cryptolocker | ddb9b850fa0eee2f62463728b07bffc11eaa9b241d215029eaddf1de4ec54936

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2023 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
Size

338KB
MD5

04fb36199787f2e3e2135611a38321eb
SHA1

65559245709fe98052eb284577f1fd61c01ad20d
SHA256

d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512

533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
SSDEEP

6144:sWmw0EuCN0pLWgTO3x5N22vWvLRKKAX5l++SybIvC:sWkEuCaNT85I2vCMX5l+ZRv

Score

10^/10

cryptolocker persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Executes dropped EXE 2 IoCs

pid	Process
1028	{34184A33-0407-212E-3320-09040709E2C2}.exe
3944	{34184A33-0407-212E-3320-09040709E2C2}.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230629131930.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a0174160-c9e4-4f7b-a858-cf9d6ccb286f.tmp	setup.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3956	msedge.exe
3956	msedge.exe
4572	msedge.exe
4572	msedge.exe
4120	identity_helper.exe
4120	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5084	firefox.exe
5084	firefox.exe
5084	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5084	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 1028	1356	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	85
PID 1356 wrote to memory of 1028	1356	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	85
PID 1356 wrote to memory of 1028	1356	{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe	85
PID 1028 wrote to memory of 3944	1028	{34184A33-0407-212E-3320-09040709E2C2}.exe	86
PID 1028 wrote to memory of 3944	1028	{34184A33-0407-212E-3320-09040709E2C2}.exe	86
PID 1028 wrote to memory of 3944	1028	{34184A33-0407-212E-3320-09040709E2C2}.exe	86
PID 4572 wrote to memory of 2412	4572	msedge.exe	106
PID 4572 wrote to memory of 2412	4572	msedge.exe	106
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3592	4572	msedge.exe	107
PID 4572 wrote to memory of 3956	4572	msedge.exe	108
PID 4572 wrote to memory of 3956	4572	msedge.exe	108
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109
PID 4572 wrote to memory of 1684	4572	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe
"C:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\{71257279-042b-371d-a1d3-fbf8d2fadffa}.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
    3⤵
    - Executes dropped EXE
    PID:3944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RegisterSet.svg
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe2f7946f8,0x7ffe2f794708,0x7ffe2f794718
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff76c055460,0x7ff76c055470,0x7ff76c055480
    3⤵
    PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,8526844377184478146,13304907825881596235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5104
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.0.146520967\877786671" -parentBuildID 20221007134813 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3341ed08-c6c3-481a-a0ed-0f55f41924df} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1732 21686da5858 gpu
    3⤵
    PID:3832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.1.2145623984\1323230977" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14e5ee5c-e518-4e07-b934-449c2cd7059a} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 2300 21685c10758 socket
    3⤵
    PID:904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.2.255804026\889873718" -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3156 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fd21edf-a03b-4396-8f6d-b95660bd031d} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 3168 21689b06158 tab
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.3.753765324\1351587041" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8beb0be-b8f1-4ea3-86f9-39d48bace0a6} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 1460 216884a0458 tab
    3⤵
    PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.4.1052809996\686061097" -childID 3 -isForBrowser -prefsHandle 4024 -prefMapHandle 4020 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {98dd2602-0fc1-4783-9abc-3ba8a654e352} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 4036 2168ab8ec58 tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.5.1581730376\1044817563" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5096 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46805748-92d3-4293-b6b3-1da4a6651fde} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5016 2168be58d58 tab
    3⤵
    PID:1176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.6.1344079260\1983996942" -childID 5 -isForBrowser -prefsHandle 5224 -prefMapHandle 5228 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed4fb204-fb55-45d2-be05-1bcf9b2b9b56} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5216 2168c2aff58 tab
    3⤵
    PID:1196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5084.7.473313190\779268599" -childID 6 -isForBrowser -prefsHandle 5200 -prefMapHandle 5016 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1476 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {055c2d03-e3ea-46ea-80c4-9fa6822eef8a} 5084 "\\.\pipe\gecko-crash-server-pipe.5084" 5396 2168c2ae458 tab
    3⤵
    PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\5bf1950d-525f-4bb5-9a7c-96f839e6eef7.tmp

Filesize
13KB

MD5
44cddaf949f83854925ca7fd43306d8e

SHA1
8925e5ab2e7ad0e5f35eac55ac22dd1738c3ae4b

SHA256
ca175fa940690aef75c556180670db3894803db72d5ac48bb6798bd2fa5b8520

SHA512
9bb30e85cb61d4293566766641122cf0e97cd58feb9184fd80fd28df5b42208db01b68e410e99533c074a4a045657f063f1bc50e700b4c0449ea78cfa6f7e781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5577898093952163e585fc1356275cf9

SHA1
d46e9241b7e8e0b97598907a260c3c6ad7229b6a

SHA256
275315a835f78d1d40d3425488d1ed277924ddf5200cfc9635bf24afdf083cf5

SHA512
00a66c6a214f0a35144217c7738a237e41e7b9b5f66ecf9a94baf487e2b90533070092eb6930247532a7907f5415cc842d51758d3a76a48568f476ef30f1cb01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b092647394f1376f80bf2d4e8797d7b5

SHA1
1809389720e213a4733352f838cd1f16bd20d3db

SHA256
fa55709e752681e7d9f38d74a3376c06d31bd333fbf94f7aca17468f9d8fc85b

SHA512
9d70333ced82fa5ffcff47d6a25b3051916e8f5a069450dd86676315a15a94fd131a0d7973f19562e4807589249213dbf64ac374cd688e1ea17dd190f8e3761e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
42f45fe60d4fc7b74fca481a35dfb6dc

SHA1
cc94dbd2fc84990d3ca849deedbe78d37331c735

SHA256
0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f

SHA512
c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
b4eca6ce78646ef51d6ee8a057aed06f

SHA1
64156f97acab975227680de7956f30cccac083a5

SHA256
1fa416fa94d3f3c84997e5e8608f5fee25e15ea1efc792e9362e164a47b7ebcd

SHA512
3beb2024d191c4ec4bd8a575b26d1f23d1e648e0e3ece9191cdf1c2f61d37e66566f6970d5ed11a69601cd45cd048567f72f5d66c4665749cab5486f404d1580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
40c441ac23a6137af158baf015b12502

SHA1
2ee5ace8d576be7a73c823be85b9e83992caccb3

SHA256
8586e23108dbee4efa70a565b678e6e6e17c52dc044c287f23844ac5b3df1a1e

SHA512
132806195a6f360f2bd267a22afe02ddcfad80f0f44c258f1245bbe3763f9693f0ecc9b3c7b034041559ce506a8d2eb6635c847bb6409dc4dd6e417c569bae8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcb28ab17714a630a0e3c5cb82317083

SHA1
d0e780cb1a12de531debd3c0e772d4146384a6d5

SHA256
054fbacbc713eeb33eddbff894ad3bf9f90cdf1a42f54face04098c2cfa9a18a

SHA512
fa6ce107dfe1b48a495f646afd1e7be07f8914cfada4a74672ac175e5823556ddb0d6f989102174bc4cd077345abdecd9901a22df97fda306822a99ce4b405e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
809b0cd53de2eb6dbf4f469edc77b66a

SHA1
aa2848f79def7cc41bcce96a15c362abb663562c

SHA256
daa87cfcd87db536e9db173fe4131996c9a9e8de0b0021d01b5508cc14b98132

SHA512
a45949bcbfd107e74d7c50126068eff4bed563110802008c715354411e1efddc6594710db6edc22ec1cf35e0b8bc3f43f368e0487df6a800d340be93833c88a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bfb396f724d87b5dc03bf360219fa3b0

SHA1
5c110515ef78880ca230a1d418b6ee92a3565e4d

SHA256
4a0f5896f8b14c1d99f37e76192d6d84c433000d50a7b5ec831d1ebecfbf2264

SHA512
8bdc70b2413a4e8ddc1b72fe4628106f76e7a5246c113575aca817ff6dce051f945016eac9e8bf342716c1a0862a737c015cc933c13e44a013555ddfff6f527f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
aefc5ee3f7d446e4f589d384871089fa

SHA1
f473772b9fad6deed5ac5ab67e21e80a32beea15

SHA256
cafbd5930c58521f476407f52bc923d7ad33b37e5dbff9be9b1d6b28249d0ad8

SHA512
697ff96fe24ee7016dcfead1ed557b89f2123306749939ac0bf8bc09eae97fbb040314d59991482dad192006a278343cd1176cecdd79a0cb98138611e81bb02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e5356f910dd693a595992ed21757d9e9

SHA1
db70fab4db0b1d25de165a5ce038e5f5681eacc5

SHA256
9eb098ebc7d6f48f7b15e6ae7bb516b9f00080e031b8488662ad92cfd5a01ab2

SHA512
1bda232f97067acb0414ec0e1a39d4485ba18d8184b46c8975d50fa24091801540b6269862a940e63462d88ec5dc216c5298c632548ee1d5b2b6694a7a511146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
4e8797a4e21d1d39bde87c6e02fa42e3

SHA1
158d0ad07fff2b8346f87192e4e2355d56666a08

SHA256
9c4e8b10fde0a9f4512f7d6717225980967ba29d3bdef63b66dbd8e49179892f

SHA512
26a02e133568d8c8598d275e90f610e11ad7b9f421f474e7f74256125686f2f71916771868c55500e7adcfa57e4242dadac8dc79a1c645bcdbbbae7a0e09a139

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1w5h9zvv.default-release\activity-stream.discovery_stream.json.tmp

Filesize
162KB

MD5
9886c131790218af1757e98aa10a53fc

SHA1
7637a59948ce1d95172287b9277f1d8b81144947

SHA256
c01afa22cca53bd4bb100caf58e69a39f7c71a710739ceee466c5589fbc67748

SHA512
56878afc02b0e36971decde74d562b73b248d38fb44a33d3c0629f966789f8daf32039319776f7fde6c3dbd31b932abaeced5875601be9cb2a4cd0c28b5d798a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
b4eca6ce78646ef51d6ee8a057aed06f

SHA1
64156f97acab975227680de7956f30cccac083a5

SHA256
1fa416fa94d3f3c84997e5e8608f5fee25e15ea1efc792e9362e164a47b7ebcd

SHA512
3beb2024d191c4ec4bd8a575b26d1f23d1e648e0e3ece9191cdf1c2f61d37e66566f6970d5ed11a69601cd45cd048567f72f5d66c4665749cab5486f404d1580

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WVJJL9GYUKX52QFNBN0S.temp

Filesize
3KB

MD5
4f5f19a359305cb21b771958bc32c0d4

SHA1
94e4b61f64a4b35c592b712bc1b3d56b1df3d860

SHA256
dfd847b4ae68336422d10c2ea847169532c455552ae68ff55fcf91016d2ebca7

SHA512
2dde2760748337dd7bd0a8779f54b8e9fef9e5cf09ba48df15b5b87b36de29ced6122d427841f81ab9abed8fbbf6f80256614875f41df7386fd6f81e6c10718d

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit