Analysis
max time kernel: 185s
max time network: 207s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-10-2023 02:53
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted
Family: strrat
C2: giveandtake.mefound.com:8081
license_id: RKA0-KES0-EPPK-UDRO-JNCG
plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task: true
secondary_startup: true
startup: true
Signatures
-
Drops file in Program Files directory 24 IoCs
Processes: javaw.exe (the signature is attached to PIDs 920 and 2844 in the process tree)
The 24 entries are 12 distinct paths, each recorded twice, which matches the two javaw.exe instances that carry this signature:
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb (javaw.exe)
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb (javaw.exe)
Caveat: nothing here is a payload being dropped. Every path is a .pdb symbol file for ntdll or jvm.dll under the JRE's own bin and bin\server directories, laid out as <dir>\<name>.pdb, <dir>\dll\<name>.pdb and <dir>\symbols\dll\<name>.pdb, which is the directory pattern dbghelp walks when it resolves symbols. Read together with the hs_err_pid920.log and hs_err_pid2844.log files opened later in the process tree, these are most likely the JVM's fatal-error handler probing for symbols while writing its crash log, not files written by the sample; the sandbox records the opens as "for modification" because of the requested access, not because anything was observed being written.
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Modifies registry class 2 IoCs
Processes: msedge.exe, OpenWith.exe
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings (msedge.exe)
Key created \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings (OpenWith.exe)
Opens file in notepad (likely ransom note) 4 IoCs
Processes: NOTEPAD.EXE
pid process: 5108 NOTEPAD.EXE, 4696 NOTEPAD.EXE, 3456 NOTEPAD.EXE, 1732 NOTEPAD.EXE
Caveat: the "likely ransom note" label is a heuristic on notepad usage, and it does not hold here. The process tree shows PID 5108 opened the submitted SHIPPINGDOCS775674.PDF.jar itself, while PIDs 4696, 3456 and 1732 opened hs_err_pid920.log and hs_err_pid2844.log, the fatal-error logs the JVM writes when it aborts (the PID in each filename matches a javaw.exe instance from this run). None of these files is a ransom note.
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes: msedge.exe, identity_helper.exe
pid process: 772 msedge.exe (x2), 2852 msedge.exe (x2), 5020 identity_helper.exe (x2), 2888 msedge.exe (x2), 2204 msedge.exe (x4)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
Processes: msedge.exe
pid process: 2852 msedge.exe (all 11 entries)
-
Suspicious use of FindShellTrayWindow 35 IoCs
Processes: msedge.exe
pid process: 2852 msedge.exe (all 35 entries)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid process: 2852 msedge.exe (all 24 entries)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
All 64 entries have the same source and target image (msedge.exe): PID 2852 wrote to memory of its child processes 3884 (crashpad handler), 4592 (GPU process), 772 (network service) and 956 (storage service).
Caveat: every entry in these five signatures comes from the Edge browser process (PID 2852) or one of its helpers, none from javaw.exe. A Chromium-based browser launching its sandboxed child processes (with the block-non-Microsoft-binaries mitigation applied at creation, and writing into each child during startup) produces exactly this pattern, so these are browser noise from the download step rather than behaviour of the sample.
Processes
Delivery chain as recorded: Edge (PID 2852) opened https://filebin.ca/7djc5uU10NKk; the downloaded SHIPPINGDOCS775674.PDF.jar (a document-looking name with a trailing .jar) was run by javaw.exe once as a child of the browser (PID 2844) and twice more as top-level processes (PIDs 920 and 4536). PIDs 920 and 2844 each left a JVM fatal-error log (hs_err_pid920.log, hs_err_pid2844.log), which were then opened in notepad, so at least those two runs of the JAR did not survive to reach the C2; the extracted config above should be treated as the static picture of the sample, not as observed traffic.
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2852, top level)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filebin.ca/7djc5uU10NKk
Signatures: Enumerates system info in registry; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - msedge.exe (PID 3884, child of 2852), crashpad handler
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d72046f8,0x7ff9d7204708,0x7ff9d7204718
  - msedge.exe (PID 772, child of 2852), network service
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 4592, child of 2852), GPU process
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  - msedge.exe (PID 956, child of 2852), storage service
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  - msedge.exe (PID 680, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  - msedge.exe (PID 2312, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  - msedge.exe (PID 2160, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  - msedge.exe (PID 180, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  - msedge.exe (PID 4240, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  - msedge.exe (PID 416, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  - msedge.exe (PID 2136, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  - identity_helper.exe (PID 1388, child of 2852)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
  - identity_helper.exe (PID 5020, child of 2852)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - msedge.exe (PID 2436, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  - msedge.exe (PID 3288, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  - msedge.exe (PID 4812, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  - msedge.exe (PID 2776, child of 2852), collections utility
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  - msedge.exe (PID 3424, child of 2852), renderer
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  - msedge.exe (PID 2888, child of 2852), quarantine utility (the service that applies the mark-of-the-web to the completed download)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 2844, child of 2852), the downloaded JAR opened from the browser
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SHIPPINGDOCS775674.PDF.jar"
    Signatures: Drops file in Program Files directory
  - msedge.exe (PID 2204, child of 2852), GPU process relaunched with the GPU sandbox off and GL disabled
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,4496258396966407161,715370631312822058,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5564 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe (PID 876, top level)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (PID 836, top level)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\rundll32.exe (PID 4424, top level)
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 920, top level)
Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SHIPPINGDOCS775674.PDF.jar"
Signatures: Drops file in Program Files directory
-
C:\Windows\system32\OpenWith.exe (PID 2596, top level)
Command line: C:\Windows\system32\OpenWith.exe -Embedding
Signatures: Modifies registry class
  - NOTEPAD.EXE (PID 5108, child of 2596), the JAR itself opened as text via the "Open with" dialog
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\SHIPPINGDOCS775674.PDF.jar
    Signatures: Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE (PID 4696, top level), JVM fatal-error log of PID 920
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hs_err_pid920.log
Signatures: Opens file in notepad (likely ransom note)
-
C:\Windows\system32\NOTEPAD.EXE (PID 3456, top level), JVM fatal-error log of PID 920
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hs_err_pid920.log
Signatures: Opens file in notepad (likely ransom note)
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 4536, top level), no signatures recorded
Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\Downloads\SHIPPINGDOCS775674.PDF.jar"
-
C:\Windows\system32\NOTEPAD.EXE (PID 1732, top level), JVM fatal-error log of PID 2844
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hs_err_pid2844.log
Signatures: Opens file in notepad (likely ransom note)
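The extracted config and the process tree above are the two things a defender can act on from this report. The following Python is an added example, not part of the sandbox report or of any STRRAT tooling: it turns the C2, plugins_url and delivery URL into a lookup, and encodes the delivery chain (a browser-spawned javaw.exe running a document-named .jar from the Downloads folder) as a rule over process-creation events. The event records are constructed to mirror the tree above; the field names (pid, image, cmdline, parent_image) are an assumed normalised schema rather than any specific EDR's, the parent of the top-level javaw.exe instances (explorer.exe) is assumed because the report does not record it, and the list of lure extensions and user-writable paths generalises beyond the single .PDF.jar case on this page.

```python
"""Hunting helpers derived from this report (added example, not report code).

IOCs come from the extracted STRRAT config and the process tree. Events are
constructed to mirror the process tree; the schema is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# IOCs taken from the extracted config and the process tree on this page.
C2_HOST = "giveandtake.mefound.com"
C2_PORT = 8081
PLUGINS_HOST = "jbfrost.live"
PLUGINS_PATH = "/strigoi/server/"
DELIVERY_URL = "https://filebin.ca/7djc5uU10NKk"

# Generalisations beyond the single case on the page (assumptions).
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
JAVA_LAUNCHERS = {"javaw.exe", "java.exe"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|png|jpe?g)\.jar$", re.I)
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\public\\")
# "-jar <path>" with the path either quoted or a single token.
JAR_ARG = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def jar_path(cmdline: str) -> Optional[str]:
    """Return the JAR passed to -jar, or None if the command line has none."""
    m = JAR_ARG.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def classify(ev: ProcessEvent) -> List[str]:
    """Reasons a Java launch resembles the delivery chain in this report.

    An empty list means not flagged. The reasons are independent so a
    single-reason hit (a legitimate tool under AppData, say) can be triaged
    apart from the full chain, which produces all three.
    """
    if basename(ev.image) not in JAVA_LAUNCHERS:
        return []
    path = jar_path(ev.cmdline)
    if path is None:
        return []
    reasons = []
    if DOUBLE_EXT.search(path):
        reasons.append("double-extension jar")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("jar under user-writable path")
    if basename(ev.parent_image) in BROWSERS:
        reasons.append("spawned by browser")
    return reasons


def ioc_hit(host: str, port: int, path: str = "/") -> Optional[str]:
    """Label a connection that matches an IOC from this report, else None."""
    host = host.lower()
    if host == C2_HOST:
        return "strrat c2" if port == C2_PORT else "strrat c2 host, unexpected port"
    if host == PLUGINS_HOST and path.startswith(PLUGINS_PATH):
        return "strrat plugins_url"
    if DELIVERY_URL.startswith("https://%s/" % host):
        return "delivery host"
    return None


def scan(events: List[ProcessEvent]) -> dict:
    """Map pid -> reasons for every flagged event."""
    hits = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


# Constructed events mirroring the report's process tree (explorer.exe parent assumed).
JAR = r"C:\Users\Admin\Downloads\SHIPPINGDOCS775674.PDF.jar"
JAVAW = r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
EVENTS = [
    ProcessEvent(2844, JAVAW, '"%s" -jar "%s"' % (JAVAW, JAR), EDGE),
    ProcessEvent(920, JAVAW, '"%s" -jar "%s"' % (JAVAW, JAR), r"C:\Windows\explorer.exe"),
    ProcessEvent(4696, r"C:\Windows\system32\NOTEPAD.EXE",
                 r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\hs_err_pid920.log',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan(EVENTS).items():
        print(pid, ", ".join(reasons))
    print(ioc_hit("giveandtake.mefound.com", 8081))
```

Run against the constructed events, PID 2844 yields all three reasons and PID 920 two (no browser parent), while the notepad event is ignored; the network lookup distinguishes the C2 on its configured port from the same host on another port, which is worth keeping separate because a sandbox run that crashed, as this one did, tells you nothing about which ports the live implant will actually use.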
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 50B
MD5: 12a3d2b572b7ed1ee9bac7ff79e58d1f
SHA1: c6361fd7246d8c2b3411da9c16f3551772afa4f4
SHA256: 025d8a71ff56d62a2686153299097147e53da62b043869b4f05ef5f5bc4dfa97
SHA512: e8640f6c32d5dd4986aef6e894be566f5c5a043acaa042e4b48a11eb0e70be30c8e51210988c74128ada353d90989b4e9be4411249c023a98dfcc770700a373b
-
Filesize: 50B
MD5: c65e1f65dde7d73de8ffc3617027604f
SHA1: cf53966e092bb3051f68b503d48e867b9cc07180
SHA256: 42719a4e5faf4a4a060521a8b691fb5a5ec64b2cb60fee0360369a6f22703a74
SHA512: 7b64a1da2fb8bbe33298e0971f7494bdefcf8bcaae8d9f0a73de66aa02ed42174047d50c39182cd93a31415cbf2271f47563ea52caeafbdbb62a0c15e1301604
-
Filesize: 152B
MD5: bf009481892dd0d1c49db97428428ede
SHA1: aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256: 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512: d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 120B
MD5: 868dac041f63829c2499ac332e5ca8f2
SHA1: 4432871bd1552c8c2faea1a1bf2ff8590cb7f912
SHA256: 73189abd232894ccee75a4422903d6223f81e754e491783df062622f797e1a46
SHA512: 38120e904f5a8e962df59e68425be79e02deb4079cc2c8e3a4231599c62986fc0f00bdbdc96dd07d8bef0a4bf0b75bb0708389569fa37b1a8e4c9b32bcdff26b
-
Filesize: 551B
MD5: 6ef3a98cbed09a79e067c1c6e0918f9c
SHA1: bbd370143695c09c17f108c8673f0127c757b81b
SHA256: 291808f9cb3ffaffae39a7b4b78353227a3c49cca987963d239193ef099b94c0
SHA512: 4e43dc367cb8faced1f983af9b52847023bf065dbf9c8322d54f54b32948c41caf8497e8d46adbe54d5beb4257e89e39caa31894b03afe1e8ce6b266aa7c296c
-
Filesize: 551B
MD5: 52a2cb8471f055178b8844eb299c19b5
SHA1: e3e404f43f9c04c116093aa2ce9b75ce0b222af4
SHA256: 368fd6ed58a78726709ee0f39423434ec4d4986a03f2b6b0ea1ff215fb5eae66
SHA512: b853160b98de2837a660aabdbe746243ce8124500327fc5dc16f5f77c8eef00fc98476266ae4f36e258e2008fdd8293e04b591c5ee7b814bf33970f72d73fead
-
Filesize: 5KB
MD5: a4af1aae49264d56df02b3ba7a6c0015
SHA1: 1e061a1fe65b66a40d25aacac98129a331214074
SHA256: bb13d37325fec1bf489dde8b4aa894e33ed73e4999da7d102ddf2523e0b9ce53
SHA512: 1d182b98f660f48bdfb5457f673ebbcfefc84d7ae3adf6d5a4ef2c94f068de71a1955b80ec130d997828cb591b05f70383b4d006dd46791308bf5e147199e858
-
Filesize: 5KB
MD5: 5d8ac9b61bc4512960cc7e63d5f36280
SHA1: 10a299f8b9b41be2123ed86e59fa9c397b6b9005
SHA256: fe5ea4c263777cbe30f5993c87b5a0fa81e1eeac4344b20e1d4d92e6b36ee32c
SHA512: e1510fed7c5b88281f4095e5ea07762b3b52991c0e42ad58d9667dae29d94ce51a64a1a085f06a00e1c5833a5e31f5584214c7249059c554747545d38cf12177
-
Filesize: 24KB
MD5: 25ac77f8c7c7b76b93c8346e41b89a95
SHA1: 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256: 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512: df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6e62b0c-d391-49da-a4c7-afdbec79a91c.tmp
Filesize: 111B
MD5: 285252a2f6327d41eab203dc2f402c67
SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize: 10KB
MD5: 6a790f499536f7aaf5a93e67d2b26d1a
SHA1: 6ea0c0208d00f4d8132e6463c9b32580fab4e635
SHA256: 1a2be257082852e5567946856273649960278465e0d19268f62c450d9924c019
SHA512: d0e43909b12d6322583a99994c14c28dce8efde1c843b34edb42300f7c5a7d2e5c93fe6255e8e300f4f34532a83a2cafd6fe0c1feab02b2a959e31924804a123
-
Filesize: 10KB
MD5: 9594789c568eddb5069d7f3e2b3897fe
SHA1: 6e26c2d6dc4e88aa34b011dfe2244bcc00d84888
SHA256: c041e2eb7095086c97d79b7283f27ffdeaa604c0dd27e48b89317152dbc48238
SHA512: 98f92dff8cb7b5484c68de262b92b0f9f138b99f858f5708740108a9cd7d106d2a933aded6b40cd05641a929dfdfcb338ef36a21fa64d651e6d60adc6ec4eae3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3027552071-446050021-1254071215-1000\83aa4cc77f591dfc2374580bbd95f6ba_87d750a5-3031-4fa3-b099-3164d7f4f528
Filesize: 45B
MD5: c8366ae350e7019aefc9d1e6e6a498c6
SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize: 164KB
MD5: 2867995420fa528e036e135bbe9ca3b5
SHA1: 3ce3a3f5f980739d970db7bff5efa564fc93571f
SHA256: 2f1ae19f5a471ed865f9045872b8c7e22c31287562fad799fab090b6adced0bf
SHA512: c20eb06c2fef55448b0c1bf9391556a4bd16e6e101ac0657ac31e11f1d52d3233d98e36576d314c2fe8c68b7f4fd1ead5589f8f61552f2fc8c30c0f5ee9bdcef
-
Filesize: 164KB (second record with identical hashes to the entry above)
MD5: 2867995420fa528e036e135bbe9ca3b5
SHA1: 3ce3a3f5f980739d970db7bff5efa564fc93571f
SHA256: 2f1ae19f5a471ed865f9045872b8c7e22c31287562fad799fab090b6adced0bf
SHA512: c20eb06c2fef55448b0c1bf9391556a4bd16e6e101ac0657ac31e11f1d52d3233d98e36576d314c2fe8c68b7f4fd1ead5589f8f61552f2fc8c30c0f5ee9bdcef
-
Filesize: 18KB
MD5: d7c0ab47e1dc98460868cecccef00fea
SHA1: 17e83779f53ff98b258610f5d703efc67ede7ea6
SHA256: 18b54de8dbf7700a09ecaad5e5ac7ca1abf4f7bb58c6d08f73db72e0ce91671f
SHA512: 8dda253ae59d72adafa684fb060c17eecbd04d2b6a0f926d8d43b18d25c1d27e09443b60d0a402dfd7f8e40afdaa4606d0a927e5ff1a1917bb059b916ec1fb53
-
Filesize: 18KB
MD5: 0ce3ea12c8cb10b5d0b66b1065c3bf2e
SHA1: 3b90e0454c1c011b7be332ad1f5e58efce569182
SHA256: 434bece03cfabb66fd36407988cdb51e68050772a1bb4ede8c773201b4c61cab
SHA512: 6ac1247cb90fd08cd73998f3222bdd9da6953e13c01722d0d7b6727f1ccca544881df358cff5d7344016a22494c0e03a46240d5aaac01da440b02e56fa6601fd
-
Filesize: not recorded; these are the digests of zero bytes, i.e. an empty file was captured
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e