Overview
overview
10Static
static
100225a30270...24.exe
windows10-1703-x64
30225a30270...24.exe
windows7-x64
70225a30270...24.exe
windows10-2004-x64
30225a30270...24.exe
windows11-21h2-x64
305072a7ec4...7f.exe
windows10-1703-x64
1005072a7ec4...7f.exe
windows7-x64
1005072a7ec4...7f.exe
windows10-2004-x64
1005072a7ec4...7f.exe
windows11-21h2-x64
101fca1cd049...77.exe
windows10-1703-x64
11fca1cd049...77.exe
windows7-x64
11fca1cd049...77.exe
windows10-2004-x64
11fca1cd049...77.exe
windows11-21h2-x64
120bab94e6d...52.exe
windows10-1703-x64
120bab94e6d...52.exe
windows7-x64
120bab94e6d...52.exe
windows10-2004-x64
120bab94e6d...52.exe
windows11-21h2-x64
12704e269fb...66.exe
windows10-1703-x64
102704e269fb...66.exe
windows7-x64
102704e269fb...66.exe
windows10-2004-x64
102704e269fb...66.exe
windows11-21h2-x64
102cbb3497bf...2d.dll
windows10-1703-x64
102cbb3497bf...2d.dll
windows7-x64
102cbb3497bf...2d.dll
windows10-2004-x64
102cbb3497bf...2d.dll
windows11-21h2-x64
1037546b811e...f6.exe
windows10-1703-x64
1037546b811e...f6.exe
windows7-x64
1037546b811e...f6.exe
windows10-2004-x64
1037546b811e...f6.exe
windows11-21h2-x64
1049d828087c...2d.exe
windows10-1703-x64
149d828087c...2d.exe
windows7-x64
149d828087c...2d.exe
windows10-2004-x64
149d828087c...2d.exe
windows11-21h2-x64
1Analysis
-
max time kernel
1763s -
max time network
1713s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
18-05-2024 15:47
Behavioral task
behavioral1
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win7-20240221-en
Behavioral task
behavioral3
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
0225a30270e5361e410453d4fb0501eb759612f6048ad43591b559d835720224.exe
Resource
win11-20240426-en
Behavioral task
behavioral5
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10-20240404-en
Behavioral task
behavioral6
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
05072a7ec455fdf0977f69d49dcaaf012c403c9d39861fa2216eae19c160527f.exe
Resource
win11-20240426-en
Behavioral task
behavioral9
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10-20240404-en
Behavioral task
behavioral10
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win7-20240215-en
Behavioral task
behavioral11
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
1fca1cd04992e0fcaa714d9dfa97323d81d7e3d43a024ec37d1c7a2767a17577.exe
Resource
win11-20240426-en
Behavioral task
behavioral13
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10-20240404-en
Behavioral task
behavioral14
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win7-20240221-en
Behavioral task
behavioral15
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral16
Sample
20bab94e6d9c8ed4832ce3b58f9150b16f9e5f40ffdcb747e10366cab5a30352.exe
Resource
win11-20240508-en
Behavioral task
behavioral17
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10-20240404-en
Behavioral task
behavioral18
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win7-20240508-en
Behavioral task
behavioral19
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
2704e269fb5cf9a02070a0ea07d82dc9d87f2cb95e60cb71d6c6d38b01869f66.exe
Resource
win11-20240508-en
Behavioral task
behavioral21
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10-20240404-en
Behavioral task
behavioral22
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win7-20240508-en
Behavioral task
behavioral23
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral24
Sample
2cbb3497bfa28d9966c1feeae96d452d.dll
Resource
win11-20240426-en
Behavioral task
behavioral25
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10-20240404-en
Behavioral task
behavioral26
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral28
Sample
37546b811e369547c8bd631fa4399730d3bdaff635e744d83632b74f44f56cf6.exe
Resource
win11-20240426-en
Behavioral task
behavioral29
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10-20240404-en
Behavioral task
behavioral30
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win7-20240508-en
Behavioral task
behavioral31
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
49d828087ca77abc8d3ac2e4719719ca48578b265bbb632a1a7a36560ec47f2d.exe
Resource
win11-20240426-en
General
-
Target
2cbb3497bfa28d9966c1feeae96d452d.dll
-
Size
1.6MB
-
MD5
2cbb3497bfa28d9966c1feeae96d452d
-
SHA1
9ef94c7d3fedc71bb3ed1abf542dfc7ec692883d
-
SHA256
85c3b718090144dadeb8035ac287d46b9d3458f9de409229217d42a475f42868
-
SHA512
eed7b210655030b3855f7a20f3bc7aecf8b927a33dfdaefe1d769fa42cbf7c88b1e8ab625f7258a79d2625e06005d25b03691fe911330876ae9e7f916ab2fe4c
-
SSDEEP
24576:KlQyNmMnq70NDxLOd0+UU1Thef1HrmP1D2:KlQyNmMq70NDROd0+UU1ThoHrA
Malware Config
Extracted
C:\Users\Admin\3D Objects\README_TO_DECRYPT.html
quantum
Signatures
-
Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 25 IoCs
description ioc Process File opened for modification \??\c:\Users\Admin\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Camera Roll\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Saved Games\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Libraries\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Contacts\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\OneDrive\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\Saved Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Documents\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Pictures\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\3D Objects\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Downloads\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Desktop\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\Music\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Favorites\Links\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Searches\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Admin\Videos\desktop.ini rundll32.exe File opened for modification \??\c:\Users\Public\AccountPictures\desktop.ini rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\f: rundll32.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created \??\c:\Program Files\README_TO_DECRYPT.html rundll32.exe File created \??\c:\Program Files (x86)\README_TO_DECRYPT.html rundll32.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 5 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 4544 rundll32.exe 4544 rundll32.exe 2956 msedge.exe 2956 msedge.exe 5080 msedge.exe 5080 msedge.exe 5780 identity_helper.exe 5780 identity_helper.exe 2284 msedge.exe 2284 msedge.exe 2284 msedge.exe 2284 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe 5080 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeRestorePrivilege 4544 rundll32.exe Token: SeDebugPrivilege 4544 rundll32.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 5080 msedge.exe 5080 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3440 wrote to memory of 4544 3440 rundll32.exe 83 PID 3440 wrote to memory of 4544 3440 rundll32.exe 83 PID 3440 wrote to memory of 4544 3440 rundll32.exe 83 PID 4544 wrote to memory of 1044 4544 rundll32.exe 98 PID 4544 wrote to memory of 1044 4544 rundll32.exe 98 PID 4544 wrote to memory of 1044 4544 rundll32.exe 98 PID 1044 wrote to memory of 1380 1044 cmd.exe 100 PID 1044 wrote to memory of 1380 1044 cmd.exe 100 PID 1044 wrote to memory of 1380 1044 cmd.exe 100 PID 5080 wrote to memory of 1980 5080 msedge.exe 104 PID 5080 wrote to memory of 1980 5080 msedge.exe 104 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2164 5080 msedge.exe 105 PID 5080 wrote to memory of 2956 5080 msedge.exe 106 PID 5080 wrote to memory of 2956 5080 msedge.exe 106 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 PID 5080 wrote to memory of 1728 5080 msedge.exe 107 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1380 attrib.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll,#12⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\\0E5777FF.bat" "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll""3⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\attrib.exeattrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2cbb3497bfa28d9966c1feeae96d452d.dll"4⤵
- Views/modifies file attributes
PID:1380
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\README_TO_DECRYPT.html1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8a546f8,0x7ffca8a54708,0x7ffca8a547182⤵PID:1980
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵PID:2164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:82⤵PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:12⤵PID:1748
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:3600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:12⤵PID:4664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:12⤵PID:640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:12⤵PID:1532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:12⤵PID:1604
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:12⤵PID:4428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:12⤵PID:3664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:82⤵PID:5664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6276 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:5964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:12⤵PID:5972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:12⤵PID:6140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:12⤵PID:3976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,3671708948759736298,17983375978358147011,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3456
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5867698a2f6e51b54a2c826e3c9600f07
SHA194cb5ed8f01225b02db259fb1d1908e687f53577
SHA256fb66e9dfa750c9043b58bbd4a38a83a48e58d1ae13ba989e164795f999e3a7dc
SHA512045cecd3e62078d2668ccac248f1842f9f2ba575efc859df1b982c6d1706551f1e8e5e425629aec9f1a8ae92ad5e9e402e2d832087aa3a66727c20cd344a3867
-
Filesize
10KB
MD58a33fd0f73fd8c65dadbb7792cb5b6dc
SHA133aa53a3ff6629bd87f8a8a8cbd776ccc3570345
SHA256eb66ca9fc5dc43c6fdfb36cce92c3a76eca28ce2837c4e071caad510345b47c2
SHA51204b9a3489acc25a8e4fc8058a0ba765a7125052bbd3f4f907210e18acda06ca20c5995572fc19ffd42e542591ff45c3291d2fbe9ac40aec40455da51fd9098e9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\BrowserMetrics\BrowserMetrics-663B6585-1244.pma.quantum
Filesize4.0MB
MD5db6a396499efe8bf347c95b50b035a42
SHA1069f3d44aca9ff625bc1d87b5b4d6efeadb2fca2
SHA256063b4def4dcb37d2dde2c6a806dcc3b2baf75214a7e92687ef14847171a1aa09
SHA512e90b079363db524e0a9a3accf1913c7a162c9e13631b0a3c3d3a810a9b97a2dae0fcfacb73e3ac7752c2552a69926259921fef4f4a0a1d23ec2a880f14a54d0d
-
Filesize
152B
MD5c7e37d16241d68c979f5e27c88a19801
SHA1934aa98dc16d8ca007f7119bf6087201b6c98c41
SHA256f10883b5faabc9e709ec3d6df5b4d4a3ae87931e36d30cf8de14552d2ad2341c
SHA512e64bf0bdef3db28946b81951a8e72cd4240019d419a2dea40dd23a1aa5976ddd8dbae8bcdae18bbf06feb84c32c8fc9ed2a10c306a40433bf1ec8012684947d3
-
Filesize
152B
MD50f438a3c22a3a53fbeda21a482b95b7a
SHA1954deffa5eb6785ef191a67c832e3b7ff39e9375
SHA2568f1d9bb7e050c512ad9ed77ce31dac8c7555e4bc5cb59764098507670aba987b
SHA5121aea30026d310c68d0892970d81add32b593c539ed2fc58244cb1a329837cd5aafca6b62f3f3f5a116b99ca894f8c7abf26bf6e3d138371a4cc122e540380c1c
-
Filesize
152B
MD5a6dffc5e76b21697a246243f175feaef
SHA10501c5a0e04a45f6d65af6a4563b2b857ba6ba90
SHA25616d58f4ad4fcf2ecc154e0f6f8984b8beaac3cc3180183e18552d0e3719327b7
SHA5124700890801d22c46e34587631c8b62bb6e8b359da730cba9e532fcb0ee780f53d8d5b7a97a75d30343ea4b4efe8064533527d9f9c8d271f36182e04f6893bda7
-
Filesize
20B
MD59e4e94633b73f4a7680240a0ffd6cd2c
SHA1e68e02453ce22736169a56fdb59043d33668368f
SHA25641c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22646e41-42ab-4f92-85a7-d059297410cf.tmp
Filesize4KB
MD553b6e64d4f73f7fd481b0f1e3423e815
SHA1a3eaafb3823618948c9b84ce8331f8b5833a4b80
SHA256cfd20e0d411a7c06b49de8231e9034a2fb1c0ff109a0e11bdaded9ea4c34b39c
SHA512038e2d3871cb83208b83afb498c40c1b711d2221d58f2b73dc846b9a33ff72c572aa99bfe9d43e255a3a5ce5b07d7a18164e5c8eca533a659fd61cced2053a54
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44883cfa-eb98-4929-90a6-83450cf6a2b1.tmp
Filesize70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
4KB
MD5c959e4649f2f3e5272ee451b05ad9b9c
SHA1c1ce14ada4d1b18d0ed9907b9da7f66a9f2bc546
SHA2569913bc9fb15a0358da1e82a113d2981446e8be6ceeda2f56a98385af30b1d359
SHA51225e38c4d2d6b6ac97c5912eaf6c8b21397dd46d3633e1a10f6ccf6ce0d3ffb14a47a4b414602ab997591b10ea526bd4aff09b5ccdf0e74995bc08c2c0670e176
-
Filesize
5KB
MD515b963566f4e2d373c27ae5956e58f65
SHA1aab063ed7a2084e71a4043b019acba3563c50b99
SHA2560876e97f8f50c89630698ab66014ce58524566b93467eac7a4f71f0215a64093
SHA512065a282a4944cf2fb7607857b5033a65a5b09482071629de67eef899daf14f50065da0d81b893cf6b4f3214446c1029fca22ac74aa6013c02e49ff7156da8084
-
Filesize
5KB
MD5513248e5bcf55b3412a1d6174fa1ae8d
SHA14cf869375d31deecdc5dba2e07915eb983670dd5
SHA25603f6b165090a709c6ac12f45711280e2e30d45b68af0b088db6f5ddc8ac68cac
SHA5122bdafeafd449ef624836209dc6eed09ae57c1dec26e9c234043d9cb33d6881ad6bdfbb6d8b153f21f94311e95969b39678d0b15d415a82e8f008bf7dcba1a087
-
Filesize
24KB
MD5137b3b5ad46bbd468887b0d61277a7af
SHA16ac0b55e904f40cc3c5bea2909aaa6bc4968bc6f
SHA256df068702d2b3b62e6cc8c2683e7a57dd4188e7117d1d49f652517f48f76a8bed
SHA512b4d3d76fcc624b7099e5c840178376b98b59aa33d28f501aed35479de69ee062cafea482806b7e5553a53931c36f959d7a12468e6133310c88d37473a1b192e3
-
Filesize
24KB
MD551a3cfbd69983bfbde792363fc776873
SHA1fbc5f6ef81b563ba87b546689194362b4901b47c
SHA256802b2bf8cb0a20fd9f6b3489c44e9fa77c42ed34a8a94b080ab6d9e13660b361
SHA5126bc4b68ff98ec9b71641e652188b9c7059660e6d7b825cf9be3a39090d017869d05da9cbf90693eef620c04cc238d09555df35e61156aae8d0f460df8d6e35e5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
65B
MD5348cae913e496198548854f5ff2f6d1e
SHA1a07655b9020205bd47084afd62a8bb22b48c0cdc
SHA256c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506
SHA512799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611