Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
31-12-2022 15:41
General
-
Target
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe
-
Size
473KB
-
MD5
f83fb9ce6a83da58b20685c1d7e1e546
-
SHA1
01c459b549c1c2a68208d38d4ba5e36d29212a4f
-
SHA256
e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
-
SHA512
934ec9073a28b90e8df785bef49f224789da59f83729208b92dba0503e2894b3f48ed04b20de1ba49374b1cd26f0c87e8e5ab79e817258135e3be2c171f3f396
-
SSDEEP
12288:v6l/7FpnaeoQbRLBYdunMCayql4YcQD+AgJbAWgjbgpQ:CDna43YAKl4Yci+AggEpQ
Score
10/10
Malware Config
Extracted
Path
C:\DECRYPT-FILES.html
Ransom Note
<html>
<head>
<script>
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
</script>
<style>
html{ margin:0; padding:0; width:100%; height:100%; }
body { background: #000000; color: #ececec; font-family: Consolas };
.tooltip {
position: relative;
display: inline-block;
border-bottom: 1px dotted black;
}
.tooltip .tooltiptext {
visibility: hidden;
width: 120px;
background-color: #555;
color: #fff;
text-align: center;
border-radius: 6px;
padding: 5 px 0;
position: absolute;
z-index: 1;
bottom: 125%;
left: 50%;
margin-left: -60px;
opacity: 0;
transition: opacity 0.3s;
}
.tooltip .tooltiptext::after {
content: "";
position: absolute;
top: 100%;
left: 50%;
margin-left: -5px;
border-width: 5px;
border-style: solid;
border-color: #555 transparent transparent transparent;
}
.tooltip:hover .tooltiptext {
visibility: visible;
opacity: 1;
}
p#base64{
-ms-word-break: break-all;
word-break: break-all;
-webkit-hyphens: auto;
-moz-hyphens: auto;
-ms-hyphens: auto;
hyphens: auto;
}
p#base64:hover{
cursor: hand;
}
</style>
</head>
<body>
<table style="position: absolute;" width="100%">
<tr>
<td style="width: 25%;">
<td style="width: 50%;">
<div style="text-align: center; font-size: 20px;">
<p><b>Maze ransomware</b></p>
<p>*********************************************************************************************************************</p>
<p>Attention! Your documents, photos, databases, and other important files have been encrypted!</p>
<p>*********************************************************************************************************************</p>
</div>
<div style="text-align: center; font-size: 18px;">
<p><b>What is going on?</b><br>Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system</p>
<p>You can read more about this cryptosystem here: <a href=https://en.wikipedia.org/wiki/RSA_(cryptosystem)>https://en.wikipedia.org/wiki/RSA_(cryptosystem)</a></p>
<p>The only way to recover (decrypt) your files is to buy decryptor with the unique private key</p>
<p><u>Attention! Only we can recover your files! If someone tell you that he can do this, kindly ask him to proof!</u></p>
<p>By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.</p>
<p>In order to either buy the private key or make test decryption contact us via email: <br> <u><b>Main e-mail: [email protected]<br>Reserve e-mail: [email protected]</b></u>
<p>Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
<p>If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one</p>
<p>Below you will see a big base64 blob, you will need to email us and copy this blob to us.<br>you can click on it, and it will be copied into the clipboard.</p>
<p>If you have troubles copying it, just send us the file you are currently reading, as an attachment.</p>
<p>Base64: </p>
</div><div style="text-align: center; font-size: 12px;"><p id="base64" onclick="return CopyToClipboard('base64')" class="tooltip">Zjy72xsQgv16la8fiWEBGBuI/41nYTdP3LQb0z+SyBg6fAdZlZClaWwvSctNp6dCgHrTI9m/Sm6T0fnqu0yLpthh5OU85ZeQ4iEXyrJIyKliSd4PK/jQ1syAZg8CKgr4u03y6RuQo20J8yGxkXvvbdIzBMNpUmfdG9c0aA88UU48qrdOn5mkE8276M5s+3R8BTXg4eOOf3rIn6jJeXAqmTONqEIlxBo5NAd/FkJK03CgohUFy0DwbkdwVGEcVjb6+/QLwlIAvRK6fmxLP4uFr8m4WZ44DFeoFsaV44eae0sfmGIDJlN6S7BmbiE3ArJmdw4N9+WUGMx7/z8LbgBGWbq4UL77AqdOmXDC4/NXSBZ5VjTEanph1MpAPLt61+BqDh7K4IsHEZklEZi9coyJexNdH5LcOwNU3dIBggf7rfZU6fDL1E6yuDh6OyBbf4gyyCEMCCEM1jBhnga7gL4gQgT6hdLhxKMqyjYrDQaoR+ZR6/RcmbriBwO4bDRHwJb/zNT3OrlBNrBtn1hx3UWLMIhvFNR+dDBGBgZmUYvcT3Csc3ByAT5yUu2q0NN03hhmTdh1C11n7TQPDI1w+K2aw8qsb09EaUILGBO8ytZnf1qVV0g5g6/NLW8kMKgHoKAc8sj25XX6mRWeNo6nWFZcCoDIBc/vHIFCdqOTOX43P7oT5gp4NBUmpqTCBltxlNUsqTEW+tKXe7Q7FAoHQ4QAnQlvE45ucfMU6HXycRtcrsnOAjl+BNmk93DQzCPF12ncOBgpEOMZHNewhV6bJ65av2E9UjiLskx7hvT1PAo3Gyl33QolfJJQdOmA8w3XGuecjKosWCKEa1e1FxARJWohBMACavRp2/XvkMbLTPpgNwW3jhkbWw8pctLWkGs42BvQRqz1aWGmASZqMuScPEf8+hzHr444yBuswmVZTV4TP13AnbS23kZ2y3eEFe46mPSNuwIrrVVktu57pwOp/iitMA15Nx6h/klU1Q1wQy3Jkr+vrEz7LlgAU13VM21xevn/+DpQeDcV+Sqn7lsNjAYKgp1XJU6GaP4Bbifr5uARxHwAsq8ykMCmpV5AQjIjkVY2+qwV23ACnIqwEaNXWWGPYeOyTZ/T09mDLT1MZ9s8fpiUq8PU6ccuvXrwMWuBlM03kD/xifERhZmvBkFA0SGyNpuWpbY0GnTvTX3hxz/1TRy+C03i49jTCHOQO8j1zwNQSQa57604BZsMTEYHbw8E9KEDTKuvX0Ja7hMBUNl5dfXg11nRyzg9M7iMuUwappqgquCpvQZPBl61uF9W1YuYrPfMZO/7e+rcFBOiEiiEzWDgqOOvL//SrNfI11cm+CcKEnsjhPX1NRvEC49P1YoDicoc58ZYy/zgTSyp4LsC4FOs379FQgAOgERdDgoFpONsN1ZUjCpYFUP/cCufCH3Wc1xAiUDwc8ilTHwevxA9MuFYupCgg3fI36We5HTpbXfPxWJ89eQr8UiRWm/jrbZ9QzVrfCSEYdo8c7qyww4yvOwFHPglQVJnJjAeIRpMD+Go/moj+UFnOeta2msyOUHB1nsIRKlJpFoXZ1byBnt6nc6zoGcnXAbsLYlB7vJ3TiAnp9gdDmmXieaZZBTB/deS8+EJ0sHmApeFzOE8DIwUCZ6w864kMXRtV2MbUxjpOKVRasz008idDD0mwc90BucdzJFk7ly0s3Q0qoqD8XGs8ekMTKQDN0SJ8Pu+smqBQEiXX1gy7bVqVEl/s9eZAss2RNBNiEN5f3rddF5qwtKNmfgbtxEsKTlrvbGLkUh4qbei8WN3fhDvf/yjtYAFJ67MAv2GnpuMQWZrjp/5zCZ3LJMLIGgL7Hu5+lsUImxxzxAOcY/AtdrDTSJx8Mn7AmJtQnBJYxkQnZdDErGIyj+gxAMcOuCNvcjdZOqsC9YChfAn4RMLAqY4PAyQzErpD+W9OeMCpDo1+VB9n5Y/6mvFkAbqDJmqMJf5doQj2sbJ1l1eO13Lyoi6etXrWITBqs2chqon8yDnBEGg7FHX7N9U4Qwp5flP801IgwT4A3d8mH89urPOOOB5CaOf8jgqk8oKkn4SWo+v0ijiQqEFHZsI97TFNBApAPCVjOmmAfRfnjEwXFbYlsO3Wz6lmlRxYodrCWzFVSeZUnWrXP3jyAJi9iRTtBOo1rzu39ibkeZ/b7P3aK/xcP8C7fxnQFr33Chue0DX5DQaPRCERNhVB4oaGSEzA1hrcc+GDDZZB+5KxeCla2tXRgoiOAA3AGIAMAAwADkAOAA4ADkAMwBjADkAYgBiAGUAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJXAEkASgBCAEYAUwBLAFQAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw69racngDgAECigEFMS4wLjI=<span class="tooltiptext">Click here to copy</span></p></div></td><td style="width: 25%; text-align: right;"></tr></table></body></html>
Emails
[email protected]<br>Reserve
[email protected]</b></u>
Extracted
Path
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\DECRYPT-FILES.html
Ransom Note
Maze ransomware
*********************************************************************************************************************
Attention! Your documents, photos, databases, and other important files have been encrypted!
*********************************************************************************************************************
What is going on?
Your files have been encrypted using strong reliable algorithms RSA-2048 and ChaCha20 with an unique private key for your system
You can read more about this cryptosystem here: https://en.wikipedia.org/wiki/RSA_(cryptosystem)
The only way to recover (decrypt) your files is to buy decryptor with the unique private key
By us you can decrypt one of your files for free as a proof of work that we have the method to decrypt the rest of your data.
In order to either buy the private key or make test decryption contact us via email:
Main e-mail: [email protected]
Reserve e-mail: [email protected]
Remember to hurry up as email address may not be available for very long as soon as law enforcements of different countries always trying to seize emails used in ransom companies
If you are willing to pay but you are not sure knock us and we will save your e-mail address. In case the listed addresses are seized we will write you from the new one
Below you will see a big base64 blob, you will need to email us and copy this blob to us.
you can click on it, and it will be copied into the clipboard.
If you have troubles copying it, just send us the file you are currently reading, as an attachment.
Base64:
Zjy72xsQgv16la8fiWEBGBuI/41nYTdP3LQb0z+SyBg6fAdZlZClaWwvSctNp6dCgHrTI9m/Sm6T0fnqu0yLpthh5OU85ZeQ4iEXyrJIyKliSd4PK/jQ1syAZg8CKgr4u03y6RuQo20J8yGxkXvvbdIzBMNpUmfdG9c0aA88UU48qrdOn5mkE8276M5s+3R8BTXg4eOOf3rIn6jJeXAqmTONqEIlxBo5NAd/FkJK03CgohUFy0DwbkdwVGEcVjb6+/QLwlIAvRK6fmxLP4uFr8m4WZ44DFeoFsaV44eae0sfmGIDJlN6S7BmbiE3ArJmdw4N9+WUGMx7/z8LbgBGWbq4UL77AqdOmXDC4/NXSBZ5VjTEanph1MpAPLt61+BqDh7K4IsHEZklEZi9coyJexNdH5LcOwNU3dIBggf7rfZU6fDL1E6yuDh6OyBbf4gyyCEMCCEM1jBhnga7gL4gQgT6hdLhxKMqyjYrDQaoR+ZR6/RcmbriBwO4bDRHwJb/zNT3OrlBNrBtn1hx3UWLMIhvFNR+dDBGBgZmUYvcT3Csc3ByAT5yUu2q0NN03hhmTdh1C11n7TQPDI1w+K2aw8qsb09EaUILGBO8ytZnf1qVV0g5g6/NLW8kMKgHoKAc8sj25XX6mRWeNo6nWFZcCoDIBc/vHIFCdqOTOX43P7oT5gp4NBUmpqTCBltxlNUsqTEW+tKXe7Q7FAoHQ4QAnQlvE45ucfMU6HXycRtcrsnOAjl+BNmk93DQzCPF12ncOBgpEOMZHNewhV6bJ65av2E9UjiLskx7hvT1PAo3Gyl33QolfJJQdOmA8w3XGuecjKosWCKEa1e1FxARJWohBMACavRp2/XvkMbLTPpgNwW3jhkbWw8pctLWkGs42BvQRqz1aWGmASZqMuScPEf8+hzHr444yBuswmVZTV4TP13AnbS23kZ2y3eEFe46mPSNuwIrrVVktu57pwOp/iitMA15Nx6h/klU1Q1wQy3Jkr+vrEz7LlgAU13VM21xevn/+DpQeDcV+Sqn7lsNjAYKgp1XJU6GaP4Bbifr5uARxHwAsq8ykMCmpV5AQjIjkVY2+qwV23ACnIqwEaNXWWGPYeOyTZ/T09mDLT1MZ9s8fpiUq8PU6ccuvXrwMWuBlM03kD/xifERhZmvBkFA0SGyNpuWpbY0GnTvTX3hxz/1TRy+C03i49jTCHOQO8j1zwNQSQa57604BZsMTEYHbw8E9KEDTKuvX0Ja7hMBUNl5dfXg11nRyzg9M7iMuUwappqgquCpvQZPBl61uF9W1YuYrPfMZO/7e+rcFBOiEiiEzWDgqOOvL//SrNfI11cm+CcKEnsjhPX1NRvEC49P1YoDicoc58ZYy/zgTSyp4LsC4FOs379FQgAOgERdDgoFpONsN1ZUjCpYFUP/cCufCH3Wc1xAiUDwc8ilTHwevxA9MuFYupCgg3fI36We5HTpbXfPxWJ89eQr8UiRWm/jrbZ9QzVrfCSEYdo8c7qyww4yvOwFHPglQVJnJjAeIRpMD+Go/moj+UFnOeta2msyOUHB1nsIRKlJpFoXZ1byBnt6nc6zoGcnXAbsLYlB7vJ3TiAnp9gdDmmXieaZZBTB/deS8+EJ0sHmApeFzOE8DIwUCZ6w864kMXRtV2MbUxjpOKVRasz008idDD0mwc90BucdzJFk7ly0s3Q0qoqD8XGs8ekMTKQDN0SJ8Pu+smqBQEiXX1gy7bVqVEl/s9eZAss2RNBNiEN5f3rddF5qwtKNmfgbtxEsKTlrvbGLkUh4qbei8WN3fhDvf/yjtYAFJ67MAv2GnpuMQWZrjp/5zCZ3LJMLIGgL7Hu5+lsUImxxzxAOcY/AtdrDTSJx8Mn7AmJtQnBJYxkQnZdDErGIyj+gxAMcOuCNvcjdZOqsC9YChfAn4RMLAqY4PAyQzErpD+W9OeMCpDo1+VB9n5Y/6mvFkAbqDJmqMJf5doQj2sbJ1l1eO13Lyoi6etXrWITBqs2chqon8yDnBEGg7FHX7N9U4Qwp5flP801IgwT4A3d8mH89urPOOOB5CaOf8jgqk8oKkn4SWo+v0ijiQqEFHZsI97TFNBApAPCVjOmmAfRfnjEwXFbYlsO3Wz6lmlRxYodrCWzFVSeZUnWrXP3jyAJi9iRTtBOo1rzu39ibkeZ/b7P3aK/xcP8C7fxnQFr33Chue0DX5DQaPRCERNhVB4oaGSEzA1hrcc+GDDZZB+5KxeCla2tXRgoiOAA3AGIAMAAwADkAOAA4ADkAMwBjADkAYgBiAGUAYQAAABCAYBoMQQBkAG0AaQBuAAAAIhJXAEkASgBCAEYAUwBLAFQAAAAqDG4AbwBuAGUAfAAAADIsVwBpAG4AZABvAHcAcwAgADEAMAAgAEUAbgB0AGUAcgBwAHIAaQBzAGUAAABCNnwAQwBfAEYAXwAyADAANAA3ADkALwAyADYAMQA4ADQAMQB8AEQAXwBVAF8AMAAvADAAfAAAAEgAUEBYiQhgiQhoiQhw69racngDgAECigEFMS4wLjI= Click here to copy
function CopyToClipboard(containerid) {
if (document.selection) {
var range = document.body.createTextRange();
range.moveToElementText(document.getElementById(containerid));
range.select().createTextRange();
document.execCommand("copy");
} else if (window.getSelection) {
var range = document.createRange();
range.selectNode(document.getElementById(containerid));
window.getSelection().addRange(range);
document.execCommand("copy");
alert("Base64 copied into the clipboard!")
}
}
Signatures
-
Maze
Ransomware family also known as ChaCha.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops startup file 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\tyj\ligqm\jl\..\..\..\Windows\up\rh\..\..\system32\us\..\wbem\qftbu\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\wbem\wmic.exe"C:\oph\..\Windows\n\..\system32\krg\xb\..\..\wbem\dv\..\wmic.exe" shadowcopy delete2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x468 0x4701⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\DECRYPT-FILES.html1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff711246f8,0x7fff71124708,0x7fff711247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5988 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6424 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x200,0x248,0x7ff6f3765460,0x7ff6f3765470,0x7ff6f37654803⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,1982630202525967860,13523648486116796446,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.0MB
MD547ba151122d71ff04b3b09ef9bca4253
SHA127937124d6a86783e282efa5c826ef1d2382f3a9
SHA256b2e09e179d8ccd887c0378859d7e82e03886d211459247a4d7aec77ed8d95380
SHA51218f7edd0098a5483079fa8605cb3a878fd3fa0f7719c2d45676cf4de5089f993c88edff237f426ef5a2307016d5703eb099c60eb8a803ddaabe6f541a806bb09
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
Filesize
152B
MD564b3da833005ed30818b843fae5f4f8a
SHA1f362d2ec8554aada47782cb74ded1be6bfa5593d
SHA256932b42d6e106c96fc6bde9983859665983b1d8e0e3000fb22786f0448ac0ebd5
SHA512e0793cb48c399fee4d6fdc547af3e96139819e820def9f156899d066a90fe9ba3267523c060b90a1ee468cc68c9c0dc81663ce6a3ff3b1eff8baf7f74cb6b08b
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
Filesize
288B
MD55835d341e8665d5495c027474fcd99f5
SHA1d41967bc3bb1b8635b2649b81950ad19b4a4db82
SHA2560438d8087ba448b8db5583932e1d34ec214b462cff1edca2914d38f6e06117bf
SHA5122dd288a779f41e5b18e2c2253c97bace75b6eabcf912653547c6c8f6702fbb62695cb5f0aad42a63ec39990c280d84e7b0b2676cdd0db2ea2326343a0bb71f3c
-
Filesize
671B
MD5a44354f13c61c571cec14e4e4044f51c
SHA1f403384277f1c5300b5092585f15692dc34669f2
SHA256959ef67fbf13cfb9929da0ce79b6f362a4bd018685aca9e4bb7bbff2fead75b5
SHA51250fe6e0cce391d08f1c3db5929435d5832628844bdf66dba81b665bfbb4da4b1443aa80f3f8fa47348320170a5e7e2e4d94d57e5d34b4dc1882d0a6b68825442
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
Filesize
6KB
MD5c41677da6b8cfac84f6a4f3dee01b771
SHA151a1df179f3c2befeb5432c1d56f603b597e30dc
SHA256dce2057c4681209f2dbe91a7a9e927ac8f7f10e8bfbd9a4348def6cfcb4a5496
SHA512d3aefa6012628ac8c417ba585379cd7c52b14369c1a7fc2c0e44ad4f7dc3327d05393ddd1e39d982ba3b84e972ae4c01552addef76ea27fe0882eb3405a2d25b
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Filesize
364KB
-
Filesize
216KB
-
Filesize
356KB
-
Filesize
364KB