Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-06-2024 02:46
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://file.io/ZoeSsaHh09if
Resource: win10v2004-20240611-en
General
Target: https://file.io/ZoeSsaHh09if
Malware Config
Signatures
Enumerates VirtualBox DLL files (2 TTPs, 4 IoCs)
Processes: blackstar_start.exe, NotoriousPRIVATE.exe
description | ioc | process
- File opened (read-only) | C:\windows\system32\vboxhook.dll | blackstar_start.exe
- File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | blackstar_start.exe
- File opened (read-only) | C:\windows\system32\vboxhook.dll | NotoriousPRIVATE.exe
- File opened (read-only) | C:\windows\system32\vboxmrxnp.dll | NotoriousPRIVATE.exe
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
pid | process
- 6420 | powershell.exe
- 7024 | powershell.exe
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes: blackstar_start.exe, blackstar_start.exe, NotoriousPRIVATE.exe, NotoriousPRIVATE.exe
pid | process
- 5040 | blackstar_start.exe
- 6976 | blackstar_start.exe
- 5700 | NotoriousPRIVATE.exe
- 6156 | NotoriousPRIVATE.exe
Loads dropped DLL (64 IoCs)
Processes: blackstar_start.exe
pid | process
- 6976 | blackstar_start.exe (64 identical entries)
Processes:
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\_MEI50402\python310.dll | upx
- behavioral1/memory/6976-1682-0x00007FFD074E0000-0x00007FFD0794E000-memory.dmp | upx
- C:\Users\Admin\AppData\Local\Temp\_MEI50402\_ctypes.pyd | upx
- C:\Users\Admin\AppData\Local\Temp\_MEI50402\libffi-7.dll | upx
- behavioral1/memory/6976-1692-0x00007FFD1BE90000-0x00007FFD1BE9F000-memory.dmp | upx
- behavioral1/memory/6976-1691-0x00007FFD0AFC0000-0x00007FFD0AFE4000-memory.dmp | upx
- C:\Users\Admin\AppData\Local\Temp\_MEI50402\_bz2.pyd | upx
- behavioral1/memory/6976-1696-0x00007FFD0AF90000-0x00007FFD0AFBD000-memory.dmp | upx
- behavioral1/memory/6976-1695-0x00007FFD0B1C0000-0x00007FFD0B1D9000-memory.dmp | upx
- behavioral1/memory/6976-1697-0x00007FFD0AF70000-0x00007FFD0AF84000-memory.dmp | upx
- behavioral1/memory/6976-1698-0x00007FFD07160000-0x00007FFD074D5000-memory.dmp | upx
- behavioral1/memory/6976-1699-0x00007FFD08F90000-0x00007FFD08FA9000-memory.dmp | upx
- behavioral1/memory/6976-1700-0x00007FFD1BCC0000-0x00007FFD1BCCD000-memory.dmp | upx
- behavioral1/memory/6976-1702-0x00007FFD07070000-0x00007FFD07128000-memory.dmp | upx
- behavioral1/memory/6976-1701-0x00007FFD07130000-0x00007FFD0715E000-memory.dmp | upx
- behavioral1/memory/6976-1707-0x00007FFD1B3C0000-0x00007FFD1B3CB000-memory.dmp | upx
- behavioral1/memory/6976-1706-0x00007FFD06F20000-0x00007FFD07038000-memory.dmp | upx
- behavioral1/memory/6976-1705-0x00007FFD07040000-0x00007FFD07063000-memory.dmp | upx
- behavioral1/memory/6976-1704-0x00007FFD1BB30000-0x00007FFD1BB3D000-memory.dmp | upx
- behavioral1/memory/6976-1703-0x00007FFD074E0000-0x00007FFD0794E000-memory.dmp | upx
- behavioral1/memory/6976-1708-0x00007FFD0AFC0000-0x00007FFD0AFE4000-memory.dmp | upx
- behavioral1/memory/6976-1711-0x00007FFD15300000-0x00007FFD1530B000-memory.dmp | upx
- behavioral1/memory/6976-1710-0x00007FFD1B320000-0x00007FFD1B32B000-memory.dmp | upx
- behavioral1/memory/6976-1709-0x00007FFD06EE0000-0x00007FFD06F18000-memory.dmp | upx
- behavioral1/memory/6976-1714-0x00007FFD0D6A0000-0x00007FFD0D6AB000-memory.dmp | upx
- behavioral1/memory/6976-1713-0x00007FFD0AF90000-0x00007FFD0AFBD000-memory.dmp | upx
- behavioral1/memory/6976-1718-0x00007FFD0A8B0000-0x00007FFD0A8BC000-memory.dmp | upx
- behavioral1/memory/6976-1717-0x00007FFD0AC20000-0x00007FFD0AC2B000-memory.dmp | upx
- behavioral1/memory/6976-1716-0x00007FFD0AF60000-0x00007FFD0AF6C000-memory.dmp | upx
- behavioral1/memory/6976-1715-0x00007FFD0AF70000-0x00007FFD0AF84000-memory.dmp | upx
- behavioral1/memory/6976-1712-0x00007FFD0D8B0000-0x00007FFD0D8BC000-memory.dmp | upx
- behavioral1/memory/6976-1728-0x00007FFD06E80000-0x00007FFD06E8B000-memory.dmp | upx
- behavioral1/memory/6976-1727-0x00007FFD06E70000-0x00007FFD06E7C000-memory.dmp | upx
- behavioral1/memory/6976-1726-0x00007FFD07070000-0x00007FFD07128000-memory.dmp | upx
- behavioral1/memory/6976-1725-0x00007FFD06E90000-0x00007FFD06E9B000-memory.dmp | upx
- behavioral1/memory/6976-1724-0x00007FFD08F90000-0x00007FFD08FA9000-memory.dmp | upx
- behavioral1/memory/6976-1723-0x00007FFD06EC0000-0x00007FFD06ECE000-memory.dmp | upx
- behavioral1/memory/6976-1722-0x00007FFD06EA0000-0x00007FFD06EAC000-memory.dmp | upx
- behavioral1/memory/6976-1721-0x00007FFD06EB0000-0x00007FFD06EBC000-memory.dmp | upx
- behavioral1/memory/6976-1720-0x00007FFD06ED0000-0x00007FFD06EDD000-memory.dmp | upx
- behavioral1/memory/6976-1719-0x00007FFD07160000-0x00007FFD074D5000-memory.dmp | upx
- behavioral1/memory/6976-1730-0x00007FFD06E60000-0x00007FFD06E6C000-memory.dmp | upx
- behavioral1/memory/6976-1736-0x00007FFD07040000-0x00007FFD07063000-memory.dmp | upx
- behavioral1/memory/6976-1738-0x00007FFD06DE0000-0x00007FFD06DF4000-memory.dmp | upx
- behavioral1/memory/6976-1737-0x00007FFD06F20000-0x00007FFD07038000-memory.dmp | upx
- behavioral1/memory/6976-1735-0x00007FFD06E00000-0x00007FFD06E10000-memory.dmp | upx
- behavioral1/memory/6976-1734-0x00007FFD06E10000-0x00007FFD06E25000-memory.dmp | upx
- behavioral1/memory/6976-1733-0x00007FFD06E30000-0x00007FFD06E3C000-memory.dmp | upx
- behavioral1/memory/6976-1732-0x00007FFD06E40000-0x00007FFD06E52000-memory.dmp | upx
- behavioral1/memory/6976-1731-0x00007FFD21A40000-0x00007FFD21A4D000-memory.dmp | upx
- behavioral1/memory/6976-1729-0x00007FFD07130000-0x00007FFD0715E000-memory.dmp | upx
- behavioral1/memory/6976-1740-0x00007FFD06DC0000-0x00007FFD06DDC000-memory.dmp | upx
- behavioral1/memory/6976-1739-0x00007FFD06EE0000-0x00007FFD06F18000-memory.dmp | upx
- behavioral1/memory/6976-1741-0x00007FFD06DA0000-0x00007FFD06DB3000-memory.dmp | upx
- behavioral1/memory/6976-1744-0x00007FFD06D20000-0x00007FFD06D2E000-memory.dmp | upx
- behavioral1/memory/6976-1743-0x00007FFD06D30000-0x00007FFD06D71000-memory.dmp | upx
- behavioral1/memory/6976-1742-0x00007FFD06D80000-0x00007FFD06D95000-memory.dmp | upx
- behavioral1/memory/6976-1745-0x00007FFD06D10000-0x00007FFD06D1A000-memory.dmp | upx
- behavioral1/memory/6976-1746-0x00007FFD06CF0000-0x00007FFD06D0C000-memory.dmp | upx
- behavioral1/memory/6976-1748-0x00007FFD06C90000-0x00007FFD06CED000-memory.dmp | upx
- behavioral1/memory/6976-1747-0x00007FFD06E70000-0x00007FFD06E7C000-memory.dmp | upx
- behavioral1/memory/6976-1749-0x00007FFD06C60000-0x00007FFD06C89000-memory.dmp | upx
- behavioral1/memory/6976-1750-0x00007FFD06C30000-0x00007FFD06C5E000-memory.dmp | upx
- behavioral1/memory/6976-1752-0x00007FFD06A80000-0x00007FFD06BF1000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: blackstar_start.exe
description | ioc | process
- Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Notorious = "C:\\Users\\Admin\\Notorious\\NotoriousPRIVATE.exe" | blackstar_start.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
Detects Pyinstaller (1 IoCs)
resource | yara_rule
- C:\Users\Admin\Downloads\Unconfirmed 345250.crdownload | pyinstaller
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill (1 IoCs)
Processes: taskkill.exe
pid | process
- 6208 | taskkill.exe
NTFS ADS (1 IoCs)
Processes: msedge.exe
description | ioc | process
- File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 717869.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, taskmgr.exe, blackstar_start.exe, powershell.exe, NotoriousPRIVATE.exe, powershell.exe
pid | process (number of entries, in order of first appearance; 64 entries in total)
- 536 | msedge.exe (2)
- 3576 | msedge.exe (2)
- 4832 | identity_helper.exe (2)
- 6884 | msedge.exe (2)
- 6404 | taskmgr.exe (34)
- 6976 | blackstar_start.exe (8)
- 6420 | powershell.exe (3)
- 6156 | NotoriousPRIVATE.exe (8)
- 7024 | powershell.exe (3)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: NotoriousPRIVATE.exe
pid | process
- 6156 | NotoriousPRIVATE.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (42 IoCs)
Processes: msedge.exe
pid | process
- 3576 | msedge.exe (42 identical entries)
Suspicious use of AdjustPrivilegeToken (8 IoCs)
Processes: blackstar_start.exe, taskmgr.exe, powershell.exe, taskkill.exe, NotoriousPRIVATE.exe, powershell.exe
description | pid | process
- Token: SeDebugPrivilege | 6976 | blackstar_start.exe
- Token: SeDebugPrivilege | 6404 | taskmgr.exe
- Token: SeSystemProfilePrivilege | 6404 | taskmgr.exe
- Token: SeCreateGlobalPrivilege | 6404 | taskmgr.exe
- Token: SeDebugPrivilege | 6420 | powershell.exe
- Token: SeDebugPrivilege | 6208 | taskkill.exe
- Token: SeDebugPrivilege | 6156 | NotoriousPRIVATE.exe
- Token: SeDebugPrivilege | 7024 | powershell.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe
pid | process
- 3576 | msedge.exe (64 identical entries)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: msedge.exe, taskmgr.exe
pid | process (number of entries; 64 entries in total)
- 3576 | msedge.exe (24)
- 6404 | taskmgr.exe (40)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: NotoriousPRIVATE.exe
pid | process
- 6156 | NotoriousPRIVATE.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | process | target process (number of entries; 64 entries in total)
- PID 3576 wrote to memory of 2076 | 3576 | msedge.exe | msedge.exe (2)
- PID 3576 wrote to memory of 2848 | 3576 | msedge.exe | msedge.exe (40)
- PID 3576 wrote to memory of 536 | 3576 | msedge.exe | msedge.exe (2)
- PID 3576 wrote to memory of 4828 | 3576 | msedge.exe | msedge.exe (20)
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/ZoeSsaHh09if
  PID: 3576
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1c0c46f8,0x7ffd1c0c4708,0x7ffd1c0c4718
    PID: 2076
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
    PID: 2848
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    PID: 536
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
    PID: 4828
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    PID: 3672
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    PID: 2096
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    PID: 2496
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    PID: 4832
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
    PID: 2872
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
    PID: 2348
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    PID: 4992
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
    PID: 5296
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
    PID: 5444
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6496 /prefetch:8
    PID: 5492
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    PID: 5724
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
    PID: 5732
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
    PID: 5740
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
    PID: 5748
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6920 /prefetch:1
    PID: 5756
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
    PID: 5772
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1
    PID: 6132
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7468 /prefetch:1
    PID: 6140
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
    PID: 5208
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1
    PID: 5216
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
    PID: 5224
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7856 /prefetch:1
    PID: 5232
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8168 /prefetch:1
    PID: 5244
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8340 /prefetch:1
    PID: 5456
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8520 /prefetch:1
    PID: 5472
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1
    PID: 5560
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8852 /prefetch:1
    PID: 6276
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9020 /prefetch:1
    PID: 6284
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:12⤵PID:6564
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9668 /prefetch:12⤵PID:6856
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9760 /prefetch:12⤵PID:6864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:12⤵PID:7028
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9988 /prefetch:12⤵PID:6736
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9536 /prefetch:82⤵PID:6744
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10284 /prefetch:82⤵PID:6996
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9268 /prefetch:12⤵PID:7120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:12⤵PID:7128
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7364 /prefetch:82⤵PID:7160
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10032 /prefetch:12⤵PID:5412
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:12⤵PID:5440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10652 /prefetch:12⤵PID:6396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10640 /prefetch:12⤵PID:6372
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9328 /prefetch:12⤵PID:6276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:12⤵PID:5512
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:12⤵PID:5476
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:6884 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:12⤵PID:2972
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10408 /prefetch:12⤵PID:6876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:12⤵PID:8580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,6827128435960508890,9412742268728419223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1864 /prefetch:22⤵PID:8984
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4832
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4372
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x244 0x3081⤵PID:5568
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6420
-
C:\Users\Admin\Downloads\blackstar_start.exe"C:\Users\Admin\Downloads\blackstar_start.exe"1⤵
- Executes dropped EXE
PID:5040 -
C:\Users\Admin\Downloads\blackstar_start.exe"C:\Users\Admin\Downloads\blackstar_start.exe"2⤵
- Enumerates VirtualBox DLL files
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6976 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵PID:6148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Notorious\""3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6420 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\Notorious\activate.bat3⤵PID:7148
-
C:\Users\Admin\Notorious\NotoriousPRIVATE.exe"NotoriousPRIVATE.exe"4⤵
- Executes dropped EXE
PID:5700 -
C:\Users\Admin\Notorious\NotoriousPRIVATE.exe"NotoriousPRIVATE.exe"5⤵
- Enumerates VirtualBox DLL files
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6156 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"6⤵PID:6636
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\Notorious\""6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7024 -
C:\Windows\system32\taskkill.exetaskkill /f /im "blackstar_start.exe"4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6208
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:6404
Network
MITRE ATT&CK Enterprise v15
Downloads