Resubmissions

Submitted            Task ID             Score
12/05/2024, 23:12    240512-268aqsge5x   8
12/05/2024, 23:08    240512-24jjlage4x   10
12/05/2024, 23:00    240512-2y6f6sbe99   1
12/05/2024, 22:56    240512-2w4jssbe92   10
12/05/2024, 22:52    240512-2tg8sagd8v   10
12/05/2024, 22:47    240512-2qptfsbe63   10
12/05/2024, 22:41    240512-2mlydsbe49   9
12/05/2024, 22:39    240512-2kxxwagd41   10
12/05/2024, 22:35    240512-2h1kzsgd4s   10

Analysis
- max time kernel: 149s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/05/2024, 22:47
- Static task: static1
- URLScan task: urlscan1
- Behavioral task: behavioral1
  - Sample: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
  - Resource: win10v2004-20240508-en
General

- Target: https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Malware Config

- Extracted from: F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\PEXSXU-MANUAL.txt
- Family: gandcrab
- URL: http://gandcrabmfe6mnef.onion/77d4589c34950dc1
Signatures

- Gandcrab
  Gandcrab is a Trojan horse that encrypts files on a computer.

- Renames multiple (261) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

- Downloads MZ/PE file

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  - Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (GandCrab.exe)

- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\PEXSXU-MANUAL.txt (GandCrab.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\34950a2c34950dc274.lock (GandCrab.exe)

- Executes dropped EXE (1 IoC)
  - PID 2864: GandCrab.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by GandCrab.exe, in the order recorded: \??\Z:, \??\E:, \??\H:, \??\I:, \??\R:, \??\V:, \??\B:, \??\J:, \??\X:, \??\Y:, \??\W:, \??\G:, \??\L:, \??\M:, \??\O:, \??\Q:, \??\T:, \??\U:, \??\A:, \??\K:, \??\N:, \??\P:, \??\S:

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  - flow 49: raw.githubusercontent.com
  - flow 50: raw.githubusercontent.com

- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\bxmeoengtf.bmp" (GandCrab.exe)

- Drops file in Program Files directory (24 IoCs, all GandCrab.exe)
  - File opened for modification: C:\Program Files\DismountNew.xltm
  - File opened for modification: C:\Program Files\PublishSearch.ppsx
  - File opened for modification: C:\Program Files\ShowUpdate.rar
  - File opened for modification: C:\Program Files\SkipClose.ttf
  - File opened for modification: C:\Program Files\SplitRepair.jpeg
  - File created: C:\Program Files (x86)\PEXSXU-MANUAL.txt
  - File opened for modification: C:\Program Files\ConvertPush.xltx
  - File opened for modification: C:\Program Files\CopyApprove.xlt
  - File created: C:\Program Files (x86)\34950a2c34950dc274.lock
  - File opened for modification: C:\Program Files\SendCompare.ods
  - File opened for modification: C:\Program Files\TraceImport.xltm
  - File created: C:\Program Files\PEXSXU-MANUAL.txt
  - File opened for modification: C:\Program Files\MoveUnprotect.potx
  - File opened for modification: C:\Program Files\SwitchEnable.iso
  - File opened for modification: C:\Program Files\WaitRestart.vsdx
  - File opened for modification: C:\Program Files\PushWrite.wmv
  - File opened for modification: C:\Program Files\SelectUnpublish.svgz
  - File opened for modification: C:\Program Files\MoveSearch.temp
  - File opened for modification: C:\Program Files\RestartProtect.odt
  - File opened for modification: C:\Program Files\SearchInvoke.rtf
  - File opened for modification: C:\Program Files\StartCompare.tif
  - File opened for modification: C:\Program Files\UnregisterTest.tiff
  - File created: C:\Program Files\34950a2c34950dc274.lock
  - File opened for modification: C:\Program Files\ConvertRepair.avi

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Program crash (1 IoC)
  - PID 3720 (WerFault.exe), pid_target 2864, procid_target 110

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (GandCrab.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (GandCrab.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (GandCrab.exe)

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

- NTFS ADS (2 IoCs)
  - File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 388373.crdownload:SmartScreen (msedge.exe)
  - File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 288260.crdownload:SmartScreen (msedge.exe)

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  - PID 428 msedge.exe (2 rows)
  - PID 536 msedge.exe (2 rows)
  - PID 1384 identity_helper.exe (2 rows)
  - PID 3492 msedge.exe (2 rows)
  - PID 2864 GandCrab.exe (4 rows)
  - PID 2660 msedge.exe (4 rows)

- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  - PID 536 msedge.exe (8 rows)

- Suspicious use of FindShellTrayWindow (42 IoCs)
  - PID 536 msedge.exe (42 rows)

- Suspicious use of SendNotifyMessage (24 IoCs)
  - PID 536 msedge.exe (24 rows)

- Suspicious use of WriteProcessMemory (64 IoCs)
  All 64 rows record PID 536 (msedge.exe) writing to the memory of a child process; the distinct rows are:
  - PID 536 wrote to memory of 4216 (msedge.exe, procid_target 81), 2 rows
  - PID 536 wrote to memory of 1968 (msedge.exe, procid_target 82), repeated
  - PID 536 wrote to memory of 428 (msedge.exe, procid_target 83), 2 rows
  - PID 536 wrote to memory of 4748 (msedge.exe, procid_target 84), repeated
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 536)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4216)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1968)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 428)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4748)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2864)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4004)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4968)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1384)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5032)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4108 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1612)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3632)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2592)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3492)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4220)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3048)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4308)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2660)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses

- C:\Windows\System32\CompPkgSrv.exe (PID 4924)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\CompPkgSrv.exe (PID 3920)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

- C:\Windows\System32\rundll32.exe (PID 1452)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Downloads\GandCrab.exe (PID 2864)
  Command line: "C:\Users\Admin\Downloads\GandCrab.exe"
  Signatures:
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe (PID 2984)
    Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
  - C:\Windows\SysWOW64\WerFault.exe (PID 3720)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1652
    Signatures:
    - Program crash

- C:\Windows\SysWOW64\WerFault.exe (PID 4972)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864

- C:\Windows\system32\NOTEPAD.EXE (PID 1684)
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PEXSXU-MANUAL.txt
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 152B
  MD5: ce4c898f8fc7601e2fbc252fdadb5115
  SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
  SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
  SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

- Filesize: 152B
  MD5: 4158365912175436289496136e7912c2
  SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 2349886fcd08076af45d9ac4b213afb1
  SHA1: b4b74fba0f554a1f1453e7b56e10c73e3ee99ec7
  SHA256: 3184e90047aceaddcb99115f476f3b525f21f4abce421cadba65e3c8560b930c
  SHA512: 938454a58abf0b243e63f6b8f9c31d4548a2790e73739cf016cbdb601cbf186277d9effbb51671584d77fba566f57eaccfd01614d91461d96d7ee6378222d6c2

- Filesize: 579B
  MD5: d01be2bc277307bf760669a4f350a984
  SHA1: 64859376f5718ae3b4e6979a9f029ceaebf91fe4
  SHA256: de4ea8f1d2393892282b2e5ed049c0817630e9350e541f75ac9e9dc832967d41
  SHA512: a901a5b217e43b9553b2dd6edcafea6a97ad56ea0e94726e578e167409fb8218d7cd5b029788186a5ceacc2ea706f37a6d498ed6915d40e25e662501d02df94f

- Filesize: 6KB
  MD5: a14a70f3a6aa9e64dd4893f5a9facbdc
  SHA1: afbae9d1b3ac65b5a21b8ebc09c3ff8a95238e06
  SHA256: 900bc7560f24d1c78db90f29c837e2602f0643fde23396919ff473d337dc6fd3
  SHA512: e8172a2d28a24cdaa1ada7cfccb761f1affa0e78f5c39b5edef09caf72c8eb4f929fc86be535d9ba0d4d47316a5c693eb90916c84c3f5585d102754eafd02206

- Filesize: 6KB
  MD5: 48daf337adce91225c861d42def4587e
  SHA1: 289e5d2d4da9b999c4014369194251ca0574afcc
  SHA256: e6b53cb674f594351996f3591affca807c4b7ce32d1b519c650178044bec8a47
  SHA512: 91ac1b4c4ff601dc37dc8c552df21de46659aa5a89cdf60eacc101f27da7fd2c6b7019cd0c21f470bd47487a4d7b206268d7062604d0268d53eee4e8521afdcf

- Filesize: 6KB
  MD5: 1df1ce2dbe37281cdc32e98fc243c0e4
  SHA1: ee42c1ec781cd6d1c6d2b988d01bf105c3285f21
  SHA256: 404c8b9e4986e992c218028d8e5c117810cd2b30cdf5ed84998234abfbeae5ac
  SHA512: 37b658432aba07c537be9e0defdfd91c5345d98c1fd78dfeaabb21e4b4ae152bda29cdc0bdee9bc255f2c8f44b4850566bb7604d8345d7dc2521d87b0eb34df9

- Filesize: 6KB
  MD5: 228b870d1006d04407557a6d9e98f06d
  SHA1: 25ae9c15ae0e099851f00b312c0f7bab6cedc7ec
  SHA256: 17c96164046fbb33abfac51ca51c85ca013b9ddb34c9845779ae8fec8bdbb322
  SHA512: e60b2a3ecdddceb34828b53cdfc515c6091cc10f86d6e88df7433ae3e93ad4c4bfe250f4205d886b628399de73779e307bcff84d883b039b0a82963c6cec0888

- Filesize: 1KB
  MD5: 743c3334b2cedf0feae12d20f96c20b3
  SHA1: a299b68de959725aa1c8fe48f124a1bdf8242d0f
  SHA256: 5698b722ad285887840d93c5f20c7089eeb1c076533e11aba08f72f6942bba16
  SHA512: 313842acec9d6b78735d8a39522f706d2fe7e5d9768688e8253fd7eb9685e87d742741aec76dba69969a6c3a04c8ce8989b8d8c5682bcd48c0897db3733ce9f7

- Filesize: 1KB
  MD5: 090a094b2a116ef9b32c18f85be65d4d
  SHA1: 1b0ee67368cbbe6c5946f14e3af20f364bb7a9ef
  SHA256: 8febebfc8933cfa75d85f586978d833a66579fecac34f30ab1e6901e931cfd98
  SHA512: 17ee428c19dfd2887396759c0e07124618f291be1635fdbf5de748502d1e399e1670d6aac17baa259c28ba3b3f9062d96ec2719d07725b165c406be738f0999d

- Filesize: 1KB
  MD5: 1a0d79d9bcc2e54d9bd4ae221fe1f443
  SHA1: ec861b08a816e4f54d6a9791499ef09f3daba4b0
  SHA256: cb3293d4a9b33d3567487ddb173621a9e8ebcd355e1a75456735995a1ce62774
  SHA512: 22f622f59d90499cd33441aa0a0a9b31c45fa1810bbe33a6073523e998dc5c3736b3ccd4a8654764ec25a084780f1464f8ac8626ae16d4003494d95e5270863a

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 11KB
  MD5: a6b38d8a341b8d8e1e89a3521fdd464a
  SHA1: 96da49eaa93cb9f0ab97ccf848b553d4b1a1166a
  SHA256: 4af0f81dc60e9b62b356ba18eef7e2ecdc339922df2437baa670e221a0715865
  SHA512: 08b48776597d52fd16b5c48a4c5816d94da181a06b335f1775646dcfec99189e5785ba6e748d1b8c0a5948b2302f82c72a0145dbddfcd15a3871fc1298a9e4d4

- Filesize: 11KB
  MD5: c6b071260fcb243868919c858a12ecbf
  SHA1: 9987c3c95d02427a201549dd367ca3eae25e1d3c
  SHA256: 778b7a2183d2d134123235930b29eddb67229ab0e23c3c37016c9cb129087358
  SHA512: c63d6eed0cebc05d6ddae60932de860a3a89234463fd8b4ac51a579abe1cde4b181c19d0cbcbc44aba5bb0d0c8c73d798bf1faf164432ce97a536566e94fe17b

- Filesize: 292KB
  MD5: 64242db5c926b6d5e96db8afdffcb944
  SHA1: 0db9a5a599bb72cd1926a3ea8803fadb09e61567
  SHA256: df9423ab7015d3d750a1e403bba55532f93f34d5b7f6ecd1c5c7d2dc3267014f
  SHA512: ae4d8ccf449de25fd534e353acab43c059f965856a3760201b46b0a470289db52348b6cb524c9237928d54cde5562d39d80a57f0dfba3a42e162ee7ddf192350

- Filesize: 291KB
  MD5: e6b43b1028b6000009253344632e69c4
  SHA1: e536b70e3ffe309f7ae59918da471d7bf4cadd1c
  SHA256: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
  SHA512: 07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

- Filesize: 8KB
  MD5: 33c238859e5f24cb53acc5016c31b05e
  SHA1: d11a363aaff5f521ef2ac495050329d078c18bc9
  SHA256: 52ae72a4c61387e99fefde7d4ecc84a7eef8288d047cdd71fcc3434f4f42ca7e
  SHA512: 0bc0180874b7b05093a0cc7194cc33b7b34fc7d31504aa7b78bbb50549c09419cd8e0a48f235a0420c6e61efa05556d1d45aed099d2a4c6647aa9fbf70e4ad98