cobaltstrike | hxxps://gofile[.]io/d/LyySBc

Resubmissions

27-09-2024 21:21

240927-z7mdjszfrl 10

27-09-2024 21:17

240927-z5b5sssdjd 3

27-09-2024 21:14

240927-z3rgpsscmh 3

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/LyySBc

Score

10^/10

cobaltstrike backdoor discovery execution trojan

Malware Config

Extracted

Family

cobaltstrike

http://www.bilibli.mom:443/jquery-3.3.2.slim.min.js

Attributes

user_agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Host: www.bilibli.mom Referer: http://www.bilibli.mom/ Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Signatures

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 25 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.bin	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.bin\ = "bin_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\jsp_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\bin_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.jsp	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\.jsp\ = "jsp_auto_file"	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 513356.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
2732	NOTEPAD.EXE
4576	notepad.exe
2456	notepad.exe
3508	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
3580	msedge.exe
3580	msedge.exe
4124	identity_helper.exe
4124	identity_helper.exe
2524	msedge.exe
2524	msedge.exe
4360	msedge.exe
4360	msedge.exe
3844	msedge.exe
3844	msedge.exe
1624	msedge.exe
1624	msedge.exe
2644	powershell.exe
2644	powershell.exe
2644	powershell.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe
4412	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4900	OpenWith.exe
1620	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeRestorePrivilege	1788	7zFM.exe
Token: 35	1788	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe
3580	msedge.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
1652	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
4900	OpenWith.exe
3084	OpenWith.exe
3084	OpenWith.exe
3084	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe
1620	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2336	3580	msedge.exe	82
PID 3580 wrote to memory of 2336	3580	msedge.exe	82
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 3316	3580	msedge.exe	83
PID 3580 wrote to memory of 4948	3580	msedge.exe	84
PID 3580 wrote to memory of 4948	3580	msedge.exe	84
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85
PID 3580 wrote to memory of 452	3580	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/LyySBc
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8c646f8,0x7ffca8c64708,0x7ffca8c64718
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5748 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\test.ps1"
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3860251783051819427,8810914070553779975,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4900
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\beacon.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Downloads\test.ps1'"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Downloads\test.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:2456

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3084
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\payload.bin
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3508

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\20240703095507.jsp"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
d3ee6e1f66e9d6c95117c1679964ca92

SHA1
b8078154148478494e1a1181123065efe9dc2d5b

SHA256
ea690dc009dc05df149d6d97d48bd3438c63d2a9a1abf7719afa8411f1541d77

SHA512
394901571498a1a4ab0755bdc78d65e84cacd1e50d70b7651b03914591207fea5ca2383c8d2429bf6c13fe13e336f6ad564baa94b4434775c1d96f47ec62bbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
41254fb983880bf867e6ae7f362ea83b

SHA1
4e15beddb192ee2c5f44282adfe7f93a6e076e86

SHA256
bdaf591bc9456845ddbc4b5d153b03c838261c863daebf728626c1bde826c419

SHA512
2f26a57152a48cfca061fadbaa72fa88beaa92ed3da634b30d681656d992724794e5d11ccf53a0cb29d83312e1d9b07b888670fab979a89d93a5eabcccfa3026

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30a92e72de54b2d3fec93273ddd7ee9f

SHA1
334d2b7956e3c19f5593f35c4e06d0a8b0510a71

SHA256
73a0b70192382c9dd9982f02b80d1f74e00e1e5cf1d436ea7173029bc96b49c6

SHA512
e0a008008c669537a249324ab50d07c9632e30175eb6d91c2e0220225d5925933031aad72d06872d148933b62b12c3315705c30b5bfedea49e22d231e8b3bb26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50bfc6ea6d50621b20fdd2572b2646a3

SHA1
28431da8f52e6f67c5a2636c8c2dd6d1bdb908f4

SHA256
7e3b6d00a1afa8d09c9997fde81a18b1cf868d13708854e22072f079705c7beb

SHA512
119d14e24d941f1a54237fd6c1bdc7381c899f7fb2caac8f6d122b70b6998bd5954862003ab3e9fbdad6a206d9980e1123d03e7288fad78af9ee5161d4c4353f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ef5a1a4411c635b4588e7566b73357f

SHA1
6480c174d6a6228eee418842ae2db26395004889

SHA256
3e50aff4a8957af2850a568313c21f6446e00ee8c8483d66235eefb07eb50fa5

SHA512
b26ef21f359fc8307103b969ee5f645227cd1c0de43e98902100331979386c144f21fb075cdd90685dbb734685b74ecdf91df9863cfe0e35562c81ab46a8dc7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a0f153dadcea52ed2d4131fe5e36a0a

SHA1
db935d4f7c61c9cb7862d28d9f9fed6ad84ca2c3

SHA256
b267489fc93c7c130b86bf9aa699217fd5f327d5b4f08ee719bb1489fd9981ee

SHA512
144422c84664cef5e7f47f5c49fffc0fabdd0ab45d61e1083197741a31f98825752edebda32df8b147c7dc433bd25af5c7af12f488bf8eba055c9e00b219abc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2d12081a7a4e22bbefb62677b3f369c2

SHA1
2d506574c3ab5c618ea67222525b00c1dd2c9cb2

SHA256
bf4be9822f234f3a02391291e31da865fbcd08ef47886c34fd374bfaa7153122

SHA512
cbdfd66db71c5bdd8343de48921858554d4ecfce46177da138664c49325b187a31d5a0fd6416ae78751d07a39bfe7c3394f849fc1e6547cac62d78f2f5fa5c48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
28dca610a2c4feb9a47d6558727f3a5a

SHA1
919e82f889ae2bd79e5dd4f323975e1bc5e677e5

SHA256
61d970679c2ec3e46185a0b0a96acf819456fa0a3d5fcb848892ed1848b2ed5b

SHA512
a9a52116992eab7667ad5e0b86103d3f7e972436aefe2e2ec83fd45fa72e04698592dded64ef6f231aaaa36f00eed09def8323d15746ab272d78d52a0c65ba6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wwvdqass.bci.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\20240703095507.jsp

Filesize
1KB

MD5
a7dfb9716810a9140d05d38b755c245f

SHA1
ceca61fd153f002f117109adb43a9909791b7826

SHA256
7e78095ea0ff5b20664f6ac1ea6bd55c9aa4a31c0eeed281a6cf9af4725580ec

SHA512
9ee220d800771ee05292d26137df08d9f60e1f7a40788aa349abecb1ae172b201a8d8b6ce5be4618608d094b749a02a173d901172b3d1fc776edbca7ddf0eb27

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 2133.crdownload

Filesize
16.6MB

MD5
3f841e33af657be62759a836792c217c

SHA1
cc8679f13851346867d061638d54b9f8132a73a4

SHA256
e0b7ec6e2a544fdb4a40bab73db5311cdddc2438c7a216f95be72bf25c351a08

SHA512
2947097c0603d969cc55507cc8a8f3a5662857b1801b70e4addadbfb90d476969a8c6030533048da041c5d3afb2472899ceee49e89097b4534e1096be54006be

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 513356.crdownload

Filesize
47KB

MD5
d8185d4e4aee5600ecd5c04b1ca9806b

SHA1
d91747aa10868f5da10343f42382f63368e21ea8

SHA256
cc5b2273de1a10631dbc8ca990f7ce05fc2fd04893e3fa3aeff63428d278cadc

SHA512
1b5db4ff03d65dea00a883455dec40489e8eada926fa60e18c25cd9d3e0e2e23a07576e2cbec6d0ee6feef6a0ae680ddd4215e8148115be831a5168bbe4fca06

Download Submit
C:\Users\Admin\Downloads\payload.bin

Filesize
929B

MD5
32a5ec75366a0e0043df417b855f3c1f

SHA1
97d29310e442e0ae3bf9e919f4a18b5bbd6bfe7f

SHA256
30750b95dab094b85a22c4d3bfbd7fdd70538af927324077758a9a01fb07a1f3

SHA512
a11e98f5b39064810cd29c08c44aa6b350a5d4a2d0cedc8e0bdc769a6ad72fa8b68443aebb60012ef767db5681f2fc539504fa12bb8076680b1c072f16337e5f

Download Submit
memory/2644-253-0x000001BE65BF0000-0x000001BE65C12000-memory.dmp

Filesize
136KB

Download
memory/2644-256-0x000001BE4CD40000-0x000001BE4D801000-memory.dmp

Filesize
10.8MB

Download