3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
114s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
Size

217KB
MD5

406cf11bdb84c3eae3e61f66ea596a46
SHA1

b6acd4fd42b3dca2c2cb75faf48025c2f4880184
SHA256

f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f
SHA512

c34a97b5d2854d862ca165136269302cda613833d83b8c9ec1d72774dd8717b5174a3077b69654435459a94d2d3f1111b9b3973bb3ab35c8826075fca0e126af
SSDEEP

3072:PhXD6M9my8NbPYOBLujYx5I8XDZW0956w/J+UdSZWa/rnV9Yxcqz3:PhT6+mntYOJ9FR60hd/a/rnV9q

Score

7^/10

discovery persistence ransomware

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discord = "C:\\Users\\Admin\\AppData\\Local\\discord.exe"	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\imageWTwkEOdGBTpfSbYzZYLyNqYjHfKKaa.jpg"	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_813449288\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_813449288\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\safety_tips.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_813449288\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_813449288\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\keys.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\typosquatting_list.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_813449288\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\manifest.fingerprint	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873819706768133"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920955164-3782810283-1225622749-1000\{D892DF56-5144-491B-A6E9-2E60D293BF0E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000_Classes\Local Settings	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5612	msedge.exe
5612	msedge.exe
5612	msedge.exe
5612	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
5612	msedge.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 4708	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	91
PID 1620 wrote to memory of 4708	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	91
PID 1620 wrote to memory of 4708	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	91
PID 1620 wrote to memory of 4716	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	92
PID 1620 wrote to memory of 4716	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	92
PID 1620 wrote to memory of 4716	1620	f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe	92
PID 4716 wrote to memory of 5612	4716	cmd.exe	94
PID 4716 wrote to memory of 5612	4716	cmd.exe	94
PID 5612 wrote to memory of 4124	5612	msedge.exe	96
PID 5612 wrote to memory of 4124	5612	msedge.exe	96
PID 5612 wrote to memory of 5584	5612	msedge.exe	97
PID 5612 wrote to memory of 5584	5612	msedge.exe	97
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 4372	5612	msedge.exe	98
PID 5612 wrote to memory of 6060	5612	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe
"C:\Users\Admin\AppData\Local\Temp\f354148b5f0eab5af22e8152438468ae8976db84c65415d3f4a469b35e31710f.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\Read Me First!.txt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c @echo off & echo github: https://t.me/temon_69 & start https://t.me/temon_69
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/temon_69
    3⤵
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2a0,0x33c,0x7ff97a36f208,0x7ff97a36f214,0x7ff97a36f220
      4⤵
      PID:4124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1828,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
      4⤵
      PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2180,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:4372
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2624,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=2760 /prefetch:8
      4⤵
      PID:6060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3416,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3436,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5048,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:1
      4⤵
      PID:1236
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4768,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5172 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4792,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=3640 /prefetch:8
      4⤵
      PID:3164
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5568,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:8
      4⤵
      PID:5780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5760,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
      4⤵
      PID:4904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5760,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
      4⤵
      PID:4156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5852,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:8
      4⤵
      PID:1444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5808,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5856 /prefetch:8
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5844,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8
      4⤵
      PID:2956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5268,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5748 /prefetch:8
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5484,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:8
      4⤵
      PID:5616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5332,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
      4⤵
      PID:4444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5356,i,14829949775508568976,11318408193944098065,262144 --variations-seed-version --mojo-platform-channel-handle=5612 /prefetch:8
      4⤵
      PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5612_1605279966\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5612_837196958\manifest.json

Filesize
72B

MD5
a30b19bb414d78fff00fc7855d6ed5fd

SHA1
2a6408f2829e964c578751bf29ec4f702412c11e

SHA256
9811cd3e1fbf80feb6a52ad2141fc1096165a100c2d5846dd48f9ed612c6fc9f

SHA512
66b6db60e9e6f3059d1a47db14f05d35587aa2019bc06e6cf352dfbb237d9dfe6dce7cb21c9127320a7fdca5b9d3eb21e799abe6a926ae51b5f62cf646c30490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
c37f9d2c357647fca20f2eaa89c18edd

SHA1
cfd1035ed2d057c317b48546f467209cbbe15f2e

SHA256
2ea3a0b7e6145fd110653b1a77cb827ad7e4a145c29378344bd3d28f595b2072

SHA512
3563f4aca9e47f35de8cb38e42a3c0448bb3ec4c9183fa392abc28fee4ca08bf16da028ffbf31cf0c0f8301ed810238961e745590e5c71621bc5a2a889dd12f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7353fae524161e94a27e1167d09dea26

SHA1
9239681b077d562b1e472634a8a1bc63aa49430c

SHA256
3815c4c0b369b506f3ecb88630158b046eb6cb8bffd0cb9df2c3d4027216208b

SHA512
70d61bcc0f50c39997c0f93340e329ec3a24be20cb6aaaf57701348751063b1590db165bb865810958ee9cbe657c1cd6f93318fe54b90fb1455e8659b8f63d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe579a5b.TMP

Filesize
3KB

MD5
b77791e21d1a9c113e9ad745e3492660

SHA1
d8439900fbbe96954680aaf3f33433f0d7bb7865

SHA256
ccbe971b48fcae2a22b01ed6589bfecf8dd42773432699d31e611be6790db30b

SHA512
c5cbc61f5eb866d4e7ff6d38f606c3d6bf80ced88b29c1dd66d9eeb679ca492acdd6a1f393226a129eda1fc78232fedeb5c4a25e66438378131aa6b38c04d763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
61a2d188791f70ace8640c7c6ef8194d

SHA1
7bd8896dc7950045c2c9badb4b1db955585951bd

SHA256
8a648edb6615b86803281308b48227fe094f53f33796c126338ec19ef0381367

SHA512
52c12a2eeb4ce6f7f4a2e74abdb5eb0c773904ce8cbf5bcdb879178da75929578213f717b1d546e587598903cb91387c9cd69e90a294364867abc994674f1fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
7c45e51521abc7dfb189e424ca4bcdbc

SHA1
d28b5eec7eae159180d82d6cf4e701637111a066

SHA256
92780c011a9d689697541952d8c7c6eb4e1419b3e2f65e419c956022dca96cfe

SHA512
e0669d57011a400a0e6f57d692bb5cfb7f79d7bb4c66236d1108c8776cbd1f416b32de0f73bbd6c30451c77b54fa656d999815380a8c7a41efe23e68d351ac7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
a6879cd3369c5a776ddbfe26f9dea1ac

SHA1
6c2b07c57e0f5ce1d10ea362a17e8e5e1de8172e

SHA256
83101d62c98b28e5f6f13ef7c9d1728af8ed94b9e9036e0427a5195c4dc34647

SHA512
b0b4b68c9ab0cc36ba4fca9d340c1d7cd8fa4067e0e34c85a77180a154d6e9ea1ab9ec76ccd1491b0bcebd75b415fc8bf59a040869d6587835a7eecf9422b266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
c67ac0a5487df6f1ac62cecd9f566673

SHA1
66f6240f51f34ba40761dc1911eddea62b6a81e2

SHA256
096406a16eaefbc6aca5c271d4b4b96b8eb9f18812f3325b4096da050d36e797

SHA512
7b9a41dd14678afbe4ffe5139de64f358c9e1d22ffe044d497eed44ba906b91c510344d0163636d59383ec6425997c9ff80f124d7484734908c785302c001aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
465B

MD5
4e5a2ec0e479198c0b80463124d59632

SHA1
8c0d9877be3677dce5a3e1d15ace9228602ed1c3

SHA256
2b82ff5a5e35173821d42ab2b342d0721126de5a38299b22925a329c9fd25959

SHA512
9fad923c36c2f909a78049e096c0e96340ae82ec57346135da459a58d29dbe59fe557dd5938a186e4368c56eff8cfa6d269b3fdc5a2d7ccee5fa7ce30cfa5726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
0ab413a8fc73dffdacaf9d18068a5561

SHA1
554ebefd0afac09385c3b23a77651da38704b848

SHA256
64aeecd20defd9f4f6487794bfc3ab6c02db16faf8fcda054d661705ab761a9b

SHA512
f3a91046a1012cbd57c8121a8901f239372694ee101131f05920f5f566ba565330beda35f388aa5d1b4c16a8617fce0e61531bb7a41159d4e71da576cca90c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
898B

MD5
8ed9e2ecf6aa6755bf4dac84e6e107b7

SHA1
64be6a4aad1f8009e83dfac71a1f8c1c16e43e6b

SHA256
e26090f9dde3534a492bd55853da8fb0866d90cae99ccfb8b9c8168d97deda92

SHA512
be770bc2127c8f256ca8b50871c511a53f8da13c23dd0de8d39ba6f2e535cee4ffa5a9c15e408ed6a3d7dcbd02c922900018563abe338baa41d6126b5a71a74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
cf879a80cd84fd8febd52be66d67a7ef

SHA1
fb9f4e29e47ed3085d215badaa182afbf337c2db

SHA256
18c972e21bdf6f1bcc72ea4dc7a01cd04533868f8f637ab60e9afd86e46b4db8

SHA512
de0ed44084531d5576ad1102b1887bae77a29d7d5e19ef61e006abdc2d01488eef9af1734e74475dfd2d61c9730b20f8eb8a105c323a24659aabc4b109f113d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
97b37e1e3247c911c15974cf1b0989f6

SHA1
445d8d40d548ba48405b0e55fcea567a825fa71e

SHA256
19742f8461a450f90c1a72c286ea143da6b69130f1c2668d38a33a382fd77b3f

SHA512
4d1029b7868033f10833b143275d9c10a3ba9e2eb2259382d6231bd339b61078e2d6e7dde943a33cacf25fd1d14987e189a294aea45aa10604f2230d68a63cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
0bb99ee5fce2ec9e4262551dfd3b6696

SHA1
a6afba591bd0bdba77b1d24d9391439150e64c45

SHA256
23c9ce5326935ef3ee806a6466633dbda5c737f6557e8cae1b636c37a850d0ad

SHA512
8287bb2bbc0d95df7b5c46c22d8a5aa89a3fba210225d6b4af45eaed7fe7aaf81160cbfa52a19d51361a46f2f8e28e582feb35976768d1917ea22c707d86d265

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\safety_tips.pb

Filesize
163KB

MD5
bd6846ffa7f4cf897b5323e4a5dcd551

SHA1
a6596cdc8de199492791faa39ce6096cf39295cd

SHA256
854b7eb22303ec3c920966732bc29f58140a82e1101dffe2702252af0f185666

SHA512
aa19b278f7211ffaf16b14b59d509ce6b80708e2bb5af87d98848747de4cba13b6626135dd3ec7aabd51b4c2cfb46ed96800a520d2dae8af8105054b6cd40e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SafetyTips\3057\typosquatting_list.pb

Filesize
3KB

MD5
17c10dbe88d84b9309e6d151923ce116

SHA1
9ad2553c061ddcc07e6f66ce4f9e30290c056bdf

SHA256
3ad368c74c9bb5da4d4750866f16d361b0675a6b6dc4e06e2edd72488663450e

SHA512
ad8ed3797941c9cad21ae2af03b77ce06a23931d9c059fe880935e2b07c08f85fc628e39873fb352c07714b4e44328799b264f4adb3513975add4e6b67e4a63c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
cbe8af1c44c30e492240330ae3eccb2c

SHA1
7e87baf8fb86e9a064b960b610acd6ec3e4fee04

SHA256
9299479dcc403ca7ab0502192360567e36a133b149f879545641a324d5b5d4e7

SHA512
a7ec3e7d57e82cfbe6c5a5f187bc762b63a6bb0e4fc1c4007b281594d96a939ac2b03e16bdd8710610b2820ab4b6f9a162ed4eedf95c1f2129d676ef8a4a0c0e

Download Submit
C:\Users\Admin\AppData\Roaming\Read Me First!.txt

Filesize
99B

MD5
1a17a3c217bc5f504586af0ec4caee22

SHA1
dfb396fb5cc735411bed8e75832315f796acc024

SHA256
db6180dca4a18393ff9ffdf9d1e9f1d0ace1fdae44b4f4ba712164ab63cebe24

SHA512
627ca1d41bddbf2f5885e431536217e711b75c17cdaa1265d257a71e370e4f3adbbce92d47a28df956e05fb6967e1d2f08b39115527a0a1a303d651d70f595e5

Download Submit
memory/1620-16-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1620-4-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1620-3-0x0000000004D10000-0x0000000004DA2000-memory.dmp

Filesize
584KB

Download
memory/1620-2-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/1620-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1620-5-0x0000000005120000-0x000000000512A000-memory.dmp

Filesize
40KB

Download
memory/1620-0-0x0000000074A1E000-0x0000000074A1F000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads