
Resubmissions

  • 12/05/2024, 23:12   240512-268aqsge5x   8
  • 12/05/2024, 23:08   240512-24jjlage4x   10
  • 12/05/2024, 23:00   240512-2y6f6sbe99   1
  • 12/05/2024, 22:56   240512-2w4jssbe92   10
  • 12/05/2024, 22:52   240512-2tg8sagd8v   10
  • 12/05/2024, 22:47   240512-2qptfsbe63   10
  • 12/05/2024, 22:41   240512-2mlydsbe49   9
  • 12/05/2024, 22:39   240512-2kxxwagd41   10
  • 12/05/2024, 22:35   240512-2h1kzsgd4s   10

Analysis

  • max time kernel
    149s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/05/2024, 22:47

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\PEXSXU-MANUAL.txt

Family

gandcrab

Ransom Note

---= GANDCRAB V5.2 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****

Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .PEXSXU
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/77d4589c34950dc1
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW

---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---

---BEGIN PC DATA---
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
---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/77d4589c34950dc1

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Renames multiple (261) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of FindShellTrayWindow 42 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Ransomware
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:536
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
      PID:4216
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
      PID:1968
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      • Suspicious behavior: EnumeratesProcesses
      PID:428
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
      PID:4748
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      PID:2864
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      PID:4004
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      PID:4968
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:1384
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4108 /prefetch:8
      PID:5032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
      PID:1612
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      PID:3632
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 /prefetch:8
      PID:2592
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
      • Suspicious behavior: EnumeratesProcesses
      PID:3492
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
      PID:4716
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
      PID:4220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
      PID:3048
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      PID:4308
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
      PID:3664
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,13496141101697027896,9155802662401123348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5268 /prefetch:2
      • Suspicious behavior: EnumeratesProcesses
      PID:2660
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:4924
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID:3920
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:1452
  • C:\Users\Admin\Downloads\GandCrab.exe
    "C:\Users\Admin\Downloads\GandCrab.exe"
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:2864
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
      PID:2984
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1652
      • Program crash
      PID:3720
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864
    PID:4972
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\PEXSXU-MANUAL.txt
    PID:1684

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: ce4c898f8fc7601e2fbc252fdadb5115
    SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
    SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
    SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 4158365912175436289496136e7912c2
    SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
    SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
    SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 2KB
    MD5: 2349886fcd08076af45d9ac4b213afb1
    SHA1: b4b74fba0f554a1f1453e7b56e10c73e3ee99ec7
    SHA256: 3184e90047aceaddcb99115f476f3b525f21f4abce421cadba65e3c8560b930c
    SHA512: 938454a58abf0b243e63f6b8f9c31d4548a2790e73739cf016cbdb601cbf186277d9effbb51671584d77fba566f57eaccfd01614d91461d96d7ee6378222d6c2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 579B
    MD5: d01be2bc277307bf760669a4f350a984
    SHA1: 64859376f5718ae3b4e6979a9f029ceaebf91fe4
    SHA256: de4ea8f1d2393892282b2e5ed049c0817630e9350e541f75ac9e9dc832967d41
    SHA512: a901a5b217e43b9553b2dd6edcafea6a97ad56ea0e94726e578e167409fb8218d7cd5b029788186a5ceacc2ea706f37a6d498ed6915d40e25e662501d02df94f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: a14a70f3a6aa9e64dd4893f5a9facbdc
    SHA1: afbae9d1b3ac65b5a21b8ebc09c3ff8a95238e06
    SHA256: 900bc7560f24d1c78db90f29c837e2602f0643fde23396919ff473d337dc6fd3
    SHA512: e8172a2d28a24cdaa1ada7cfccb761f1affa0e78f5c39b5edef09caf72c8eb4f929fc86be535d9ba0d4d47316a5c693eb90916c84c3f5585d102754eafd02206

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 48daf337adce91225c861d42def4587e
    SHA1: 289e5d2d4da9b999c4014369194251ca0574afcc
    SHA256: e6b53cb674f594351996f3591affca807c4b7ce32d1b519c650178044bec8a47
    SHA512: 91ac1b4c4ff601dc37dc8c552df21de46659aa5a89cdf60eacc101f27da7fd2c6b7019cd0c21f470bd47487a4d7b206268d7062604d0268d53eee4e8521afdcf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 1df1ce2dbe37281cdc32e98fc243c0e4
    SHA1: ee42c1ec781cd6d1c6d2b988d01bf105c3285f21
    SHA256: 404c8b9e4986e992c218028d8e5c117810cd2b30cdf5ed84998234abfbeae5ac
    SHA512: 37b658432aba07c537be9e0defdfd91c5345d98c1fd78dfeaabb21e4b4ae152bda29cdc0bdee9bc255f2c8f44b4850566bb7604d8345d7dc2521d87b0eb34df9

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 228b870d1006d04407557a6d9e98f06d
    SHA1: 25ae9c15ae0e099851f00b312c0f7bab6cedc7ec
    SHA256: 17c96164046fbb33abfac51ca51c85ca013b9ddb34c9845779ae8fec8bdbb322
    SHA512: e60b2a3ecdddceb34828b53cdfc515c6091cc10f86d6e88df7433ae3e93ad4c4bfe250f4205d886b628399de73779e307bcff84d883b039b0a82963c6cec0888

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 743c3334b2cedf0feae12d20f96c20b3
    SHA1: a299b68de959725aa1c8fe48f124a1bdf8242d0f
    SHA256: 5698b722ad285887840d93c5f20c7089eeb1c076533e11aba08f72f6942bba16
    SHA512: 313842acec9d6b78735d8a39522f706d2fe7e5d9768688e8253fd7eb9685e87d742741aec76dba69969a6c3a04c8ce8989b8d8c5682bcd48c0897db3733ce9f7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 090a094b2a116ef9b32c18f85be65d4d
    SHA1: 1b0ee67368cbbe6c5946f14e3af20f364bb7a9ef
    SHA256: 8febebfc8933cfa75d85f586978d833a66579fecac34f30ab1e6901e931cfd98
    SHA512: 17ee428c19dfd2887396759c0e07124618f291be1635fdbf5de748502d1e399e1670d6aac17baa259c28ba3b3f9062d96ec2719d07725b165c406be738f0999d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a0f3.TMP
    Filesize: 1KB
    MD5: 1a0d79d9bcc2e54d9bd4ae221fe1f443
    SHA1: ec861b08a816e4f54d6a9791499ef09f3daba4b0
    SHA256: cb3293d4a9b33d3567487ddb173621a9e8ebcd355e1a75456735995a1ce62774
    SHA512: 22f622f59d90499cd33441aa0a0a9b31c45fa1810bbe33a6073523e998dc5c3736b3ccd4a8654764ec25a084780f1464f8ac8626ae16d4003494d95e5270863a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: a6b38d8a341b8d8e1e89a3521fdd464a
    SHA1: 96da49eaa93cb9f0ab97ccf848b553d4b1a1166a
    SHA256: 4af0f81dc60e9b62b356ba18eef7e2ecdc339922df2437baa670e221a0715865
    SHA512: 08b48776597d52fd16b5c48a4c5816d94da181a06b335f1775646dcfec99189e5785ba6e748d1b8c0a5948b2302f82c72a0145dbddfcd15a3871fc1298a9e4d4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: c6b071260fcb243868919c858a12ecbf
    SHA1: 9987c3c95d02427a201549dd367ca3eae25e1d3c
    SHA256: 778b7a2183d2d134123235930b29eddb67229ab0e23c3c37016c9cb129087358
    SHA512: c63d6eed0cebc05d6ddae60932de860a3a89234463fd8b4ac51a579abe1cde4b181c19d0cbcbc44aba5bb0d0c8c73d798bf1faf164432ce97a536566e94fe17b

  • C:\Users\Admin\Downloads\Unconfirmed 288260.crdownload
    Filesize: 292KB
    MD5: 64242db5c926b6d5e96db8afdffcb944
    SHA1: 0db9a5a599bb72cd1926a3ea8803fadb09e61567
    SHA256: df9423ab7015d3d750a1e403bba55532f93f34d5b7f6ecd1c5c7d2dc3267014f
    SHA512: ae4d8ccf449de25fd534e353acab43c059f965856a3760201b46b0a470289db52348b6cb524c9237928d54cde5562d39d80a57f0dfba3a42e162ee7ddf192350

  • C:\Users\Admin\Downloads\Unconfirmed 388373.crdownload
    Filesize: 291KB
    MD5: e6b43b1028b6000009253344632e69c4
    SHA1: e536b70e3ffe309f7ae59918da471d7bf4cadd1c
    SHA256: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
    SHA512: 07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf

  • F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\PEXSXU-MANUAL.txt
    Filesize: 8KB
    MD5: 33c238859e5f24cb53acc5016c31b05e
    SHA1: d11a363aaff5f521ef2ac495050329d078c18bc9
    SHA256: 52ae72a4c61387e99fefde7d4ecc84a7eef8288d047cdd71fcc3434f4f42ca7e
    SHA512: 0bc0180874b7b05093a0cc7194cc33b7b34fc7d31504aa7b78bbb50549c09419cd8e0a48f235a0420c6e61efa05556d1d45aed099d2a4c6647aa9fbf70e4ad98

  • memory/2864-938-0x0000000000400000-0x00000000052B3000-memory.dmp
    Filesize: 78.7MB

  • memory/2864-951-0x0000000000400000-0x00000000052B3000-memory.dmp
    Filesize: 78.7MB