Overview

overview

10

Static

static

10

medusa.exe

windows7-x64

10

medusa.exe

windows10-1703-x64

10

medusa.exe

windows10-2004-x64

10

medusa.exe

windows11-21h2-x64

10

Resubmissions

30-11-2023 10:51

231130-mx5qxsah79 10

29-06-2023 20:59

230629-zs72psfa95 10

29-06-2023 16:29

230629-tzp7ksec27 10

Analysis

  • max time kernel
    181s
  • max time network
    189s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30-11-2023 10:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    medusa.exe

  • Size

    235KB

  • MD5

    f6f120d1262b88f79debb5d848ac7db9

  • SHA1

    1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

  • SHA256

    1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

  • SHA512

    1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

  • SSDEEP

    6144:c5vMUmRTTgwnfeP+Jx1cLNAIyBcc9WrEWUC4wQh/6BeX:/U8Tgufnx1cLNncgQWUUQh/+e

Score
10/10
medusalockerevasionransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

\Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">60352F7E74503AD50DB9DE45F985B4A0747FD2812A3385ECEBB56C750C60B621D795EF0DD16955D20E52921F51111C535368D0622A34A5AC55C280D4EE6B2608<br>F11F02661CDD553E03A2F120D218730CE22D003A9F2FF55205AACFC8A75A15D5ECD1576E628EEF74019C24605989C0317C5A5672CD8EFC27AC9D499EB32C<br>E8A0B4DADEBB8B943A8F5399CB35FF572D0ED1A82CD01604FAAB2F2AC8683E9CE8C9747AB62D6242F63012B9E3D080E4A6D81CAC474AE26BCD4EB271E33B<br>EB387F478EF0F92ADC8D6D45823A259F2CBE7CE643A8809698B2CEC467297DE8E1D5FC8170394CF22ED35BD902104B073A48D7EB6D36F4F36900C549E670<br>12239540D27458D3DF157172838E08C65750F17FA08B43F4504FA16CBBDD71E394354F8531785F90036506CB08B62F619AF9DAE4350270CF992624CBA405<br>ADAE91465F128F097A09B18807D31BEA4CFB4554100AE21B56B54BA6AFA8799A8EF58C5D1804629B1A5A03D5116535B93388A5D1606C9B8E899A260E495F<br>B879892BD5E3A021E8F592AE9D0874E2DA1FE1094A6FAEDC8F6CB19E81CD85F88C0F367B1FAA9B642986E3A634549C6AB84BE7FF9D8E476C9CFFE1C87509<br>AF805145AA30683E38F43EE28156D836C2A23EDDB746DCBF188DE680F2FA80140B07921DE520F803EE0D0968B8CA1DCC052CC6DE7D1264231554D3EC79FA<br>174F47C664153383ABD7219D5634</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion<br> </a> 4. Start a chat and follow the further instructions. <br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected] ">[email protected] </a> <br> <a href="[email protected] ">[email protected] </a> <br> <p>* To contact us, create a new free email account on the site: <a href="https://protonmail.com">protonmail.com <br> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 13 IoCs
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Renames multiple (199) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of SendNotifyMessage 13 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\medusa.exe
    "C:\Users\Admin\AppData\Local\Temp\medusa.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4372
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4644
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2044
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1036
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.0.395363577\1952191459" -parentBuildID 20221007134813 -prefsHandle 1824 -prefMapHandle 1816 -prefsLen 20806 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91076471-b3df-478e-8419-5bf6600e1c70} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 1904 1d09e2edd58 gpu
        3⤵
          PID:5780
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.1.964590804\1311873936" -parentBuildID 20221007134813 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 20842 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1107555d-a885-45f1-968a-683c8e1f09ab} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 2288 1d09e1fde58 socket
          3⤵
            PID:556
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.2.951707978\625177218" -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 3052 -prefsLen 21660 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {004b0e90-73b9-4dbc-b7bd-b813e2226fac} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 3064 1d0a2351758 tab
            3⤵
              PID:3760
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.3.273502383\1245654946" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3496 -prefsLen 21766 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d89ad9f-9426-4129-8584-84e19918485d} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 3380 1d0a2f6a758 tab
              3⤵
                PID:4964
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.4.250515744\1120266382" -childID 3 -isForBrowser -prefsHandle 3508 -prefMapHandle 3512 -prefsLen 21766 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6171fc7f-af4e-4e3d-be32-a1fb0f38a2bd} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 2916 1d0a2f6b958 tab
                3⤵
                  PID:1124
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1036.5.652860755\2033631756" -childID 4 -isForBrowser -prefsHandle 3700 -prefMapHandle 3704 -prefsLen 21766 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {047f65e8-7ec8-4c99-9819-9b9af0e0e511} 1036 "\\.\pipe\gecko-crash-server-pipe.1036" 3688 1d0a33eda58 tab
                  3⤵
                    PID:2600
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe"
                1⤵
                • Enumerates system info in registry
                • Modifies data under HKEY_USERS
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:1840
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff93cae9758,0x7ff93cae9768,0x7ff93cae9778
                  2⤵
                    PID:1640
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                    2⤵
                      PID:4052
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                      2⤵
                        PID:252
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                        2⤵
                          PID:340
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                          2⤵
                            PID:4532
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:2
                            2⤵
                              PID:3268
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                              2⤵
                                PID:5508
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                2⤵
                                  PID:1896
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                  2⤵
                                    PID:2000
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4504 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                                    2⤵
                                      PID:4260
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5160 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                      2⤵
                                        PID:3092
                                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5312 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                        2⤵
                                          PID:2264
                                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                          2⤵
                                            PID:5756
                                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5680 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                                            2⤵
                                              PID:2912
                                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3472 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                                              2⤵
                                                PID:1656
                                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5344 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:1
                                                2⤵
                                                  PID:1116
                                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:8
                                                  2⤵
                                                    PID:2264
                                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=880 --field-trial-handle=1800,i,16823939531161408540,4424338954340834574,131072 /prefetch:2
                                                    2⤵
                                                      PID:4072
                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                    1⤵
                                                      PID:3952
                                                    • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                      C:\Users\Admin\AppData\Roaming\svhost.exe
                                                      1⤵
                                                      • Executes dropped EXE
                                                      PID:588
                                                    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
                                                      "C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
                                                      1⤵
                                                        PID:4484

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Replay Monitor

                                                      Loading Replay Monitor...

                                                      Downloads

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                        Filesize

                                                        168B

                                                        MD5

                                                        ca41be183fc5d3b976435f4fe2fbc124

                                                        SHA1

                                                        e677eb7c62793b4fdfc1cdad279439ca8241c470

                                                        SHA256

                                                        b4aeae1ad79d419887b4edb420603001c6e05204941e48b477b0420e8003339f

                                                        SHA512

                                                        ae8012cb7e8a115560252b4452960140735f3d6ac4ea8340d1dab6040cb2493394db8709b0bc0043b8efb2ce8e633b6e1b01deab4e632b2dc4aead2304a743f0

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
                                                        Filesize

                                                        2KB

                                                        MD5

                                                        d86d99d97baacf5fb2d1faa70ec39cf0

                                                        SHA1

                                                        0471e8f50611056a00b0735175eeb351f85deac4

                                                        SHA256

                                                        cf2ddf969bd94d800a015a6c7ef9c0873c1f882c81a4c64b732fef2c97c92029

                                                        SHA512

                                                        6df86199d35b526e9f54f0a19e0a7249ae0cfacddfc0649a24bfad854f7c5b71cf9b14c24824e449cbce35e5e1518bdba8a6ea823091f45f2c617a83a94eaae5

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
                                                        Filesize

                                                        539B

                                                        MD5

                                                        6f0277cfa545f5e302113e5580a57bdb

                                                        SHA1

                                                        76ba4a8a5e6a5b4e3d1f53741914e2e8199e081f

                                                        SHA256

                                                        7e733907b3841c4cfa9737095b8a1be8a9a4e809aaa5583a02e7592256c3edab

                                                        SHA512

                                                        0e3dbb52b2c632fe0fc5839f69d8c4bda78ff6f1d3f11807c2e4b5b48ef0902780886c8fb5bebd2e20f37e443a0a24a81c45d2643f5c7cfd398a3a8825e56847

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        02f390d4cfa9387f0e5ccf87854d590a

                                                        SHA1

                                                        85a9ab430e6062fa249e1b81b80fa3093b445050

                                                        SHA256

                                                        0ce8cfb34678faa782dc0c8253f6ba0e6855d21d01c9680e94cec33bbea64e5f

                                                        SHA512

                                                        c501b612e529b5e877a43dc9225b5d0da9109d016d068ea8f686bc502429d3130abd8bef03c058bbc60346f2599223654076bb7936fe7f56cb583ab3f93af263

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        985e754176165eace81b997674c290d9

                                                        SHA1

                                                        6ba161a2d729c2b594bb32e777d8fc6505b5b541

                                                        SHA256

                                                        d08bfd3dbf0564c9055a074a69ed7a2c54320d0523f1fc958a97066bac169ffe

                                                        SHA512

                                                        10ad3d0d201f7021867a7fb7ab4cbaa38f72b3ffe54bd6c1c6a15dc5596fd2f2427764dcd84597f747e576e22cde662a6294e9b473c328c5635e1f2c75a755aa

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
                                                        Filesize

                                                        6KB

                                                        MD5

                                                        128eae7ebf50aa203bd865697de70285

                                                        SHA1

                                                        335017db3bb911d42da88b6e332339e2e688e5c2

                                                        SHA256

                                                        765a98adc298e6874883ea76487c48ce3a4088f2134eb7fd530ededbaabfd129

                                                        SHA512

                                                        de9045d27f6ec9a56e5dfd744879627f5ad09ea479b4cd8906f3c2f55646d000f04dcfba057802ffe45113812d69a7bec56d57dae8c1f17b7f1359a572bb6e92

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
                                                        Filesize

                                                        15KB

                                                        MD5

                                                        fa7fae8dc945b378302582f7776db220

                                                        SHA1

                                                        0399a0d6e46bb1796a702264dd8df6639089307a

                                                        SHA256

                                                        120bc047c87bd2458eae7eeed97858045d217250e64125aa12984c57b62d34ce

                                                        SHA512

                                                        160ee72f32e78294c06939209663112030288c39304273b2907716a3e2de67916dd8dd020509ce977f7ff887499d6cd25444fa47114a7c555a3185b1409d058b

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        115KB

                                                        MD5

                                                        9a0e7e03f3d9e1a9a49121fb4031e479

                                                        SHA1

                                                        59443f4b5aafaa21fbf327854d7cc7d9a5a17415

                                                        SHA256

                                                        eba839922c2bf4426a8435119db8e42b3a0826b67d27a64855d1f3492e958f92

                                                        SHA512

                                                        bab2167f739cf31c32f9803687a4051089b4e27b97881090452450051032d60209c67d8497d5680fa4cd15c6f01e5050e25c94ad83a5b88d00e6d44cd3374395

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                                                        Filesize

                                                        115KB

                                                        MD5

                                                        6c71fdd73ea1ad48072ea3b04653e983

                                                        SHA1

                                                        42561fb89d9de80cb79e5f095d612ca8a71c0366

                                                        SHA256

                                                        104a5fdcb7b1b559cf4ea77bfdab0ed2b070e3493abf4ad87017fca6de443c12

                                                        SHA512

                                                        e4534ab5144b81456eb14ac94086ec5a51fd7bc440a16764f0ad4200ba6404dd3d159e2e63405da7f31444fbff3ed7a1428443b1507977848d7f5f04fbb633cd

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
                                                        Filesize

                                                        91KB

                                                        MD5

                                                        b1c38ed17b14a071cd9b7a3b17c077a7

                                                        SHA1

                                                        77d208b99cffe25351c36e86bc5600417af9c12b

                                                        SHA256

                                                        a3e5e53d2ca0f50f0fd72c602d8415d9c493a471e5e338444cec4f1293c09dba

                                                        SHA512

                                                        8b85e7002bf375f23d2e38896d26a63f2dd01dcba5e86ebfcbb29c678e13c337dbb0bfeac4ca0b29ac2de70a548b715c5564a7aedd5d2d8abbfa3a2444abffcb

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59b905.TMP
                                                        Filesize

                                                        90KB

                                                        MD5

                                                        f630f0f6d6f4c19071c28fbf6ea17c9c

                                                        SHA1

                                                        4fe04e8c1d15fcbc6edd1c47bb83dac55c5bc074

                                                        SHA256

                                                        b1c2fa1c443a350d7e2bdcb0c4fdf31f61dfe1622a4c4e17472bb8316010ca89

                                                        SHA512

                                                        aef89e88a956798880b0db2f8309f6554b34bf5e994ae91143826139c6d43addb5e08509aed4e64ebfd5883260116f1c3dac79aa9dadbc4cca909975adb7e743

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
                                                        Filesize

                                                        2B

                                                        MD5

                                                        99914b932bd37a50b983c5e7c90ae93b

                                                        SHA1

                                                        bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                        SHA256

                                                        44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                        SHA512

                                                        27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
                                                        Filesize

                                                        2B

                                                        MD5

                                                        f3b25701fe362ec84616a93a45ce9998

                                                        SHA1

                                                        d62636d8caec13f04e28442a0a6fa1afeb024bbb

                                                        SHA256

                                                        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

                                                        SHA512

                                                        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zpmtdrel.default-release\sessionstore-backups\recovery.jsonlz4
                                                        Filesize

                                                        271B

                                                        MD5

                                                        534026b66496114919ee0d43704e62a7

                                                        SHA1

                                                        fc46cc6753b5a9bddf4bbe54bb2e97851eb13f01

                                                        SHA256

                                                        058438ec937c749043e6d72819d105de8bccd68e57413d73689b04ae83c3553a

                                                        SHA512

                                                        e06f9031142522b0ed4249b7210a6f4d17b77132adb1ce4ce3ad62fc3b1c32f8e2a7a0f77526e75ee80603597beb1790ae11130182ebd518a3ecc2ecf91027c7

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                        Filesize

                                                        235KB

                                                        MD5

                                                        f6f120d1262b88f79debb5d848ac7db9

                                                        SHA1

                                                        1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

                                                        SHA256

                                                        1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

                                                        SHA512

                                                        1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

                                                        Download Submit

                                                      • C:\Users\Admin\AppData\Roaming\svhost.exe
                                                        Filesize

                                                        235KB

                                                        MD5

                                                        f6f120d1262b88f79debb5d848ac7db9

                                                        SHA1

                                                        1339282f9b2d2a41326daf3cf284ec2ae8f0f93c

                                                        SHA256

                                                        1bc0575b3fc6486cb2510dac1ac6ae4889b94a955d3eade53d3ba3a92d133281

                                                        SHA512

                                                        1067c1a73cf891d651fa007f4ccc4452f32801fe3859933ef1bcc00985e35ce016fa6c601c0e3c10df2080fc9b8a776b2f18d40bd64dfb98177ab638c4b545bd

                                                        Download Submit

                                                      • C:\Users\Default\ntuser.dat.LOG2
                                                        Filesize

                                                        536B

                                                        MD5

                                                        3ed20df13367877eb8a955cdcdc1a42e

                                                        SHA1

                                                        36d220bc611e314278894048db71ff528c6ba1e5

                                                        SHA256

                                                        605d46567112f21cdeb704cc11f18cd94f48ff05b9c1f49a2b08b76fbd5b515b

                                                        SHA512

                                                        7b6146d9e7f16d3f76d828cc4986fe49c604b463e1d9f31838f24b29c9920b4ed3b5f489144a06d927058e81126fcb153c12ba9766d59307ce64320fe9a63214

                                                        Download Submit

                                                      • \??\pipe\crashpad_1840_DMDSKJOLNOHYPQUF
                                                        MD5

                                                        d41d8cd98f00b204e9800998ecf8427e

                                                        SHA1

                                                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                        SHA256

                                                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                        SHA512

                                                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                        Download Submit

                                                      • \Device\HarddiskVolume1\Boot\HOW_TO_RECOVER_DATA.html
                                                        Filesize

                                                        4KB

                                                        MD5

                                                        7c882eb47ce467cebb35d025e0bdd9c7

                                                        SHA1

                                                        1cb4fc9ebd1c27d9893c794f15fe30e76647c8bf

                                                        SHA256

                                                        40034a55fe9884c08eccf8febd1e346dbb3458b17a0d5facb86426c4ce48f504

                                                        SHA512

                                                        3f5569414b809427849dd05ba61b7110213d5ff611b35eaa894c13995cdf6b0a843763e72f4a5b0b59abe20ca4157d314e67535dd16d88c5ad897788683d9436

                                                        Download Submit

                                                      • memory/588-687-0x00000000005F0000-0x00000000006A2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/588-675-0x00000000005F0000-0x00000000006A2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-781-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-755-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-0-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-767-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-632-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-741-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-784-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-631-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-623-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-622-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-811-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-309-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download

                                                      • memory/4372-662-0x0000000000600000-0x00000000006B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                        Download