locky_lukitus | 509b7eacb051087d49d9357c354532cf1561f065f11d0c2b6bc24f53fb255e2e

General

Target

a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe
Size

517KB
MD5

a410188cf459e3beb5be623f1dc1ab75
SHA1

85615da588fe978d82c6bc06e2b0d7db58a4f913
SHA256

509b7eacb051087d49d9357c354532cf1561f065f11d0c2b6bc24f53fb255e2e
SHA512

a28a42ce5ecca6b6be0068083c7fba49c76050a0e6dd92b801a0fed281140679cf0b74353c3de2298dcb2e6bf906492d9ded6be080c7c3a81472d3ee0f0e9347
SSDEEP

12288:zVRm47ugq9QLXzNWVn4Fkl6BQ2yLhxPtIS4GudgBXllbXtdj:zVzzzjNO4FkUQ2yL7PtIdGudqlb9dj

Score

10^/10

locky_lukitus defense_evasion execution impact ransomware

Malware Config

Signatures

Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4636 vssadmin.exe

pid	process
4636	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\WallpaperStyle = "0"	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\Desktop\TileWallpaper = "0"	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1196	msedge.exe
1196	msedge.exe
368	msedge.exe
368	msedge.exe
4280	identity_helper.exe
4280	identity_helper.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe
760	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

368 msedge.exe
368 msedge.exe
368 msedge.exe
368 msedge.exe
368 msedge.exe
368 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2612 vssvc.exe
Token: SeRestorePrivilege 2612 vssvc.exe
Token: SeAuditPrivilege 2612 vssvc.exe

description	pid	process
Token: SeBackupPrivilege	2612	vssvc.exe
Token: SeRestorePrivilege	2612	vssvc.exe
Token: SeAuditPrivilege	2612	vssvc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe
368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exemsedge.exe

description	pid	process	target process
PID 1496 wrote to memory of 368	1496	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe	msedge.exe
PID 1496 wrote to memory of 368	1496	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe	msedge.exe
PID 368 wrote to memory of 4564	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 4564	368	msedge.exe	msedge.exe
PID 1496 wrote to memory of 4072	1496	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe	cmd.exe
PID 1496 wrote to memory of 4072	1496	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe	cmd.exe
PID 1496 wrote to memory of 4072	1496	a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe	cmd.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 280	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1196	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 1196	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe
PID 368 wrote to memory of 732	368	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\lukitus.htm
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffcf99746f8,0x7ffcf9974708,0x7ffcf9974718
3⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
3⤵
PID:280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
3⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
3⤵
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
3⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
3⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
3⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
3⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
3⤵
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
3⤵
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7871647918358711264,5698212659052669349,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5704 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\a410188cf459e3beb5be623f1dc1ab75_JaffaCakes118.exe"
2⤵
PID:4072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\system32\vssadmin.exe
C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
1⤵
- Interacts with shadow copies
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5786757eccfc931bce63756325bf616d

SHA1
c01f7549c0300f651907a7de3ab15dc2486462ed

SHA256
af1d810e8b81f8fda58259a56fc6502bda784b76e636b15f559c61b98f321b4a

SHA512
7176d0315a409ad67e4ba02ea45b2c72d7b170317a5c9f2d1d3982e160ed639defb848dd42a1f569c74b9e309aaba9e9785c27e45a2f50baad990b331887c0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
23bdb740fab3929892fc13def6c8c0ad

SHA1
95799ecef2c69a395fc8e96b4b5d230866a8eb8e

SHA256
027a575f47c21bbec6d446379168b97d4e17c4eeb1c2350e921d0d195231d3a9

SHA512
242243b0b9d9c689fd521025954769015c5a65d26a3280acc075147a9a97c62580a7fcf4154f58c3d6dde546a50c3df204665a6537d0d7933c2395c71b7e8027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9a7f59333d19754660cfc24ceb2671bd

SHA1
6242679b2be44c98889f7bd69fe55266a1d1942c

SHA256
32fc641ec6521e78f0f5be6c4663907483be2bd9c527c61870078310b83b718a

SHA512
beb896215b62bc461d108cd58289e52967d47b9c04b98fc140aca64b42e180f2cf91dd37e94b3d81bcd07aa386d6e19968e03cf826156f7e53210a2a2eec1fc3

Download Submit
C:\lukitus-9066.htm
Filesize
8KB

MD5
e4d06e352caa7f95d41695c326bb3a49

SHA1
94302f31be92526a8f6c01143a781b4e071c9cbe

SHA256
e88bf20c5466dbce946e1e69e951803be6c8dd462a52629f1cc77ec0c68fe1a2

SHA512
4b22a30363bce39fe75dda9f593ef43384e906ef5ec818ea981ca662b5a5edbc498f56145f8cabaad85b904ae92dde45d7e9c6cad70f4d01e04d4819bd638ace

Download Submit
\??\pipe\LOCAL\crashpad_368_BMNLVYCFPBLCCXPJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads