hxxp://59[.]178[.]28[.]6[:]36515/bin[.]sh

Analysis

max time kernel
360s
max time network
361s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://59.178.28.6:36515/bin.sh

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
2372	msedge.exe
2372	msedge.exe
4072	identity_helper.exe
4072	identity_helper.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe
4832	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe
2372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4484	2372	msedge.exe	83
PID 2372 wrote to memory of 4484	2372	msedge.exe	83
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 4448	2372	msedge.exe	84
PID 2372 wrote to memory of 3972	2372	msedge.exe	85
PID 2372 wrote to memory of 3972	2372	msedge.exe	85
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86
PID 2372 wrote to memory of 624	2372	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://59.178.28.6:36515/bin.sh
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba3b746f8,0x7ffba3b74708,0x7ffba3b74718
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,6620565825293243975,3475711261342836614,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\JoinUnblock.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\470cb8a5-8c9a-48a3-a634-42023ea78540.tmp

Filesize
11KB

MD5
f7ebe0775b7affb6bfe390d41625bc11

SHA1
92beca1b2d4b9253516239de2f6b770c4c87b5f8

SHA256
bfa90297f7ec8a8b51d937c550e658302b3ec77924f09f5d741cfbcf09780d86

SHA512
f58b6965f097e7682daad81cf5dea30df3b2c6d0c6ec179d3d051937422362d8fd54eb3ec4833f8e54098db05efe1f838f24cba26a53054870390cd6117bc2c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
48359b086f577f2d359910ba6fdd6022

SHA1
c105b2cc6475b30ce256aae9340d81fbebad2990

SHA256
fb2c9cd4e72c46c50b4fecfc61a1d7ed9d435c2a4ba02ad1836e04e02a39a29a

SHA512
86d6bc3c61e73de4b21717cff197a3f6380d980ab11b4b6481e3ec8db22d34ba90d5a1358f3315c806929d7f144f4d49dcd18058647c7018ab1c7725ce17651e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1359279ea9c5ad7c440a243f8cf705ff

SHA1
b66b22ba0bc01367b9bd7f064d907686c19b16bf

SHA256
660d2167e61083101debea42d27b674cdfe99dc0cbdad37e999ef9feb246fb8e

SHA512
128fe74209ceb5401d658503718e6e4078bac3f8fa5b647f1c06fd76d10860732d67c2e2d2ebf097a631993964996c942e2033aa184eb57934e01299eed99dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_developers.google.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
884B

MD5
6eac96da83be64d6a1666bd944a8a5e9

SHA1
11637f86220b9d8c81495a2a033e98c6bbeb6749

SHA256
ae165d33915eca00bbea1987f6b35efa089f68e0f95ad3f22c91b88fe790c0d8

SHA512
6d9088e6b2f3608d79afbf9e21c3265b7179ffd05f305efe98f89e063ca951194e45f4b36ec5b6645a5ed5dd28f593b0ecda9e8ef535107a713eaaf825983fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
83f7c8206943ffc09fe7e751b0a82196

SHA1
1befa5b41199d3032236e5349a64070babe8918e

SHA256
5f7b3b592b3f529c20c4c26b273af3c93ef9f9d150c1fc1b016e2b26ced60fd3

SHA512
5107b38169729b8a025d4c981ccca0589425734457394e89954c2beb731a6758bcec8eba63fe0eb274326693265c1c0249e1712a2a8d413493d0aa4bec9ba01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
737064fa1ab6d7b87f6f2577611eaa3b

SHA1
8740d803e291c2ad7f06341b12c9b23a624903fb

SHA256
aa5fcc8a1265bdc97e1c751f019dea43966c3a53b337328767782687114c1616

SHA512
257d5191fa55c32c1006a9b4b123d125faa461183de0944930c28437cae512ed651fa001fc3ef71f0a6f1e2fa32d6529acc2f77926badd1ff16eb4966ee2aaa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d0f620a80a95925c097537311dd5d09

SHA1
eb8fdc190c3db284d0351287be0f4e2e9edfa478

SHA256
aec87618838e6abe834233fe30eeeea6dfeab27a3ba475a41bfd0df69674d18d

SHA512
55c8ebb4638c27ee6158e8342e8d619394b0d732654981758e6f39d5787cc5fb99852b60e5e3b30447240fef7c260c0cdee476a60bf9caba6b18237bac47a610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
453d42b00c931d034989ea80ea688ec7

SHA1
12a18f840abce548ff4e029f3bc7606b70cafbb6

SHA256
492e4cf781ecabab03dd70d1564504ae8892ee171fff5664bdecd670722e192d

SHA512
cc5e08daef64bef751a3e75b91c5b0bea08e00dc3d607d76d0c6bd503f2270386bb6c417fe39fa188f73331cdf7af35f7ea4d3b929b9d067d05fcc9eb8edc380

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d80c4d9b5df5a919caeb7cb04bcac0cc

SHA1
48c0595d3e7a1443c1e5013bfc880bf7a13e2b04

SHA256
5c806b46108af77940e2031d079f89414d8d542a9e496803146ea88820005292

SHA512
9c62281bb0037a26b0c9bd37dca7197e3c25b7cc14172b6434e9b1f8ce738c7ae6a7bee6d427393b6af7d009de1ead3a98056ea144aab81328441d9c02ac685d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7aa9588e36808e1fe444df8c7786342

SHA1
b322d4e304a0c061811c410d2bb94c3468ece0bc

SHA256
5156f36fbbf55100a706d682438cf508f48ce4f133c08b5b0e1b34fc189e006a

SHA512
a5c6eae81c76057c1e539c734b3eaad3d4095f1bda78e3d3e88ee370c3c4449b658fc6291c0806366ed83c214330ac67b774b652234311096835e2009c8d3d18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
357b60e0d9509ecc1d4ca1c7a79c3455

SHA1
39c9f8626f4b7bda39bc954461a507941c0dec16

SHA256
93d45fdc8dcaba306e4fe5a4362e3a47f2ea5e2d181836659198b7c86ce497c1

SHA512
39eaba9cb86252a190367aa46a8248925ff0c61899fedba1e0fa0bbf4cdba8a2ce9ec69dd92bcb64e8d231a030f6886395a680f322526535be39134d648ec3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9fd4061f74aa8933607033614c9e4bd

SHA1
0145741af4e773c109c31ec70b010582d44479c7

SHA256
07b7dd18a120eb12527030372882a2bd5262367877e9b12dd05b8f402661d09a

SHA512
3649b21fd68212839f00d45dd0c389d4d970d00634bec69b4ce6b0648b54246106994e5d54cf156c604397ecfa794a3ee91676e3abfa6f4a1173b5821c6b27c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\5ce50966647b163092d864b9f37d981f5bccd871\index.txt

Filesize
111B

MD5
74bee8fb84f5c554155a653836ff5bf3

SHA1
95bca7ea8a7a9c1bd6e2bd5dadb475601cbd2fbe

SHA256
49cf3562997ab9d3b023d1e8f8d6297162ef8cc08af2b02a021d98a7da423314

SHA512
e5f7b236622d023b3aacb91f4cccb518ef4df18a05fb3e6f9e5fdebc520b8211a5d6691e04adb0d1c533adb88da8422b5398e527986c5bbf321d637fbce35b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81e43726857f8742fedef5203af2d016

SHA1
d35aaafd0afec86556ef50e7d53e93cb945ef683

SHA256
815883873420423828e11d30bbe8c44166a9a32a07a8da52be170a9acbe7e528

SHA512
71b7c93f194a1058bd3c7f31d528d10de5476da3c4d2fe323ca2d0a6ca6fa1a4194517c593c1a264ed8b65716e903c1b27179e9148914401eefb222968da79ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b90813d84989c83643205436ca3a6e39

SHA1
e633f099a4454d35f0dd432aa46dbe4768a471a1

SHA256
38bfe8ade20ac7acf744b9535fa06625cdf1877b26647c72e3abb8cec45022f1

SHA512
c7771daf2e967462f116b10150d2b215f2385e86ba54e6bce17a40b6c50ae1f933940e9b8fc94f2f7bf63feefa894779dbb026b688ca1137e88e88089dcd3ee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ccd9437aa0035b798a2b9a88a5c6c19b

SHA1
f036f54f0b8521082899b45c6095d788fb8605af

SHA256
d6d1b08e70cbe2d6e0d36983b44b92901688408b857ffd69d04670475f87dd97

SHA512
0a674451584190ee0be69c5c63c36a2c193446514687e465257689762482e2787f9149d6d85dc1528fdff492f944a74520f13e65d2bb80982fa041ece5b72c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a385db9eaabb52640f7cb1a3b956a6c

SHA1
f40a34851f4d774a096e49b8500c6df8304a7a7f

SHA256
869bcea201e21ac8813890ea4848f13c4245645c959f4ab0e342f940ec5ac107

SHA512
8f23a72f60b4bfbc7f28f63d9b0d93ce15735fe9227d670abd25b79df1e5db24a50b27eecf416f4afc482d775997c9f8f6a8058620227102ea770905d2ae566b

Download Submit