Analysis
-
max time kernel
270s -
max time network
263s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
18-04-2023 05:13
Behavioral task
behavioral1
Sample
053680ED933D58F4150FFDEFAC4D9F13.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
053680ED933D58F4150FFDEFAC4D9F13.exe
Resource
win10v2004-20230220-en
General
-
Target
053680ED933D58F4150FFDEFAC4D9F13.exe
-
Size
669KB
-
MD5
053680ed933d58f4150ffdefac4d9f13
-
SHA1
69c4a4ffb650a6fdfe343d6acca3b988647aee30
-
SHA256
af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266
-
SHA512
4ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2
-
SSDEEP
12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DnKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWmKrKe
Malware Config
Extracted
\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
Extracted
C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html
medusalocker
Signatures
-
MedusaLocker
Ransomware with several variants first seen in September 2019.
-
MedusaLocker payload 2 IoCs
resource yara_rule behavioral2/files/0x0009000000023131-944.dat family_medusalocker behavioral2/files/0x0009000000023131-945.dat family_medusalocker -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 053680ED933D58F4150FFDEFAC4D9F13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 053680ED933D58F4150FFDEFAC4D9F13.exe -
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process File renamed C:\Users\Admin\Pictures\EditRedo.tiff => C:\Users\Admin\Pictures\EditRedo.tiff.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File renamed C:\Users\Admin\Pictures\ImportRename.tif => C:\Users\Admin\Pictures\ImportRename.tif.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File renamed C:\Users\Admin\Pictures\ReadDeny.crw => C:\Users\Admin\Pictures\ReadDeny.crw.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File renamed C:\Users\Admin\Pictures\RenameDeny.crw => C:\Users\Admin\Pictures\RenameDeny.crw.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File renamed C:\Users\Admin\Pictures\ResolveCopy.raw => C:\Users\Admin\Pictures\ResolveCopy.raw.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File renamed C:\Users\Admin\Pictures\SplitDismount.raw => C:\Users\Admin\Pictures\SplitDismount.raw.FartingGiraffeAttacks 053680ED933D58F4150FFDEFAC4D9F13.exe File opened for modification C:\Users\Admin\Pictures\EditRedo.tiff 053680ED933D58F4150FFDEFAC4D9F13.exe -
Executes dropped EXE 1 IoCs
pid Process 4952 svhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 053680ED933D58F4150FFDEFAC4D9F13.exe -
Drops desktop.ini file(s) 1 IoCs
description ioc Process File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1013461898-3711306144-4198452673-1000\desktop.ini 053680ED933D58F4150FFDEFAC4D9F13.exe -
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\E: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\F: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\H: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\M: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\B: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\J: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\L: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\T: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\K: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\P: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\R: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\Y: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\O: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\Q: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\S: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\U: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\A: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\G: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\I: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\N: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\V: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\X: 053680ED933D58F4150FFDEFAC4D9F13.exe File opened (read-only) \??\Z: 053680ED933D58F4150FFDEFAC4D9F13.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\6cbd5901-3bea-42d9-9d42-becb7dc78881.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230418071415.pma setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 2924 053680ED933D58F4150FFDEFAC4D9F13.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4564 wmic.exe Token: SeSecurityPrivilege 4564 wmic.exe Token: SeTakeOwnershipPrivilege 4564 wmic.exe Token: SeLoadDriverPrivilege 4564 wmic.exe Token: SeSystemProfilePrivilege 4564 wmic.exe Token: SeSystemtimePrivilege 4564 wmic.exe Token: SeProfSingleProcessPrivilege 4564 wmic.exe Token: SeIncBasePriorityPrivilege 4564 wmic.exe Token: SeCreatePagefilePrivilege 4564 wmic.exe Token: SeBackupPrivilege 4564 wmic.exe Token: SeRestorePrivilege 4564 wmic.exe Token: SeShutdownPrivilege 4564 wmic.exe Token: SeDebugPrivilege 4564 wmic.exe Token: SeSystemEnvironmentPrivilege 4564 wmic.exe Token: SeRemoteShutdownPrivilege 4564 wmic.exe Token: SeUndockPrivilege 4564 wmic.exe Token: SeManageVolumePrivilege 4564 wmic.exe Token: 33 4564 wmic.exe Token: 34 4564 wmic.exe Token: 35 4564 wmic.exe Token: 36 4564 wmic.exe Token: SeIncreaseQuotaPrivilege 1956 wmic.exe Token: SeSecurityPrivilege 1956 wmic.exe Token: SeTakeOwnershipPrivilege 1956 wmic.exe Token: SeLoadDriverPrivilege 1956 wmic.exe Token: SeSystemProfilePrivilege 1956 wmic.exe Token: SeSystemtimePrivilege 1956 wmic.exe Token: SeProfSingleProcessPrivilege 1956 wmic.exe Token: SeIncBasePriorityPrivilege 1956 wmic.exe Token: SeCreatePagefilePrivilege 1956 wmic.exe Token: SeBackupPrivilege 1956 wmic.exe Token: SeRestorePrivilege 1956 wmic.exe Token: SeShutdownPrivilege 1956 wmic.exe Token: SeDebugPrivilege 1956 wmic.exe Token: SeSystemEnvironmentPrivilege 1956 wmic.exe Token: SeRemoteShutdownPrivilege 1956 wmic.exe Token: SeUndockPrivilege 1956 wmic.exe Token: SeManageVolumePrivilege 1956 wmic.exe Token: 33 1956 wmic.exe Token: 34 1956 wmic.exe Token: 35 1956 wmic.exe Token: 36 1956 wmic.exe Token: SeIncreaseQuotaPrivilege 3472 wmic.exe Token: SeSecurityPrivilege 3472 wmic.exe Token: SeTakeOwnershipPrivilege 3472 wmic.exe Token: SeLoadDriverPrivilege 3472 wmic.exe Token: SeSystemProfilePrivilege 3472 wmic.exe Token: SeSystemtimePrivilege 3472 wmic.exe Token: SeProfSingleProcessPrivilege 3472 wmic.exe Token: SeIncBasePriorityPrivilege 3472 wmic.exe Token: SeCreatePagefilePrivilege 3472 wmic.exe Token: SeBackupPrivilege 3472 wmic.exe Token: SeRestorePrivilege 3472 wmic.exe Token: SeShutdownPrivilege 3472 wmic.exe Token: SeDebugPrivilege 3472 wmic.exe Token: SeSystemEnvironmentPrivilege 3472 wmic.exe Token: SeRemoteShutdownPrivilege 3472 wmic.exe Token: SeUndockPrivilege 3472 wmic.exe Token: SeManageVolumePrivilege 3472 wmic.exe Token: 33 3472 wmic.exe Token: 34 3472 wmic.exe Token: 35 3472 wmic.exe Token: 36 3472 wmic.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe 3404 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2924 wrote to memory of 4564 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 83 PID 2924 wrote to memory of 4564 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 83 PID 2924 wrote to memory of 4564 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 83 PID 2924 wrote to memory of 1956 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 85 PID 2924 wrote to memory of 1956 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 85 PID 2924 wrote to memory of 1956 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 85 PID 2924 wrote to memory of 3472 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 87 PID 2924 wrote to memory of 3472 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 87 PID 2924 wrote to memory of 3472 2924 053680ED933D58F4150FFDEFAC4D9F13.exe 87 PID 3404 wrote to memory of 2184 3404 msedge.exe 102 PID 3404 wrote to memory of 2184 3404 msedge.exe 102 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 4416 3404 msedge.exe 103 PID 3404 wrote to memory of 2168 3404 msedge.exe 104 PID 3404 wrote to memory of 2168 3404 msedge.exe 104 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 PID 3404 wrote to memory of 4636 3404 msedge.exe 106 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 053680ED933D58F4150FFDEFAC4D9F13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" 053680ED933D58F4150FFDEFAC4D9F13.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" 053680ED933D58F4150FFDEFAC4D9F13.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe"C:\Users\Admin\AppData\Local\Temp\053680ED933D58F4150FFDEFAC4D9F13.exe"1⤵
- UAC bypass
- Modifies extensions of user files
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2924 -
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\SysWOW64\Wbem\wmic.exewmic.exe SHADOWCOPY /nointeractive2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\HOW_TO_RECOVER_DATA.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3404 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9308846f8,0x7ff930884708,0x7ff9308847182⤵PID:2184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:22⤵PID:4416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:32⤵PID:2168
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:82⤵PID:4636
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:12⤵PID:4136
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:12⤵PID:1112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵PID:2112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵PID:4708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:12⤵PID:2732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵PID:2172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
PID:3140 -
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6fdf35460,0x7ff6fdf35470,0x7ff6fdf354803⤵PID:3440
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:82⤵PID:2000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,7943839034616828748,6742039913346101142,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 /prefetch:22⤵PID:2964
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5064
-
C:\Users\Admin\AppData\Roaming\svhost.exeC:\Users\Admin\AppData\Roaming\svhost.exe1⤵
- Executes dropped EXE
PID:4952
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5aaeb1f5e097ab38083674077b84b8ed6
SHA17d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2
SHA2561654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef
SHA512130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda
-
Filesize
152B
MD51db53baf44edd6b1bc2b7576e2f01e12
SHA1e35739fa87978775dcb3d8df5c8d2063631fa8df
SHA2560d73ba3eea4c552ce3ffa767e4cd5fff4e459e543756987ab5d55f1e6d963f48
SHA51284f544858803ac14bac962d2df1dbc7ed6e1134ecf16d242d7ee7316648b56b5bc095241363837bf0bf0afd16ca7deebe7afb7d40057604acbf09821fd5a9912
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
2KB
MD5cd0d05e6e78db00fd46c977f4a2cac59
SHA1b9b7014c3e34b7d6d99500974c47f7697cdd0f58
SHA256cf95f89e9cacdcd6761abc7214e9bea838391122bd237e7fb6b7833cf948a3bd
SHA512ee63c6ce4c65cb5a29732027982bdc2e8af8bf12ef506b9b21613537c2b6fe16599c9f27229e530d97d6326b1849a39937cfc73b74b9c19b05b2c43ba62080f2
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD5262da57af55047c1401e3f232ed139aa
SHA12787eba07f520c28f6c599a96c0bf6417f231eb3
SHA2561816ba07dc7a2ac90f60ccf7eb15fbabbcede3e72d5c4b0ef5e2caf75dea946d
SHA51254a1c7175814d79cda92a950d0d04f8d885159d1bca0f26cf91710b6db37f87064a178225ba9d570aeec2c79195183d642990d941807635fc29da92a2285c9e0
-
Filesize
5KB
MD5716a1628dae76b9d828a0a965a9311d5
SHA15253a225cdabf9d616c66af1cd01e26f30489740
SHA256785d9682482586af9aecd49734d5e8250f18704215d3afedcb90ae583ab7f4f8
SHA512d8c610c06062ecd021f68edd4249d3ca7b1bc14ea908bee755b668014a4cf6c358230e2b57b7cee344af5dc239fdb34739cb67647ff4ea7d826201f04a7e89ec
-
Filesize
4KB
MD51dcc2e033ef540f3627ddb9f2c65e5ab
SHA1eb53cd9a97eb07f0a2ae34c474a201028b90db39
SHA2561964e83343e832d2906df6eb6d1da94b3c6608511884bf1f0d928842a944a4dc
SHA51247550b0892db96b0755c9124370b7f4a4d26aba94b6689c3720ae152952d095044297f79ee1448f66226862a4c535f7f0fa2e5284c4c58a794dc9b43ce882b9e
-
Filesize
24KB
MD547e94a96372e6f095b8a3fd7edc48ec0
SHA1377b68f34e5964ca8be1b1b0c1507dd7f0e5f005
SHA25615c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e
SHA5125bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
9KB
MD5e6e3d78662ad20a566804e29262151c2
SHA175465e344887b8c86732444c5781184036987cb6
SHA2565985fa1e0b4adc142f7c3d1a75bf4b0751298f688173d6d0599ae8bda24a22fc
SHA512138c1a31c1f48ae63abcf78bbe49a5f0972b2a17d1cd51b85d4caab656ee41c25dc1d161b8901319ba8d7f96ebdfc34ee1c730ad0e3d53b9976f8222f25c276e
-
Filesize
12KB
MD5e0b775e0be8f2e29a59209934988affc
SHA18a5532b8222a763db178ab231595c5a9d7b77559
SHA256d9ed302cadb9db746417c99d8ace58657b300f733aad32b878b3775e5993c3e4
SHA512f8f7e1d3ce382318183aded6ff4c22b3bb72a3dca8ccfa0c05b5193aec196a4c59ab37804ce559702f307d7d29729189fd9fc922ecd841daf36b8459b9fbceb7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize3KB
MD5904dab7456c3af76791e0ef49455124f
SHA126a343e7988604accf2c9ddddb8d685ed85c635f
SHA256a2ae122259deb1aabd5b3f61de539380eaf48348c5ad6915073c491e9be312a3
SHA512413271c0a5ec3099f09c34fa8c32abe2f956d38b10947252e60b9e6ba4e0b9d40e06c8dad5c7b29376f6308b41d0b71c9e4bdf9cf2a13fb8bc3d7d0797e27d61
-
Filesize
669KB
MD5053680ed933d58f4150ffdefac4d9f13
SHA169c4a4ffb650a6fdfe343d6acca3b988647aee30
SHA256af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266
SHA5124ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2
-
Filesize
669KB
MD5053680ed933d58f4150ffdefac4d9f13
SHA169c4a4ffb650a6fdfe343d6acca3b988647aee30
SHA256af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266
SHA5124ed454e96f65c2a7cefbe27a499e2fb3eeea8512e704aae7de4245e0a0d38788ec7366937a68a57b714681da3f43ebddf32241756f0f0e6eb63488c8c3966de2
-
Filesize
4KB
MD51ebc3aa31f4bfbc94236db7ba0c93686
SHA164d9560d575c337882599d0817673a61abe3e807
SHA2562d3a07eb70d4da07294d5e63d1a136eeb090e85a0be0618599619cefa9ab4dee
SHA51234f53983f74d8c9da0342cd18af3bed90af6c7f492ef3b7e5351ffd5e4cf83694c3563b24d0db0d97ca5e0bf1892aeee75495dfeaf80e6fe08d68fed354720cd
-
Filesize
2KB
MD59cd2e84871a399edef6b2ec2a460e018
SHA13c46a996099f66cb2a5dc7e8cfc2127810f37b82
SHA25642de0f46f43b8dd9ec7561db322c9ae9f7673bf3ef68cac063baa66b694fdbf2
SHA512f62d44157e43faf55f93f5d63f0d0f07b8c23a2466d56bc0e7cb61d2102783d21b11fe8855904b4677f7ef8c89bcea648e5e39c4bdc13bdd000bbbc5d24b55c5
-
Filesize
536B
MD567947f6f217c1d8c2888103f7307bff9
SHA1daf3b5ce85cf6691d2de26fe1a23ac2463b62e60
SHA256e8c79033e90bde1dd6e2d7c5b5731b0b29e51f137a4b14988c33b89196f40127
SHA512d7272883539e801795218d9a7ea19a15e218c9a9ae3c4b453c5f63e94d633e17a8494a43b297ecd4a7141433e78026c62aa65e8ce285fcfa6ed9c2d058800b8c
-
Filesize
4KB
MD51ebc3aa31f4bfbc94236db7ba0c93686
SHA164d9560d575c337882599d0817673a61abe3e807
SHA2562d3a07eb70d4da07294d5e63d1a136eeb090e85a0be0618599619cefa9ab4dee
SHA51234f53983f74d8c9da0342cd18af3bed90af6c7f492ef3b7e5351ffd5e4cf83694c3563b24d0db0d97ca5e0bf1892aeee75495dfeaf80e6fe08d68fed354720cd