57cc7cae6afa102276b50bd702b867e08b26813d2205b0fc4b482f7bf891ac1f

Resubmissions

23-02-2024 18:34

240223-w72lpaeh43 7

23-02-2024 18:28

23-02-2024 18:24

23-02-2024 18:21

23-02-2024 18:14

Analysis

max time kernel
207s
max time network
205s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 18:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

311KB
MD5

cea20f062ebb4e5df6785854fceeeedc
SHA1

7b224ce16763c893f95c408d42b6024aa809a5c5
SHA256

57cc7cae6afa102276b50bd702b867e08b26813d2205b0fc4b482f7bf891ac1f
SHA512

791a3f41c6e8fecce047fea8151ea218bba54634f770fdcebf52248c5ab9599e920cd3f581f0cf9c91dca1952767a4579ccad073544888ed3cc846b8c819bb73
SSDEEP

3072:0idgAkHnjP/Q6KSEy/0HgPaW+LN7DxRLlzglK8hTr:xgAkHnjP/QBSEjAPCN7jB8hTr

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3648	NOTEPAD.EXE
3064	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1228	msedge.exe
1228	msedge.exe
452	msedge.exe
452	msedge.exe
1780	identity_helper.exe
1780	identity_helper.exe
5652	msedge.exe
5652	msedge.exe
5652	msedge.exe
5652	msedge.exe
4404	msedge.exe
4404	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5952	7zFM.exe
Token: 35	5952	7zFM.exe
Token: SeRestorePrivilege	1056	7zFM.exe
Token: 35	1056	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 5048	452	msedge.exe	50
PID 452 wrote to memory of 5048	452	msedge.exe	50
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 5008	452	msedge.exe	90
PID 452 wrote to memory of 1228	452	msedge.exe	88
PID 452 wrote to memory of 1228	452	msedge.exe	88
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89
PID 452 wrote to memory of 4648	452	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec1aa46f8,0x7ffec1aa4708,0x7ffec1aa4718
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7656 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1420 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1980 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8176 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,11213386401724854883,3171068528206519822,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4640

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_ch3t_Hub_latest.zip\ch3t_Hub_latest.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_ch3t_Hub_latest.zip\psw-2023.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3648

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_ch3t_Hub_latest.zip\ch3t_Hub_latest.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_ch3t_Hub_latest.zip\psw-2023.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343e73b39eb89ceab25618efc0cd8c8c

SHA1
6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

SHA256
6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

SHA512
54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4c957a0a66b47d997435ead0940becf

SHA1
1aed2765dd971764b96455003851f8965e3ae07d

SHA256
53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

SHA512
19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
21KB

MD5
660c3b546f2a131de50b69b91f26c636

SHA1
70f80e7f10e1dd9180efe191ce92d28296ec9035

SHA256
fd91362b7111a0dcc85ef6bd9bc776881c7428f8631d5a32725711dce678bff9

SHA512
6be1e881fbb4a112440883aecb232c1afc28d0f247276ef3285b17b925ea0a5d3bac8eac6db906fc6ac64a4192dd740f5743ba62ba36d8204ff3e8669b123db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
17KB

MD5
2b4516f3b4765b079b6e2a05eaee215c

SHA1
00df26f1d743b1b7e085da8da8648b1b06fd7371

SHA256
2d31f3a280e72bc4639f3f4398f0966e8c185753b67d04b601cef2283294dc66

SHA512
3ffce5a8853efae7d6a2c014d2f1e3dacc899be6a84d4bcdd9f6e5439f03f8c0ab9316e461c834e8233b88549adae360513a18e04a66dfc75a916d9961b8f9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3df23c55f7f550d16d2b5a32302392e3

SHA1
291bc170daa346d20c448d3e7dbe530ff18aa139

SHA256
72a1a1de620f7f24896194bb1b0d76b5fa0065cc69f301e03f8e743d660f1a57

SHA512
a9e9ab8cd3d20346a4a2240b6cb758e3b9a324524b1e8307c6eca7812145fa996b53657330d2f4cf5fc0e0a6068260f66176805ae2f9f6cfc6dcdfa83c768bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f517b4fd987846481baac2980afe2f96

SHA1
a78171f7ccab305d8a004ff280249679e97b0f88

SHA256
41a08a391c69ce93d106e39a594a31e96771c739e1734f8b6da104599c7c0eb7

SHA512
f273f2019499339801ff9b99296434b99c2f756d7ae3fa21bc3f6687291932394566282936dfe215b8b3fb71d574cd9673bbded4cef7f3b222ca5846bbff21ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
0e1b49a88097e010c5b606cddacb6e6a

SHA1
9a95daa9fc4b44b80b9e5a6069a7a443713f66c6

SHA256
f1b1c25cf30ebc50bf198b3829948f361390d8106369b6bc128e76787a9fd3ac

SHA512
c5a0e2415d9514ea4d676532924ba205b2c7e6e2fc6b5a31a7a08beaaae94325fa54b04c93dfac6552d93f5b2620cbec304633573b5a3166000d7a26a2ecde8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
ded82bc262c32a2053e7a33a2df010c5

SHA1
9bf37e58fb63dc72b06cc36c85c82b6db025e31e

SHA256
853a78fa925ae720a90d26add1d817e961e3d6a9c7ca27f58beb2767462d0ed2

SHA512
663a6f3f821c16196a08b856cc23cbb0261a72db1a7584aeab01994ec428ec9d8f197ebbba984e4897bff5306392bf33b8b18426faa0bca822059d152e124a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d02740604c00ec7613b5e88b46a58748

SHA1
74ec01ad0eeade155a3e7ea5ce5fca99ce03b2e6

SHA256
189ad00a8e40d5e66a1802002c9d865ace42a6865c10a109266340da87b17ec6

SHA512
9f807ea9499146480b8e84871cd5371098c31a5b0f94c06e7dfa5d6daaa6a0fa748f576c61af1cb54bdc469dfa9f783991174c88df8a35de2ba0612fb7b23a32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
cc229099ad65887b1272b663afbb1c3a

SHA1
ba0fd0dc0cc2a2373fee89551d77d622e864d189

SHA256
46c57518be49b9d6c31f92642c521e35966150e838c80c2fbd46150d9b021668

SHA512
6b93f34881324bd775fa158b61c1838786155950bb4396df08061775e8653f6a1ddc4fc92a461ee76a1a7afc7169b2665e31239a5976d198fc28f818299afddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
42c62b022a25a5f1542747fbfd8d77f1

SHA1
438abefe7aefab38312c0e23807d94cc3672a88a

SHA256
50e5e10a3903b3aafffc195bc77ef0c5fd90bdb490cf9674dc9f4db880eb0fa7

SHA512
5210d7932b0aa1e2233ef82398eb23dd32e731cf68a918006449db69de3aac3134e78fed78dc911c2eb2c56d9e118704b001af5bb1cc5cfbe9cc2d9eb1cae666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ccf147e2067556ec82c6458900c9a9c4

SHA1
890d8073e689df6456e2be1a577ad473a274bd29

SHA256
198e3fbbee021178aa08027a40a7a5851814520e096c7236055daf9b591e25dd

SHA512
c42a54198c043f274bf45adeb2a61223b6e505b7c87a0305ff4c23b5963c290123e20364b5256a3f51680a5507605c0ddc6874dd31101f76cd4a5a4a0da84b5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
75bc561000cbb942dfea64d123fe311e

SHA1
1088cbdccd55def1e8451db887fb09e4a08d2e15

SHA256
eb2227e3c3edb522ea9c8987fddbdeea4830232365fe7e200ea4eb1dcf27586d

SHA512
d7f88e4d1bf52399835f1e1471375fb2ff6dcd15fb05306b6bff39c57c8df3b04af52ced4583430c5290410caad21315eda8445f07beb94f1c51b67835fc00b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
82c0d6bfd4d6c649a757dc43684c2962

SHA1
31f4666cb26b646de2ba5caf7218284e088b215d

SHA256
c1e7858659a955a5c2cbb5c3f0ef44de1cb8ce1def7a756d3b8fb4948a9cfb72

SHA512
b31f63cecf81e551234fadc539d546d1d2136b02697ae5adaff493b89b0f72ff3c43ce204d21c916f44b464331984cf63c19de2c12d285b4f6b9536305eca688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579b65.TMP

Filesize
2KB

MD5
2d15a5a7758920f0931210af3085ba7c

SHA1
3e50025553499333c55dad0868de6a0a06246d72

SHA256
1a3f9f6a9a13686af247c26d1863bc9e899684100e49180b1878739259f751ef

SHA512
ee84659032b5a62213245b55c5c025a5fbcdb163a9f1507ee6fef0296f1ca452bffc7d9eb106f18263fc670559618e29305c14e60067dd0397f62cd9eb88b2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8efe69bde2e4d1f13247d9a67ad7587c

SHA1
e344ce2c040bbf556ff759154f9748ca2e923faa

SHA256
a1077803d2d520d1940030c140be36b31eabaaf79ddc60d8dcdfca656b90d2de

SHA512
8274dbfc4fbb3b61fa56f50ec450b67cfd3811b075e60134bc2ea04c281ecb71c5844e19aa64debe90c932872fb9de45ae3f7af2dabcbbb6030b9c61d7089435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a45868d96c767c91ae1234b6cf96665

SHA1
5f89a866f1d4786af2a842de126147afbdd7f4c8

SHA256
328d264a187cabd6e1411b511c2c95464e22011bbdd4c573b7910f395b7179cc

SHA512
5ec321537a3add8f7f0813f1d74db8691ac63915e0ca09afd5e9e1b44c32aad28f4ec0870dfbca1e99b5dcad195b17e4c78796d7bd7ef6f619b23c7dfc060c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
49e4bb9fb031ed1e318bf3f0e28c3730

SHA1
c5571e6fc471de6c66c3114eee4482f44a3e635a

SHA256
1622f5a5b893ce8cbbc979353e0cd849f46246f5ee79b8b122f93abe0e5901b4

SHA512
19ffc3fcf3b3580b777794696357349bf9e7b815178ae26b5267f2ffd62c67de3bfa12bb554052abf928066cb6fe4cc90baee5ae59986c4ba1cb26af2b59d44a

Download Submit
C:\Users\Admin\Downloads\ch3t_Hub_latest.zip

Filesize
101.9MB

MD5
1913be82fb55df389379adbd1d75555e

SHA1
da47a131ebb60ad375c9b3c8b70d9418001e45e8

SHA256
2d049829761061ce8616753296c41acec7769903837002797d4846b2b621f71e

SHA512
0822a4c156ea0e82929833cb002226cb9ed77428be19fea63d5ead2de1ef9f88335b64e0f7e2f0cda011952d21d68c8963f1d546bb58ff98bd93f04f9de21e91

Download Submit