44caliber | hxxps://disk[.]yandex[.]ru/d/JN-LxzQEH_gfVg

Resubmissions

02/03/2024, 14:48

240302-r6p42sec9w 10

02/03/2024, 14:48

02/03/2024, 14:39

02/03/2024, 14:30

02/03/2024, 14:29

02/03/2024, 14:13

Analysis

max time kernel
169s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
02/03/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/JN-LxzQEH_gfVg

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1213470089370800169/n0cIp20zmoXW96bm3kmEEDF8S6ayukwO6fCeFq-6ll6NW6LsRhdA972MVTaBHlihjCVc

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3704	extend.exe
4012	extend.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	freegeoip.app
41	freegeoip.app
45	freegeoip.app

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	extend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	extend.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	extend.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	extend.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 102726.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\extend.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1524	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
908	msedge.exe
908	msedge.exe
3620	msedge.exe
3620	msedge.exe
4144	identity_helper.exe
4144	identity_helper.exe
2344	msedge.exe
2344	msedge.exe
3704	extend.exe
3704	extend.exe
3704	extend.exe
3704	extend.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3312	msedge.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
4012	extend.exe
4012	extend.exe
4012	extend.exe
4012	extend.exe
3016	taskmgr.exe
3016	taskmgr.exe
4012	extend.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1420	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3704	extend.exe
Token: SeDebugPrivilege	3016	taskmgr.exe
Token: SeSystemProfilePrivilege	3016	taskmgr.exe
Token: SeCreateGlobalPrivilege	3016	taskmgr.exe
Token: SeDebugPrivilege	4012	extend.exe
Token: SeBackupPrivilege	3968	svchost.exe
Token: SeRestorePrivilege	3968	svchost.exe
Token: SeSecurityPrivilege	3968	svchost.exe
Token: SeTakeOwnershipPrivilege	3968	svchost.exe
Token: 35	3968	svchost.exe
Token: SeRestorePrivilege	1420	7zFM.exe
Token: 35	1420	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
908	msedge.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe
3016	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3960	908	msedge.exe	80
PID 908 wrote to memory of 3960	908	msedge.exe	80
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 2076	908	msedge.exe	81
PID 908 wrote to memory of 4668	908	msedge.exe	82
PID 908 wrote to memory of 4668	908	msedge.exe	82
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83
PID 908 wrote to memory of 4532	908	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.ru/d/JN-LxzQEH_gfVg
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc35403cb8,0x7ffc35403cc8,0x7ffc35403cd8
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 /prefetch:8
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Users\Admin\Downloads\extend.exe
  "C:\Users\Admin\Downloads\extend.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,10521674854973540102,13690869216354798896,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5552 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3760

C:\Users\Admin\Downloads\extend.exe
"C:\Users\Admin\Downloads\extend.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\extend.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\extend.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\extend.exe.log

Filesize
1KB

MD5
bd520220fcaef7f848df54fe66d33efb

SHA1
8ecd31afb68ce5f8587c74872e6730b29bee15e2

SHA256
7f52ab16ad7365b5e32983c89292ab2dad0b77e1b8a27c7b1c6100ec75df2e9d

SHA512
b6b3bb0f2d0684ab1d2087896e74d5edf72f245a6f595e886295895793cdf9efb49e8d0b2ca170434b4003aa72e93875ee4594bca82ac111f56b5f509a0b0ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
55KB

MD5
6d8f9921a63536dedcf15750034246a0

SHA1
21341ce07711d86386f6b12cdeede8e277c94ead

SHA256
ce6ad02ba3020a190452d69867165ed73230d2108c74f608fbb7cc7ada4c3f72

SHA512
2fdd4929f8dbcc57ddb2d3328bebe58dd46cf8edfdee54ce3cf81e115172a164c60b79f648442e5940cc7848ae67efe9ddcba48e012542e533835718874d9a51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
14aa3751977780d19003ecb7117db04a

SHA1
bf1903f128e7511602fd9bf7a1e52ccff45f3e03

SHA256
3ded494238bb271477e8cbcad28bb64c8a629f0c78478f3851c703bebfd76ec2

SHA512
1d61d2af7be5c8ce78cda68f39bd3c71362d79a4da3e11a022d5d120e3e12ee520ea45d4193f851d3cc3c6f2aa6d88570976ad93db56b47e7063019fd13266b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
58061d54d7beaa8035066ed192d7aa67

SHA1
ec708583c246035d419149aa704fe51b54ed1619

SHA256
f185c8655a662a895e4263504da1d8e5474e2618813d51cc04703dd29ff84689

SHA512
4ab41bb39eaf59312065a8f9b6ed7565088be38876e87f971b414dd49372c4376194d9a35f9d1f1fa27740851f100cb927523f4869ae304949c8b4bac4f33097

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\001\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
550B

MD5
0ae7f7c18f29ade066845031c93a1af6

SHA1
3aaa14b02e0b27fc3353d683bc14e0e5230d1546

SHA256
69bf5f8d46b3e85849e2ffc158670479bd25785b31a20c7303918ef8fafb5ca8

SHA512
3922dd178728760f49cb94e9fc0ec609d02aa4ed216e947c4797ea83911fb42ea99f6cf5f6aa7b3bdb91c69430b0f1a8b616c9130a5975a0dd51fcf81c8d0294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39b91b6b64db2acd78b831340729014e

SHA1
084b01d78b6afc3b66c575bbd01fe562c4837e47

SHA256
e85474f7ea5a86d5682eb972208610d1a16c72afea59561a2ca09b4f0f547482

SHA512
e4ce725ec11fa8f3e3a9e0120cec59daf2af23e466076a08f2e3262b103b2e74a31f2a79ff80851ead5f6d40da275366f978aa018d9e5400fb43fece952c5816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c4d786eab449d242b463bc72d4fa1d9

SHA1
16a63ae5061929d75e5226f38dab3b524c39ba26

SHA256
279629bd4e998efacde96b5777ee5d8c9847616a3a57f21203854a6a2d83219b

SHA512
4dd73835bab6791eabe1a10743dc780faaf451cb94881c0a251939dfff2acb4af741b3525f0c9498c0d705beaae57c6206882190707fb51a214bae4eea5a9a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
9c0c18da7db094415c001b1fb710ac00

SHA1
fe220b7c835b1f79cfd48e7bc9037497a3622951

SHA256
a79713c1ca316ebeefbd183758c0f5454fa0b53c3d9fa43f2430c0c0375ead4e

SHA512
af46aa184d33d3de1d7e0d74515e843755efaf60993a2bb5e8aca391704296c1305e5b65c75c0243d7a3e17a7a75b73eb1b23ee6b3764cdbe9544cff614011f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581efd.TMP

Filesize
705B

MD5
5eee62e92cc1d14e7e0afe8d7fd9aa5c

SHA1
b19054bfa6cad53022efe36138b2a4134b938f2f

SHA256
01467dcb8acfcd35b075f3e48f421cb0e37b74344ef7b85303ef77818776bcf6

SHA512
d61e316cce3b5da915dde4e706e7b0ce4725d0b843f3c9f60f1fa8edf090a148d769826025329a47be9c60e6cdf4263aa995da3bec751ed540293b85837922c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
615aa083259128acd9b3316ee3f02760

SHA1
f6c47bbfaae217abb0cf73d37197d07240abcb03

SHA256
3818e7a62bf948c65d7be6038ace67c294d314898b91c61b8dc685d9c64dd4c9

SHA512
21125604c99daa9f6b3dd88f3e84a28d452570aa230441e81c50629c899c607ff15c93900f1299496ca1d333b75dd07bb88cda79854c48993ecf703665fc5743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aac573542a498926941efd9cb6b5060c

SHA1
9a1c89695be2d4077141749248e54f09aaea49c1

SHA256
2970b057962770c80e80946220ca0772abd2c5bf2e772a7eaf74eb4a6f00baa0

SHA512
0cdab302459918e8769c2b605a7a8fb0e40edc26a35929f405e5840208290b0e033d5f86eadb7dd0feee2e09fd0311ca32051daa71bd763a1994342accb43aa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
431d84d29dd4e015204016568170b6ed

SHA1
0f4ecc39f335e2e0c5b43eca58b237b879d85314

SHA256
63b1bd213d80840956fd1faf8536c703a1ca50977bf718cf1c2d78f5502268d4

SHA512
7e43406c747d797223ce5a39e0cdb12f3d06d9e900e3eec125af23a2dc64b9168349e660a3000f92028faeb6d0cdf2e23bf53aa4241b787b9fe30a06e79ff2eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
20652765455d866aac21a85c1e99fb96

SHA1
c15b70bf827f7d79c19dff9ebbe1c9147e681148

SHA256
12ebe6effb61ab4dfe4d13ca9303b956d831e954118b11523c230d39a05b4099

SHA512
ee8c4e3f64fb89cf2984f4a06211a9fe811016366581698a8b955001bd789f1819ee403c4758a286f8abe272240cc698903fcdd958bde23353833cec11fe8dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA05D.tmp.dat

Filesize
92KB

MD5
199ba39bc59c8427ed005df1bc22dc88

SHA1
a896449ba7cb1f6bfc0c01fbdbf7a7437a9ec164

SHA256
2b3190a22f79e9083f82b620dc61ac1daf71bbb36270e97736ff0d08e67f1587

SHA512
0714352b46ceaaad3d018e5a5fb6b156b0938903ab4e5fbe8e228d7078d01c000c637aac1fcaa2f728c1ead3ced4dd6952b8b189a6e495982f6f5e55aa7f5639

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA06F.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Cookies_Edge(82).txt

Filesize
2KB

MD5
bd6c95b69a9613c3a24ea3d5d06a05de

SHA1
16ad536f725e70b1a9f5a579cd12229d00de939c

SHA256
e99c18d0ef4a90d69dd1d81db424cfc7d1e088037b37d27086dcdb5d42220494

SHA512
0b131248c4695206f1f99d1977e242d1de79a4b2c890dc02268103bd3635f7b3ed7b4d346ad2d0df72bb510c0bb25b2c7a3f4e66bdc5038ffedb6bcbf1cb09e8

Download Submit
C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\44\Information.txt

Filesize
647B

MD5
147bdac3ffd89c9363de6a46c2f28aee

SHA1
4d48e407565cf8fe1fa7b7dc14ecec0952b193a3

SHA256
02e689743687b63db33b5a972e1a0212c3dc5001fc3a10f9a598b4c7590fb90e

SHA512
34cbc3eec192ccc2ec012b467b6d0a207fb22d24c772210ac201a6b8b127b6283878f9900615d7dc65e5bc5acb4cf1c4dcdccff50d21fe68826f8efd043ca33d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
757B

MD5
aaacfc3e04a6f613e2cef5ae06da2991

SHA1
16803914987322a552e385ac5bb53143fc00d564

SHA256
0957cf53bd8c03c4d8651d5d35f2d8fe8d4b9d6c81408b27978b65dfacc1cb09

SHA512
dd3c38b83024a9ec89cea7a9cb56237ed03da96d66d7b5eb93469ae79a9900329d2da6facbf4a2d990a5ce15f738409568dbe00664adfb67e4e30e0b9a295255

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
f689f4896fbe92ccee1e9545a960d84e

SHA1
4a0a2a35a522da935ddec1b7b23071e78c8336d6

SHA256
cf5aa735ccae3c02419c782bc90e2df0c282c6507bfb883023c5d414bc043c3d

SHA512
9fa81e0aeede2a1a3e7ecbadcf4b3ccaa34bc35524bd2ba6eb2305611c25b45410f2877308a1d91609170adc317b11c732e325051ff3029a4a4b1c1e768a3bd6

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
2KB

MD5
1f71e2946c394eb476821f2bb660793b

SHA1
c79af8394c6221c2584d18aed38797cfdeddab12

SHA256
f189f6eae2543b2e528bd5dffee2e175f66a81722c36dbd341e8d2d8de8628a5

SHA512
ebf7d1f32cba7b259c2f39f0b033c5a004379a291d6398cab6ef281a5a53091be4e1f9aec5ad3112d79730480734ce764a80f8a8a172fb9ed7efdcd1d23e25bb

Download Submit
C:\Users\Admin\AppData\Roaming\44\Screen.png

Filesize
143KB

MD5
b4d7fc7cbef19c235bbfe923a8b7101a

SHA1
69c45059e357f622e9c1422a1417c3d0be7ca277

SHA256
380e47dbb2d5b4c92b138c92be80e8cb9b6395a776b1189f72bbf56d116a7ecd

SHA512
ad6fe31fe583e785bb619af6bddd2013132e92bf0257b5237067ad3f6b33b38163144094abd8b022437abd143cf4576d3e8df4bd25f79141e2914843bca994da

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 102726.crdownload

Filesize
273KB

MD5
3f62061544094b6aab3728177e20a8d1

SHA1
a0497e0f63b96eaf206b91efcde95426b956e079

SHA256
69cccf88eedbae6a6a4818d587d3a5f74b5bfae56b162a9a551f5879f91b9261

SHA512
29d9b13fbda73522dc2c54bd246cfe2b3c67519e1d36c8e542081647457fbcbc49fe09cac0a2624f463dfc05cfee6282d0db2f1b22886b645ac29ceaa60e0664

Download Submit
C:\Users\Admin\Downloads\extend.exe:Zone.Identifier

Filesize
51B

MD5
ba446afe6ce2341d9dde43bd50da7167

SHA1
a14d6a5b9b32cd8452da874a550dd2f852a8ce04

SHA256
e51cad403cafa19ae3d19b0b8b5f6ae61f7231047d8041cff4cfed2f57d4100f

SHA512
2ba923d92cf26e2bbd5c2029f553e1401358d39e63265d3e659d0005a8f4d296a73c6ca19c819b181dd8e11b735015d0a1d59e33fbeb9a111ecbbd2e609622ea

Download Submit
memory/3016-430-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-431-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-433-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-434-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-435-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-436-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-424-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-425-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-426-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3016-432-0x000001C5CB6B0000-0x000001C5CB6B1000-memory.dmp

Filesize
4KB

Download
memory/3704-398-0x00007FFC20CD0000-0x00007FFC21792000-memory.dmp

Filesize
10.8MB

Download
memory/3704-246-0x0000020CF8EE0000-0x0000020CF8F2A000-memory.dmp

Filesize
296KB

Download
memory/3704-252-0x00007FFC20CD0000-0x00007FFC21792000-memory.dmp

Filesize
10.8MB

Download
memory/3704-258-0x0000020CFB530000-0x0000020CFB540000-memory.dmp

Filesize
64KB

Download
memory/4012-515-0x00007FFC20310000-0x00007FFC20DD2000-memory.dmp

Filesize
10.8MB

Download
memory/4012-516-0x000001E21AE70000-0x000001E21AE80000-memory.dmp

Filesize
64KB

Download
memory/4012-612-0x00007FFC20310000-0x00007FFC20DD2000-memory.dmp

Filesize
10.8MB

Download