA1
322aba950142f0dbcada4960541bf051ecea5af8

SHA256
ceefabf5088f2536e71e1ffd38a607d597e62fff59ded1133980341a0bf3825c

SHA512
246b8f76f3dec2a0e5da500e7e809229923c4a7c8e978fe631eabc4be4565a07b01804317974554b5ee91950b522575b854d80c026c321a8d5de6a2bd62a85a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ee89bd69c0c968b334cc30cbc5f79ac

SHA1
ca15c1344a6fe611057982e86095e4f2fbb532b8

SHA256
ac70612401601bd18a284ce1c1364a70f484e3783e94c190ba27536491db6556

SHA512
c2985ff982f163057c81edd92c25777959f9f155e726c21a4b6f8d401bb6654c9f93ddf8dd0d6994a48c7bdbdbdad148af9090c1a30354855a284fae5823c76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 306307.crdownload

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
memory/4644-284-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/4644-291-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads