quantum | 8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede

Analysis

max time kernel
36s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Size

75KB
MD5

e6069bc78167d8da9639314064898331
SHA1

1bb64d0a37b671c39fff479939bf4f8f0fe0f8d2
SHA256

8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede
SHA512

7fdb2e0f4e89ad1ba09c4b08888cb1244a947916759929a730794b5b944d757eaf6880ef6b3553be7d35da0b360ae3819e8792a0db8c9594d6b156224ca0e2f7
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJGtGB9NK/A:OfJGLs6BwNxnfTKsGtG9K/

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Ransom Note

ALL YOUR DATA IS ENCRYPTED by QUANTUM What happened? All your files are encrypted on all devices across the network Huge volume of your data including financial, customer, partner and employees data was downloaded to our internal servers What's next? If you don't get in touch with us next 48 hours, we'll start publishing your data to the Data Leaks Portal How do I recover? There is no way to decrypt your files manually unless we provide a special decryption tool Please download TOR browser and CONTACT US for further instructions Hours Minutes Seconds

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WatchCopy.raw => \??\c:\Users\Admin\Pictures\WatchCopy.raw.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File renamed	C:\Users\Admin\Pictures\WatchResolve.png => \??\c:\Users\Admin\Pictures\WatchResolve.png.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\3D Objects\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a8813d45-c980-41df-8453-d4ea6ed17144.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230301152218.pma	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\.quantum\shell\Open\command	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
1840	msedge.exe
1840	msedge.exe
1636	msedge.exe
1636	msedge.exe
4492	identity_helper.exe
4492	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
Token: SeDebugPrivilege	4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe
1636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4160 wrote to memory of 3556	4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe	92
PID 4160 wrote to memory of 3556	4160	8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe	92
PID 3556 wrote to memory of 4436	3556	cmd.exe	94
PID 3556 wrote to memory of 4436	3556	cmd.exe	94
PID 1636 wrote to memory of 3612	1636	msedge.exe	99
PID 1636 wrote to memory of 3612	1636	msedge.exe	99
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 3480	1636	msedge.exe	100
PID 1636 wrote to memory of 1840	1636	msedge.exe	101
PID 1636 wrote to memory of 1840	1636	msedge.exe	101
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102
PID 1636 wrote to memory of 1492	1636	msedge.exe	102

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe
"C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E569B0C.bat" "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\8fe49892d510470e049d8c2e5523fa1841b20ccc89406fd91055950f90a5eede.exe"
    3⤵
    - Views/modifies file attributes
    PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcb2f746f8,0x7ffcb2f74708,0x7ffcb2f74718
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ea5f5460,0x7ff7ea5f5470,0x7ff7ea5f5480
    3⤵
    PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,15757075887919378363,13733813019847811781,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\3D Objects\README_TO_DECRYPT.html

Filesize
7KB

MD5
b88bbbac194b0267f4a5f1428abc840b

SHA1
bee3553e688e7c4137df57579930d1f42375402f

SHA256
c15b6dc8e4bac27c8d304d4c42c255593e755b6d3f6f1060c49e28a0f64a27e8

SHA512
f0ca555a7b41444fe0d28847fcdcc600b503345fc6f46f776dc3c169df9c9ab3e3093ad4a8bb5c103c6c5839f8211fe2d246213d1a97445c385f8ce460e87afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0820611471c1bb55fa7be7430c7c6329

SHA1
5ce7a9712722684223aced2522764c1e3a43fbb9

SHA256
f00d04749a374843bd118b41f669f8b0a20d76526c34b554c3ccac5ebd2f4f75

SHA512
77ea022b4265f3962f5e07a0a790f428c885da0cc11be0975285ce0eee4a2eec0a7cda9ea8f366dc2a946679b5dd927c5f94b527de6515856b68b8d08e435148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
425e83cc5a7b1f8edfbec7d986058b01

SHA1
432a90a25e714c618ff30631d9fdbe3606b0d0df

SHA256
060a2e5f65b8f3b79a8d4a0c54b877cfe032f558beb0888d6f810aaeef8579bd

SHA512
4bf074de60e7849ade26119ef778fe67ea47691efff45f3d5e0b25de2d06fcc6f95a2cfcdbed85759a5c078bb371fe57de725babda2f44290b4dc42d7b6001af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
b297e2915e13a755a4c2e0f6ab3c791c

SHA1
53d742ed2140a65452922e583cb6be9932d6b1e7

SHA256
e5036af8b559edd6192a0a5411ad8924b8d82e66f381dc5c88f1ad58a318d3b8

SHA512
c0e6c8e9a865957fd6f5adbd1373442f3ed5f65629bcaadfe737f2a6a3b2e65d639a88a88157723fbfe9de276d5aa10a033f921e904482561a4d793b7eb7a096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9568eb3b6de45223e15545abb76297b4

SHA1
216d3fb5ec83b580368befa89e7339779eb9e9ef

SHA256
90d54179c6ea11c90dd5b2a879ff5e74a0825747a9ba2a7dfc75ac3e617e18c8

SHA512
31c10a08bb56889fea7a6cfae3745e325a39bd02c2c363c161cd882e900696149d19604a7091cc4c3f9f7c11ebf3a2b024f7347d2546a5334e8eabc4a04e4a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
d53ac35ab3976e67caeed75c4d44ffc1

SHA1
c139ab66d75dc06f98ada34b5baf4d5693266176

SHA256
647867c7236bcb78b7d585b476d82a101a077fac43c78dc59e612253fbf69437

SHA512
391355c71734ded913239a6db10a3202087e756bccc8e29411108f21b3f2460d9a9c606619aadd785285be70eddcf61ef9519441cd387cd3823c1399a6967cc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
510850c7bdb439526e1c26359ed1f793

SHA1
629c78860c532c691d69069b0f878c4640f18c83

SHA256
7b8c9d25c7d876619c25525e261d6e9666255dcefcc094cd20b06dd867cdecc6

SHA512
75953dd3a70c73613d62d10de8c04f534eaf1383a655f4778d2a4659b77ba1333ebd06c5e05ee8673156e7d7d26cc0a247f975189de2f05f9e44f61c9c4d28c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E569B0C.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
16675236d232267cda61f6b0e7641f43

SHA1
0d54cd0bec0ca8096e8ece1a6cdc9006e6133171

SHA256
aebf57669695f595be10e968d234483b06a1d9e6b27c66843de42b8d51bac0ac

SHA512
2760ddf0e5e6f191d7146a90ab7c27c85dd92b28cf20f0403d9086e79874c094411270aa90e3e13f5707ed841f4e72c101cb0d35962acd2056f604c49ba40c44

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
7KB

MD5
b88bbbac194b0267f4a5f1428abc840b

SHA1
bee3553e688e7c4137df57579930d1f42375402f

SHA256
c15b6dc8e4bac27c8d304d4c42c255593e755b6d3f6f1060c49e28a0f64a27e8

SHA512
f0ca555a7b41444fe0d28847fcdcc600b503345fc6f46f776dc3c169df9c9ab3e3093ad4a8bb5c103c6c5839f8211fe2d246213d1a97445c385f8ce460e87afc

Download Submit
memory/3480-365-0x00007FFCD1250000-0x00007FFCD1251000-memory.dmp

Filesize
4KB

Download