hxxps://workupload[.]com/start/nrP2QTQjjew

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/start/nrP2QTQjjew

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.java	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\.java\ = "java_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\鰀䆟縀䆁	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\鰀䆟縀䆁\ = "java_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\java_auto_file\shell\edit\command	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
1488	NOTEPAD.EXE
5864	NOTEPAD.EXE
5780	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3996	msedge.exe
3996	msedge.exe
4376	msedge.exe
4376	msedge.exe
4588	identity_helper.exe
4588	identity_helper.exe
4480	msedge.exe
4480	msedge.exe
5372	msedge.exe
5372	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5944	7zG.exe
Token: 35	5944	7zG.exe
Token: SeSecurityPrivilege	5944	7zG.exe
Token: SeSecurityPrivilege	5944	7zG.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
5944	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe
4376	msedge.exe

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
5576	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4284	4376	msedge.exe	84
PID 4376 wrote to memory of 4284	4376	msedge.exe	84
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 1136	4376	msedge.exe	85
PID 4376 wrote to memory of 3996	4376	msedge.exe	86
PID 4376 wrote to memory of 3996	4376	msedge.exe	86
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87
PID 4376 wrote to memory of 2468	4376	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/start/nrP2QTQjjew
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b8ed46f8,0x7ff9b8ed4708,0x7ff9b8ed4718
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2512 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1960,8150708961636860182,9935887628955921053,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5520 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5576

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5732

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Clientlauncher\" -ad -an -ai#7zMap3100:90:7zEvent3752
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6096
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Clientlauncher\ClientLauncher.java
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1488

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Clientlauncher\Scheduler.java
1⤵
- Opens file in notepad (likely ransom note)
PID:5864

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Clientlauncher\ClientLauncher.java
1⤵
- Opens file in notepad (likely ransom note)
PID:5780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
9318be6fa74d2add02d4dd23c286b660

SHA1
4dbf107e4d55cf733ce5a47bec2ebe1d7507d004

SHA256
c2db311cc13ef85a375a198f166566cbdce8fb0ad6f0e9bdf3dc90e1a41e24a5

SHA512
b5f2119f7618c30618ae16a030772474fede5405a6bff8a0753c288b59e538ebb09fec8bb54654fc37455527f6a28dee17ecf8a8aecf22f2035c44124d7e5189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c4525332c7fdceb88da3dc65e16f779

SHA1
b4a4fb5c3567a97459c44f681bf34bd16c043661

SHA256
ed23a8220ce37be74c73b05d9635b5ea21a6684e332a815d5092d0e6488e8406

SHA512
44902afc0e116d2faa7d70b2b33f2bc7a13742240fcdc1694292f6fe1b370e7bb2982c91c6d297864a6089ffb41d2d8cc4c302e94becc108ae46648712fe9a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6f4074b4ddfbf0d2c78cbc35f536fe3f

SHA1
4eff53d6b7d0bf1ea229d30dd46cb2cbc1a2faa5

SHA256
c048d501cb4607751977a4b52d37d2a27140a08327b09f459f14eabb2b821cc7

SHA512
f9a39ec5133f0023352a716dad3d1ea4fa32fe6aa4ba98791a4f58c160208117c0d090ff1c784f97401db518e4709e3f8536490141f0db5a11f042b163f39810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0a3b02a0a24aae77091054fe3516f0a

SHA1
9b80c393945228f16201fd875a591c05388bfb4b

SHA256
486402f3a6d97dfd8cc2d1bb79392d041a9a1c2ab14c5516e3dfe018af4a3419

SHA512
ba6c54adb823ab50eeac95d0fc1acd8d9de9264ef332dd31ce4f5fe68534ed05218f167f80c998fd53b5824200e6b32c1feeca5e88abd3ff0a34b632e1631bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65292b6c6d9721b6cdccc9650e48b6d5

SHA1
bee578f600a2bd4141b5ec8f8832d2dabf1decf0

SHA256
4a104e6fc5057bcf1cffa11c6a211789d7679fb0abe551596f2f2e6f415bdfe0

SHA512
ec75790196af40514b76628f68d7d0e6cabe923467e0a494b8f4848186a6b46318206c7b8d1f7f1dade2ae615a8e78789dbcbee657234691e43bc90639f54b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
80d46188dcbfea283bfc37138f71ed8e

SHA1
328309b713e1067fe3bfa36764a4da4a05612783

SHA256
e08fcc422cae8dd3f44219eac37036fb34b30b791065aab38e22809d213ed7c9

SHA512
149b6e4258dea70a7cbedf41c6419f875b099651bf5e7fe213e6be3883cf822bace574cdace80c677fd6be7e03a51b823550e963d68b28fed69476b8be0b3c89

Download Submit
C:\Users\Admin\Downloads\Clientlauncher\ClientLauncher.java

Filesize
11KB

MD5
0d93acc94dda6bb00ee67de1b3d82462

SHA1
661ad6c8b18067c676f4fb77e0f3d1eceb738d4e

SHA256
b786416546b03807b770c42db53a5efaa562b61ad3523b5cfa90e682d8e09fd5

SHA512
89196d42c3c4d56fda05742615df63089483ee2ddb31d15e4d9011aa24fd62897fc34abcf8746c09b73a91385288726def4900c34fe0aec0c8d4479de13584e3

Download Submit
C:\Users\Admin\Downloads\Clientlauncher\Scheduler.java

Filesize
1023B

MD5
e9f44f6d73d790085b8ba41377e5e4bf

SHA1
6f735a55a299c01d257f9d1633a77067f408908f

SHA256
07f835b45212912a527a239cb42e70274dfc98b49c499355f1916ccad475f736

SHA512
908bcf1b4150acbce22401d7b5b88f8e9119111befd696e6802d2343c19f5a4ce03b378e3d4639fc0e97c28eef2ec0173f3509437e9b20bf815974d1d2a37df1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 757414.crdownload

Filesize
3KB

MD5
ede998cef712221d2155e7efb58031a1

SHA1
4625a946fd256445ef7999dac7aafbb6a93b78ab

SHA256
61ee0d9df8e82823418be998f3f2bada982fdfcefd427b39fafeb84932d391a8

SHA512
92afc5987f2d5ff21ae1b0b85d435e690e0d657ea9c6aa5044861f233c87e4b1b14a97b2d8ce76375f4a4bcdb261384760026b4b096ce9ab70ef5288f0a908c2

Download Submit