locky | bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

General

Target

Locky.exe
Size

180KB
MD5

b06d9dd17c69ed2ae75d9e40b2631b42
SHA1

b606aaa402bfe4a15ef80165e964d384f25564e4
SHA256

bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3
SHA512

8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c
SSDEEP

3072:gzWgfLlUc7CIJ1tkZaQyjhOosc8MKi6KDXnLCtyAR0u1cZ86:gdLl4wkZa/UDiD7ukst1H6

Score

10^/10

locky ransomware

Malware Config

Signatures

Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1141987721-3945596982-3297311814-1000\{DB7D0851-2AAA-493B-9834-86182E612575}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exemsedge.exemsedge.exemsedge.exe

pid	process
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
2656	msedge.exe
2656	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
3348	msedge.exe
3348	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
3384	msedge.exe
3384	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3348 msedge.exe
3348 msedge.exe
3348 msedge.exe

pid	process
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1656	taskmgr.exe
Token: SeSystemProfilePrivilege	1656	taskmgr.exe
Token: SeCreateGlobalPrivilege	1656	taskmgr.exe
Token: 33	1656	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1656	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
1656	taskmgr.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
3348	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
1656	taskmgr.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
3348	msedge.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe
1656	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3348 wrote to memory of 4348	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4348	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 692	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 2656	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 2656	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe
PID 3348 wrote to memory of 4888	3348	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Locky.exe
"C:\Users\Admin\AppData\Local\Temp\Locky.exe"
1⤵
PID:3372

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" "https://www.bing.com/search?q=Locky.exe Locky.exe (32 bit)"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc829646f8,0x7ffc82964708,0x7ffc82964718
2⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:1
2⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3548 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,5364932479546412623,5990931600198357315,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3368 /prefetch:8
2⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Locky.exe
"C:\Users\Admin\AppData\Local\Temp\Locky.exe"
1⤵
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4d25fc6e43a16159ebfd161f28e16ef7

SHA1
49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4

SHA256
cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5

SHA512
ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1d0fa6c0-d21f-432a-ac41-fb57e78369ec.tmp
Filesize
5KB

MD5
d01efa81280d770fa1167bb862a359e0

SHA1
cc6b987b9eba2f0a70d18f71579972fa48c8ea74

SHA256
1ed03784ef73d84e1596fb983d1b2ae46b1973ecd5b16ef860d5f0caa10feed8

SHA512
f2e8606ccce1decc249f669cf8be2ac507bc38488c9db0911ee4073863fc7f4c097c4b2f16427a5c7c3ae43e5763d1c460821b69cae258280f71e81cbeabdbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
581313e6bf50812c952bae0abfea4148

SHA1
0ce10ded4babe1c7a37cfdb5a7af3d951731f2d2

SHA256
f97375ea34564e694aa6a4bb5e26818c7b50ec6bab4cf743ebf45c68d58b702e

SHA512
50ffa302e1414f504fd0cc51099df260b7b7da997e053a2a6ae9aaeb5836a57f1ac3fb2154b19cfd19d1c9c8f7d3d599a17c0ca46704269c2367dc7a6f5c8bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
396B

MD5
3018569d745863d607c5555dff3e02fa

SHA1
952f887b8f005a49b6791cfda5412c15f5ae7a6c

SHA256
5fdf1e5665121e65621a4a9585688033fda56a94ab19acf5ef859521bef69cf4

SHA512
9bda8e1cff6ac7f44013f49313aa09569c78d618f3338ecb0c944e6a520739f85e3ded554be77eb0a06eb82a9a3ece23a9a5034d7f275b68d439d87c51f6327c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b8d6d38b3c7a4731734ebe331a53c438

SHA1
5126829f75d3c2a1822444a69d626fcd10e9414d

SHA256
c26b2689f87314dff02513f739dbc0ee006b7ff502403e8c31866630ac33175c

SHA512
d48760997c2cd94b028877b3dd546fac8775b42e1c19af77e4ca5ad4d5ca6e27578ae3d604a5be779b780cbc7230be7502add4c260a3bbca06c417143ea8a96c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
d7fc3bba51e07f5e716ba479c11a7a64

SHA1
d64093e3a541ea92382f968d532958436cfab1a5

SHA256
7281a477fe2ded08adc3f997c1763199dc6e40d3b2d665e95e42edec9b46cb0f

SHA512
00eb7511c75c091036bba900d8bbee150e782f9d3b2e23cc4b0f581ef1ae431a81718f7a1cca1fbb808137cde2d19521cdfe3c493c4a4a3a8065bd646ff096e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
3722a247a55a210a9f6dab4b50172b0b

SHA1
4241bd4a7de0fe1a29bea8f5c350a8b78b78beb0

SHA256
62cfc65fdb9837d89f9506277a65aadf7f123f62bc8ad8a91421aa83a147edeb

SHA512
a10621c0e7962c4eea8f444819769bba546e88b150c39e910d0b9a917e3ce85b996a03df2e1140a599fe02c355ffebdf990ce98ba92bcb1e4f62de8c235e4942

Download Submit
\??\pipe\LOCAL\crashpad_3348_ALDCTZGAWNSWKKIO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/212-225-0x0000000000860000-0x0000000000864000-memory.dmp

Filesize
16KB

Download
memory/1656-12-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-10-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-14-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-3-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-4-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-2-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-8-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-13-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-9-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/1656-11-0x000001D3DCEB0000-0x000001D3DCEB1000-memory.dmp

Filesize
4KB

Download
memory/3372-0-0x0000000000D80000-0x0000000000D84000-memory.dmp

Filesize
16KB

Download
memory/3372-1-0x0000000000D80000-0x0000000000D84000-memory.dmp

Filesize
16KB

Download
memory/3372-223-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/3372-48-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/3372-226-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/3372-228-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads