Resubmissions
14-04-2022 13:46
220414-q27ymaeea4 10Analysis
-
max time kernel
704s -
max time network
713s -
platform
windows10-2004_x64 -
resource
win10v2004-20220331-en -
submitted
14-04-2022 13:46
General
-
Target
SkyBlade.zip
-
Size
3.3MB
-
MD5
05db414a0e7a3cc7e576bc00af2c7f18
-
SHA1
dc898d3d96066ca8ef27f9673dcfe212b61bb9e8
-
SHA256
63a37203d598350b284c05833662fbdc89d9d46142120bb035609216f1a3ee77
-
SHA512
1e218ed7efe1a49732336f8d156613e738e0b7f6cc6a65f54544051639df094b64cb5b3cd3013329e92dfb77f47a5c7dce08acf9a317809cc9c245f3db3ba8de
Malware Config
Extracted
redline
1
65.108.41.163:38151
-
auth_value
95517c2a2f56575288c35d9dfde4a6aa
Signatures
-
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Modifies Installed Components in the registry 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 28 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Modifies Internet Explorer settings 1 TTPs 8 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 34 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\SkyBlade.zip1⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe7ee4f50,0x7ffbe7ee4f60,0x7ffbe7ee4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1724 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1952 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2864 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4472 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5060 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4568 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4900 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4356 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4372 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3080 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,8248019958999290133,5775420363783492691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4308 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe7ee4f50,0x7ffbe7ee4f60,0x7ffbe7ee4f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1620,2149474276870291899,10988344055125303712,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1620,2149474276870291899,10988344055125303712,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2008 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap22665:74:7zEvent92801⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\b44949214d974025841e59e8178d1f13 /t 3112 /p 31081⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"C:\Users\Admin\Desktop\SkyBlade\StartGame.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SkyBlade\ModTools\Scripts\TechnicalDocumentation\index.html2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbe85b46f8,0x7ffbe85b4708,0x7ffbe85b47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,10409512450836586314,4350290806493813577,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5420 /prefetch:83⤵
-
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD5a362c0bb1c8e54989969af2b4a937bbe
SHA1568f3c49d0d4eff76eba6632304bd4a7a006b2d7
SHA256e1af69d526c73de64ae23989183fd93b1fd0f33e19c0d9c05676c9f42b578782
SHA5122c22658c4e75244acedf88da5c4bba5f0d05678045aafb1b215f301f63c23d0c133d1e7454f5bd0d11cc0e7f8ed2db6342ca67c93802c0f0cf28780a360ffca5
-
Filesize
40B
MD5a362c0bb1c8e54989969af2b4a937bbe
SHA1568f3c49d0d4eff76eba6632304bd4a7a006b2d7
SHA256e1af69d526c73de64ae23989183fd93b1fd0f33e19c0d9c05676c9f42b578782
SHA5122c22658c4e75244acedf88da5c4bba5f0d05678045aafb1b215f301f63c23d0c133d1e7454f5bd0d11cc0e7f8ed2db6342ca67c93802c0f0cf28780a360ffca5
-
Filesize
20KB
MD58129776ace56d5b3a6b0a03c4fd7cf37
SHA1d716ab65d0947d7cbd3046acf9a95a1518d982dc
SHA256a31a0d3a4b15f3e050e099bcd786663ad3eff5ead52f9653348b404b5be653fa
SHA51221ff819e42d3b367f824dda39573bb701988d93a5c965c4026d116160df772e49fc7f5516031874be18dce467f2cecc9d4429e30ebf0950eed257a6360408be9
-
Filesize
68KB
MD5ac53d9f83f6f125f715e2c517a9a2859
SHA1e5b9d0dc891b0d95db6c0162a537d418da2715a6
SHA256af1ff094a6c51d94efb8827fe435d9937cc49be4dc328f9eb0aeb6c958e9bf5c
SHA512f033377c35c6514708868abd08aa64a90e322177c2abfb6c804188a6052c619e39bb4030e874679fd359fdf008aa562dafceb1af2c4ad1407ab15f0c16b388d7
-
Filesize
68KB
MD5dc7572c041d6df74b2a55930b18d4252
SHA1af475c0d4704bf289244fa00ccf7129939e32266
SHA256de614396bc22053ad1677b8f5e6911d6e72abd2c47897299a7a2459243b5b14b
SHA51212e9d4f18b4917faa56b8eb0ae5220f7c7eea93bea32c7955ba1501aa14e9d52985bf69ac071388d2028ac0d1b408eff02a163e7387ac7ea80fc9cb7c6bf080d
-
Filesize
72KB
MD573fab257dd52ad555745f21e1057a1b3
SHA1ac2150b3d422e50b507f0d84fcbb32adb8d6038f
SHA256641e68476842b7ef9d1f7b3ba7d494986de857806bcef6396bd39e8bab2185d0
SHA51298dcefbb1e9d8f01fba2cafc084c0e0d13e3525b871f128795deb28ecd6178d78801e90b767e9c854dbdd7d81a00b31fe21b98993ee808c33620097703f8428c
-
Filesize
2KB
MD59c49939c6bad2727502a6d536f8a3516
SHA1b5eefe41d4e8fe019da07c5ca0f18651fa23934e
SHA25664ba592b4ea398f8525140a1b5693a3e9a0e899d9afae5b6d8b150190c2c4f3a
SHA51240cd10bebcc4a71f3038f8cdd6c06e9ea7b61e4758f70f80f48f31ec57b5e4e64b169a8f70cf6ed35a60e4368191e0f5dea29c049d49898334230cc148ebb477
-
Filesize
7KB
MD56a46983efba304c1dbac261200d86b7d
SHA1b7451858541ea84b7fd1dfb3c238866c414d284a
SHA2560bd87e5051ceac8c90daa090c581110990121a501fb336976dff6dba3e77491a
SHA512f3483ed3abc628923e5899b9d1acc1a4b2573c3e73be91f09788a65dfba83d4f794c659dfe93bcc6a78d94bed40831047fb9f6ba26879db07dbc7b8806da1b62
-
Filesize
16KB
MD51148a4544b2d1d2c2a9bc42e4159aa4e
SHA14d14176ac3ac071cf2fa8848e05f33afab6bac08
SHA2566d8068f53c69e0f02aaf8544fdba07d23446fcc9eba1d178d14398544c6a8da0
SHA5129a780351af03567ed40f45e8c17a32b59ef02dbcbaf37650bcc8a1b8d6feba39a4e72cbdf793fea69b213df8cec8b612184db483b8cf7f400f2cc44df5d36b7e
-
Filesize
5KB
MD56402ae87bdd5777300e3ea80512879a8
SHA121038dfbf1a31ed7153597899796d86d37727eb6
SHA2563edb8f4818e5cc987fdcb63445ac1e6a20d8a9321603f8b73ae485869d48cb7e
SHA5129701d0f8157f700bc43c66660be2a9e76b0ae031d9a5d1d06313be3136784647165fa399d86370b9368b5f79e322830097dccd4535a5b6c7cb2ca4552a6c68ad
-
Filesize
103KB
MD51421570482287074e5761834f385300f
SHA1c3b432e82c5dc1efc88c4f678eec4c242e478c07
SHA25666b9783eb8951a12f84816ebc070c3d4e5f67647ca7db8e14f61ce4c5a853254
SHA512fb2866d51fe0845cfbf25cdf2b4474f2f16ce70713ab926c6b3fcc9ec4ac90ed3f363c7d144e5ed319c3de59f5a8c2faf61690807fe4d7d4baedb979e30b9a38
-
Filesize
22KB
MD5bda9f7831f7b9dbacb36990b27c8161b
SHA144da65f0bd2a08af2ba5cf9a8bea8089d65df437
SHA25612094919363142504305742b67d48ec43fa9e9a49d70b6cb8f0dcf73efbb85f8
SHA512fe831003b21723af16b7bee0e4925d3823a195c09ed32d9ee5a5f910c2a31b79c20b3f3fe74f30e0b5a623a4f64f12fe57d52a82bfd8f92d021a688e34b829da
-
Filesize
27KB
MD547d7deee36d6699afccf40741f45b228
SHA14d3e1a615349c7a0dea8e057b20db271a1afc5d4
SHA256e530c947198bbfe4980daa799e9f23f94b2d46bd7a9163422a19be30a76ad4bf
SHA5127392becfc608e3c0608b42956a0c17bb27c6fade0fb69dd44ac0207e0e27e37fd9869c22a5d050a9c5d212244eff2995bbbf6fb7055f1c964bfd43e45506a287
-
Filesize
1KB
MD5531c28453ca67d0744c65d5019e015ff
SHA1b34b909cc17cd1f7f7ac35b62a3dcfcd00f23c10
SHA256bcda7bb353a47f0ef79e6deda52a2a2e65633587a9849838a3152559b34db869
SHA512fe84a1a180cbc3c468639a829fba0440276d475668f5a6f33f4c8b455f69cfba38c17d5fd48ab76fafea1f5f29cc3567058ca106eff505f5f7713020965a1c8a
-
Filesize
3KB
MD53ee1fd2936ff763f824efeffdbfa6ddb
SHA180793461bc3d150e66d5cf8750c96e7b70c9492b
SHA2567aeaab10b6adcb218d59eeb5cd543ce685e95bfc47f2e0f52e49c91ea42a0bad
SHA512d9b79d999ccfcde4e6f856c0b2d1b20b557c469833741022c667836ef0a28d4cf87b145d6f15f9fbe8123f17c7be69880e9def811894ec3938e6f070cc7b4b74
-
Filesize
3KB
MD5f588e93768556e1043c11f1385056395
SHA1604cd2cc502d4d3e3d4fcd802e3f1b777b3f9294
SHA25635ecc9bc5fc2316732cfc2d53af352e150d39ec6f09ff575f1dec1aa23c48765
SHA5124b43e5e1171762caec221e21cda6a9001a96709dad23825f6bc07e3ae4204d964a6017f1ea15269f6e8772b1becd0a3cac37b7cc9d5e5cd4217ac721ee418827
-
Filesize
90KB
MD5383771ef1692bfcc3f2b6917ca985778
SHA1a1ce0bfa507f23cc414a9a7634bd73b994bb3b35
SHA25620638e363fcc5152155f24b281303e17da62da62d24ef5dcf863b184d9a25734
SHA5126101012d233c92dcc531e27ed33573d5b637a085e9f00e0658a1b6d6d9f64bcd69bd38717e4354b0c49c30607252295df8bf9477629cc366456f2ce3c9222538
-
Filesize
1KB
MD5147f45c1c097b4c2305dd632a5bc0ef9
SHA194f823225ab8aab6651a760b69d38324b97fac07
SHA2560cfdb74a06621f4305915e42d93715deba1cd8ef573380019ae677e24d624f43
SHA5128dc092af47c797cbf3898a1ead622d399446538872c07272d92c113fc42fab13bacb91dc62a938ad711532297cb7631d53ff365857cab6312b2e3f5967763425
-
Filesize
6KB
MD5ab06e936cee7dc2bf4effb40fcbe01b5
SHA186f33cc9838a8b9d6be88a791a3b002c55288072
SHA256f4c1ca97a3aa7f628344e9a1c3490d0aa190cfa70a4fcf108246591d3a056eb6
SHA51230768007260f1f5c2c1c29df35fb392e17bee1dedc365ecb5b69eaf66224e533f8631e00d3017d290cf0c91515691b222485db05bfb487fb4ee5a11be4c8884d
-
Filesize
687KB
MD568996a0f13bf6034cbd21114359a3e26
SHA178c30ce831f26a5f3eeae5aac285c1e1ac9ea388
SHA2563de1ca0ddcad89ed87ad352594ac6df366592c657992b33083a1b945ef8e2329
SHA512cf3e761d6bb7a9015ec0c3d2847c37589121b5d10dd13a9d51106fbfb82125e6710a87a660151ee5d72ba0d4a76470337c22facb06d8455f3183d82c898b8853
-
Filesize
2KB
MD5ed341a2068faf9b2c280c4caebeeecbb
SHA15a6834afb0426395b284b24313e89eb8ab51727c
SHA256dcd815347e0a7e37a9c8168da417fd7f5db14d7aca04ba1bafc14d6ec786bc5f
SHA5127baed77112e678b2f81b101bcc5eb5ded887e40bd5049ea90d8a4eb4eafe05b6fbf7b327f37545f2786e268824d370fde753bd21057ba9b72a7f8bf85f818c35
-
Filesize
3KB
MD53da8249fbb761a08e69f90b8e2f24730
SHA13cb8417f2393dc7187cfc6744710a385a965cc3a
SHA256a6c7ee0c0d1cb0cb511b3a0aeb618400e370b75ad59965c45002d9778b9e97d8
SHA5124caa46942b4247baefa90bf4fed5ce17c36ed2ee285f892cf4c479f2bc0db920e158f4845ef7bfb59bffb8230b8e806868cfc0e586f669aec4255521bc93776d
-
Filesize
1.8MB
MD522e9a832c4c9bb705d65ff11b31daab4
SHA1e03118acc0918d828a5e41c2467642758148a09d
SHA256ca88d5e1d164070489ab499916a5327b369c1f919c5ace2629f2fd33f89c6d49
SHA512a22112ea127df4349984bf3ef69426e10853b744ecf9ee20206a1c9b6bf2fa54bce96f614d797d165d0e32f105a8972096fb3ec3efe32915029cf6c12024aa89
-
Filesize
1.8MB
MD522e9a832c4c9bb705d65ff11b31daab4
SHA1e03118acc0918d828a5e41c2467642758148a09d
SHA256ca88d5e1d164070489ab499916a5327b369c1f919c5ace2629f2fd33f89c6d49
SHA512a22112ea127df4349984bf3ef69426e10853b744ecf9ee20206a1c9b6bf2fa54bce96f614d797d165d0e32f105a8972096fb3ec3efe32915029cf6c12024aa89
-
Filesize
1.8MB
MD522e9a832c4c9bb705d65ff11b31daab4
SHA1e03118acc0918d828a5e41c2467642758148a09d
SHA256ca88d5e1d164070489ab499916a5327b369c1f919c5ace2629f2fd33f89c6d49
SHA512a22112ea127df4349984bf3ef69426e10853b744ecf9ee20206a1c9b6bf2fa54bce96f614d797d165d0e32f105a8972096fb3ec3efe32915029cf6c12024aa89
-
Filesize
1.8MB
MD522e9a832c4c9bb705d65ff11b31daab4
SHA1e03118acc0918d828a5e41c2467642758148a09d
SHA256ca88d5e1d164070489ab499916a5327b369c1f919c5ace2629f2fd33f89c6d49
SHA512a22112ea127df4349984bf3ef69426e10853b744ecf9ee20206a1c9b6bf2fa54bce96f614d797d165d0e32f105a8972096fb3ec3efe32915029cf6c12024aa89
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
1.0MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
128KB
-
Filesize
6.1MB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
5.2MB
