hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

max time kernel
107s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

defense_evasion discovery execution impact ransomware upx

Malware Config

Extracted

Path

C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Ransom Note

YOUR FILE HAS BEEN LOCKED In order to unlock your files, follow the instructions bellow: 1. Download and install Tor Browser 2. After a successful installation, run Tor Browser and wait for its initialization. 3. Type in the address bar: http://zvnvp2rhe3ljwf2m.onion 4. Follow the instructions on the site.

URLs

http://zvnvp2rhe3ljwf2m.onion

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (61) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Downloads MZ/PE file 2 IoCs

flow	pid	Process
67	4412	msedge.exe
67	4412	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	Rokku.exe

Executes dropped EXE 1 IoCs

pid	Process
5688	Rokku.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
66	raw.githubusercontent.com
67	raw.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000232ed-277.dat	upx
behavioral1/memory/5688-313-0x0000000000400000-0x000000000058D000-memory.dmp	upx
behavioral1/memory/5688-539-0x0000000000400000-0x000000000058D000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rokku.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 348832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 106858.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5328	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
2052	msedge.exe
2052	msedge.exe
4728	identity_helper.exe
4728	identity_helper.exe
5232	msedge.exe
5232	msedge.exe
5380	msedge.exe
5380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	6004	WMIC.exe
Token: SeSecurityPrivilege	6004	WMIC.exe
Token: SeTakeOwnershipPrivilege	6004	WMIC.exe
Token: SeLoadDriverPrivilege	6004	WMIC.exe
Token: SeSystemProfilePrivilege	6004	WMIC.exe
Token: SeSystemtimePrivilege	6004	WMIC.exe
Token: SeProfSingleProcessPrivilege	6004	WMIC.exe
Token: SeIncBasePriorityPrivilege	6004	WMIC.exe
Token: SeCreatePagefilePrivilege	6004	WMIC.exe
Token: SeBackupPrivilege	6004	WMIC.exe
Token: SeRestorePrivilege	6004	WMIC.exe
Token: SeShutdownPrivilege	6004	WMIC.exe
Token: SeDebugPrivilege	6004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6004	WMIC.exe
Token: SeRemoteShutdownPrivilege	6004	WMIC.exe
Token: SeUndockPrivilege	6004	WMIC.exe
Token: SeManageVolumePrivilege	6004	WMIC.exe
Token: 33	6004	WMIC.exe
Token: 34	6004	WMIC.exe
Token: 35	6004	WMIC.exe
Token: 36	6004	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6004	WMIC.exe
Token: SeSecurityPrivilege	6004	WMIC.exe
Token: SeTakeOwnershipPrivilege	6004	WMIC.exe
Token: SeLoadDriverPrivilege	6004	WMIC.exe
Token: SeSystemProfilePrivilege	6004	WMIC.exe
Token: SeSystemtimePrivilege	6004	WMIC.exe
Token: SeProfSingleProcessPrivilege	6004	WMIC.exe
Token: SeIncBasePriorityPrivilege	6004	WMIC.exe
Token: SeCreatePagefilePrivilege	6004	WMIC.exe
Token: SeBackupPrivilege	6004	WMIC.exe
Token: SeRestorePrivilege	6004	WMIC.exe
Token: SeShutdownPrivilege	6004	WMIC.exe
Token: SeDebugPrivilege	6004	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6004	WMIC.exe
Token: SeRemoteShutdownPrivilege	6004	WMIC.exe
Token: SeUndockPrivilege	6004	WMIC.exe
Token: SeManageVolumePrivilege	6004	WMIC.exe
Token: 33	6004	WMIC.exe
Token: 34	6004	WMIC.exe
Token: 35	6004	WMIC.exe
Token: 36	6004	WMIC.exe
Token: SeBackupPrivilege	6060	vssvc.exe
Token: SeRestorePrivilege	6060	vssvc.exe
Token: SeAuditPrivilege	6060	vssvc.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe
2052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 4872	2052	msedge.exe	83
PID 2052 wrote to memory of 4872	2052	msedge.exe	83
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 1052	2052	msedge.exe	84
PID 2052 wrote to memory of 4412	2052	msedge.exe	85
PID 2052 wrote to memory of 4412	2052	msedge.exe	85
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86
PID 2052 wrote to memory of 1528	2052	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8293546f8,0x7ff829354708,0x7ff829354718
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5300 /prefetch:8
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,17363739337135658411,12702357068189706119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5556

C:\Users\Admin\Downloads\Rokku.exe
"C:\Users\Admin\Downloads\Rokku.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5688
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" shadowcopy delete /nointeractive
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SYSTEM\CurrentControlSet\services\VSS" /v Start /t REG_DWORD /d 4 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5988
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4176
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop vss
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4504
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop vss
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop swprv
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6120
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop swprv
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop srservice
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6112
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop srservice
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\README_HOW_TO_UNLOCK.TXT
1⤵
- Opens file in notepad (likely ransom note)
PID:5328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6738f4e2490ee5070d850bf03bf3efa5

SHA1
fbc49d2dd145369e8861532e6ebf0bd56a0fe67c

SHA256
ca80bbae3c392e46d730a53d0ee4cfecbbe45c264ad3b3c7ee287252c21eaeab

SHA512
2939edf5e6c34c9ea669a129a4a5a410fbbd29cd504dc8e007e9b3b3c7fbb9bea8c14d6177ac375d0c481995774a02d210328569231cb01db07b59452333b22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
93be3a1bf9c257eaf83babf49b0b5e01

SHA1
d55c01e95c2e6a87a5ece8cc1d466cc98a520e2a

SHA256
8786fd66f4602e6ed3fa5248bd597b3f362ffa458f85207eaa154beb55522348

SHA512
885b09dd3072921f375eedb5f0575561adc89700ecfbe999bc3e5ea1d7cb45e19d85c5e420f2c0a12b428742e1110e66f4ceecbe5a6badddd36cc9e0aff48e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e209aa5a0e9fadcf48c39c5bdc962b51

SHA1
5340ef46beb6fd0426b66d5161dec06d4e273ff2

SHA256
439cc3001ff5898a5d5c8836db220dd2ad628c46c9ed17403ebf18b97762bce8

SHA512
b0e65cedc7b356170b0dda8c82e6c0ac7f4e7a834839fbe3dec4f9b0060781b3568c480cd734092408a17684f66207e31285b45d8751e956b01c9aba20232a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
49c8405f7b641371c2c9bb3783578c1d

SHA1
3439af403c4c125fa058ec0edee8769213b03ffa

SHA256
1c07e79b8c1034f01a9b1d102090018264ca749f265fcc6a909982d684754ad3

SHA512
7121c90cc94dceb339e37f467b8ffc35efca5781a0623bad4ecd7de494a5ac620bb2e080ff2ba3609d4a26a6b326c1143f4b617d57c2970a7e0d8d646f48d01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f1b8e66bdf68d4004046632b7c0b0a8

SHA1
9208f512a9b20452ab87b8517c52f471870807e4

SHA256
1d02223200aaef67c7e01943aac53405f788ab3386d21c134c69649412d0dd90

SHA512
1d1ac2717507d718ad6f4d45a3b89eeefcd6ec5d9e9c659b904f7fa1292a00d8aa212b1c8a7e09dcc103c685feb056a76bea0e69fdd7d1140e0b80ccfafe70c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
153cd71b4e1cb58ca2dd95d66d09cd7d

SHA1
b1f9638a7c301cc0b84b72cfdb1ceecb961aae9e

SHA256
25b55ee08d00c8d07e7969dc215f1b6eba7db1201627168963d266a844662f94

SHA512
a98c20f5fa6e130ba52d8c3ac9c4e95d21356e17bb2f0a6e755e716d36124098357370046cccbb3bde33a8efdebbb1aa2701bd8e6074e404cfa49a805e5c0b42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0e181850d9eebed7daef4c08429029a

SHA1
2406372deeeb7f502c9e92c2b4b3a8222070de07

SHA256
3d24c338fa6dbbbf2ed3cc290bae9a7ae86e4d69474709ea9997184757ac493e

SHA512
e2b7d23e26e73ca35b501bbef1274f694793dc6c7fdc7c6d0d6d8ff34d414056c42d6e33f35ccd577af93e918f1d93ba8b2503753c4262cc06cad20d51f306f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6c9806b2eb432e1388dd896c4f0cf17

SHA1
691d46257ac75f92012f032182a2409079dc45a9

SHA256
15f27eac0cfdce93fa38ac32975414abc20ad7f8245d6791f280969a496d44bb

SHA512
167129083d146e27ea0100d30b057a62f854ec01471586b9786131dcda797ecb1d2d7412ac0501c190895f92f9687a0901fdca46c98576ca8236e943c0f36047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a3d1b15a74bb8702f5a19021f5c791ad

SHA1
d0ee635107fb66ec8a569c5d141a3cd13a7de408

SHA256
02c4751cf01afd74c1cbb45ef11e63a143da6201288d85186aa7798b8da2d23c

SHA512
b70bbd58d65ba714383b9498fc6a05ff6a9b0017bf2fb91ddb3e1cd5b4f8868e75e44efab81cc31c25c5e510d709cf7d89546d0ab299d2260df3c3f5df6c5e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e399.TMP

Filesize
864B

MD5
0906220b1e72aaedb0acfe3aaa8026f2

SHA1
e9b0cf7416ead6c170c05cee09710a57b484162d

SHA256
86a98041471c756ee29be3607075724a8642d9911a0ba863e60ccc281d770c12

SHA512
8a067dbd6dc24aa1da56fb8974cdb51f6d424f91eebd315f76f4e2b39ff9095b31693cd9ce334893e52cbcbe173a78028b287f06376d063ad9f46fa3f4009371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f97222b7a7f61602836f72ecb7a405e

SHA1
2272dec65b819b7dd2f600ae21cdc170c23aebd5

SHA256
d5b3014bef88a740278ea63ebfd10547cd24d2de45cc9fe79a239a63f07f053b

SHA512
77ad7c0f5f49f50a3d79a301846fa9f88ef96917ebacf86d4a2f918a3a4be1c36432700ba507a97ee49e99352899c989030128ef3a291b615d3452ba53018244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c11b85892569ce896618b02c5d470f48

SHA1
3cb1a9093527824fa89a375f85447e5cea4530f3

SHA256
5b31aa74c210422fd8f55e1b105921ca4dc5cb3d713d497bc339ab2a921c0e56

SHA512
357079b36a78496e4f6d1dec4177fbec8d3e3b11f22098889d5c774e8ba1364973076b1315383bcdc8e132300ed4ca15e83c1df9ca82a576943b1e29a3356c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
28cc8f386b0fbdc87d284ed0d1cfa526

SHA1
b831fcbde070205f0c16f918ff4d733647c7b6fe

SHA256
f8d069e071a5caea397ef637443f0b3deaca456580c36507d6041bc08be780ec

SHA512
c2bbcea7cca6d7002e77828b96f127db5eacfb203e8343017ba7a00ae12c67bbc0b793c50b1ecf16e4c2a0a252c8199d74b8321e7bc2cd83680cba5aa9b38bda

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 106858.crdownload

Filesize
666KB

MD5
97512f4617019c907cd0f88193039e7c

SHA1
24cfa261ee30f697e7d1e2215eee1c21eebf4579

SHA256
438888ef36bad1079af79daf152db443b4472c5715a7b3da0ba24cc757c53499

SHA512
cfbb8dd91434f917d507cb919aa7e6b16b7b2056d56185f6ad5b6149e05629325cdb3df907f58bb3f634b17a9989bf5b6d6b81f5396a3a556431742ed742ac4a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 348832.crdownload

Filesize
211KB

MD5
a933a1a402775cfa94b6bee0963f4b46

SHA1
18aa7b02f933c753989ba3d16698a5ee3a4d9420

SHA256
146581f0b3fbe00026ee3ebe68797b0e57f39d1d8aecc99fdc3290e9cfadc4fc

SHA512
d83da3c97ffd78c42f49b7bfb50525e7c964004b4b7d9cba839c0d8bf3a5fe0424be3b3782e33c57debc6b13b5420a3fa096643c8b7376b3accfb1bc4e7d7368

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.HTML

Filesize
1KB

MD5
c784d96ca311302c6f2f8f0bee8c725b

SHA1
dc68b518ce0eef4f519f9127769e3e3fa8edce46

SHA256
a7836550412b0e0963d16d8442b894a1148326b86d119e4d30f1b11956380ef0

SHA512
f97891dc3c3f15b9bc3446bc9d5913431f374aa54cced33d2082cf14d173a8178e29a8d9487c2a1ab87d2f6abf37e915f69f45c0d8b747ad3f17970645c35d98

Download Submit
C:\Users\Admin\README_HOW_TO_UNLOCK.TXT

Filesize
330B

MD5
04b892b779d04f3a906fde1a904d98bb

SHA1
1a0d6cb6f921bc06ba9547a84b872ef61eb7e8a5

SHA256
eb22c6ecfd4d7d0fcea5063201ccf5e7313780e007ef47cca01f1369ee0e6be0

SHA512
e946aa4ac3ec9e5a178eac6f4c63a98f46bc85bed3efd6a53282d87aa56e53b4c11bb0d1c58c6c670f9f4ad9952b5e7fd1bb310a8bd7b5b04e7c607d1b74238a

Download Submit
memory/5688-313-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/5688-539-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download