medusalocker | 125a179c650cc77d612c4b95ba81f89cf2b718e086fec884a71e742d65c8e8d9

Analysis

max time kernel
143s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Size

235KB
MD5

f6f120d1262b88f79debb5d848ac7db9
SHA1

1339282f9b2d2a41326daf3cf284ec2ae8f0f93c
SHA256

1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281
SHA512

1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd
SSDEEP

6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Score

10^/10

medusalocker evasion ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">15E4515ABB000EA2A968F84D80793BEDB812372D9E4A6039B78429FD66437A32809962B231B1D65AA1AF7237D1D9CFA2053F35D8C8F642DF17A684B0A88AAC40<br>94785B88DF40C2542A4D66FB4DC59748296449FD353D56CF79E65CEB1A901A2ED245FE7AACBDFCF7FC9756764ECEBFAED77AC1835517F7B26024D6597B22<br>C5A6F09CE0B7E52A17EF96AF8C168D204F3B7E9D326881AD4D4C6018179F331461B041F335B09CEF1C51F5FE868BE534E56048A677D5791059A3890D5569<br>867E62AD188C08DBE7434E1CEE322E7C60D247DDA3395ADD5993B228825DDFD39F48790A63AF14722D100C993C46DBDCFCA9139827B37CBB7D92054378E0<br>050186A215331868D522A9C9D4754B7B47E511840E531136FB51FF7877C3FC5D59DBAB021BF7E41B8BA823F77AFA632DDE25C183792975C830B86E5835D7<br>859639104F2675E879BB62090957D9F71189D86E5B5C03DF49E3CED2EEF37BA047C5E894C8ADF940149E419F52F5DA9F39EC8EA0F4FC0B380BA111B91930<br>2E724D31BE0C221A535F0D9AEC7D63822C9DC6FC74BC2B35CEB9900F8593E4D05F5B348DF02D7F236B4E7621AA891C3344982A4E3869594951177DA632D4<br>590D50EEA324D88F794D664AF602C09C1AC206DAC03E479D8F6C7DA396D2775377ECAF3AED79DE0E9BC9C2D874FE78408669241E9AA0937634320766221A<br>49883E6302F453CDDA861FFD0239</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]

">[email protected]

href="[email protected]

">[email protected]

Extracted

Path

C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Family

medusalocker

Ransom Note

Your personal ID: 15E4515ABB000EA2A968F84D80793BEDB812372D9E4A6039B78429FD66437A32809962B231B1D65AA1AF7237D1D9CFA2053F35D8C8F642DF17A684B0A88AAC40 94785B88DF40C2542A4D66FB4DC59748296449FD353D56CF79E65CEB1A901A2ED245FE7AACBDFCF7FC9756764ECEBFAED77AC1835517F7B26024D6597B22 C5A6F09CE0B7E52A17EF96AF8C168D204F3B7E9D326881AD4D4C6018179F331461B041F335B09CEF1C51F5FE868BE534E56048A677D5791059A3890D5569 867E62AD188C08DBE7434E1CEE322E7C60D247DDA3395ADD5993B228825DDFD39F48790A63AF14722D100C993C46DBDCFCA9139827B37CBB7D92054378E0 050186A215331868D522A9C9D4754B7B47E511840E531136FB51FF7877C3FC5D59DBAB021BF7E41B8BA823F77AFA632DDE25C183792975C830B86E5835D7 859639104F2675E879BB62090957D9F71189D86E5B5C03DF49E3CED2EEF37BA047C5E894C8ADF940149E419F52F5DA9F39EC8EA0F4FC0B380BA111B91930 2E724D31BE0C221A535F0D9AEC7D63822C9DC6FC74BC2B35CEB9900F8593E4D05F5B348DF02D7F236B4E7621AA891C3344982A4E3869594951177DA632D4 590D50EEA324D88F794D664AF602C09C1AC206DAC03E479D8F6C7DA396D2775377ECAF3AED79DE0E9BC9C2D874FE78408669241E9AA0937634320766221A 49883E6302F453CDDA861FFD0239 /!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\ All your important files have been encrypted! Your files are safe! Only modified. (RSA+AES) ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE WILL PERMANENTLY CORRUPT IT. DO NOT MODIFY ENCRYPTED FILES. DO NOT RENAME ENCRYPTED FILES. No software available on internet can help you. We are the only ones able to solve your problem. We gathered highly confidential/personal data. These data are currently stored on a private server. This server will be immediately destroyed after your payment. If you decide to not pay, we will release your data to public or re-seller. So you can expect your data to be publicly available in the near future.. We only seek money and our goal is not to damage your reputation or prevent your business from running. You will can send us 2-3 non-important files and we will decrypt it for free to prove we are able to give your files back. Contact us for price and get decryption software. qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion * Note that this server is available via Tor browser only Follow the instructions to open the link: 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site. 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it. 3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion 4. Start a chat and follow the further instructions. If you can not use the above link, use the email: [email protected] [email protected] * To contact us, create a new free email account on the site: protonmail.com IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Emails

[email protected]

Signatures

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 15 IoCs

resource	yara_rule
behavioral2/memory/5104-134-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-163-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-452-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-729-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-730-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-731-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-732-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/616-735-0x0000000000570000-0x0000000000622000-memory.dmp	family_medusalocker
behavioral2/memory/5104-736-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-737-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-738-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-879-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-905-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-915-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker
behavioral2/memory/5104-916-0x0000000000990000-0x0000000000A42000-memory.dmp	family_medusalocker

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\PushConvert.tiff	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File renamed	C:\Users\Admin\Pictures\PushConvert.tiff => C:\Users\Admin\Pictures\PushConvert.tiff.marlock07	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened for modification	C:\Users\Admin\Pictures\LimitMerge.tiff	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File renamed	C:\Users\Admin\Pictures\LimitMerge.tiff => C:\Users\Admin\Pictures\LimitMerge.tiff.marlock07	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Executes dropped EXE 1 IoCs

pid	Process
616	svhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5104-134-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-163-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-452-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-729-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-730-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-731-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-732-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/files/0x00030000000230de-733.dat	upx
behavioral2/files/0x00030000000230de-734.dat	upx
behavioral2/memory/616-735-0x0000000000570000-0x0000000000622000-memory.dmp	upx
behavioral2/memory/5104-736-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-737-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-738-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-879-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-905-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-915-0x0000000000990000-0x0000000000A42000-memory.dmp	upx
behavioral2/memory/5104-916-0x0000000000990000-0x0000000000A42000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-144354903-2550862337-1367551827-1000\desktop.ini	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\Z:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\H:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\J:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\Q:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\M:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\N:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\R:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\T:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\V:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\A:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\E:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\G:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\W:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\X:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\Y:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\B:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\L:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\P:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\O:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\U:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\F:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\I:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
File opened (read-only)	\??\K:	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\906d1afb-9bd6-4389-a5f8-214cdf6efe73.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230406213128.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	372	wmic.exe
Token: SeSecurityPrivilege	372	wmic.exe
Token: SeTakeOwnershipPrivilege	372	wmic.exe
Token: SeLoadDriverPrivilege	372	wmic.exe
Token: SeSystemProfilePrivilege	372	wmic.exe
Token: SeSystemtimePrivilege	372	wmic.exe
Token: SeProfSingleProcessPrivilege	372	wmic.exe
Token: SeIncBasePriorityPrivilege	372	wmic.exe
Token: SeCreatePagefilePrivilege	372	wmic.exe
Token: SeBackupPrivilege	372	wmic.exe
Token: SeRestorePrivilege	372	wmic.exe
Token: SeShutdownPrivilege	372	wmic.exe
Token: SeDebugPrivilege	372	wmic.exe
Token: SeSystemEnvironmentPrivilege	372	wmic.exe
Token: SeRemoteShutdownPrivilege	372	wmic.exe
Token: SeUndockPrivilege	372	wmic.exe
Token: SeManageVolumePrivilege	372	wmic.exe
Token: 33	372	wmic.exe
Token: 34	372	wmic.exe
Token: 35	372	wmic.exe
Token: 36	372	wmic.exe
Token: SeIncreaseQuotaPrivilege	3732	wmic.exe
Token: SeSecurityPrivilege	3732	wmic.exe
Token: SeTakeOwnershipPrivilege	3732	wmic.exe
Token: SeLoadDriverPrivilege	3732	wmic.exe
Token: SeSystemProfilePrivilege	3732	wmic.exe
Token: SeSystemtimePrivilege	3732	wmic.exe
Token: SeProfSingleProcessPrivilege	3732	wmic.exe
Token: SeIncBasePriorityPrivilege	3732	wmic.exe
Token: SeCreatePagefilePrivilege	3732	wmic.exe
Token: SeBackupPrivilege	3732	wmic.exe
Token: SeRestorePrivilege	3732	wmic.exe
Token: SeShutdownPrivilege	3732	wmic.exe
Token: SeDebugPrivilege	3732	wmic.exe
Token: SeSystemEnvironmentPrivilege	3732	wmic.exe
Token: SeRemoteShutdownPrivilege	3732	wmic.exe
Token: SeUndockPrivilege	3732	wmic.exe
Token: SeManageVolumePrivilege	3732	wmic.exe
Token: 33	3732	wmic.exe
Token: 34	3732	wmic.exe
Token: 35	3732	wmic.exe
Token: 36	3732	wmic.exe
Token: SeIncreaseQuotaPrivilege	3512	wmic.exe
Token: SeSecurityPrivilege	3512	wmic.exe
Token: SeTakeOwnershipPrivilege	3512	wmic.exe
Token: SeLoadDriverPrivilege	3512	wmic.exe
Token: SeSystemProfilePrivilege	3512	wmic.exe
Token: SeSystemtimePrivilege	3512	wmic.exe
Token: SeProfSingleProcessPrivilege	3512	wmic.exe
Token: SeIncBasePriorityPrivilege	3512	wmic.exe
Token: SeCreatePagefilePrivilege	3512	wmic.exe
Token: SeBackupPrivilege	3512	wmic.exe
Token: SeRestorePrivilege	3512	wmic.exe
Token: SeShutdownPrivilege	3512	wmic.exe
Token: SeDebugPrivilege	3512	wmic.exe
Token: SeSystemEnvironmentPrivilege	3512	wmic.exe
Token: SeRemoteShutdownPrivilege	3512	wmic.exe
Token: SeUndockPrivilege	3512	wmic.exe
Token: SeManageVolumePrivilege	3512	wmic.exe
Token: 33	3512	wmic.exe
Token: 34	3512	wmic.exe
Token: 35	3512	wmic.exe
Token: 36	3512	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 372	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	84
PID 5104 wrote to memory of 372	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	84
PID 5104 wrote to memory of 372	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	84
PID 5104 wrote to memory of 3732	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	86
PID 5104 wrote to memory of 3732	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	86
PID 5104 wrote to memory of 3732	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	86
PID 5104 wrote to memory of 3512	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	88
PID 5104 wrote to memory of 3512	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	88
PID 5104 wrote to memory of 3512	5104	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe	88
PID 1464 wrote to memory of 2160	1464	msedge.exe	103
PID 1464 wrote to memory of 2160	1464	msedge.exe	103
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 1916	1464	msedge.exe	104
PID 1464 wrote to memory of 3312	1464	msedge.exe	105
PID 1464 wrote to memory of 3312	1464	msedge.exe	105
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106
PID 1464 wrote to memory of 3556	1464	msedge.exe	106

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe

C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe
"C:\Users\Admin\AppData\Local\Temp\1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281.exe"
1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5104
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3732
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3512

C:\Users\Admin\AppData\Roaming\svhost.exe
C:\Users\Admin\AppData\Roaming\svhost.exe
1⤵
- Executes dropped EXE
PID:616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffd9a6646f8,0x7ffd9a664708,0x7ffd9a664718
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1232
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff680ac5460,0x7ff680ac5470,0x7ff680ac5480
    3⤵
    PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,6115735695810496974,17975434105127301115,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
cf69cb035bac1bac1bcec596e5526be6

SHA1
b6f7e331bb364866c64198c43ddb16089ea879b8

SHA256
b99addf8b06a652c354ff5094574196e30bb6fd51d55087ecaa5d600b2426e2f

SHA512
a6a36265ac8c2966906948e416c4ffe568189a1d0f19ee3b55ea8e87b21102914a0c6736e6fccddc264542b3b834a5db78312421c2bae505449892f46f2a4671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
9ee39dcefadce5ea9ce9ee99afc70141

SHA1
c6de35b312fd4e93f28c430dff0f17681d8f461f

SHA256
f395c1b483390770c58ad482dfd1233cb4825a05e2b32c3fee409e831d5ed446

SHA512
cc5672053cb78cb97a1a7baefe36f542d5d82d7a7d04a08dbd03412d6322da820435712335fc53b5941dce3328601b8286d1a581e3c4994e44a80e452d069d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d421e00a081c0b60d23ff9ed48ddccb0

SHA1
64daa7b8abfd31476a5d3208532832bcb85deb5c

SHA256
e0815c0069d2e06621d0f16270de5fd4b222ee2779cd95bd74e964e82d7ab700

SHA512
8133534c5484af2c55768c6f78bf13e33890ebb62ffffa7ebf6afcc2e16193da222ce4a3537d075664dabdbabc87782012a152340af783cf1e5b152ecf14d827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c1ec8951dc16770556f55da145821db

SHA1
432eeaa00562ec9c39ae4590bc82189fbc547028

SHA256
a23466b690502ef49574ff1ab2b0c3049f49e91af6d104214161bd45b88cc757

SHA512
aa2bbecf85c8b490407c6fc70470f47ef41ee84022def808f3949cf911588c9977e279c40d58a0b48f1b6829abc07ceb0d511acec32c375f247940d20f64f56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
23a8f644aa16b7976a5f1f97a5c6ccdd

SHA1
c5bd9a301171677ea1523a4e3ca204da1872d805

SHA256
6b21a0b1ecbf90e4f87be4e1de415cf63a422a4546c19ae1ae7c9b4eb8e5096b

SHA512
f3eea25c205b570b0367112e6b3472158d27ef71fe432146892f5f954e160fe392d9e0f5ecd467ac75cd14e95d10b65ebf10b03983641f7851bde226c5934306

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
cdc697f2060e7e9a47cd278ffed99a26

SHA1
f526c2f4b0ba92211239eceac99dbfccff8042e0

SHA256
cdc7b618051ba70c2e0439fb18fb352144d4d62283bc15b817579387134923c8

SHA512
ce2684515048a9c1d99394d53cc2d31b9ae6ac0f04a5fa5ea64ce8d09b4778a76315b88b727a1a3da6c3176b7614cd47d4c510fc1a95b159882bc6e9e3a780cc

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
235KB

MD5
f6f120d1262b88f79debb5d848ac7db9

SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
235KB

MD5
f6f120d1262b88f79debb5d848ac7db9

SHA1
1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

SHA256
1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

SHA512
1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

Download Submit
C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html

Filesize
4KB

MD5
6b0a4eacb986f635d905058fac427b56

SHA1
0ba68d90cee553991ff6ecd4f3ff08ca215c59a1

SHA256
36fce2e27fd55e8d2ff9adff8c81661e6641cac7cb55f406d4833838ef246e54

SHA512
806e343ed87e08530367eaa4036c357e62acf3ac24e59bcd75574a57ae7f42a4aa1ee9d63fce349a21b6fd3bffe2451004b41fbf7de251dc5dfbc59b6af65cf5

Download Submit
C:\Users\Default\ntuser.dat.LOG2

Filesize
536B

MD5
1eebbb29d17efce86fa50a45457904bb

SHA1
532e4e92cc17e8651ac64a8e84aa3ccdac5ee612

SHA256
61136fe7dc30b952d927fc16075c52b22c21bc1a3e7ad16664fe64d4fd082e3f

SHA512
8d5ab3e3841dcaaa0498db1143584676fa604ac34f1b3880b677cac817631ad2ad267c294787d3a44cd3b5b75547de376cea82746c89f21466c5ceda90d1736e

Download Submit
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Filesize
4KB

MD5
6b0a4eacb986f635d905058fac427b56

SHA1
0ba68d90cee553991ff6ecd4f3ff08ca215c59a1

SHA256
36fce2e27fd55e8d2ff9adff8c81661e6641cac7cb55f406d4833838ef246e54

SHA512
806e343ed87e08530367eaa4036c357e62acf3ac24e59bcd75574a57ae7f42a4aa1ee9d63fce349a21b6fd3bffe2451004b41fbf7de251dc5dfbc59b6af65cf5

Download Submit
memory/616-735-0x0000000000570000-0x0000000000622000-memory.dmp

Filesize
712KB

Download
memory/5104-879-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-729-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-737-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-732-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-731-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-730-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-134-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-736-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-452-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-163-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-905-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-738-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-915-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download
memory/5104-916-0x0000000000990000-0x0000000000A42000-memory.dmp

Filesize
712KB

Download