gandcrab | d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0

Analysis

max time kernel
102s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2023 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

o.exe
Size

183KB
MD5

07fadb006486953439ce0092651fd7a6
SHA1

e42431d37561cc695de03b85e8e99c9e31321742
SHA256

d77378dcc42b912e514d3bd4466cdda050dda9b57799a6c97f70e8489dd8c8d0
SHA512

5b09a07371bb5350b22c78aa3e7e673ba61ce72a964e072749a4633e2c15f416c05953cc6e6f6c586df010aa7f2c9c0ab87a014e4f732e5fdb2d58778a1fb437
SSDEEP

3072:Ealy19emgKe0QuYS3UmWuDTEltI3S/7IarDrjCgrQp0M7W:EaqxxDwx/7IS40MS

Score

10^/10

gandcrab backdoor ransomware spyware stealer

Malware Config

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (279) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

o.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation o.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	o.exe

Drops startup file 2 IoCs

Processes:

o.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\GSLPY-DECRYPT.html	o.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\10c27aff10c27d1251b.lock	o.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

o.exe

description	ioc	process
File opened (read-only)	\??\Z:	o.exe
File opened (read-only)	\??\A:	o.exe
File opened (read-only)	\??\B:	o.exe
File opened (read-only)	\??\J:	o.exe
File opened (read-only)	\??\K:	o.exe
File opened (read-only)	\??\R:	o.exe
File opened (read-only)	\??\X:	o.exe
File opened (read-only)	\??\V:	o.exe
File opened (read-only)	\??\E:	o.exe
File opened (read-only)	\??\H:	o.exe
File opened (read-only)	\??\I:	o.exe
File opened (read-only)	\??\P:	o.exe
File opened (read-only)	\??\Q:	o.exe
File opened (read-only)	\??\T:	o.exe
File opened (read-only)	\??\L:	o.exe
File opened (read-only)	\??\O:	o.exe
File opened (read-only)	\??\U:	o.exe
File opened (read-only)	\??\W:	o.exe
File opened (read-only)	\??\Y:	o.exe
File opened (read-only)	\??\G:	o.exe
File opened (read-only)	\??\M:	o.exe
File opened (read-only)	\??\N:	o.exe
File opened (read-only)	\??\S:	o.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

o.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\pidor.bmp"	o.exe

Drops file in Program Files directory 39 IoCs

Processes:

o.exe

description	ioc	process
File opened for modification	C:\Program Files\UnregisterExit.xlsx	o.exe
File created	C:\Program Files (x86)\GSLPY-DECRYPT.html	o.exe
File opened for modification	C:\Program Files\SetRestore.xml	o.exe
File opened for modification	C:\Program Files\UninstallRename.wma	o.exe
File opened for modification	C:\Program Files\CopyClear.M2V	o.exe
File opened for modification	C:\Program Files\DisconnectConvert.wps	o.exe
File opened for modification	C:\Program Files\GroupClear.xls	o.exe
File opened for modification	C:\Program Files\LockComplete.gif	o.exe
File opened for modification	C:\Program Files\OptimizeDismount.bmp	o.exe
File opened for modification	C:\Program Files\RequestUninstall.ogg	o.exe
File opened for modification	C:\Program Files\ClosePush.pptx	o.exe
File opened for modification	C:\Program Files\ConfirmHide.xla	o.exe
File opened for modification	C:\Program Files\OptimizeUse.ram	o.exe
File opened for modification	C:\Program Files\StopSearch.xhtml	o.exe
File opened for modification	C:\Program Files\AddRestore.xps	o.exe
File opened for modification	C:\Program Files\JoinCompare.wdp	o.exe
File opened for modification	C:\Program Files\ExpandAssert.csv	o.exe
File opened for modification	C:\Program Files\MergePop.vdx	o.exe
File opened for modification	C:\Program Files\ResetWatch.ex_	o.exe
File opened for modification	C:\Program Files\ResumeHide.js	o.exe
File opened for modification	C:\Program Files\SearchReset.xlt	o.exe
File opened for modification	C:\Program Files\SubmitEdit.asf	o.exe
File opened for modification	C:\Program Files\CheckpointUnpublish.potx	o.exe
File opened for modification	C:\Program Files\ConvertEdit.3gp	o.exe
File opened for modification	C:\Program Files\UnprotectRead.csv	o.exe
File opened for modification	C:\Program Files\RequestDeny.vsx	o.exe
File opened for modification	C:\Program Files\SelectWrite.pptm	o.exe
File opened for modification	C:\Program Files\UpdateSwitch.wmv	o.exe
File opened for modification	C:\Program Files\UseDeny.crw	o.exe
File created	C:\Program Files (x86)\10c27aff10c27d1251b.lock	o.exe
File created	C:\Program Files\10c27aff10c27d1251b.lock	o.exe
File opened for modification	C:\Program Files\NewMeasure.TS	o.exe
File opened for modification	C:\Program Files\ExpandRevoke.wma	o.exe
File opened for modification	C:\Program Files\GetResolve.search-ms	o.exe
File opened for modification	C:\Program Files\WriteSelect.mpv2	o.exe
File created	C:\Program Files\GSLPY-DECRYPT.html	o.exe
File opened for modification	C:\Program Files\ConvertFromSet.wdp	o.exe
File opened for modification	C:\Program Files\CompressMerge.kix	o.exe
File opened for modification	C:\Program Files\ReadRevoke.xhtml	o.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

o.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	o.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	o.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	o.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

o.exemsedge.exemsedge.exeidentity_helper.exe

pid process

1364 o.exe
1364 o.exe
1364 o.exe
1364 o.exe
3060 msedge.exe
3060 msedge.exe
1900 msedge.exe
1900 msedge.exe
3356 identity_helper.exe
3356 identity_helper.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1900 msedge.exe
1900 msedge.exe

pid	process
1364	o.exe
1364	o.exe
1364	o.exe
1364	o.exe
3060	msedge.exe
3060	msedge.exe
1900	msedge.exe
1900	msedge.exe
3356	identity_helper.exe
3356	identity_helper.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

Processes:

wmic.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe
Token: 36	3528	wmic.exe
Token: SeIncreaseQuotaPrivilege	3528	wmic.exe
Token: SeSecurityPrivilege	3528	wmic.exe
Token: SeTakeOwnershipPrivilege	3528	wmic.exe
Token: SeLoadDriverPrivilege	3528	wmic.exe
Token: SeSystemProfilePrivilege	3528	wmic.exe
Token: SeSystemtimePrivilege	3528	wmic.exe
Token: SeProfSingleProcessPrivilege	3528	wmic.exe
Token: SeIncBasePriorityPrivilege	3528	wmic.exe
Token: SeCreatePagefilePrivilege	3528	wmic.exe
Token: SeBackupPrivilege	3528	wmic.exe
Token: SeRestorePrivilege	3528	wmic.exe
Token: SeShutdownPrivilege	3528	wmic.exe
Token: SeDebugPrivilege	3528	wmic.exe
Token: SeSystemEnvironmentPrivilege	3528	wmic.exe
Token: SeRemoteShutdownPrivilege	3528	wmic.exe
Token: SeUndockPrivilege	3528	wmic.exe
Token: SeManageVolumePrivilege	3528	wmic.exe
Token: 33	3528	wmic.exe
Token: 34	3528	wmic.exe
Token: 35	3528	wmic.exe
Token: 36	3528	wmic.exe
Token: SeBackupPrivilege	3372	vssvc.exe
Token: SeRestorePrivilege	3372	vssvc.exe
Token: SeAuditPrivilege	3372	vssvc.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe
1900	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

o.exemsedge.exe

description	pid	process	target process
PID 1364 wrote to memory of 3528	1364	o.exe	wmic.exe
PID 1364 wrote to memory of 3528	1364	o.exe	wmic.exe
PID 1364 wrote to memory of 3528	1364	o.exe	wmic.exe
PID 1900 wrote to memory of 896	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 896	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2824	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 3060	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 3060	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe
PID 1900 wrote to memory of 2312	1900	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\o.exe
"C:\Users\Admin\AppData\Local\Temp\o.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\SysWOW64\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\GSLPY-DECRYPT.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb612e46f8,0x7ffb612e4708,0x7ffb612e4718
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2184,7367951338613690973,13336537775242800300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d5af55f794f9a10c5943d2f80dde5c5

SHA1
5252adf87d6bd769f2c39b9e8eba77b087a0160d

SHA256
43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764

SHA512
2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d987d672bd9376f895d94cc16a7dc5a2

SHA1
20c3b038bd7971506b19cbc3081b248bf37dadd4

SHA256
7564f046d10324cd5d095d5c52e94397fa6b5c7037326b08d91b73e1c7620053

SHA512
d6d806194621ca911bcf456fd24cd9b207ddd4f669202119cac26b19322a75e7b70c75ce6865ee53dfc030bd261de9511d1bb5ae301bbeb964a3ee2902c0c334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
68f6f710806790beca0507fd8461519f

SHA1
e4d133434fc39697b421f434774aeb3cb7671517

SHA256
8cc0117fd3cd0d69bff598088f83fd5355529809c3304df54a164dfa5c351b04

SHA512
e2fd280c4202464fc75e80cfd9d492518a70a1f2b5e3cca5476f77523cc812e85ee5288bfddac6afacb996e3d29bc9256049c1964ced09eb938c0f9bd63e5d1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ea3eb562ae6832a2bf0785ceadcfec6b

SHA1
a55773b14d3350c6fdf9075dda3cba0f8d038247

SHA256
e27b73ea096a878a86c216f6903a35b06353f68379f9c9d000d9a32fe0d4def6

SHA512
a98bc0f24e22535bf59dee45e7aefbccd24ef9ee4bb9c866cb29653bda9bfe714405dabef18260b3209cd542f714df6e04c2d39478b0d22e98019a52b08b1649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bba2a1fe07e851920d796c3ba5e660fb

SHA1
3f3c634653fbf10aaca73598b4572fae6d8bab1f

SHA256
142f2d20191b3ceee34435100e756f527595409261980a9f479a4d8867223d85

SHA512
59557e12f27090e4fa4bdb2bc4b357b03d20c46e28ca684083416a83f9d771f62199a9612eb33efd6f8f54f96b7c9c568da7290abad3df2efe74f72c2b8b1e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\GSLPY-DECRYPT.html

Filesize
64KB

MD5
d0adf0ce158ea1ffd56359448143768c

SHA1
c892c1def10e6b518defe51fae0d6b48710ef675

SHA256
2487ede8a00ae5df50f3fbba8c09030a3fc70e850026a0c0a9dfba1528e27ab8

SHA512
2097e0e2f276a6193761c9923663aaf1711f87ec58e8be0f5d5fc33723ddd2e9c962c7feb2cfc1e3be70a02d7dbcb9421227989ba2c8d4678d65971ac24ebff3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\GSLPY-DECRYPT.html

Filesize
64KB

MD5
d0adf0ce158ea1ffd56359448143768c

SHA1
c892c1def10e6b518defe51fae0d6b48710ef675

SHA256
2487ede8a00ae5df50f3fbba8c09030a3fc70e850026a0c0a9dfba1528e27ab8

SHA512
2097e0e2f276a6193761c9923663aaf1711f87ec58e8be0f5d5fc33723ddd2e9c962c7feb2cfc1e3be70a02d7dbcb9421227989ba2c8d4678d65971ac24ebff3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\GSLPY-DECRYPT.html

Filesize
64KB

MD5
d0adf0ce158ea1ffd56359448143768c

SHA1
c892c1def10e6b518defe51fae0d6b48710ef675

SHA256
2487ede8a00ae5df50f3fbba8c09030a3fc70e850026a0c0a9dfba1528e27ab8

SHA512
2097e0e2f276a6193761c9923663aaf1711f87ec58e8be0f5d5fc33723ddd2e9c962c7feb2cfc1e3be70a02d7dbcb9421227989ba2c8d4678d65971ac24ebff3

Download Submit
C:\Users\Admin\Desktop\GSLPY-DECRYPT.html

Filesize
64KB

MD5
d0adf0ce158ea1ffd56359448143768c

SHA1
c892c1def10e6b518defe51fae0d6b48710ef675

SHA256
2487ede8a00ae5df50f3fbba8c09030a3fc70e850026a0c0a9dfba1528e27ab8

SHA512
2097e0e2f276a6193761c9923663aaf1711f87ec58e8be0f5d5fc33723ddd2e9c962c7feb2cfc1e3be70a02d7dbcb9421227989ba2c8d4678d65971ac24ebff3

Download Submit
F:\$RECYCLE.BIN\GSLPY-DECRYPT.html

Filesize
64KB

MD5
d0adf0ce158ea1ffd56359448143768c

SHA1
c892c1def10e6b518defe51fae0d6b48710ef675

SHA256
2487ede8a00ae5df50f3fbba8c09030a3fc70e850026a0c0a9dfba1528e27ab8

SHA512
2097e0e2f276a6193761c9923663aaf1711f87ec58e8be0f5d5fc33723ddd2e9c962c7feb2cfc1e3be70a02d7dbcb9421227989ba2c8d4678d65971ac24ebff3

Download Submit
\??\pipe\LOCAL\crashpad_1900_CBJKNLLOJJSPDUFJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit