locky | b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
Size

169KB
MD5

98562209465bec53327e65649a2b8829
SHA1

3a47656ed3df213bd934aa01078a863568fe9f2b
SHA256

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe
SHA512

c11ce14f9cb75df2bc9bd81971c1f8fa885815715f389eb8e796e0f657de59756b36a6f896c216a03c7be7bb3ddff9b8a47aee71146760e4f4d9c6bdc0ff2cc3
SSDEEP

3072:iFgiMd04bHHr/QFDtaruNyXgs7WL61fXbEiVkYELY2P+gA/PF:UE3bHL/ngsu61kYELNmhF

Score

10^/10

locky evasion ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Favorites\!!Read_Me.3C430.html

Ransom Note

<!DOCTYPE html><h1>#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK</h1>Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: [email protected] Reserve e-mail: [email protected] [email protected] Device ID: AAwX1YjLw4yNyEjLwEDLTR1TYZVTSREL5MTMwYTN5gzM0cDRBNTNGdjR4kTNwUERCZURFJTNzMDOEJzNyQjQ1YDMwU0NCJDNFRTNERUNzEzMBRzNGJ0M5UjN2EDN5QzN2IjQwYjNEljR4ITRBJTRBJERyQjQwQkQ1gTNCdTM4QjR4EjNEZkQ0UUM5EzQ0EUOBR0MEljQwYjNDZjN1ETOzEUN3YERDZTOyADR4UzQBBDN2gDRxUjM2YkQGJDMEZEODRUO0EjN3IEMGFDRwUTOEZDMDJENEFjN3YzMCFUO0kjM5ETMwYUM2E0Q5YDM4YkR3QjNxczQ1EDRzIEMxITM0QjNCJUN5gDRCZUOCRTQ4MUR1EzNGBjQDZ0MxITNxcjQ2IzM5UUMFNUOzQzN1kDOCJTM5kzN0QzQ4cjQwI0Q3cjR3gTR2QkMwEUN1kDMBlTMEBjRDlTODdTOER0M2I0N2MTQ1YjR5gDMEdjRyIUMxQkRxEEO0ATODZjR5UTRzMkRDJjQ5IkNyUTNwITO5kTOxITRFJzQDhzMxgTN5ETR3U0Q3MkM4cDNEFkN2AzMGVDN2UTO5QTNxUUR3UDN4MzN4UTOyQzQ5QkM5MkMDljMzczQGRTRxQUQFhzNFhDR3YjMxETN5IUQ3kjN4MEOBhTO2IkRDJjRxIjR0MTMENTO4Q0NCJTRwQjQ4MkNCZEOFJUNwQUQ3YUNCNUOFVEM1EER2MkR5MjN3YTMFFEM1YjMxMUREZTRwIjRzEEO0IjN1AzMxU0QzETMFJUOxATMFFENzMjM0EUR0IEN4UTMxETRENDNGJEM4IjRyQDO4YTODFzN5Y0MDBTR5MTMBRzN4QUM0YTQxQDNDRzQDJEMwUERCZzMDNzQxYTMwIDRCVTQ5QUN5UUR3I0MChzQxQzQCJER5MEO1MjMFVUQ3QjQ4EzQGZTMERjR1czNxIkRxMEN5ITQBlDOxkTQycjMCVERxIjMzU0MzEjQzgjQzIDRFZUR3YUQDFDOyIjMxkTQ0IEO5IEM0EENwgTO5ETM1AjQChTO1gjMFVUREJzNDZUOGZUQ3MzQDFjM5gDN4gDM1EzQCRTO3YERyYkN1cTQ0YURCF0QzEDNCRER2YkQ5UjNDFjR1QDN4czQFFDNGdjMzkzQ3kTQDZDODZTM5UDRBhzQ2UTQwgDMDJDMCNUODF0MxgjN0MDO4QDO2QkM1cTQEFEOxI0M5AzM1QzMycTQFFTOENUNGBjNFZUR1UjM5IUMwkTN5QUN3MEN4MENxgDO1UkR4EENygjRwgTODNzQykTQ1UjRxMUR4UjMCZUQ2kjNzkzQEFkMDBzQ0EEO4MUM4EEN0IUOBRzQ0gjRChDR1EjQ3MzNBhTR1gTNEJDOyEkM5gjMBRTOxYTQ5cjQ1wCM2UjN2MUMwkDN5kDN2ADN5EUN3cjNFFUREJDN5ETNxMzNGhzN3UjR5UUNFV0Q1QjM2UkR1ETQBVUOEJDNFBjR3QzQ1MERGRzNzYkNDVkR4QjQDhjNzkDOFFzN5YDMBNkN1ETN5QzQBJjQ4YzQ0ITRDRjQzYENxYDMzADO3UjREZjN4IjNyQjR1QTQDVTRGljRzIEN2cjN0ITN2gTR2gTRwMUN2QTNFRURDZUNFFkR1IzQBdjRCdTOERENwIzQFhjRFV0QwgzNBdTQ3UkQCNTM0UUQ2gDRCVUQ5MUR5kzN5cTN0czMCJER2ATNxQEOwIzMBFEO4IERzIzQ2QzMDFjQ2QzN5ITRyUkQ5UTQ1kTQ3cTN4cDNDVjQxMkM0QTNwQERyUkR4kTMGhDMxQDNwIEO4UkQ0UUN5cTOBVTQwIEOGNjN4EzMGljN2UjN1IzQEFUM0ITN2MjM0QTMwATRFRDN3cDNwE0NzEzMxYkQCZjQyQjN0QEMxMjQxATO1IkMFJDOxQTNDBDOCZUQEFEO5YDNFRTMEFTR0MDMDBDM2IzQGVEMCBTMxIENDVzNERTRxkDMGJjRzAjNDljMCdTQCNzMxUUO4IzM5QzNCFTQGBTMFRkQ5IDOGFUR2AjRGZEM5ETN5QERFRDRzUkQ3QkR0UUR0ADOwYTNBFTOGhDRyM0NyIURzUDRCVzMFZUN2QENCVDNBNjM0YkQxEzM5AzN1QkR1gDMDBzMCdDR0ITRyITRGFjMEZzNCdTM3QTM0IkQ2kjN2gzM0MkQElDO3IDRyEjNDR0MGZzQyATNzYTOBJzNDRjQFlDMxcjM4EjMDZzMENkQFdTMycjQxIEM1gDN2IjQFVUQyY0N1QTRykDM4MUQwYEMDJzM0I0N3UUQzMEOERTMCZDMzUEO5Y0NCNTR5MjQ4QjQDJzNClzM4I0N5MTQxUUMyEUN5IkQFNDR0MkQ5UUR3IjN0M0NxEDOxQkR0QjRxUDMFdTOGFUOzkDM1UjN2MjQGFUQ5cTRxUUQ1IkNDlDM0MjQBZzNDNkM0M0NFBTM0Y0QEFzNxUEO3IDR0YjRFJTOxQTNFVkQ1ADOwIDMDVEO0IjNzMTRCZDNykTNCRTOChTN4EDR5QkNxAzNFNEOwkTMxYERzQDM1MkQ4gjQ1ETO0EENGF0N0czNDFkN1MENBVTR1gjMzETMEN0NDBDO5MEOBRjMERDM3MzMzcTNzATMxM0M4IERCNDRFFTOxUUQ4YDN2YTM2MTO3M0QGNzM4EEOyUkMEJUM3QUR3YkN4IzN5UDRDFjQBlTOBJTQ3I0QFJ0M1M0MyQUM1QURyMUOChzQwUDOGFkQ1U0N1gjNDJjN1EDO2QjMEJ0Q5ITOCJDO

Emails

[email protected]

e-mail: [email protected] [email protected] Device

Extracted

Path

C:\Users\Admin\Desktop\!!Read_Me.3C430.html

Ransom Note

#ALL YOUR FILES ARE ENCRYPTED AND STOLEN BY RAGNAROK Dear Sir Your files are encrypted with RSA4096 and AES encryption algorithm. But don't worry, you can return all your files!! follow the instructions to recover your files Cooperate with us and get the decrypter program as soon as possible will be your best solution. Only our software can decrypt all your encrypted files. What guarantees you have? We take our reputation seriously. We reject any form of deceptionYou can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain any valuable information. When hiring third-party negotiators or recovery companies. listen to what they tell you. try to think. Are they really interested in solving your problems or are they just thinking about their profit and ambitions? By the way.We have stolen lots of your company and your private data which includes doc,xls,pdf,jpg,mdf,sql,pst... Here we upload sample files of your company and your private data on our blog : http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion We promise that if you don't pay within a week, we will package and publish all of your company and your data on our website. We also promise we can decrypt all of your data and delete all your files on internet after your payment. Such leaks of information lead to losses for the company. fines and lawsuits. And don't forget that information can fall into the hands of competitors! For us this is just business and to prove to you our seriousness. Our e-mail: [email protected] Reserve e-mail: [email protected] [email protected] Device ID: AAwX1YjLw4yNyEjLwEDLTR1TYZVTSREL5MTMwYTN5gzM0cDRBNTNGdjR4kTNwUERCZURFJTNzMDOEJzNyQjQ1YDMwU0NCJDNFRTNERUNzEzMBRzNGJ0M5UjN2EDN5QzN2IjQwYjNEljR4ITRBJTRBJERyQjQwQkQ1gTNCdTM4QjR4EjNEZkQ0UUM5EzQ0EUOBR0MEljQwYjNDZjN1ETOzEUN3YERDZTOyADR4UzQBBDN2gDRxUjM2YkQGJDMEZEODRUO0EjN3IEMGFDRwUTOEZDMDJENEFjN3YzMCFUO0kjM5ETMwYUM2E0Q5YDM4YkR3QjNxczQ1EDRzIEMxITM0QjNCJUN5gDRCZUOCRTQ4MUR1EzNGBjQDZ0MxITNxcjQ2IzM5UUMFNUOzQzN1kDOCJTM5kzN0QzQ4cjQwI0Q3cjR3gTR2QkMwEUN1kDMBlTMEBjRDlTODdTOER0M2I0N2MTQ1YjR5gDMEdjRyIUMxQkRxEEO0ATODZjR5UTRzMkRDJjQ5IkNyUTNwITO5kTOxITRFJzQDhzMxgTN5ETR3U0Q3MkM4cDNEFkN2AzMGVDN2UTO5QTNxUUR3UDN4MzN4UTOyQzQ5QkM5MkMDljMzczQGRTRxQUQFhzNFhDR3YjMxETN5IUQ3kjN4MEOBhTO2IkRDJjRxIjR0MTMENTO4Q0NCJTRwQjQ4MkNCZEOFJUNwQUQ3YUNCNUOFVEM1EER2MkR5MjN3YTMFFEM1YjMxMUREZTRwIjRzEEO0IjN1AzMxU0QzETMFJUOxATMFFENzMjM0EUR0IEN4UTMxETRENDNGJEM4IjRyQDO4YTODFzN5Y0MDBTR5MTMBRzN4QUM0YTQxQDNDRzQDJEMwUERCZzMDNzQxYTMwIDRCVTQ5QUN5UUR3I0MChzQxQzQCJER5MEO1MjMFVUQ3QjQ4EzQGZTMERjR1czNxIkRxMEN5ITQBlDOxkTQycjMCVERxIjMzU0MzEjQzgjQzIDRFZUR3YUQDFDOyIjMxkTQ0IEO5IEM0EENwgTO5ETM1AjQChTO1gjMFVUREJzNDZUOGZUQ3MzQDFjM5gDN4gDM1EzQCRTO3YERyYkN1cTQ0YURCF0QzEDNCRER2YkQ5UjNDFjR1QDN4czQFFDNGdjMzkzQ3kTQDZDODZTM5UDRBhzQ2UTQwgDMDJDMCNUODF0MxgjN0MDO4QDO2QkM1cTQEFEOxI0M5AzM1QzMycTQFFTOENUNGBjNFZUR1UjM5IUMwkTN5QUN3MEN4MENxgDO1UkR4EENygjRwgTODNzQykTQ1UjRxMUR4UjMCZUQ2kjNzkzQEFkMDBzQ0EEO4MUM4EEN0IUOBRzQ0gjRChDR1EjQ3MzNBhTR1gTNEJDOyEkM5gjMBRTOxYTQ5cjQ1wCM2UjN2MUMwkDN5kDN2ADN5EUN3cjNFFUREJDN5ETNxMzNGhzN3UjR5UUNFV0Q1QjM2UkR1ETQBVUOEJDNFBjR3QzQ1MERGRzNzYkNDVkR4QjQDhjNzkDOFFzN5YDMBNkN1ETN5QzQBJjQ4YzQ0ITRDRjQzYENxYDMzADO3UjREZjN4IjNyQjR1QTQDVTRGljRzIEN2cjN0ITN2gTR2gTRwMUN2QTNFRURDZUNFFkR1IzQBdjRCdTOERENwIzQFhjRFV0QwgzNBdTQ3UkQCNTM0UUQ2gDRCVUQ5MUR5kzN5cTN0czMCJER2ATNxQEOwIzMBFEO4IERzIzQ2QzMDFjQ2QzN5ITRyUkQ5UTQ1kTQ3cTN4cDNDVjQxMkM0QTNwQERyUkR4kTMGhDMxQDNwIEO4UkQ0UUN5cTOBVTQwIEOGNjN4EzMGljN2UjN1IzQEFUM0ITN2MjM0QTMwATRFRDN3cDNwE0NzEzMxYkQCZjQyQjN0QEMxMjQxATO1IkMFJDOxQTNDBDOCZUQEFEO5YDNFRTMEFTR0MDMDBDM2IzQGVEMCBTMxIENDVzNERTRxkDMGJjRzAjNDljMCdTQCNzMxUUO4IzM5QzNCFTQGBTMFRkQ5IDOGFUR2AjRGZEM5ETN5QERFRDRzUkQ3QkR0UUR0ADOwYTNBFTOGhDRyM0NyIURzUDRCVzMFZUN2QENCVDNBNjM0YkQxEzM5AzN1QkR1gDMDBzMCdDR0ITRyITRGFjMEZzNCdTM3QTM0IkQ2kjN2gzM0MkQElDO3IDRyEjNDR0MGZzQyATNzYTOBJzNDRjQFlDMxcjM4EjMDZzMENkQFdTMycjQxIEM1gDN2IjQFVUQyY0N1QTRykDM4MUQwYEMDJzM0I0N3UUQzMEOERTMCZDMzUEO5Y0NCNTR5MjQ4QjQDJzNClzM4I0N5MTQxUUMyEUN5IkQFNDR0MkQ5UUR3IjN0M0NxEDOxQkR0QjRxUDMFdTOGFUOzkDM1UjN2MjQGFUQ5cTRxUUQ1IkNDlDM0MjQBZzNDNkM0M0NFBTM0Y0QEFzNxUEO3IDR0YjRFJTOxQTNFVkQ1ADOwIDMDVEO0IjNzMTRCZDNykTNCRTOChTN4EDR5QkNxAzNFNEOwkTMxYERzQDM1MkQ4gjQ1ETO0EENGF0N0czNDFkN1MENBVTR1gjMzETMEN0NDBDO5MEOBRjMERDM3MzMzcTNzATMxM0M4IERCNDRFFTOxUUQ4YDN2YTM2MTO3M0QGNzM4EEOyUkMEJUM3QUR3YkN4IzN5UDRDFjQBlTOBJTQ3I0QFJ0M1M0MyQUM1QURyMUOChzQwUDOGFkQ1U0N1gjNDJjN1EDO2QjMEJ0Q5ITOCJDO

Emails

[email protected]

URLs

http://wobpitin77vdsdiswr43duntv6eqw4rvphedutpaxycjdie6gg3binad.onion

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

548 bcdedit.exe
3776 bcdedit.exe
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Processes:

netsh.exe

pid process

3016 netsh.exe

pid	process
548	bcdedit.exe
3776	bcdedit.exe

pid	process
3016	netsh.exe

Drops file in Program Files directory 1 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Configuration\configuration.sqlite	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4632 vssadmin.exe

pid	process
4632	vssadmin.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3080	taskkill.exe
2272	taskkill.exe
1208	taskkill.exe
4940	taskkill.exe
3892	taskkill.exe
3972	taskkill.exe
3108	taskkill.exe
4776	taskkill.exe
5024	taskkill.exe
4416	taskkill.exe
3364	taskkill.exe
5052	taskkill.exe
3888	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3420 PING.EXE

pid	process
3420	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
392	msedge.exe
392	msedge.exe
880	msedge.exe
880	msedge.exe
1540	identity_helper.exe
1540	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

880 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe
880 msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

WMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: 36	2492	WMIC.exe
Token: SeBackupPrivilege	4372	vssvc.exe
Token: SeRestorePrivilege	4372	vssvc.exe
Token: SeAuditPrivilege	4372	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2492	WMIC.exe
Token: SeSecurityPrivilege	2492	WMIC.exe
Token: SeTakeOwnershipPrivilege	2492	WMIC.exe
Token: SeLoadDriverPrivilege	2492	WMIC.exe
Token: SeSystemProfilePrivilege	2492	WMIC.exe
Token: SeSystemtimePrivilege	2492	WMIC.exe
Token: SeProfSingleProcessPrivilege	2492	WMIC.exe
Token: SeIncBasePriorityPrivilege	2492	WMIC.exe
Token: SeCreatePagefilePrivilege	2492	WMIC.exe
Token: SeBackupPrivilege	2492	WMIC.exe
Token: SeRestorePrivilege	2492	WMIC.exe
Token: SeShutdownPrivilege	2492	WMIC.exe
Token: SeDebugPrivilege	2492	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2492	WMIC.exe
Token: SeRemoteShutdownPrivilege	2492	WMIC.exe
Token: SeUndockPrivilege	2492	WMIC.exe
Token: SeManageVolumePrivilege	2492	WMIC.exe
Token: 33	2492	WMIC.exe
Token: 34	2492	WMIC.exe
Token: 35	2492	WMIC.exe
Token: 36	2492	WMIC.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	1208	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	5052	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe
880	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3912 wrote to memory of 3144	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 3144	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 3320	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 3320	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4092	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4092	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 2192	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 2192	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4924	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4924	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3320 wrote to memory of 2492	3320	cmd.exe	WMIC.exe
PID 3320 wrote to memory of 2492	3320	cmd.exe	WMIC.exe
PID 3144 wrote to memory of 4632	3144	cmd.exe	vssadmin.exe
PID 3144 wrote to memory of 4632	3144	cmd.exe	vssadmin.exe
PID 4092 wrote to memory of 548	4092	cmd.exe	bcdedit.exe
PID 4092 wrote to memory of 548	4092	cmd.exe	bcdedit.exe
PID 2192 wrote to memory of 3776	2192	cmd.exe	bcdedit.exe
PID 2192 wrote to memory of 3776	2192	cmd.exe	bcdedit.exe
PID 4924 wrote to memory of 3016	4924	cmd.exe	netsh.exe
PID 4924 wrote to memory of 3016	4924	cmd.exe	netsh.exe
PID 3912 wrote to memory of 768	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 768	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 768	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4596	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4596	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4596	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4220	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4220	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4220	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4460	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4460	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4460	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 2572	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 2572	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 2572	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4188	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4188	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4188	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4160	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4160	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4160	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4576	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4576	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4576	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 5096	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 5096	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 5096	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 448	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 448	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 448	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4944	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4944	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4944	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4728	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4728	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4728	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4144	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4144	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 3912 wrote to memory of 4144	3912	b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe	cmd.exe
PID 5096 wrote to memory of 5024	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 5024	5096	cmd.exe	taskkill.exe
PID 5096 wrote to memory of 5024	5096	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 3364	4596	cmd.exe	taskkill.exe
PID 4596 wrote to memory of 3364	4596	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
"C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4632

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c wmic shadowcopy delete /nointeractive
2⤵
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete /nointeractive
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} bootstatuspolicy ignoreallfailures
2⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:548

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit /set {current} recoveryenabled no
2⤵
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\system32\bcdedit.exe
bcdedit /set {current} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:3776

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c netsh advfirewall set allprofiles state off
2⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:3016

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im note*
2⤵
PID:768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im note*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im tomcat*
2⤵
PID:4160

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im tomcat*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im mys*
2⤵
PID:4144

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im mys*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im post*
2⤵
PID:4728

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im post*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im vee*
2⤵
PID:4944

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im vee*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im python*
2⤵
PID:448

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im python*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im java*
2⤵
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im java*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im apache*
2⤵
PID:4576

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im apache*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im sql*
2⤵
PID:4188

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sql*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im Exchange*
2⤵
PID:2572

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Exchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3972

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im excel*
2⤵
PID:4460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im excel*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3892

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im winword*
2⤵
PID:4220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im winword*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im powerpnt*
2⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im powerpnt*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 127.0.0.1>nul & del /q C:\Users\Admin\AppData\Local\Temp\b5466ce462df16b3a29f22192b1291d70479cacf35bd5e937f35b2567da948fe.exe
2⤵
PID:1556

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\!!Read_Me.3C430.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8640446f8,0x7ff864044708,0x7ff864044718
2⤵
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9654966756379403102,10511398174785863725,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
db9dbef3f8b1f616429f605c1ebca2f0

SHA1
ffba76f0836c024828d4ff1982cc4240c41a8f16

SHA256
3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1

SHA512
4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0e770f78-67cf-4612-bd82-24105ff37c59.tmp
Filesize
24KB

MD5
6dcb90ba1ba8e06c1d4f27ec78f6911a

SHA1
71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9

SHA256
30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416

SHA512
dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
939780e3cdde761b8207301d327786f0

SHA1
4055c96aeab4a42c7eaf4e52684fc4e9a659913e

SHA256
6c95916f3d6ef260129a782c177e2ef007584ae3f45762686599634b970e4d4c

SHA512
f706b4571a20e30b9bcb952cf508ee73ab59d1a70dd9e1ecc110fd7863061407817212abc4524c717a14b8b61f6ecbce84ceb657ba99a176e23a9b6f49e60576

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4caf81896022e43841f496b29af7c766

SHA1
1d8ba1f6bd08f7aa92a5785a5cb3b3590789f261

SHA256
1b6f67630a28c2d90d6829db6b6734f0659043a02f6869e4e7b1a7acacec51cc

SHA512
456312f659738999d48797ec71a5a88c4af2536d370b3433e646f53becc6c1373fc502019c9fa274ad94e37065c4543f5731267d5bf5d4fa0edf30f796e469d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
aa3d9e4480b4284370d385e6a60de9f4

SHA1
ec4e8b0c144a1aabe9bc60e15d2357e7985ff257

SHA256
478f0744cda0bd9721c84ffb4aa80a71fd5e3c8e24c39792fcaef94ce61f85a8

SHA512
ad3fa0ad03df52cef75f0aed8fd9bf3e8b9d5fef94c63458ae70a29db6cbc2e955a22e8b830b4bdd5cdac9ddae0c9d532fafb5e69a1fd1162abf61867e153efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c5f8a101262aae211c6825531b5c27fa

SHA1
67fee464915e3260d9c7962c92e82e07d53b56cd

SHA256
8d03f6fcbca169a0ee6ad2ce5166d2e3243d6936b9ebaa580b3c6071008f66a9

SHA512
51acb12beac6d59cb68a8b1848d563f8ebddc6562bd5560e25a0176a0c3ed2b7de6a196f848595684b0a1aa1a9f4515429387e869079d0b1788410059864819a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
6e2276a23cf05bc731b064bc529ff907

SHA1
9d17dbb21adbe51515767757de1686c755340b4a

SHA256
b198bce8739a23af69ded3a17a21f89dbcb6925f9cbdb3fe008cca012438797c

SHA512
9c305de2573dbea60b0538f7ff01dee0bcca122ad8b6ce95874f282df60e42d2073096e322c0836d5ebb5a2a6d938d0c67d378c2f2bca6e0a0926f254178b6b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
3572e75ad30846b79c00688dbf93e4a6

SHA1
8b149edd993ac7f01c201f6aabca36467aab2afe

SHA256
45ef3ed9932ed22cbcdb5331beef0d7afcc884ddb7b682bc683bd7e3e4c54f6a

SHA512
bcf9747ef0920e7f5f84d9e71fabd96cbd19da8ab14358df3340de8e5bcb1e1ab624a73a2b8908bb9c5d09bb55df61f873fb7c4582731f815b295dac8ac4ade5

Download Submit
C:\Users\Admin\Desktop\!!Read_Me.3C430.html
Filesize
4KB

MD5
ac57a3e6cfc5509927e6a1835d0d6491

SHA1
9c5b5a7db69031d96a49bb67868223caa9e146f8

SHA256
3896acc659853879c41ba9a261cf3e84bee41391f9df8e9e5b48cd0b32e2bc6c

SHA512
1c4e92c7215836e31b01ee3d77eef8a86adf265346e4953fc93a6d24b532f42aa8cb81ef762642a9f220884cb0a50059bbb7b2240b244352e1687d145839cf81

Download Submit
C:\Users\Admin\Favorites\!!Read_Me.3C430.html
Filesize
4KB

MD5
ac57a3e6cfc5509927e6a1835d0d6491

SHA1
9c5b5a7db69031d96a49bb67868223caa9e146f8

SHA256
3896acc659853879c41ba9a261cf3e84bee41391f9df8e9e5b48cd0b32e2bc6c

SHA512
1c4e92c7215836e31b01ee3d77eef8a86adf265346e4953fc93a6d24b532f42aa8cb81ef762642a9f220884cb0a50059bbb7b2240b244352e1687d145839cf81

Download Submit
\??\pipe\LOCAL\crashpad_880_FGGOKKLJAXBVXDGK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3912-0-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download