Analysis

max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2024, 18:16

Static task: static1
Behavioral task: behavioral1
  Sample: Patch-BBT.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: Patch-BBT.exe
  Resource: win10v2004-20240611-en

General

Target: Patch-BBT.exe
Size: 2.4MB
MD5: 537cf278960705c0682c2a443bf235a4
SHA1: 3305446365a260f3d2e2d5437cccb6dff5816ed9
SHA256: e2b3c3d7de982f2a7abbc34300cba1dea4d52af24e88b4d944ff938fbfa479c3
SHA512: 0fc0a73a29b6c2b10a654ce47130c703253d23ebeb3e12c24f30ff60ce367ed316d69d24daf1e72a53c8e1faa2e57beec515543b1849b4ccc49e1327db8e4848
SSDEEP: 49152:nB+Sz9p93mo5O3xT46FemiJPRQFoQ1vIn0OhmHhE9u8m+:n/j3Vg314fmisyQtIn0SmHh+uc
Malware Config
Signatures
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (WINWORD.EXE)

Enumerates system info in registry (2 TTPs, 6 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (WINWORD.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (WINWORD.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Modifies Internet Explorer settings (43 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6BE59A10-3968-11EF-B1BC-CACDD8B22A4F} = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116661" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116661" (IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2043a44275cdda01 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f1ae4275cdda01 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1082059368" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116661" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb7b7aaa19eb84499a1cb94a069837d1000000000200000000001066000000010000200000002790152037f4e833441f1265a297edb6bde144a75826d89194a6c158a7df6d11000000000e80000000020000200000003eb56cc56140368de870ee0bfca6d2d1ece1a666109b39893e08dbd8e26c94452000000016cb028ccd77691931068be47c794bc372edc42a80a9fc37c2227b6e122918c6400000003b9abec8bb3a4d0f4d8e412614e9dad7fda36a0de89b54e6064e56802ca3e84a88ef482aa12d92822c0515ba9f21b80e4fb20b27a44cd4ff37099fefb5379864 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fb7b7aaa19eb84499a1cb94a069837d100000000020000000000106600000001000020000000d79eb7adea374efb00b6295f8fd8cee045d77148d91ba40deafd321d8ee6e7eb000000000e80000000020000200000002dbea12464cc39af8792693cbcba4fb10b00e24b54b13d0d0f1150841ba70d0920000000fa5824cc8e46449065af4ec3a8ff2636c05e62faac527810bdc604ab662f557240000000a0d20328ca6249688f3cad3840eb6ba0a9086a07cff06a44484522a8d335e7a802b71d2f4b4713521a1b9877766e48fe362a0eee42681ecac3ca98209be7336e (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426795587" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1080935794" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1082059368" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\IESettingSync (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1080935794" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116661" (iexplore.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{421CEC63-4148-4C06-91AB-684A822401BB} (msedge.exe)

Suspicious behavior: AddClipboardFormatListener (3 IoCs)
- 3956 vlc.exe
- 3444 WINWORD.EXE (2 hits)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
- 4844 Patch-BBT.exe (2 hits)
- 644 msedge.exe (2 hits)
- 4332 msedge.exe (2 hits)
- 4708 identity_helper.exe (2 hits)
- 3988 msedge.exe (2 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
- 3956 vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (16 IoCs)
- 4332 msedge.exe (16 hits)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
- Token: SeDebugPrivilege (4844 Patch-BBT.exe)

Suspicious use of FindShellTrayWindow (46 IoCs)
- 4844 Patch-BBT.exe
- 3956 vlc.exe (17 hits)
- 3772 iexplore.exe (2 hits)
- 4332 msedge.exe (26 hits)

Suspicious use of SendNotifyMessage (40 IoCs)
- 3956 vlc.exe (16 hits)
- 4332 msedge.exe (24 hits)

Suspicious use of SetWindowsHookEx (14 IoCs)
- 3956 vlc.exe
- 3772 iexplore.exe (2 hits)
- 4248 IEXPLORE.EXE (5 hits)
- 3444 WINWORD.EXE (6 hits)

Suspicious use of WriteProcessMemory (64 IoCs)
Columns: description, pid, Process, procid_target.
- PID 3772 wrote to memory of 4248: 3772 iexplore.exe, procid_target 100 (3 hits)
- PID 4844 wrote to memory of 4332: 4844 Patch-BBT.exe, procid_target 105 (2 hits)
- PID 4332 wrote to memory of 3852: 4332 msedge.exe, procid_target 106 (2 hits)
- PID 4332 wrote to memory of 1632: 4332 msedge.exe, procid_target 107 (40 hits)
- PID 4332 wrote to memory of 644: 4332 msedge.exe, procid_target 108 (2 hits)
- PID 4332 wrote to memory of 4024: 4332 msedge.exe, procid_target 109 (15 hits)
Processes
(Indentation shows the parent/child relationship; each entry gives the image path, PID, the full command line, and the signatures attributed to that process.)

C:\Users\Admin\AppData\Local\Temp\Patch-BBT.exe  PID:4844
  cmd: "C:\Users\Admin\AppData\Local\Temp\Patch-BBT.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4332
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://glasshousecommunit0.wixsite.com/blackboneteam
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3852
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9348d46f8,0x7ff9348d4708,0x7ff9348d4718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:1632
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:644
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4024
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3548
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4468
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:5004
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  PID:4708
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2200
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2492
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2836
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5312
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4304
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5364 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:3988
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5388 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2976
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5152
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5540
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5624
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5908
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:4356
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5512
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:2836
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5528
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID:5596
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6327334272850670818,1817816215056984750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1

C:\Program Files\VideoLAN\VLC\vlc.exe  PID:3956
  cmd: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DismountSync.mpv2"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe  PID:3772
  cmd: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  PID:4248
    cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3772 CREDAT:17410 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE  PID:3444
  cmd: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\SyncOut.dotx"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\CompPkgSrv.exe  PID:812
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  PID:3616
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD550248c3bf92a10fcfdac9c2f4a65a9dd
SHA12f29744d6688ef5dede1a978709e739075228272
SHA256ae04802648f370ae5b202a2b5fd9dc16cd08aca6d16d9af58f765069d0c97a95
SHA512e37c16bacdf22377a2be987c0f436826d533ed0e4e0e9bbbcb3984bbe9d0523959077a320db56ca3c78196a7cc3291a117d6472c4aebb6737811ee39af9d3474
-
Filesize
11KB
MD529b783735cefb6628544382e0f0590e7
SHA1c95ddf56b4d8f55498a957594bcffd0f3f3d9e41
SHA25624bfc2b6684a6b4ed451be43e87e2729cc475eb610ec0867316d38a297410911
SHA512002a09a4cbb7a5ef336085ece0b53a35dbe97a31e0eeed42b58687f24e5f101d2b916dd5e88a5941a198ea5cbf4f1647de3db81e7edbc31afdf2818e7de18166
-
Filesize
15KB
MD51a545d0052b581fbb2ab4c52133846bc
SHA162f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5916eb0308ebe88dfbeeb379c41146b6f
SHA19a75ed99e2d0c86207eaf197cd6e9d9e7bdf7646
SHA256e9698dc4e7b99698b26bf993003d3318c06a46cb758686006bb255892ae2df2b
SHA5126f8bac880e742a457436f8f54f0f6da9d9076b383ab5a00a7beac91160e72d81bd9b111a9f9b13a52d2e875d405f50a185a26d794a143260973c5d8134e7ac77
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD54396510018bb8f4687240a75af19db40
SHA162303128d935cbe075197b4a1ef885d95a3fad2a
SHA256890009d015695e7acaf04e61ef69f79031ff2c9429cff364fda9aaff20ad72ad
SHA512e0e2a1283280d7684ef91dad6b148ee3fcfe7598b852ad9ebb1822488c598e8cb42baf2e626de87f5722b3d04db6b088899078101e10590a5bbcc0c8407208f8
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
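Added example (not part of the sandbox report or its tooling): a parser for the Downloads listing in the form shown above. It accepts both the fused label form ("MD5c39b...") and the label-on-its-own-line form, checks that every digest is hex of the expected length, flags entries that live under directories Windows and Edge populate on their own during a run, and verifies a file pulled from the sandbox against a record by recomputing all four digests. The NOISE_DIRS list is an assumed heuristic, not something the report states; the embedded sample is copied from the first and third entries above, the third being one of the entries for which no path was recorded.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex length of each digest the report lists.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASHERS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
           "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# Assumed heuristic: directories the OS/browser fill on their own
# (certificate-retrieval cache, Edge code cache, account-token cache).
# A hit means "likely environment noise", not "benign".
NOISE_DIRS = (
    "\\Microsoft\\CryptnetUrlCache\\",
    "\\Microsoft\\Edge\\User Data\\",
    "\\Microsoft\\TokenBroker\\Cache\\",
)

# Matches "MD5<hex>" fused lines as well as a bare label line.
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")

# Constructed sample: copied from the Downloads listing above.
SAMPLE = r"""
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize471B
MD563a2d2b4cdc269762fe4bdb8cdfde7f8
SHA15cce14e5285ce9844b164d37de9f4ad0acc7880f
SHA2568e323e0354939fd301d8db011a0b007476c93e0e048100922e3e59e34b04f716
SHA512db3b35b23c3088fdf8f5215d8f9149e717d871be0c7b69541aba232e6f829e18d9d074b53f173387985a3ba4df1c016ec5b75f4387d6123c6c1ba3113c43dec9
-
Filesize
152B
MD5c39b3aa574c0c938c80eb263bb450311
SHA1f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA25666f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232
"""


@dataclass
class Dropped:
    path: Optional[str] = None        # None when the report recorded no path
    filesize: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)

    def is_noise_path(self) -> bool:
        p = (self.path or "").lower()
        return any(d.lower() in p for d in NOISE_DIRS)

    def digests_well_formed(self) -> bool:
        # all four algorithms present, each lowercase hex of the right length
        return set(self.digests) == set(DIGEST_LEN) and all(
            re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[k], v) is not None
            for k, v in self.digests.items())

    def matches(self, data: bytes) -> bool:
        # a local file matches only if every listed digest agrees
        return bool(self.digests) and all(
            HASHERS[k](data).hexdigest() == v for k, v in self.digests.items())


def digests_of(data: bytes) -> Dict[str, str]:
    return {k: h(data).hexdigest() for k, h in HASHERS.items()}


def _store(rec: Dropped, label: str, value: str) -> None:
    if label == "Filesize":
        rec.filesize = value
    else:
        rec.digests[label] = value.lower()


def parse_downloads(text: str) -> List[Dropped]:
    records: List[Dropped] = []
    cur = Dropped()
    pending: Optional[str] = None   # label seen alone; its value is the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":             # entry separator used by the report
            if cur.path or cur.digests:
                records.append(cur)
            cur, pending = Dropped(), None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.group(1), m.group(2).strip()
            if value:
                _store(cur, label, value)
            else:
                pending = label
        elif pending:
            _store(cur, pending, line)
            pending = None
        elif cur.path is None and ":\\" in line:
            cur.path = line
    if cur.path or cur.digests:
        records.append(cur)
    return records


def triage(text: str) -> List[Dropped]:
    """Entries worth pulling from the sandbox: path missing or not in a
    known noise directory, or digests that are not well-formed."""
    return [r for r in parse_downloads(text)
            if not r.is_noise_path() or not r.digests_well_formed()]


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print("review:", r.path or "<no path recorded>", r.filesize, r.digests["SHA256"])
```

The entries with no recorded path are exactly the ones to retrieve from the run and hash locally; `matches` insists on all four digests agreeing so that a transcription slip in one of them does not pass silently, and SHA-256 is the value to pivot on in other tooling, with the MD5 and SHA-1 kept only for interoperability with sources that still index on them.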