mimikatz | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master[.]zip

Resubmissions

17/03/2025, 08:46

250317-kpcdasvyhs 10

17/03/2025, 08:43

250317-kmnzbaymv3 10

17/03/2025, 08:41

250317-klen9avycv 4

17/03/2025, 08:37

250317-kjddeavxfw 4

Analysis

max time kernel
137s
max time network
138s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
17/03/2025, 08:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip

Score

10^/10

mimikatz troldesh bootkit discovery persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Troldesh family
troldesh
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b4c7-1069.dat	mimikatz

Executes dropped EXE 2 IoCs

pid	Process
5428	476F.tmp
1544	sys3.exe

Loads dropped DLL 1 IoCs

pid	Process
5844	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-1106-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2604-1107-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2604-1109-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2604-1108-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2604-1140-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\CompareMerge.dwg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\manifest.fingerprint	msedge.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_902651763\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_902651763\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_902651763\manifest.fingerprint	msedge.exe
File created	C:\Windows\rescache\_merged\425634766\2159469816.pri	LogonUI.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerPoint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sys3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866746065372638"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "177"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{CF3C76F3-799D-49C0-9882-AA11BA7F43B4}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
5844	rundll32.exe
5844	rundll32.exe
5428	476F.tmp
5428	476F.tmp
5428	476F.tmp
5428	476F.tmp
5428	476F.tmp
5428	476F.tmp
5428	476F.tmp
5456	msedge.exe
5456	msedge.exe
2604	NoMoreRansom.exe
2604	NoMoreRansom.exe
2604	NoMoreRansom.exe
2604	NoMoreRansom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5844	rundll32.exe
Token: SeDebugPrivilege	5844	rundll32.exe
Token: SeTcbPrivilege	5844	rundll32.exe
Token: SeDebugPrivilege	5428	476F.tmp
Token: SeShutdownPrivilege	1544	sys3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3148	NotPetya.exe
1868	LogonUI.exe
1868	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2656	1496	msedge.exe	78
PID 1496 wrote to memory of 2656	1496	msedge.exe	78
PID 1496 wrote to memory of 3348	1496	msedge.exe	79
PID 1496 wrote to memory of 3348	1496	msedge.exe	79
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3376	1496	msedge.exe	80
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81
PID 1496 wrote to memory of 3788	1496	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/archive/refs/heads/master.zip
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffc75f4f208,0x7ffc75f4f214,0x7ffc75f4f220
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1920,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=2340 /prefetch:11
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2288,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1892,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:13
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3372,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3380,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4928 /prefetch:14
  2⤵
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4900,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:14
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5548,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:14
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5556,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5836,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:14
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6284,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:14
  2⤵
  PID:1068
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:14
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6356,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:14
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6460,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6788,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=3680,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=7188,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=3620,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7524 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:14
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7156,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:14
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5600,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7172 /prefetch:14
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=7328,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7564,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=7492,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=6156,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7652,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7204,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7300 /prefetch:14
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5544,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=7348 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7348,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:14
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5880,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4532 /prefetch:14
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7332,i,7714401277941798121,6914554688310655062,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5732

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NotPetya.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NotPetya.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3148
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 09:48
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6040
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 09:48
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3028
- - C:\Users\Admin\AppData\Local\Temp\476F.tmp
    "C:\Users\Admin\AppData\Local\Temp\476F.tmp" \\.\pipe\{60BF20B1-9422-43FD-B386-884A39E3607C}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5428

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\PowerPoint.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3436
- C:\Users\Admin\AppData\Local\Temp\sys3.exe
  C:\Users\Admin\AppData\Local\Temp\\sys3.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1544

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d1855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2b616cd9-d914-43bb-b6a7-a96abd44c7de.tmp

Filesize
55KB

MD5
e8c5f09dd0b04c805f966d1898c393fa

SHA1
ed190e343b675b0a9a5d110e1f16c52a268fb46b

SHA256
24736a29607e978e8d304dec9dee7fa924c780c46b8397761e828202847d240d

SHA512
5e38868d8daf43c7c30f1a0eac45d9b38de4b13f3afef515054fd15bc765d585a9ae9d166f8496d0f481a1916de90cf825afbe293c8417dcd0fa949516e02129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
49df6cd696e8ee5a5956f93188cb0973

SHA1
42c3b7dd9e393cb941201fe76731453969a2053c

SHA256
915429565c40eac335559fc237aa6e695c5120445a613f591672d06d3a85881d

SHA512
4ff5f78d9ab7bfecbaebbe5e70238aa261fe91f054879096138ee56b66ac385cafb254be0d9bf2cefbcfc680925af44c9707d63ec843ce602be56a7dd620a788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe588c8b.TMP

Filesize
3KB

MD5
b502baa6133d541a9885ea02069337a2

SHA1
6b32d0f58df7a37eca08cd0211b3fb00768ada09

SHA256
7df83304de0693a19b66f85daacbb2b716009b14f755ac8755b50f4d7aafae01

SHA512
7b02b3b9eb7c152b95d75d76a626952bfed0b2b7288fa1d35d2aa64947c7e8ed0567a41c299ea48edaf919f5d35358e0dda70da441425e7ad3bcc0cc6a51cff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
affa335d2c0cf866e232ebff935d067c

SHA1
0fbeb8d00b4354aa99af4882a0de605db877fcab

SHA256
2c8f397fa7dba0d48f336d6583eb3ac9e038e556822f3e89d08ff1bb18765d74

SHA512
e4932abb2ab4f85c0d8a3733470b7c4e305abb05d2078aa6886c53635cbefcb1486e7892af1a16e05e3fbaf7e8c4f63224af00fbf25de885f8da9032eb993aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
2f3f807c62d3fd7e81bcbec6dab22326

SHA1
9afac4ad6fd29f20a4b23eac55341abc69f25470

SHA256
23a9053342b794a4418421a2b573bd4e1a91276bf8c0831e039029e4af95d7ad

SHA512
0774437570164d7a58d9f5ae29865fb19a160f6fe3d4847015a3641ab5166169c6eaf726545558e5f4983cd9e666d0a0568b3fb9e3223f487616e40f6be1c9e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
0267016e6f9f5b878ba981bf61880110

SHA1
9c53546355f02a5c86cc6be4bc20c826f3a306f7

SHA256
b312b30d6aec6c2d90db639f55ab8b39772ffda19e3c00965e08a15780ddb596

SHA512
d3649546b57b80ee0f3b7685dbf061c653853ba1a61bfba5bd70dcb5620e4886aab00bf6b62c6df1d80e2a37cffb0d25bf24c9c8b5b4ed9d3ab6f7cd1d7f0d04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
0a662b03dbcd903210dd8074c342fadf

SHA1
791959c22d5d55979589aeccc201b953d089e41f

SHA256
58097fe3ab9f5db961caab4496b8d2f85236b19c6606be775a3baa51d6371857

SHA512
9703ff12ff7126dccb74a873df45a48a6f7d0fed8880c9f4c198dc06388d0ade06e749c372d6b6fbfc8e041ea88d73b6605eea04608d9622f09066a83cd4f915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
584812cdd9f4e37b340023537197bb89

SHA1
e6e6a03514816102a134b4e59f4ec6813ce28ca5

SHA256
4710e62e1361127eef18885e7a9337705adfbf7a98f92b2344aafeefc804a6e4

SHA512
f2e51e56b04fadd432d0620296f71319619a8a19e6a166a633bd46cd65c576d06b7dc8140f4b691f9901b776ad57e3c432155204cfc9aed1f9dba003bfafd62b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
95a7c615b97b757558c7882fd46833af

SHA1
2d4e1c163977aad084d534c41afbf0c3ea43cece

SHA256
498fa4434e64f70a533d90398ce3e92a9602ee16f6f7c9c22ef101fa4edba74f

SHA512
fc8983b60766fce79f04f1d9d77686b535ae786dc739f521aa0fd87c6e213524f5e7bd716e50cdb4aee701e915814b948a6e0b759d9d4b048420e11fcbb0563c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9b15c52b-06bb-4033-b874-cbecbf92a6fc\index-dir\the-real-index

Filesize
72B

MD5
7ca74dfbb7ee31423d74102b290dff41

SHA1
0f3786feb2a6284b9edb47ce03d21cf2f1841512

SHA256
b2a8a4915bc866523f49bbedcae879730f33bdc4d6dc0cff7de6421a09abf6be

SHA512
0247dadd17732224ba8f5a260bccc0ec317e89d0f8b80b795fe6ce2ecbae86179f94d8e17806d43e4c902491e0d810246a4e81405024d9870f38863ce06940b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9b15c52b-06bb-4033-b874-cbecbf92a6fc\index-dir\the-real-index

Filesize
72B

MD5
43ddc9742e26d2ff78561fbed4b2b14b

SHA1
96927143b7119948c2063a2b661fb4184ad02733

SHA256
2e90cb7889944a61af3934cabf294daf4a3279dfc0ed6af0a138f4959ad4c81f

SHA512
ecd619a37618ba11464a1b02a17eb84d1374251c47b270d40d973e032a329e8ece74ac7e9c62fd58c3a16be86f13631f90fe432beafa6e7917e8d8eb827a3c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
1KB

MD5
000a9e06538bbeb3b43f6d0d9d5b9f23

SHA1
55cb50fe8bccc84f01000b112f140799730b9e9c

SHA256
bbcfe622c85e0cb6803ef9df3223a5b8767fa32cd60c5a2d7df96cafc188bbc4

SHA512
304e98febc5d2ac4d11d42078cfeb20ea9262124e1543213aa22349b9cf0cadbc89014ee227a3700e46c6438c1c32d32f8dc9242d558351d79dcc6d517e462b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
2KB

MD5
40d504490350c47a1897ac953204ce98

SHA1
84a785d9d5f5fdc3c16e7b1e8170a721854fd53f

SHA256
90d13716b7689800c4387dff57e6bfd10e45286e8e5fcb411095214b7d490a6a

SHA512
c5272f85688f9ddafb925754605a82379785e593eaad1deca0f4d5685831b5c1e1a62b4f592140a8fdbe1a95a6ebba05788b8494d64effce2ad8f5d4ef2df3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe57cf75.TMP

Filesize
1KB

MD5
42a0e6dddac7d56ee10b67c846d4962b

SHA1
749fe1889454d780b84dbfcda6130352e4c2f15c

SHA256
56a438caef8ae41ca77c858a6d8cd12d251f1ac21a5b8077f4992d9979944a62

SHA512
8c8e52f9e18ef3edc58934352930d5f6576dec44d3c535523b80684e6e5481d5fb32f1b91f8705e79141907f70252c1efb44b023d87cd6517b113d43416a57e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
bf131dc9de85e384c49144c9755e7557

SHA1
f751351aa017cf9327551d85742ed416c67f7ce1

SHA256
f6e56b1016221d260467417d62cf327b0d3e184e7ce885b26fcc5aa1eb9f0193

SHA512
6558785ef74ca2163be07b7873f938ba115dc7d0bc5d0f67661f78ee674b8466dc4f5476ea4f6c9f544d0b8fc5dc56458fce77236a6fa3cf2e55b89f8f5f66c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f7bf107f2d1a5fa0482819ffe7c059a1

SHA1
efd993eea3b0c81e3d26a92a683b0f2da7bac097

SHA256
c14bb82d7304ea1b370ede79c2622c1611107c73e67b19c99e0700dd69b92d6c

SHA512
229af81d470a4a7498d0ad4498f0c5f3856a26c30c0ef6a8b88e633cb81a74432c3257456b71b0ef787ec4fbc9cc3d3acfd5fd8a6a6063688b5342a32977d9bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
192B

MD5
80cf4593acdc581b2dfb619a0552dedd

SHA1
30ceab7658c93bdfcc95a714ad5578bfdbc139a3

SHA256
36e46a5c314ef017a2f9c752d0d0e07e16f660c78e611583bca5bcf4e40ecfad

SHA512
e27a0f8f0efa975624eecaf6235de9c011c474474e4ac8c184797e1124ccd67ad13cdb1976979acd717664bf4165f9964cdfd2af148667b8d5b5f2dc6a26073e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5825f2.TMP

Filesize
48B

MD5
eeceac048e0e6019094eb8181cc78a72

SHA1
d77f6dbc6d2d12e4086f234f4912b9363872008c

SHA256
62179555ab1d84c71519cac94f6a6057f54b970515edddf85bd915be7f077ce9

SHA512
2a17d166ba44bd2a24a29b39b76e84c2cac64eb810e22e4073c4b534d0e8d962c2672f8bb792878cb095faa266661df89a11bcc7735713cc3c2dab5d8c861a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
23KB

MD5
92a31bb2eef25b497c0a4a9b6c4a074b

SHA1
ef5c06b784a92796fae1736d45c211f2a8f483b9

SHA256
be7f19299f0d62751bb3f738a0308f70e88d124744cacd649d556409b9795140

SHA512
6bc162b37c253e7716db62f30c75fe0d0267493fe83ec905d433782603e69e63aac7d5960be0cef87223b100a6631ec478127815138b8e86f5bcd2f005ef167e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
7c2c36d136f4eda8ab3ff7885a6d56a5

SHA1
adc1005b896fc0ee8e013e85d57448dcd79a7732

SHA256
9531e7e1fec34a3414a3422d0a3fb23f3c427bcf4b19c40cb9ae359f856bb1a9

SHA512
a3fc8ffa767e1c237ebb83453ac5805cd17b25560b8f8ea1e4146a215ce6dafe1e70e83e39502d48d8fbb7d2a7b10034f90eb9e451bf2b3fc5d3407a59c40865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
1d0c2977f0e62ad3df570695c70ee2c3

SHA1
344e6003901b850a1788162268f855fd183e6951

SHA256
d3a8a7e7de224f0502a6d8002297774170fa235df33412cd43baf04001434436

SHA512
d3da7919ee87601be19f10530d46e98d277cfc5948e5b77b425c258e2c1ca8faa3e2f4ec46d8b2466835557d95367827185049ba7b69121e877ad6ed586288a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
46ec649fed3693ff1da955d51bd71123

SHA1
885ee4d5caffc30246d464d6931c2fe851e60076

SHA256
24c8c85b4dc7bf12f3d24f7b4be10508f7c0aec564d628f740199ce6b657fa86

SHA512
43f459c9768d567e9bbd828f01c1fe7dde19c99c724f9b0def1d67e88d1939313426885f8374f1816fd293f7982b8f3428c6cf9950ef6d4c3c1027f40be6ce3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
39dd8d215622c8d84162a97432f4aee4

SHA1
6081a48d62a80ca85085aea98aa5050c3ce01ca8

SHA256
b0c7facb595f3a21ea2ebf1913386668869e4284808ae5ca126eed4e6ef52c2c

SHA512
70571d26319d266e5788eb953b38fc46fcf46468bd086db7785684866462944ce57c660ee90c28b52e1a195c23834a1b60a66337add51b1ca8e69243840bae4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
598318093c8867805d6841222e342bf9

SHA1
0bde29a849e408f71f7f67b52f9ca1bd7870b13d

SHA256
5f79bc33cd8fb2cc04870d6ba9013326b45a47ced4310bd18719c0fcc7731956

SHA512
3768f1f9a0d599043211a9a9a1f85761e6b8cbffdd42c9168080f329069bef174f51e5da840b5b782aebff8b303e831f103e1fc616c3b830a9851fc897d39de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
dad9b6270ee397e2b8e7d0ae3c8ca5b9

SHA1
9943d4a62443725801169a1279f933a0eaa1dccb

SHA256
3dac1a7fcd1288106df7ffef656bf3cdb70f7a73cbf1a77f841ddd9a66f94717

SHA512
84854fda1a345d2f8c3be23831ba6596ba561674c186542fc0545203e8564a1bd10065b59ae41200f6b952c15b0b0bf3511bbbf02fd2f72fc4f7880100ee74b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f8737d6abac49dab2bd61522f2694ea5

SHA1
9455454336f167fd2f89f67b2d6dc1d7bfde44b8

SHA256
a0a7adf4759366fd70b5f2d18b35142586eae1ef0233ce2b65e4c262c39d1c4e

SHA512
538e5f3ffd6cadb728680c0c9d86cfbac60df4479f414179b84dceda8f46bf474aef192786b38e2b993b94f016a00269df4f365e183d2a60c9426e3c0a16d4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe580eff.TMP

Filesize
392B

MD5
a94078c036215885f6a423d5ea64902e

SHA1
d8e65734e2a31922e92e09c1ec49115a7e6bc384

SHA256
293b72d07fdaea83f96098e245797cac6dd9cc4dc3d275fdf1a9c8a6da027810

SHA512
74848bbbb7fc3d94d62dea2a64b8fd5286294f8cefc1105d1a09889a75b52bcba20a09873efe1e4c32d6b6f5f563671b61b706753a61c395f2904e78acea2ab6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.17.1\typosquatting_list.pb

Filesize
631KB

MD5
094ca661fb20ae7e5c26df780e0f7ecd

SHA1
0cc79e2fdf43962d9597b7eec7b34c8983c3562c

SHA256
76f100a3d96cddfbad67460eb0db1a8877a53c8a1881888b208011cd3a9d5726

SHA512
088ca8996eb3bd02f5561b026a9e36755c915d19eb9ae768ee3949491059b1c7e34117b72828d843131df50456c6a162eb2cffe74fd38c273708cd4ac6fda53e

Download Submit
C:\Users\Admin\AppData\Local\Temp\476F.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\AppData\Local\Temp\sys3.exe

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
98B

MD5
2671b44933c49155e153242c601b1f65

SHA1
bd248015ff65c1b6d07c773111013f107c98c048

SHA256
8b93dcfe006da7c3fba43a9f8ae8bc4e7c77cbee15a95649c74da28667a60fe4

SHA512
1195fcbd5e18c2dc9556f89b4542ed65950400272bafa0ace3420b85ef31727e63829ab4befa513d18095a2659bf234296130575fbde2522c757f541db3e4b51

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_1496089480\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1496_902651763\manifest.json

Filesize
118B

MD5
acb8ebb43624ece8dd7964092455d2b7

SHA1
7c61f04b419f927f98120afa18d8553513e2a0f6

SHA256
55b2b1fd2a563b240179fde6335370f5e22068ada77b5dc5af50bbc379c72953

SHA512
8e6c135aa19d6d21b32c6e9c0727ccf3df7e8dfcaf49e3f0ce55af9b53748188949746d69d17cdafd9d77511b1550d970289912a33b3d9c4daed8837762d91c3

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
memory/2604-1109-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2604-1106-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2604-1107-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2604-1108-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2604-1140-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3436-1131-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/3436-1135-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/5844-1077-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download
memory/5844-1066-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download
memory/5844-1064-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download
memory/5844-1063-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download
memory/5844-1055-0x0000000000820000-0x000000000087E000-memory.dmp

Filesize
376KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads