mountlocker | 85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d

Resubmissions

30-04-2024 05:29

240430-f6xncade75 10

11-04-2024 13:06

240411-qb4taafb9w 10

11-04-2024 12:33

240411-pq9seaeg2z 10

Analysis

max time kernel
1745s
max time network
1749s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
11-04-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll
Size

56KB
MD5

ed6e7169456ef1f41f6a45812dda7d98
SHA1

c82733e2d394b272db6cbf49aa8a1207c8d9fb87
SHA256

85b53edb2e3476bdb29f98bd19c56baa0205e6620917e654cbe81c9745d6193d
SHA512

0e7d3dbe68de4301501df68b1eeb36bf68ca3ea61091710352f68f09f8f9b8b96888ccb2419330b2fbd7b592bd98b583aaea818345c87d591b9b0a96845b8d87
SSDEEP

768:65h+QW4yKs5INTjabOSQwrPG12nFb5GnVWs6k:63XWNKQ2jnSQyNnFbgN

Score

10^/10

mountlocker ransomware spyware stealer

Malware Config

Signatures

MountLocker Ransomware
Ransomware family first seen in late 2020, which threatens to leak files if ransom is not paid.
ransomware mountlocker
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 24 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\AccountPictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\OneDrive\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	rundll32.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	rundll32.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

File opened (read-only) \??\f: rundll32.exe

description	ioc	process
File opened (read-only)	\??\f:	rundll32.exe

Drops file in Program Files directory 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	\??\c:\Program Files\RecoveryManual.html	rundll32.exe
File created	\??\c:\Program Files (x86)\RecoveryManual.html	rundll32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 6 IoCs

Processes:

rundll32.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\.F30D4911\shell\Open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\.F30D4911	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\.F30D4911\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\.F30D4911\shell\Open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\.F30D4911\shell\Open\command\ = "explorer.exe RecoveryManual.html"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2567984660-2719943099-2683635618-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

rundll32.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2436	rundll32.exe
2436	rundll32.exe
4776	msedge.exe
4776	msedge.exe
1932	msedge.exe
1932	msedge.exe
744	msedge.exe
744	msedge.exe
4824	identity_helper.exe
4824	identity_helper.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe
4948	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

rundll32.exe

description pid process

Token: SeRestorePrivilege 2436 rundll32.exe
Token: SeDebugPrivilege 2436 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1932 msedge.exe
1932 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

3624 MiniSearchHost.exe

description	pid	process
Token: SeRestorePrivilege	2436	rundll32.exe
Token: SeDebugPrivilege	2436	rundll32.exe

pid	process
3624	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.execmd.exeexplorer.exemsedge.exe

description	pid	process	target process
PID 1080 wrote to memory of 2436	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 2436	1080	rundll32.exe	rundll32.exe
PID 1080 wrote to memory of 2436	1080	rundll32.exe	rundll32.exe
PID 2436 wrote to memory of 5088	2436	rundll32.exe	cmd.exe
PID 2436 wrote to memory of 5088	2436	rundll32.exe	cmd.exe
PID 2436 wrote to memory of 5088	2436	rundll32.exe	cmd.exe
PID 5088 wrote to memory of 1620	5088	cmd.exe	attrib.exe
PID 5088 wrote to memory of 1620	5088	cmd.exe	attrib.exe
PID 5088 wrote to memory of 1620	5088	cmd.exe	attrib.exe
PID 1048 wrote to memory of 1932	1048	explorer.exe	msedge.exe
PID 1048 wrote to memory of 1932	1048	explorer.exe	msedge.exe
PID 1932 wrote to memory of 4048	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4048	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 3456	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4776	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 4776	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe
PID 1932 wrote to memory of 1364	1932	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1620 attrib.exe

pid	process
1620	attrib.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll,#1
  2⤵
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E57703E.bat" "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\ed6e7169456ef1f41f6a45812dda7d98_JaffaCakes118.dll"
      4⤵
      Views/modifies file attributes
      PID:1620

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3624

C:\Windows\explorer.exe
"explorer.exe" RecoveryManual.html
1⤵
PID:2264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RecoveryManual.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffea5b93cb8,0x7ffea5b93cc8,0x7ffea5b93cd8
    3⤵
    PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
    3⤵
    PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
    3⤵
    PID:1364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
    3⤵
    PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1
    3⤵
    PID:2324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
    3⤵
    PID:2192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
    3⤵
    PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4288 /prefetch:1
    3⤵
    PID:4984
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
    3⤵
    PID:2100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
    3⤵
    PID:4316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7436 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,18398526303744310459,8995226487912169525,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2872 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\RecoveryManual.html

Filesize
2KB

MD5
8cb3c62991fadb310f541c44adc77321

SHA1
698b4ffbe757a1cfac80eff1ef3c70fbf99b7024

SHA256
a35d583b16ef8f7fb2c1f59b0034dbc0c3112886ac53028f05c00fdb8ad8c83f

SHA512
e007ef243b9335d7433ada241697b2e836b6526e65ce74f690015a0dd37bed42e79d6e65d5007550312637c63357ad8af81997d74f35f9da1ba037387ac7af3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba1c5b9adde1c63093e16360c36d5ec8

SHA1
f701c2984b3c76b6fa7c4e10689bb2cf5c1de3fa

SHA256
e38528af753eee5c8ebab6bc0758b95b59b532a905657709c440e332dcd3f49b

SHA512
912efca5a576792c9f668a65c4a427a7045ced04e91736b61e2fd3bc35d64d4b0720d8ad13457bf052e2582fad71637e48daa39ce7ce2ac26c2199aa29de79b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
beb8cd349a8d874a2a757857b4b2525c

SHA1
e309aad4d5b5f43651e08500ca6ce6bbf1765d3a

SHA256
f307c80780521bb0ca2e8debd908ddf9e566cd162c630a69f70e8528e29822b0

SHA512
8f5dd0be927defe5aaf0e5fdc0c0cf22fdfb9e5d4966eaf00e54e56c76395f35eae187ccc3fb74c93d70f74cce8bf2d4f2c1583273f432bd8d5087b29da24f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
28737a876e5de68abaf2eb678f8eb05a

SHA1
eaa2f6b6014ecd9e0bb48a9bf13ec4d98e9a360f

SHA256
ccc3fa35c8bc0502a0950ff4aa41c6a6f278c9389582d17b9bea1bce1c0c0cac

SHA512
b10de513c5ddf9fdf1aa1629877b886e24446b10708e04593b8225c892d869a9897c9f6f17714ec738627193aabeda55a1887de81261230aa3eb640f7dfcf6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\52acc10d-d656-47be-9815-a003129803b1.tmp

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
1bdfe28ca4dc0a541860c640ef53ff11

SHA1
1f081c6ecc8dd31182d32b38971c11515428881f

SHA256
25808d516b3afeed46630ed0fb34000a4978c8e800942c296d2e5d7d06dda625

SHA512
15a7b5fbe1e4013c38e3cb160bfebde3d9050226b03456043e2d3d3fbcc91ab032265d174908b5000c4a41adfecff4c95f6ac641de4fdf82649cc6af01d2bf5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
ca0a5d545bee31bb82bb242e0f79a665

SHA1
09e17cb109dfe68e3778e79a8a1e45dcefa5a255

SHA256
172c8ad77b374395199395fa432bbee14ef5a3da74fd4ddbcdc48e46eab19a08

SHA512
429d9e5052817e271db67e7e3874ea2af119c54a1bcf02c60e739b545805adfabaa366af28603e40bb997b684b00bbfbc973a182e0fe41d84e3f703bcdeb105d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
777758347084bcb42123e65808e4487c

SHA1
47da1943bcb9b45d00909dcf68a722c96a4c6ddc

SHA256
46cf0369812b5804841ff0e15b83a11f35262b8db87fcf1288f6f1337052ce94

SHA512
9773b442a635f6c689656cdc96e1d78a2b868b953e517b73ba780d418b0206875b9818a1655a3c38992d51c37be0dcce20bfa3d66f04fed19a00825e2125e2f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
19fc9ec722fc3656a4cc0a5ccf70fca8

SHA1
e2e74a940a5a38bf2bd1b248179a75536b57455b

SHA256
1300102a40b5dab33a7fb8da20f3cc0dac29708c55e1e96c410c0f693cd6ce56

SHA512
017501d9e3ab2d4fc104b7c051b8568fd7b5a6946646d31df5e7023a98c3e3b12ac54738800a7055145de1e7ed64811cf431d20119c9e0dd3b20b50f2ef2ef9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
26KB

MD5
f7814f4a61d8972df089d6affdfb5f85

SHA1
ac54c437efc794c005206205364f68ae184f8651

SHA256
1a2234e052a9534739a0790ec601eb45507f800697c37610421fe3231105637f

SHA512
b6fcf79d27455c6a7a8cb073034b5f300482cced779b77d6fb11c0776495b1253060eff4403339cb1c8bb7145b7f954aeafeafa20455513e0122000ea5970f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences~RFe5860c8.TMP

Filesize
25KB

MD5
542ad2a945a70cde0e63f344e1163dbb

SHA1
33d3f0d370fc6c243b79c39d76975a534a849673

SHA256
e1e26dc36fe80df3792c399fa916d16dc56f8033c305dfb65dba1e33b3664998

SHA512
a3b2911c5a01a3becb12e600ad0f22e8be4f337447d935dffc89b6648370583538f2ff86bb159449c902d95bd5debaa5fe1c433e43f5abed8d053f8897c536e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Storage\ext\ihmafllikibpmigkcoadcmckbfhibefp\def\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e4acb7a7-6711-49b0-bbd9-06130c83089c.tmp

Filesize
4KB

MD5
d21ee6b7a7e5a4d02c31db9fdf5ee985

SHA1
63c8a46b72b14f101c0ba297d0e5a479a56bb3c2

SHA256
e9d0484c49a3f190fd52d22f3ada81d4155b05ad92aa43f6b2df0974303c3f7b

SHA512
937bbd4b372e60b8faad3d1ba973c771028cbf055c9ec38cc0913a12e7fa22d87f7133aa003d69cd10d0e062a5c99e6acb1fbedffddbbd193480c8cf1719ca7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f9d74c648b03c2b542a85eacf557dbf7

SHA1
641c1208687050edcd9c89ad6f40764ab81500ed

SHA256
12d0f2782e15fbc2363ce55446cbf97968f5fa6daa9fba7522fc9ba136c82586

SHA512
ad2581e4f031f60f38a18e1c96f66a56e66a57782d383aa09ee255cf9045986ce688fe22fdb63fcaa96e860e06c7705e6863aa407e1aee74894b6b19844140eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State~RFe588548.TMP

Filesize
9KB

MD5
da33b1dd137fcfb4beb21a46724711ba

SHA1
dce860200090b94d79168e2faf6411e2bed0af7a

SHA256
422f32b0de3397b8f5d9cb3d2bfc9f9c98db8860d8db8369595430938b8ff49e

SHA512
349690a3994898f52af2b0557d4136cf5a296b899f5e323c6de52dc504c72db2abf4cabf66a90e726b60d44977b44bf9ad20b4d6e7b1b31bef3554238717adde

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
e3b6a0110df2c31bfea0b9c962b5931d

SHA1
dd63409db214a27374a41e3e5966e3768e991488

SHA256
a32cf451972383871afd3a27103036c96f29848612e39436441e023fdd22c28d

SHA512
9e55495ac0c179cf30cc0b563958bda98e15dde4eeeb61f600a59a09ef3fbc8eec959bc7792f876bce43ac0e252f9b3a83360e503c1cf012d795243a21134161

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
3c0b1b1f6326a3e62d45ca5721f8ff7d

SHA1
7eb8620130617d3efaab96ee505d1cfa3252e4b6

SHA256
f5dad65983772d2e7732adf38262d3ebd1ec0bc0fa8b284fc37c0be671496d69

SHA512
802b390c1888f9192a6256c399aef5602c0b7eed264355ee302206ec51c64d5d1bd60743f213572c2f946cc03ed873fe614988f4e583c0ba563ca705f75399dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0E57703E.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
\??\pipe\LOCAL\crashpad_1932_KTNYBWMYYOLMRNMZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit