Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02-12-2024 12:46

General

  • Target

    787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d.dll

  • Size

    7.3MB

  • MD5

    a405656b13924871d376b08d65fddbc9

  • SHA1

    9cc98f605449f0ea0f20cdf25f390e477362e120

  • SHA256

    787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d

  • SHA512

    0db0bc1e1608761399721ba13b9f9f0236eba3a47dda98111053e117fec817db948b7e9150203babfa13ec0f11908835f11b067dcedcf99f5c7a837c8784349f

  • SSDEEP

    196608:qHJafUyYAULRp/n/JqmucSzkoeSAFHysQ/V/447XvXMZ:q8ULLhlfyv7XUZ

Malware Config

Extracted

Path

C:\Users\QHGbHpQ3N.README.txt

Ransom Note
~~ LockBit 3.0 the world's fastest and most stable ransomware from 2019~~~

>>>>> Your data is stolen and encrypted.

BLOG Tor Browser Links:
http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/
http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/
http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/
http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/
http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/
http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/
http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

>>>>> What guarantee is there that we won't cheat you?
We are the oldest ransomware affiliate program on the planet, nothing is more important than our reputation. We are not a politically motivated group and we want nothing more than money. If you pay, we will fulfill all the terms we agree on during the negotiation process. Treat this situation simply as a paid training session for your system administrators, because it was the misconfiguration of your corporate network that allowed us to attack you. Our pentesting services should be paid for the same way you pay your system administrators salaries. You can get more information about us on Ilon Musk's Twitter https://twitter.com/hashtag/lockbit?f=live

>>>>> You need to contact us on TOR darknet sites with your personal ID
Download and install Tor Browser https://www.torproject.org/
Write to the chat room and wait for an answer, we'll guarantee a response from us. If you need a unique ID for correspondence with us that no one will know about, ask it in the chat, we will generate a secret chat for you and give you his ID via private one-time memos service, no one can find out this ID but you. Sometimes you will have to wait some time for our reply, this is because we have a lot of work and we attack hundreds of companies around the world.

Tor Browser personal link for CHAT available only to you (available during a ddos attack):
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

Tor Browser Links for CHAT (sometimes unavailable due to ddos attacks):
http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion
http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion
http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion
http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion
http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion
http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion
http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>> Your personal Black ID: A58A500505762AE986A06CE99AB479E9 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

>>>>> Warning! Do not delete or modify encrypted files, it will lead to problems with decryption of files!

>>>>> Don't go to the police or the FBI for help and don't tell anyone that we attacked you.
URLs

http://lockbit3753ekiocyo5epmpy6klmejchjtzddoekjlnt6mu3qh4de2id.onion/

http://lockbit3g3ohd3katajf6zaehxz4h4cnhmz5t735zpltywhwpc6oy3id.onion/

http://lockbit3olp7oetlc4tl5zydnoluphh7fvdt5oa6arcp2757r7xkutid.onion/

http://lockbit435xk3ki62yun7z5nhwz6jyjdp2c64j5vge536if2eny3gtid.onion/

http://lockbit4lahhluquhoka3t4spqym2m3dhe66d6lr337glmnlgg2nndad.onion/

http://lockbit6knrauo3qafoksvl742vieqbujxw7rd6ofzdtapjb4rrawqad.onion/

http://lockbit7ouvrsdgtojeoj5hvu6bljqtghitekwpdy3b6y62ixtsu5jqd.onion/

https://twitter.com/hashtag/lockbit?f=live

http://lockbit5eevg7vec4vwwtzgkl4kulap6oxbic2ye4mnmlq6njnpc47qd.onion

http://lockbit74beza5z3e3so7qmjnvlgoemscp7wtp33xo7xv7f7xtlqbkqd.onion

http://lockbit75naln4yj44rg6ez6vjmdcrt7up4kxmmmuvilcg4ak3zihxid.onion

http://lockbit7a2g6ve7etbcy6iyizjnuleffz4szgmxaawcbfauluavi5jqd.onion

http://lockbitaa46gwjck2xzmi2xops6x4x3aqn6ez7yntitero2k7ae6yoyd.onion

http://lockbitb42tkml3ipianjbs6e33vhcshb7oxm2stubfvdzn3y2yqgbad.onion

http://lockbitcuo23q7qrymbk6dsp2sadltspjvjxgcyp4elbnbr6tcnwq7qd.onion

Signatures

  • Renames multiple (153) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used to control the browser and steal sensitive information such as credentials and session cookies.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops desktop.ini file(s) 2 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

    Uses AutoIT, possibly to run an automation script.

  • Sets desktop wallpaper using registry 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\787b6ed81976ebc999a547dababccc6766723d3eaef1c5b004c4f327388e9d3d.dll,#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4332
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3884
      • C:\Users\Admin\AppData\Local\Temp\l.exe
        "C:\Users\Admin\AppData\Local\Temp\l.exe"
        3⤵
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4076
        • C:\ProgramData\C1F8.tmp
          "C:\ProgramData\C1F8.tmp"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          PID:4248
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\C1F8.tmp >> NUL
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4372
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 1240
          4⤵
          • Program crash
          PID:3144
      • C:\Users\Admin\AppData\Local\Temp\v.exe
        "C:\Users\Admin\AppData\Local\Temp\v.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
          4⤵
          • Uses browser remote debugging
          • Enumerates system info in registry
          • Modifies data under HKEY_USERS
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2188
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb66efcc40,0x7ffb66efcc4c,0x7ffb66efcc58
            5⤵
            PID:3792
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
            5⤵
            PID:3884
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
            5⤵
            PID:4812
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2272 /prefetch:8
            5⤵
            PID:824
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:4404
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3264 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:1816
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4268,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4504 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:4780
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
            5⤵
            PID:4372
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4800,i,3183572800057926805,1264073473923342597,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
            5⤵
            PID:4748
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
          4⤵
          • Uses browser remote debugging
          • Enumerates system info in registry
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          PID:268
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb67a646f8,0x7ffb67a64708,0x7ffb67a64718
            5⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:2280
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
            5⤵
            PID:4412
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
            5⤵
            PID:3108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2600 /prefetch:8
            5⤵
            PID:4488
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:732
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3020 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:932
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:5004
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9223 --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
            5⤵
            • Uses browser remote debugging
            PID:2356
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10409614544559865700,2245522758906759385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
            5⤵
            PID:1368
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CFIEHCFIECBG" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2940
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1816
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 2724
          4⤵
          • Program crash
          PID:2508
      • C:\Users\Public\mydark.exe
        "C:\Users\Public\mydark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:824
        • \??\c:\temp\test\Autoit3.exe
          "c:\temp\test\Autoit3.exe" c:\temp\test\script.a3x
          4⤵
          • Executes dropped EXE
          • Command and Scripting Interpreter: AutoIT
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious use of WriteProcessMemory
          PID:2440
          • \??\c:\windows\SysWOW64\cmd.exe
            "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\kgdfech\fhedhbh
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2348
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic ComputerSystem get domain
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:1360
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3728
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:3092
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4076 -ip 4076
    1⤵
    PID:2060
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2076 -ip 2076
    1⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v15


                              Downloads

                              • C:\$Recycle.Bin\S-1-5-21-493223053-2004649691-1575712786-1000\AAAAAAAAAAA

                                Filesize

                                129B

                                MD5

                                096aa4a3a8c97a1fdb6de238c2ea692d

                                SHA1

                                538dd500e01270747f4d35e61f06bedc480702e3

                                SHA256

                                23c4e59b67a6b4d5b40a4dde2919ea9cf5dc2d1f562cf2f4dd79047503b981e2

                                SHA512

                                de8e6bcf0d4946e74cf74705566291b28b43a3113c3bb7b4331949271748962e5475978ba0ac284b6b5b0378c42080d80dd4c9d8073ce16e409ace8e51b5fd4a

                              • C:\ProgramData\C1F8.tmp

                                Filesize

                                14KB

                                MD5

                                294e9f64cb1642dd89229fff0592856b

                                SHA1

                                97b148c27f3da29ba7b18d6aee8a0db9102f47c9

                                SHA256

                                917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

                                SHA512

                                b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                                Filesize

                                649B

                                MD5

                                5a67ce8cf52308f9c380456021fb2ac8

                                SHA1

                                3516e3516be80f270d4de484b57fc99ce0210e53

                                SHA256

                                4f69f6430bf39526d805e1981debb2726ed29bcefcf2a1bd31084863f875313f

                                SHA512

                                fce93fe16cb49c024722fcc03b0cf0abfc8bebdbf472c41a00cd255515d49045ed88c436d74274a0301b8648087543ad71e6016b303933bc4b1357726cc42d4b

                              • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                                Filesize

                                2B

                                MD5

                                d751713988987e9331980363e24189ce

                                SHA1

                                97d170e1550eee4afc0af065b78cda302a97674c

                                SHA256

                                4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                SHA512

                                b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                Filesize

                                152B

                                MD5

                                37f660dd4b6ddf23bc37f5c823d1c33a

                                SHA1

                                1c35538aa307a3e09d15519df6ace99674ae428b

                                SHA256

                                4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

                                SHA512

                                807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize  152B
  MD5       d7cb450b1315c63b1d5d89d98ba22da5
  SHA1      694005cd9e1a4c54e0b83d0598a8a0c089df1556
  SHA256    38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031
  SHA512    df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize  5KB
  MD5       f9132652d21a76a81b97e7c09313cd46
  SHA1      aec13fef3f1ad1db3bc037e4d20c375d21fff1fd
  SHA256    e986e749a785de1fe5d61740b6e1714c79378ce269bcfd3d88cce5c61203fb3f
  SHA512    e9f2a7f3aa27d13c39c749ed6ae788f325e1388abcddbf3524aac9f7b8b0c6f93c61896131d65f6443cea409d6cefec386a47b252d9b8577bba9a70bed308d06

• C:\Users\Admin\AppData\Local\Temp\DDDDD
  Filesize  264KB
  MD5       10f5f36663d69ac8f380030a834382e6
  SHA1      4285658bd1d00d8dc3a6b3f2cd1fe5e31fa82f83
  SHA256    97326c2f88de214484f711e9aa30ff3ca1140047d6bbdeb74eed5ffeeec2a131
  SHA512    92ee4d5616f62f03a3ba7962674db436518e171e5db8f1160b47d3d056ec44c84cc6be2ff7d0dd34c19416b344c66261f7a45b26af9438901b65f27276929a69

• C:\Users\Admin\AppData\Local\Temp\l.exe
  Filesize  264KB
  MD5       f03b13218cb720a087175198a67b831c
  SHA1      bafad61b13f7b6d08a286e970c822f940b9135fb
  SHA256    3a2b885fd306f3ccbab3ec7584a3769c048a475d790fda8818d21c596eda8e05
  SHA512    42f9038be2b096b0468a5d05286fbfe2ec93dac08bdbb627b69722143a6db496de406abcd7c15d614e8bd68622ffc257ba02c6a489d4e9698ed02b0671a2541a

• C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize  1.4MB
  MD5       15bb67aec4ec337cfad207203cd593c6
  SHA1      542b1839fcfb29e386eab1a8919f17f486408ebc
  SHA256    7fb6af6b92b77fbcca3c98aa6566ff29af0fd3f538185610437514d075b7e963
  SHA512    e64ff67acebfe76cfdbef33d70f783ce5b1343452c862013cc42e8a3992897259d6ff06a36ddab0be155cde85faef83318294a8ff33674a677c9f4c1a4b2aefe

• C:\Users\Admin\AppData\Local\Temp\v.exe
  Filesize  372KB
  MD5       931744642ba53a75c3008f30d8ea7183
  SHA1      2ce31051b434bfdfa7447fd1acb1992485b7205b
  SHA256    61d998e1c9c4c3d033e9214204f7c96ea09fd2580009094e66dd0a5a7998f754
  SHA512    9f5f8beb8f9994c9af24d8acef470f8df0c9339358f245b651a95eb9d8d213b125f7f7ec6305cedcbf190e5396acc1eb12de0c4e0a3136d7505a14119efee2d2

• C:\Users\Public\mydark.exe
  Filesize  2.0MB
  MD5       dc0a046d715f645ef7f78b6b022f67a8
  SHA1      e3a9622fc9a5016ade389aa98cedb38efa9aef4c
  SHA256    80dab4dab91f87874bb3c41347a4441b2011bf87030ab5e0e59d214063ffa569
  SHA512    7892573ecec7666cc4d73c8ad2be078fa41d3b8667b0ffc10450727875aee2a92ab3554f610ad97a32b33f1a965f9a39351aebd32616b8b0ca3a7efc98e95008

• C:\Users\QHGbHpQ3N.README.txt
  Filesize  3KB
  MD5       c694348dc4601463339fd735cfd19228
  SHA1      993689109d7ffcd895f2ed82a8456f26d9840481
  SHA256    91d11979baee4314b261cfb66b5cad3706418671330b66a901bab060df15029a
  SHA512    23c2ff89d74bfbca1574bc7e8754a84181277a5d3c9057fa03efc42ddb99e685ff263d4679a3bc14f114ea3e814af1388b6a73663d82cf78ed59c566cea0a93b

• C:\temp\test\Autoit3.exe
  Filesize  872KB
  MD5       c56b5f0201a3b3de53e561fe76912bfd
  SHA1      2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

• F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\EEEEEEEEEEE
  Filesize  129B
  MD5       d3c63a091b0cfa6d68c4e9591ea4fb0f
  SHA1      db46ee68b62c358129efa9794145c400dc3df42e
  SHA256    3f2f748cf14002ade682612a63a9bf35c0d34a043313b448ca1e197f3d7f5d8a
  SHA512    acf0d2469a50e08686686554b07db8d27740601a853a90ea709ce8c94defa952a4e0b91fdb9e5ff220e6293f59003a31dd0f99ae26bbc1c340659dc6cb97dcc8

• \??\c:\temp\test\script.a3x
  Filesize  1.1MB
  MD5       6d0ba22651177f51271416be0280d1cc
  SHA1      b07d421b386b7cc3affbd412008288021f219dd1
  SHA256    d0ca6d8064faec38a998b957f40e87a4f9de47802f9137e32c5a6f8484ba893e
  SHA512    0e7d10f71fb4e54a4e610fc68d95929f3d0260deb2981aed5febc53a3dad061f81aa258b780c27459f7b51dc20152a3c9439ffd83d3b803c4c3b07fb295da6fe

• memory/824-53-0x0000000000400000-0x000000000060E000-memory.dmp
  Filesize  2.1MB

• memory/2076-392-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/2076-468-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/2076-479-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/2076-508-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/2076-521-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/2076-528-0x0000000000400000-0x0000000000834000-memory.dmp
  Filesize  4.2MB

• memory/3884-17-0x00000000002D0000-0x0000000000448000-memory.dmp
  Filesize  1.5MB

• memory/3884-16-0x00007FFB67663000-0x00007FFB67665000-memory.dmp
  Filesize  8KB

• memory/4076-391-0x0000000000400000-0x0000000000819000-memory.dmp
  Filesize  4.1MB

• memory/4332-55-0x000000006D080000-0x000000006D7D7000-memory.dmp
  Filesize  7.3MB

• memory/4332-0-0x0000000000400000-0x0000000000A8C000-memory.dmp
  Filesize  6.5MB