globeimposter | d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e

Analysis

max time kernel
109s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
Size

55KB
MD5

6af267d388242b54a87d0d0b6eb0ccd8
SHA1

eeeec084ebf73ca9d6600452e2997a469b4996c9
SHA256

d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e
SHA512

270e9ee5ec4fd63045a8e6a704106e178bd20788b73e7e1a9e4db83eaa629b38dd55bf7a202d534c0d91a20ce76e7b21d14335f94366f4acbf8a20194cfadce2
SSDEEP

768:emtihjk9hlg4tBLuZuZJHe4ndXxnWlHznD/VwrEQYtqVi6S9JWvZ/KWwhQMNzLm9:eTjkfV+KJolntwrbDSTWvTwhQMhmpdL

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\Users\Public\Videos\how_to_back_files.html

Ransom Note

<html> <style type="text/css"> body { background-color: #404040; } { margin: 0; padding: 0; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ width: 800px; display: block; margin: auto; position: relative; } .tabs1 .head{ text-align: center; float: top; text-transform: uppercase; font-weight: normal; display: block; padding: 5px; color: #FF0000; background: #303030; } .tabs1 .identi { margin-left: 0px; line-height: 13px; font-size: 13px; text-align: center; float: top; display: block; padding: 15px; background: #303030; color: #DFDFDF; } /*---*/ .tabs{ width: 800px; display: block; margin: auto; position: relative; } .tabs .tab{ float: left; display: block; } .tabs .tab>input[type="radio"] { position: absolute; top: -9999px; left: -9999px; } .tabs .tab>label { display: block; padding: 6px 21px; font-size: 18x; text-transform: uppercase; cursor: pointer; position: relative; color: #FFF; background: #4A83FD; } .tabs .content { z-index: 0;/* or display: none; */ overflow: hidden; width: 800px; /*padding: 25px;*/ position: absolute; top: 32px; left: 0; background: #303030; color: #DFDFDF; opacity:0; transition: opacity 400ms ease-out; } .tabs .content .text{ width: 700px; padding: 25px; } .tabs>.tab>[id^="tab"]:checked + label { top:0; background: #303030; color: #F5F5F5; } .tabs>.tab>[id^="tab"]:checked ~ [id^="tab-content"] { z-index: 1;/* or display: block; */ opacity: 1; transition: opacity 400ms ease-out; } </style> <head> <meta charset="utf-8"> <title>HOW TO DECRYPT YOUR FILES</title> </head> <body> <div class="tabs1"> <div class="head" ><h3>Your personal ID</h3></div> <div class="identi"> <pre>��88 D6 79 D9 A1 26 B2 FC 9F F6 FC 3D EC D0 7F B7 91 80 98 ED B2 F1 D2 39 F2 59 83 C7 4B 03 2C B1 87 73 C6 2F 05 57 46 7B 49 13 84 5C CC C7 5A 6A 1C 14 F3 D5 AA 92 BB 73 EF 5C E6 5B 1E 11 B7 BA 76 38 9F 0A 2A 86 B7 62 9A 8F 4C 94 7F D8 2C DA A7 96 D7 37 FE CA 8E 16 3F 31 2B 25 FB 9D 06 FA 4C 84 2D 77 69 6D A4 E8 2B 89 8B 10 A5 D6 8A DD E3 B7 8F FC 31 29 8F 42 DE 0D 62 C0 4F 96 59 45 B9 F8 22 9D A6 AE 4A BB C8 B1 9D 91 A2 AF 59 67 D8 39 D4 EC A3 C8 81 4A 82 D2 A1 A2 4E 0F FF 4E 64 C1 A0 84 35 20 C5 C9 F2 FC BE 52 64 38 AC 5C DC B3 A0 0A 14 B1 26 0E 61 DC DE 4C F2 18 DE C6 F2 AE 82 8E F2 3A 29 08 5B B5 01 94 F6 66 B4 3E 51 A1 06 8D 92 A1 81 81 01 2E F0 49 51 CE 34 AB E7 D5 B0 A1 A7 1B 34 2A 51 D2 9B 18 7C F6 48 3F E4 15 B8 19 0C 55 D5 1C A5 9C 3D 8D 16 0C 21 4B </p> </pre> </div> </div>  <div class="tabs">  <div class="tab"> <input type="radio" name="tabs" checked="checked" id="tab1" /> <label for="tab1">English</label> <div id="tab-content1" class="content"> <h1>☣ Your files are encrypted! ☣</h1> <hr/> <h3> &#11015 To decrypt, follow the instructions below. &#11015 </h3> <br/> <div class="text">  To recover data you need decryptor.</br> To get the decryptor you should:</br> <p>Send 1 crypted test image or text file or document to <span> <font color="FF0000"> [email protected] </font></span></br> (Or alternate mail <font color="FF0000"> [email protected] </font>)<p> In the letter include your personal ID (look at the beginning of this document).</p> We will give you the decrypted file and assign the price for decryption all files</p> After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder.</br> <hr color=red> <center><p style="color:#FF0000">MOST IMPORTANT!!!</p></center> <center><p style="color:#FF0000"> Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected], will decrypt your files.</p></center> <hr color=red> <ul> <li>Only [email protected] can decrypt your files</li> <li>Do not trust anyone besides [email protected]</li> <li>Antivirus programs can delete this document and you can not contact us later.</li> <li>Attempts to self-decrypting files will result in the loss of your data</li> <li>Decoders other users are not compatible with your data, because each user's unique encryption key</li> </ul>  </div> </div> </div>  </ul>  </div> </div>  </div> </div> </body> </html>

Emails

[email protected]

[email protected]</li>

Extracted

Path

C:\Users\Public\Desktop\how_to_back_files.html

Ransom Note

Your personal ID ☣ Your files are encrypted! ☣ ⬇ To decrypt, follow the instructions below. ⬇ To recover data you need decryptor. To get the decryptor you should: Send 1 crypted test image or text file or document to (Or alternate mail ) In the letter include your personal ID (look at the beginning of this document). We will give you the decrypted file and assign the price for decryption all files After we send you instruction how to pay for decrypt and after payment you will receive a decryptor and instructions We can decrypt one file in quality the evidence that we have the decoder. MOST IMPORTANT!!! Do not contact other services that promise to decrypt your files, this is fraud on their part! They will buy a decoder from us, and you will pay more for his services. No one, except [email protected], will decrypt your files. Only [email protected] can decrypt your files Do not trust anyone besides [email protected] Antivirus programs can delete this document and you can not contact us later. Attempts to self-decrypting files will result in the loss of your data Decoders other users are not compatible with your data, because each user's unique encryption key

Emails

[email protected]

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Renames multiple (1360) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe"	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

Drops desktop.ini file(s) 27 IoCs

Processes:

d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

description	ioc	process
File opened for modification	C:\Users\Public\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1859779917-101786662-3680946609-1000\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

Drops file in Program Files directory 64 IoCs

Processes:

d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\selector.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\framework-dev.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\cs-cz\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_sr.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\it-it\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\S_ThumbUpOutline_22_N1.svg	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIDE.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_close2x.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\RDCNotificationClient.appx	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\cloud_secured.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\eu-es\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\share_icons2x.png	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\it-it\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_hi.dll	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\uk-ua\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\how_to_back_files.html	d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exe

pid process

4836 msedge.exe
4836 msedge.exe
3500 msedge.exe
3500 msedge.exe
2212 identity_helper.exe
2212 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe
4836 msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4836 wrote to memory of 2188	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 2188	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4712	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3500	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 3500	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe
PID 4836 wrote to memory of 4420	4836	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe
"C:\Users\Admin\AppData\Local\Temp\d16518abb5dc4d76f4f423d02b0b8c99fe5edb89edf3c60ca64ebb2a6879a15e.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:3816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\how_to_back_files.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc43e646f8,0x7ffc43e64708,0x7ffc43e64718
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2320 /prefetch:2
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1968,2226215663867738658,11401381910204110635,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3368

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4d686809520430031d6ecf2c8de5f735

SHA1
64e3932e857e1b34077e1b7793f40ad35abaf6b8

SHA256
c5f61a0a6d91e818e9ada3e527de4a5975767d6425823b33ea107cec0c99874b

SHA512
8a5adfc8d90f0752672879cf18f55be8e80e36e2a7bdf281ee3967f9953413dc31c33a0b52ada169c3f628896a28caba1769d8d33874903260ad6c8d5a925e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41a956b8833f6f1819d91f859b1e7173

SHA1
9c213de6892f06a3698b3a2e30c70183b74ac958

SHA256
40a93cddb9b18b42942d2312fa71537d2dc5499e2e93aba30f115550c2360503

SHA512
3320cd34edb38b790b4fa152cc52d353c6cbd817b4d6ffe307c67387e433ee7fad44c5cb9f41c1530bdb9791e012428972e08a772f02121ad1f5a75bb3faddfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0bb23fd6f1e1507c838d95dbe9f683eb

SHA1
7e2b91b1b99ad5902926291ddd7b7e9f74f37f82

SHA256
e9b54c3aecc5e1a0769156c9c273fd2d21e6c734fe1d45ac330403bc52ee7698

SHA512
2bf42557b3d62b34a7d4773905ca377bf0150e6b298977fc15f91db1c3ff7efd1b3b5727ec889d39a55c8c974a6703047fe6a52d0c616c71e2aa225297d4213d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff819770b66e84eb720d9ec676842248

SHA1
337a3f7d9d60277adf5f1873506eb381aa755569

SHA256
650b58d0fd1167528f9d43e2cd1ab09175d07d6086843426b0b865e13d7c1b0f

SHA512
59472c267bdaf0f960e7216a4b50651e12bed47344736b79c96e99493caaf1b5d1bb08d624c684d03f300a2c662152b1b060b61acf7dafe33a679fb1ebdff771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0ea195b890a87594deb9c6aa963c1426

SHA1
4065f3fe0b70940a968f2ca342bac336be048082

SHA256
c51961b927f80537702a7ff5f77501c1e088cbfcc22199675400ea88876f4ef9

SHA512
59ae3e1e530b5c081089ee615fb5d227a1964068bcda421de1319e958438353bbed8ca275897deb097a564a6a60400e1faf6c3e1aa5764d1fbba15bdc1d9ddf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ab2e589ca6f75373d9ee07ad5d0dc22

SHA1
f699616bf60b1bb45eb762945dd4c1b186bcb0fa

SHA256
578a30311d17e17973d6f1e5b240f10a9b0b7d8455a2c8a95d11b32661d74855

SHA512
034d01bde15a1d76d03735d9e9feb6cd4a49d709a1806c2f8467a8894591a0948e5c4e56ae2153b6cdfe4e285ac80e49b8271f4a73a5f2d474e6842fa43df56e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8fb10be508c36813d1dce6cbc6cceef0

SHA1
6a9f8e153701dcabfcd741ba32da31d1f59020e6

SHA256
ae70787d76d495d7b40d675e4b501e8d867c587a49857aad276b3562777466dc

SHA512
07ce6635bad054a6aaf682a01005cfe35e7bd5cfe6deb69974c9fbf9bd722c63aabfad054dcae8e7a3392451ffe00e0d21c5e44a3390a4404b09e8a330940685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
55e5745276f34d4f9c1b10b82d94688a

SHA1
c85478847020a40233f061187405a48973f778b1

SHA256
a176b11a3cf5926ac75f602fd9eba1840d4799ea7d45836f14a34b09cb2cd2b5

SHA512
ef573cd51bd1280a80bf0144f3e327d960ea7410234ca7117e4ccff1f8b0557ddf58041441732168f8776999478b83833a7b0eac1006a1b3f414232ea560b6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
db0487e01df0e9160876d75ce52548f6

SHA1
56e9fcf5c462651bf3d9d7e29723dd1163be579c

SHA256
5bef4209481e6d296d07a07c5980c144af4fb1cb66a24d36dc205841819bf308

SHA512
d84907d9df8050d82b3c32357a5f34de28c222de9793967ae0223c90e2a984b6ea570d56d84cf53c452719a79a7b5ee5a82f2e25b4656062ff5b86cc16ccefaf

Download Submit
C:\Users\Public\Desktop\how_to_back_files.html

Filesize
5KB

MD5
292d5656c32c99c1e4f5500b51e66620

SHA1
5fd9d4960cf2bf1270b61a4e2ee62e10f15e4cc6

SHA256
b616b768f697e55eece513f78921ddd364770647e37e49e0768570655696bfc4

SHA512
3316909191f292006da000cc4c2d411410b8741e49196352f2143a85cab866882a78eb064baa82df02314970bfff5ac5bee137148e4334bd508d4efef735bb9c

Download Submit
C:\Users\Public\Videos\how_to_back_files.html

Filesize
5KB

MD5
292d5656c32c99c1e4f5500b51e66620

SHA1
5fd9d4960cf2bf1270b61a4e2ee62e10f15e4cc6

SHA256
b616b768f697e55eece513f78921ddd364770647e37e49e0768570655696bfc4

SHA512
3316909191f292006da000cc4c2d411410b8741e49196352f2143a85cab866882a78eb064baa82df02314970bfff5ac5bee137148e4334bd508d4efef735bb9c

Download Submit
\??\pipe\LOCAL\crashpad_4836_KWQXLYWCWPBLDIZM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3816-0-0x0000000000400000-0x000000000040EC00-memory.dmp

Filesize
59KB

Download
memory/3816-188-0x0000000000400000-0x000000000040EC00-memory.dmp

Filesize
59KB

Download