chaos | 3bab06619d98c8cc839d86da5e2af612527a161856bfdf1bc720e2424df25511

Analysis

max time kernel
57s
max time network
61s
platform
windows11-21h2_x64
resource
win11-20250210-en
resource tags

arch:x64arch:x86image:win11-20250210-enlocale:en-usos:windows11-21h2-x64system
submitted
17-02-2025 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SonyVegasCrack.exe
Size

5.6MB
MD5

55d7b767f0213d18e4de54350c3891a9
SHA1

d2b74d78591cedbd9b22de2cf4a155514cafbaca
SHA256

65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522
SHA512

61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b
SSDEEP

384:/3MLWHn3kIsd+KYgCyJpVwjonJ7r91CzKlnnnnnnnu51RTZhpN0epN:rn3kInjryJpVCoJ7r9iwnnnnnnng0en

Score

10^/10

chaos defense_evasion discovery evasion execution impact ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral4/memory/4572-1-0x0000000000D70000-0x0000000001314000-memory.dmp	family_chaos
behavioral4/files/0x001c00000002aeb7-6.dat	family_chaos

Chaos family
chaos
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1028	bcdedit.exe
1040	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2920	wbadmin.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
28	1916	Process not Found

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overwritten.html	wininit.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wininit.url	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	wininit.exe

Executes dropped EXE 1 IoCs

pid	Process
4876	wininit.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	wininit.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1505343591-821288467-4101320450-1000\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	wininit.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wininit.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	wininit.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1505343591-821288467-4101320450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8qqpd0unl.jpg"	wininit.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4904	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1728	vssadmin.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4876	wininit.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4572	SonyVegasCrack.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4876	wininit.exe
4664	msedge.exe
4664	msedge.exe
4088	msedge.exe
4088	msedge.exe
4028	msedge.exe
4028	msedge.exe
3068	identity_helper.exe
3068	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	SonyVegasCrack.exe
Token: SeDebugPrivilege	4876	wininit.exe
Token: SeBackupPrivilege	3028	vssvc.exe
Token: SeRestorePrivilege	3028	vssvc.exe
Token: SeAuditPrivilege	3028	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3148	WMIC.exe
Token: SeSecurityPrivilege	3148	WMIC.exe
Token: SeTakeOwnershipPrivilege	3148	WMIC.exe
Token: SeLoadDriverPrivilege	3148	WMIC.exe
Token: SeSystemProfilePrivilege	3148	WMIC.exe
Token: SeSystemtimePrivilege	3148	WMIC.exe
Token: SeProfSingleProcessPrivilege	3148	WMIC.exe
Token: SeIncBasePriorityPrivilege	3148	WMIC.exe
Token: SeCreatePagefilePrivilege	3148	WMIC.exe
Token: SeBackupPrivilege	3148	WMIC.exe
Token: SeRestorePrivilege	3148	WMIC.exe
Token: SeShutdownPrivilege	3148	WMIC.exe
Token: SeDebugPrivilege	3148	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3148	WMIC.exe
Token: SeRemoteShutdownPrivilege	3148	WMIC.exe
Token: SeUndockPrivilege	3148	WMIC.exe
Token: SeManageVolumePrivilege	3148	WMIC.exe
Token: 33	3148	WMIC.exe
Token: 34	3148	WMIC.exe
Token: 35	3148	WMIC.exe
Token: 36	3148	WMIC.exe
Token: SeBackupPrivilege	4852	wbengine.exe
Token: SeRestorePrivilege	4852	wbengine.exe
Token: SeSecurityPrivilege	4852	wbengine.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4572 wrote to memory of 4876	4572	SonyVegasCrack.exe	86
PID 4572 wrote to memory of 4876	4572	SonyVegasCrack.exe	86
PID 4876 wrote to memory of 3604	4876	wininit.exe	87
PID 4876 wrote to memory of 3604	4876	wininit.exe	87
PID 3604 wrote to memory of 1728	3604	cmd.exe	89
PID 3604 wrote to memory of 1728	3604	cmd.exe	89
PID 3604 wrote to memory of 3148	3604	cmd.exe	92
PID 3604 wrote to memory of 3148	3604	cmd.exe	92
PID 4876 wrote to memory of 3128	4876	wininit.exe	94
PID 4876 wrote to memory of 3128	4876	wininit.exe	94
PID 3128 wrote to memory of 1028	3128	cmd.exe	96
PID 3128 wrote to memory of 1028	3128	cmd.exe	96
PID 3128 wrote to memory of 1040	3128	cmd.exe	97
PID 3128 wrote to memory of 1040	3128	cmd.exe	97
PID 4876 wrote to memory of 1216	4876	wininit.exe	98
PID 4876 wrote to memory of 1216	4876	wininit.exe	98
PID 1216 wrote to memory of 2920	1216	cmd.exe	100
PID 1216 wrote to memory of 2920	1216	cmd.exe	100
PID 4876 wrote to memory of 4088	4876	wininit.exe	105
PID 4876 wrote to memory of 4088	4876	wininit.exe	105
PID 4088 wrote to memory of 4984	4088	msedge.exe	106
PID 4088 wrote to memory of 4984	4088	msedge.exe	106
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 328	4088	msedge.exe	107
PID 4088 wrote to memory of 4664	4088	msedge.exe	108
PID 4088 wrote to memory of 4664	4088	msedge.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SonyVegasCrack.exe
"C:\Users\Admin\AppData\Local\Temp\SonyVegasCrack.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Users\Admin\AppData\Roaming\wininit.exe
  "C:\Users\Admin\AppData\Roaming\wininit.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1728
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3148
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3128
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1028
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1040
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:2920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\overwritten.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa4fbd3cb8,0x7ffa4fbd3cc8,0x7ffa4fbd3cd8
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
      4⤵
      PID:328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4664
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
      4⤵
      PID:3864
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
      4⤵
      PID:3668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      4⤵
      PID:1232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
      4⤵
      PID:968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,17915031914452810444,16496277995514769123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:132

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTQ5QkMzNTQtNkVENy00NDkwLTlDMkUtRjYyRTdCRDE3M0JCfSIgdXNlcmlkPSJ7Qjc3NkRFNUYtNERERi00NUFCLUFEODItNjJCN0EzNzJFMDlDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkIzQzM2QkEtNkVBQS00NjU0LUI0MTgtNzREQzI2MzE0ODQzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUyNTc2MzQwODkiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed4da75b20e5d9cb86c2e0cef85b42ce

SHA1
b8bd00f4fbdbd07983c779be161086771b0455bf

SHA256
5832280892c7649938a6f38e412017e57eb7d2dc7a41f69a9ed9300c297aede1

SHA512
37f52d9243fee568ed6ceabf83fc6e010501bff1343135739f965dcd724ab0e39c36087cbc5136f433817b30aba73abf23f539ea860d5fb0f65f64ba7a8d9ad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2f4283ffec99b945c7a6167e8ff73eed

SHA1
05914fbf17e75edc9fb4603114045f99135a2014

SHA256
bef8d811c41c6009c80f9acffaad28b3992932986a63679b94e9bcfffec39230

SHA512
2af264d43f09025e0eb9661809ba4ad3a533f8af07e688c7dd90446900648a9a6a5d9890b3b023e0b5dd3af54e0f1a812ce8c517179946bd56426bbadf7adf18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed88f976f5f9cf132f4e7482ca8f54a8

SHA1
1879f4c35bf2a0e9d5387bce54a8ec76acc56ae1

SHA256
c466d206e6c5af91c5a0432b4086891805079c7e7ec5ef7793abe62c25f9f38a

SHA512
4f68496e85c3aa4a31a2a44fbdf40bbc42a0010a9b2208304d0ca245461bc18b9047e8b028e035fca79db0f00bfb74ba261bfc8de8515a8ca4fb2d15973ea674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6e34ce069b088a1921678d2f2570a96

SHA1
489ffa7c11a497a015529dcb177cc767c582bbf4

SHA256
8357d325862d1eb072a87f145289681d38097b006a8ed6143c8d7261a5cbf68c

SHA512
c646d9efae736e6c0a51217591ad66095e5a9b3b5d47fefc2de15f157a5fb6f93724f3535b4ea3688f9e6b7177574be1f28f00dec37d2a9ff9f40d71b044b87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b9aad220d8b484eb096dbe76b7349ce8

SHA1
1e73a6aafa3e7633cd1da51b839f8c8c0d7c1fb7

SHA256
426a26a386f7a4ac73186a839433f40b4a5bcf340df64f9bbf5a8c7f0ad1e581

SHA512
04d8a0b77404f8f5bfe01b77ec90b075568d135d65dcdaeb1a166466af3c2f37a37e61f66151a40d3c7f6d97f0ae6e9546747b80dd5a66f384cf65ec402f9f1c

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
5.6MB

MD5
55d7b767f0213d18e4de54350c3891a9

SHA1
d2b74d78591cedbd9b22de2cf4a155514cafbaca

SHA256
65bfacb5497982e5f9af9c76efc44509fb2629d85c636273d8c7d605a34e8522

SHA512
61b14063501afe53a88c0a8039476a27db5ab4d38b4037eb861355f816bc4f99db133d323cfc674cd691877ac0b9a4b6de9a37cb5f70b21fec37baace2cc3e8b

Download Submit
C:\Users\Admin\Desktop\overwritten.html

Filesize
82B

MD5
fa4a3a1d2ab22fa84d84ec6646c7885c

SHA1
4b9a1e8c6535a9d3e76eb773bb9c54bb852e1eac

SHA256
8fe31ddd89b9f3f9e5107d24d0a1184ab1047fe89142b66d1eba1e117eba2ba3

SHA512
bade982388c07caf9c2b8c967c9f38627b9511294022f710404ecbb18a6d36777b7df7668e175e79d7d642b682c2a3c9fac60d27d7dbc37672579d330d6a2145

Download Submit
memory/4572-0-0x00007FFA52293000-0x00007FFA52295000-memory.dmp

Filesize
8KB

Download
memory/4572-1-0x0000000000D70000-0x0000000001314000-memory.dmp

Filesize
5.6MB

Download
memory/4876-120-0x00007FFA52290000-0x00007FFA52D52000-memory.dmp

Filesize
10.8MB

Download
memory/4876-14-0x00007FFA52290000-0x00007FFA52D52000-memory.dmp

Filesize
10.8MB

Download
memory/4904-146-0x00000000745C0000-0x00000000745D3000-memory.dmp

Filesize
76KB

Download