Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-01-2025 00:41

General

Malware Config

Extracted

Path

C:\$Recycle.Bin\DDHIICO-DECRYPT.txt

Ransom Note
---= GANDCRAB V5.0.4 =---
***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVERED***********************
*****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****
Attention!
All your files, documents, photos, databases and other important files are encrypted and have the extension: .DDHIICO
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
----------------------------------------------------------------------------------------
| 0. Download Tor browser - https://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/1dc002511fcc13dc
| 4. Follow the instructions on this page
----------------------------------------------------------------------------------------
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
ATTENTION!
IN ORDER TO PREVENT DATA DAMAGE:
* DO NOT MODIFY ENCRYPTED FILES
* DO NOT CHANGE DATA BELOW
---BEGIN GANDCRAB KEY---
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
---END GANDCRAB KEY---
---BEGIN PC DATA---
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
---END PC DATA---
URLs

http://gandcrabmfe6mnef.onion/1dc002511fcc13dc

Signatures

  • Gandcrab

    Gandcrab is a Trojan horse that encrypts files on a computer.

  • Gandcrab family
  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (293) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Downloads MZ/PE file
  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up the country code configured in the registry, likely as a geofence.

  • Credentials from Password Stores: Windows Credential Manager (1 TTPs)

    Suspicious access to Credentials History.

  • Drops startup file (2 IoCs)
  • Executes dropped EXE (1 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives (3 TTPs, 23 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
  • Drops file in Program Files directory (25 IoCs)
  • Browser Information Discovery (1 TTPs)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoCs)
  • Modifies system certificate store (2 TTPs, 7 IoCs)
  • NTFS ADS (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (45 IoCs)
  • Suspicious use of FindShellTrayWindow (37 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.sumiyuki.co.jp/js/test.exe
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4932
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7dda46f8,0x7ffc7dda4708,0x7ffc7dda4718
      2⤵
      PID:3012
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
      2⤵
      PID:740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1688
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
      2⤵
      PID:1848
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
      2⤵
      PID:2068
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      2⤵
      PID:5088
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
      2⤵
      PID:1296
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4056
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      2⤵
      PID:1680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
      2⤵
      PID:3208
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      2⤵
      PID:1508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
      2⤵
      PID:4356
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5856 /prefetch:8
      2⤵
      PID:208
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      2⤵
      PID:3984
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
      2⤵
      PID:4680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6500 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4528
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,7299240471460593144,9827815908031215247,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2996 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4016
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4792
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2568
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3772
  • C:\Users\Admin\Downloads\test.exe
    "C:\Users\Admin\Downloads\test.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Executes dropped EXE
    • Enumerates connected drives
    • Sets desktop wallpaper using registry
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:3584
    • C:\Windows\SysWOW64\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1144

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\$Recycle.Bin\DDHIICO-DECRYPT.txt
    Filesize: 8KB
    MD5: 85064f1a66cb36f36b4115f459c4c80e
    SHA1: 3e2d7939bd7b08f54c0b37300ffe36a0c5cb7d10
    SHA256: f6e4021c6c34c217a52ac90c7bb76a68092fd2d857cf906fc81a25c4223a65a7
    SHA512: 40ac9cf6396a1c42ea49079026a452d7ca5d7ef9b84adde4c8b35817d3764fb64d4c180a28e0359083322a55b416b01eee02db934acc9977abefae0a1816273e

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 8749e21d9d0a17dac32d5aa2027f7a75
    SHA1: a5d555f8b035c7938a4a864e89218c0402ab7cde
    SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
    SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 34d2c4f40f47672ecdf6f66fea242f4a
    SHA1: 4bcad62542aeb44cae38a907d8b5a8604115ada2
    SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
    SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: efc33a12d407f2519f1d4d6d1f20c691
    SHA1: e0981bbc242a953ff842965b14bc866a9cdb42b7
    SHA256: 00bd26023f89853adc30033e53dd6b7633c0814fd74151b3442018b952edb953
    SHA512: 8c75212d69cd554489924ef253f7c261dcf975bbe04e2d1e6c3cbb158ad4b7e9a7a757c2285b779b36283949259322131475c0434587b831ffb856e5ffa36f84

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 4efcb3c1fcb195a5ba8ffe06955ccce6
    SHA1: 2d4d5c7c2a4c8f25de2f122acd04654d615b4a98
    SHA256: c8f22ddc01c16fd5ea6bfc8d40d4c14659f8e4aed1af85fdd049e2f2f3e2e659
    SHA512: bb5c80fda954a0d7121c47bc88f51c3193282e884a113fbb41312b63a90599529b14253926852b1bd70bd58afd6558de6d51f9f97946bfd2a7a960345f2809e5

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 43525f1a0a94dbe6b1b0f4d467a667ca
    SHA1: 4688478ce6dc307d2fdd9cf08bfe4cbf6ebf9d23
    SHA256: 4946f740943e85d57f002701f3f7a9978cd48ee90c696a011132108c383ccb8b
    SHA512: ad2db043ce57fa9d5c7a5ae014d9c28f54fd56bf41a66e4cf4556aea91141534aadacec1730fde1352d195845c46c07383cde8499df5268e024063dadce6fea6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 283217abbdeab04c218946318b13ae7c
    SHA1: bed8c77b495445c7055c4902b032bff9ae01dc75
    SHA256: 7a6ec484ed0adc5332d2bfc8793fcb631512b0aef9dfe557ece93dc707fae42f
    SHA512: 44943db02ad5536f64b4c06b76eb9fdaf7559e9b80d46ebe430191db98a92ff271a76770cf068fd3f6f126e19b0dab13cdf938cf9590f3af65e3cca9df893d2b

  • C:\Users\Admin\Downloads\Unconfirmed 942784.crdownload
    Filesize: 297KB
    MD5: 314558f9a6da39ffd12cba6c1064b3b8
    SHA1: 2c416cbfa8aeee687534b7c0888d411c0a837c59
    SHA256: 64a45b42204cf4412dc2891368a4b72670642a008b13f3d99f6d3d42de95a842
    SHA512: 41fdd3cff2e4620c0dfc7adca6a985ba5af69c1e72be409ae8d206534e32e1d3d34358f3f90521f57969c3cdf391442f4dfeba2a174b3abcbe72257d36706947

  • memory/3584-863-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize: 316KB

  • memory/3584-880-0x0000000000400000-0x000000000044F000-memory.dmp
    Filesize: 316KB