Analysis
-
max time kernel
198s -
max time network
185s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-08-2024 09:13
General
-
Target
SteamRIP - 🧠-palace-of-humility [1256286199694495844].html
-
Size
238KB
-
MD5
17ff4593972658c0964b6813e1aab14d
-
SHA1
4d2257ff540dd6e1ab14fce6a4aa1be96721ce3b
-
SHA256
26ecb3cd51fbaab64cfc024eabe3c0c8230001594be9b34b9e943d01fe02ea79
-
SHA512
64367f97c622f38a74ead0b7596dfef0c282c28e35e70bb5affec99d28f9358b96eaf7af9f4fd7b85af28b9ce7887e58f8bcc83abc76946a88dba94d77d6ae63
-
SSDEEP
1536:4MNDL8DMDahDEqlDO/RnXbvYEVoSWaoo1TREiDQcD0sFbyMzQrHPDfaS3epmxZCr:NeCuTsX8XDzsl+SRP
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 8 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
-
Drops startup file 5 IoCs
-
Executes dropped EXE 14 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\SteamRIP - 🧠-palace-of-humility [1256286199694495844].html1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9111b46f8,0x7ff9111b4708,0x7ff9111b47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5696 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3508 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1856 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5588 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6764 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6268 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5712 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2016,3682120787216020552,1534095552388220546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Downloads\BlueScreen.exe"C:\Users\Admin\Downloads\BlueScreen.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\Downloads\BlueScreen.exe"C:\Users\Admin\Downloads\BlueScreen.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5ad8536c7440638d40156e883ac25086e
SHA1fa9e8b7fb10473a01b8925c4c5b0888924a1147c
SHA25673d84d249f16b943d1d3f9dd9e516fadd323e70939c29b4a640693eb8818ee9a
SHA512b5f368be8853aa142dba614dcca7e021aba92b337fe36cfc186714092a4dab1c7a2181954cd737923edd351149980182a090dbde91081c81d83f471ff18888fe
-
Filesize
2.7MB
MD59364eda7981c35c055455059f6514887
SHA11f068dff412fcc20b30e35e33d6d39126a13807b
SHA256e770e5e6ba0a96fc8a1fd68e9c64a5a0851d8d67e4ac970d75fe832ec3c4bef1
SHA5125dff0452a894a70c158475bb9ab6ed0f3e57081d46e96f76a869ab52733faf789cee0aa0735e7e5c357df57a9b8588b2f97bf32df2a7a2fd0bc950cdbfc7a6ee
-
Filesize
152B
MD5f9664c896e19205022c094d725f820b6
SHA1f8f1baf648df755ba64b412d512446baf88c0184
SHA2567121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e
SHA5123fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae
-
Filesize
152B
MD5847d47008dbea51cb1732d54861ba9c9
SHA1f2099242027dccb88d6f05760b57f7c89d926c0d
SHA25610292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1
SHA512bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f
-
Filesize
7KB
MD53f196b11509a22fa696f37651392f600
SHA182d5bf615f6b92765e1b2d55d6718433f6edd961
SHA256797edf1d879c904cf8da5b4568aea81e08bd5f0b0934a360d178d57ac3588b16
SHA51244c75bf49f213f3940890c48049c70ffe61d7a4a368e94904194938cb42b3bb6df18a82254226328e4ae26971bdf31e1e9f49a218ed1c397817642959a3147fe
-
Filesize
5KB
MD560d0f72fff2e647f2369dc1f89fbbc43
SHA1c98c89a1ff2ac36f65ec35aeea11be392a8f3cb8
SHA2566eeac0e745f15216e6c6d65eb33b16ff4d9f5ccdb17ec6090f096e5759da53e8
SHA5125c63364c3dd9c28740d792365ac54810496d4286ad0aa574efdaf03fdd5965c34677793e8dcc504a25877354819293335800c7a1349e572bfb329d14b96ce0ff
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
70KB
MD50f6e110e02a790b2f0635d0815c12e5c
SHA12411810c083a7fda31c5e6dd6f1f9cf1b971e46c
SHA2562f7018f3c214ace280e4bd37aabe0690bd9d8d0532f38e32a29d1f9de1320605
SHA5122f2fb7c4ddfb6abb5dcde466269f625eea58a2c69d25830e6bb24126e7679ec7c83fdb0d8ff2a7de4dd4b994513f5e80813dbf1f5d6a9a474c3a60d8bee74f4f
-
Filesize
43KB
MD5e352d970a4f70796e375f56686933101
SHA120638161142277687374c446440c3239840362b4
SHA2568a346ccc26d3ae6ded2665b27b443d6f17580650d3fdd44ef1bb6305bee37d52
SHA512b2c95bc6a7bd4cc5ef1d7ea17d839219a1aa5eba6baeb5eab6a57ec0a7adbc341eb7c4d328bcc03476d73fd4d70f3a4bdec471a22f9eb3e42eb2cae94eeb1ccc
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.2MB
MD50aba6b0a3dd73fe8b58e3523c5d7605b
SHA19127c57b25121436eaf317fea198b69b386f83c7
SHA2568341f5eb55983e9877b0fc72b77a5df0f87deda1bc7ad6fa5756e9f00d6b8cac
SHA5126a266e9dad3015e0c39d6de2e5e04e2cc1af3636f0e856a5dc36f076c794b555d2a580373836a401f8d0d8e510f465eb0241d6e3f15605d55eb212f4283278eb
-
Filesize
4KB
MD5200d1fe16266a3c95eb9cf1f687d9bd8
SHA15c26fa948e4a39b390bd198be0d76121d8c45492
SHA256ee6e54123b07fea510373104a5ff2268cd2eb07a78bb82594c1d7b78382b1c22
SHA5124005b487d0320ebffca0e7d77a66c6b4fd53bda9ce7a1e94a67ff4d73df4db9ebdb6304246435c25ea54805337a4c26d05afd323424773b4ebf0c9a7c1eb7353
-
Filesize
856B
MD5a13b8753205eca39b15545e2021aa31c
SHA10164bbb0f0b9a6f616093122f3271d5af5dff736
SHA25681ceb3ad652141340fa6485f3bee2a8dd92d5540624e9bb7e0ee52463583161a
SHA5128992f3fd39f62f84b48869e62ea148ada5c7c99a84c1efc873ead5887c72acf2e295db8569c1bf73b05dc6750ee9f7a7a487a5c0b2e56b67983d1d6ede09e9da
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
7KB
MD5efa6a6efac33b816aed53f4e4ff7188e
SHA13ab7e884af32e7a09942904563eca77295a63959
SHA256bb3b74bc369ed4925387d35dcaaede0db81d184297330945cad0b3491baaba03
SHA51243b16c3c09cd9dff0bd9c37fd990555b3f3386d580287895b56eebd1e68d82f9e631e3d725fa2432e5e65c7ded494d635d9f43bf89ade6094c09b804781f9285
-
Filesize
7KB
MD59585749dc7437a2daa3e8b73b8a38f5a
SHA17f180dfc04a1a80d9194e78ecb5cf6de8addb51a
SHA2564e43b87aeb3d90bb51d91dfb6830393429754c0a5bada951a4d9a008ec708c39
SHA5126beb5a0b11e1d1a9577840c99bc484f197a2afab599ccc914e33a27bbfac54ee61c21ae0ce6429355d740278e754e2a60cfb24ca3ebe3f18519ebd9b54adbdc6
-
Filesize
6KB
MD5bc0be024a68383f1606f42efa4cda8f5
SHA13961c7121935bfec95392593b5de9a78644a806d
SHA2562eee732e340df744e0e5b7b14407ce2720e6c0e24a92e2d21c538d7ca608b4ff
SHA51233f34a3b2a4e1a8b3cf6c8047896cb0742e7c7e0c9b059603f98e2bfeb9f55606893473da1c07796e96f5fdcc8080cd26f726a4ab0eeb2ec251293ed251170da
-
Filesize
6KB
MD544abeceeb875961ddc92634ba1f99558
SHA130e59b9462c3d96f666c1ec3eff24e910f29b1ea
SHA25615944c2f338b96a28f175f954735c9c56fd8e5184975a9a4dd509761089a9643
SHA5127d0a64bb80e0f15b84db3661a3f6579beb4151e1df8e4743dd988f128ba3b63a59ac24e902a312156aea8f748fe29e1caa301bec906de2ede1f584cb6d08d5d2
-
Filesize
7KB
MD5baec99396543f8bf5943a73ec7cfb95c
SHA130b2c8372c0ff8022d509a83529f369b05f3a0f5
SHA256f3c5d663b5d6b1d4102f9347c83053e7100192262e6bb0807399a5f886574fd7
SHA512dcc2346418944f11e01c5f3da1a5e7f5f6f263985116a84d20d79382eb442fbecb6b6531c3924b77f4b13ab3384c80fa4c1c28a0e214af53ccd6966b64297337
-
Filesize
6KB
MD505d9da5eb22febb8aa3126b320699e8b
SHA1560e8fde04709399afa6c028c5b6e81e52335922
SHA256db0bc9c82017e330d5c2e3dc8b7ce2914d2b8b63bc3fb60dadd08c0a8480edec
SHA5129876326fe02b671387e46d689b29269eedfc4f8b05bed753d2ab536dc6ac19aa460de168df21cd79db174f6acf204952c7268debf212ac3204f36cd1f9585baa
-
Filesize
1KB
MD5076838408617390bd7291ac9992b5614
SHA1e5fc7939749849db080377111cf2c279ac3c2209
SHA2561aaddb5d8d239e5f0d3698c3242e6b1d676927f38d78271ef72d029f5da6a45c
SHA5120f5850ca4774dd88207370002882ed3f6136ed796da2201fca529fc9646e4cb3ed784d987f705420f17c2eac0f5d6c6e35391f0d605d1600d8ac69f31c94555b
-
Filesize
1KB
MD5f9ccb9ea3bf86f4b6e2856c8c1a92a2c
SHA11092d08c5b79059590dafabf3e0517ebb5c0318d
SHA25650e045b7abe25e70e53da64a9d1242c0d76cfbad52da5ae38839e7c2754562c8
SHA512c2f5385e577a54d2141d88133e8035da5de193ab91815b8c791f53dd1054cc541d96454d359894fa61f95ef0e04a9b62fd3b9682be71c5cc3a93ada1e5bb1ffb
-
Filesize
1KB
MD50ca8860f05871176fb90404f0adcf01f
SHA18822cd0169c03b8ea15eeeb4fb0c2c92cede7de2
SHA256fb6f21cec02f7edf068e8f75aacde16ae5f75b381175ec1f385b94bb658f0f82
SHA5122431282c4818238f3017659519d5c8cbd5cabb2807b1d57cffcb8cd7d156eb7299ee138f45ca0915d5681bc668fce257e9d6e04362895207276753aa65bb3f9b
-
Filesize
1KB
MD58c01a5bf47a660774b1af5fa265a1f21
SHA1eb1e8410e0423326fdd5d95cdb733f30a8c816b5
SHA25696069c2515a951cb7f37bd1d57265c35adc6ea777fe61b097f6114a256dbe281
SHA5127b0bea8319b4b828d9784587347cd67dcee133d1e5db725033954ac2b19bbdc8b5735b29c04abca0981823a62c8f4f6a720660ebd9c6a9854f57455192f652f2
-
Filesize
1KB
MD53065885123d5f2fcf3bb89406985ca3c
SHA1facee2451f135c15d37c404b0107bdb760da411e
SHA25699c2df0611121fb6b54e4258a5bc53dbe9d8e681532501c8c64ee7a10cd66aaf
SHA5122ff486f147674220396dc6cf14301d7af96df1d73b5260996bbefc46bed0a0aee675f46a4fa60798120849e30e094fabe816545522ed9839d6beaf40d04d0d92
-
Filesize
1KB
MD53dbeccc1dd908f5cf1ee3e31d92a9e78
SHA197e461defb0ebdbcf83f8bacd0a8b987b322165f
SHA2569f1e47cb3c2c03b68af79e3b400029fc7a5719241fc04ae6364ed036e397b600
SHA5121ec1285dd3c72f8f112c40bf31324f28187b57dfaaf83109820a6c1ddb1cacd96c0c318de965fc8df8e60ac8eb3a868ee467b627dae6db430b83c69849e4fc11
-
Filesize
1KB
MD514c37d338c6071cc3f9aeb452994b24c
SHA17e36bb8bb4a9445cee16a1083975cd3aa26ce652
SHA2565707e8a721b53f04ff2a93e951a8285c4ed79bb07f596e790cf481fe7e248762
SHA5128412deba51fa417f1b1dda39b77f95fa1303e40f3df5253fae11628a11cd2654f34798fdc89ad4cd5fce2549211d3d657dabc3da868c6d169f3154a88beb9df8
-
Filesize
1KB
MD570bd8b4a0cc393455f5e214481039c9c
SHA10f797235cc39ee3f45dc7c025894bbc4a155fd95
SHA2563ff3be224c5f0f90bba6c83d750d59ad0a4982299eb54187470cc79ec7da9437
SHA512ae45c4cd962405c88a185de8ad2cd4a0c56b217d3d8d0a78323af5209d735568cfedba74c01395632b8f59a0dc73d22e9362805d076ee77b81dc3d3c81b2b5bb
-
Filesize
538B
MD57a7609a31540c93d67ae690c92e06354
SHA12823c138e341c09a64942f8cb15e18b8baccccfc
SHA256bf2749d2ff70ef63c83242304dcd600fa2eb5b194b10cfcdf91c1f028f3adddb
SHA51284b948a042c3906ff2bb8cb2d559c0bac512af8c38774564a4e783143b2a9f6abc0fd7a26d2fa717db3a0384459357dac12445ae5332aa0876b8b65e2207ea7b
-
Filesize
1KB
MD5a7f018189c22066e2a2e6cfcb85f1144
SHA135939a15ef09a8a031c4f72b55df999f35051939
SHA256dafaa6d45d392e450c2a76144b94b14d7411cdf0c8cb9e4787c3c2e832b8af47
SHA512f062464b63e6bef5abfb6c24fa33a89ce90a11bd170bfa8d6a1fcebb12a32711b278165ecce21c224b4024c52453cd59d1560f40330818742d45db2fd69f6716
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
76KB
MD5913dfb45dedefd22b6ad79bf9a1b46f3
SHA12f9177d928ae599e3e38cc767b53859cd1993be4
SHA2562d297a33c45384a0778fa204410a80d6fc1ce0edaa90ac2537208ae8600533b8
SHA51287be951439e01c99dea6d0a3311774f2641c6ec69b3e8ac35bb672391bb2697534e0cbefcafed33a609123187d1df74dae9e5aa720660096082ccabfe38eaf87
-
Filesize
12KB
MD5a8f3df5bdae746733451cab842261c0f
SHA1751cecae605ede320d51890de9ca22721897bce0
SHA25696b9faf9e894ea86c97625b4a179f77239682087553e3b2c1f8ff923fd7ed674
SHA512e5cd9b9921e7f7b9f98aad470d76584c7584c2609b8fbcddfbf78577bfad2d10cc9bcc3718386d9d844c159474c9587cfcebaa2c65990d1f27114270bee178bb
-
Filesize
11KB
MD5a26f92cd8feae15119af34da424d04e6
SHA1d1b859ebbb83e0d912f7e2b5eff6e7ee6a4b7ed6
SHA25612dcbe929f517c33629718e9b87b62cc69cc7882583556ba9d73ff8f57c2df78
SHA5125997667c037a1c71c5f07c393b41b112254f6f028d6811d134585ebd24af29c3a12b957a35c7c70384c21c9e4bfa60ba3d4a0a4f4116a9c040057f75c1ad0b41
-
Filesize
12KB
MD515e24e8284b6065c3c962a2991c18a6f
SHA164fed764a0a7c1855c37e0956c937765aa5341f1
SHA256afa2f8e97de6bc5419ebb73b698239477196e742db1c4ba78e30f3dab8ae2a1e
SHA5128f196696475e2e5cffef234caf37f10cf77cfe355e32e8bcd3af7a71703e611c78d7844912ca8c347a3b5e3c5f05454f1bb40b1ac2a87fffcb5466257dc1dae2
-
Filesize
10KB
MD5716e1b51df3e747d1580e47f5f1a17f4
SHA17cabc7b3e12292a05357b16dae6b4d37027c97c2
SHA256a829e7e3dc5c615864f5f17a0d35b029c8f710f1af47af801c672cca676e609e
SHA51244c4657ba0d8602922e7c50c465f13b371a3a99227d086c0237bb6129bf7767ca78aa27171d441b8fe5f547f94f2b855901f19c39797a71619ae7a37a8ed6781
-
Filesize
9KB
MD5b01ee228c4a61a5c06b01160790f9f7c
SHA1e7cc238b6767401f6e3018d3f0acfe6d207450f8
SHA25614e6ac84d824c0cf6ea8ebb5b3be10f8893449474096e59ff0fd878d49d0c160
SHA512c849231c19590e61fbf15847af5062f817247f2bcd476700f1e1fa52dcafa5f0417cc01906b44c890be8cef9347e3c8f6b1594d750b1cebdd6a71256fed79140
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB