Analysis
-
max time kernel
147s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2023 15:28
Static task
static1
Behavioral task
behavioral1
Sample
30082023.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
30082023.exe
Resource
win10v2004-20230915-en
General
-
Target
30082023.exe
-
Size
466KB
-
MD5
4d5ce0ea9efcb7e3fdb61c32d1626748
-
SHA1
5813b82a84f3c3d8f4b5a7af227026fc2c8c7f66
-
SHA256
dc5e498d5465b93688dd366c5661cb624456b0982928c3778845b5d640ebf625
-
SHA512
9739f69426a5c58aca0c4349a65417994376fd436c5cd55f2feaf30f8fe15ea80e6271fcd80f0c70f77b1f171324a11d730248429f55b80f842b8a71f2fe7be1
-
SSDEEP
12288:zMYG3l6sMIBJCx6icVkGYJ/Zi/PBs6lD+S:zjGDFkiPB9lD+S
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/776-19-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger behavioral2/memory/2224-23-0x0000000004AA0000-0x0000000004AB0000-memory.dmp family_snakekeylogger -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
30082023.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions 30082023.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
30082023.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools 30082023.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
30082023.exesvchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 30082023.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 30082023.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
30082023.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation 30082023.exe Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 4868 svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
30082023.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" 30082023.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
30082023.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 30082023.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 30082023.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 4868 set thread context of 776 4868 svchost.exe ServiceModelReg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 5084 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes:
30082023.exesvchost.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid process 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4616 30082023.exe 4868 svchost.exe 4868 svchost.exe 2224 powershell.exe 2224 powershell.exe 4616 msedge.exe 4616 msedge.exe 2348 msedge.exe 2348 msedge.exe 876 identity_helper.exe 876 identity_helper.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe 4296 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
30082023.exesvchost.exepowershell.exedescription pid process Token: SeDebugPrivilege 4616 30082023.exe Token: SeDebugPrivilege 4868 svchost.exe Token: SeDebugPrivilege 2224 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe 2348 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
30082023.execmd.execmd.exesvchost.exeServiceModelReg.exemsedge.exedescription pid process target process PID 4616 wrote to memory of 2180 4616 30082023.exe cmd.exe PID 4616 wrote to memory of 2180 4616 30082023.exe cmd.exe PID 4616 wrote to memory of 2180 4616 30082023.exe cmd.exe PID 4616 wrote to memory of 1452 4616 30082023.exe cmd.exe PID 4616 wrote to memory of 1452 4616 30082023.exe cmd.exe PID 4616 wrote to memory of 1452 4616 30082023.exe cmd.exe PID 2180 wrote to memory of 3916 2180 cmd.exe schtasks.exe PID 2180 wrote to memory of 3916 2180 cmd.exe schtasks.exe PID 2180 wrote to memory of 3916 2180 cmd.exe schtasks.exe PID 1452 wrote to memory of 5084 1452 cmd.exe timeout.exe PID 1452 wrote to memory of 5084 1452 cmd.exe timeout.exe PID 1452 wrote to memory of 5084 1452 cmd.exe timeout.exe PID 1452 wrote to memory of 4868 1452 cmd.exe svchost.exe PID 1452 wrote to memory of 4868 1452 cmd.exe svchost.exe PID 1452 wrote to memory of 4868 1452 cmd.exe svchost.exe PID 4868 wrote to memory of 2224 4868 svchost.exe powershell.exe PID 4868 wrote to memory of 2224 4868 svchost.exe powershell.exe PID 4868 wrote to memory of 2224 4868 svchost.exe powershell.exe PID 4868 wrote to memory of 1644 4868 svchost.exe SMSvcHost.exe PID 4868 wrote to memory of 1644 4868 svchost.exe SMSvcHost.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 4868 wrote to memory of 776 4868 svchost.exe ServiceModelReg.exe PID 776 wrote to memory of 2348 776 ServiceModelReg.exe msedge.exe PID 776 wrote to memory of 2348 776 ServiceModelReg.exe msedge.exe PID 2348 wrote to memory of 4804 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 4804 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe PID 2348 wrote to memory of 2132 2348 msedge.exe msedge.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\30082023.exe"C:\Users\Admin\AppData\Local\Temp\30082023.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:3916 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7A02.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:5084 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe"4⤵PID:1644
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0xa4,0xa8,0xe0,0x108,0x7ffeb48646f8,0x7ffeb4864708,0x7ffeb48647186⤵PID:4804
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:4616 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:26⤵PID:2132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:86⤵PID:556
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:16⤵PID:3488
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:16⤵PID:5048
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:16⤵PID:4052
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵PID:4624
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:876 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:16⤵PID:868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:16⤵PID:892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:16⤵PID:4808
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:16⤵PID:4824
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:16⤵PID:988
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:16⤵PID:2552
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13116912072195646081,10889953644638817987,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3632 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
PID:4296 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵PID:1524
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeb48646f8,0x7ffeb4864708,0x7ffeb48647186⤵PID:1536
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3328
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5108
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
Filesize
152B
MD5f95638730ec51abd55794c140ca826c9
SHA177c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA5120eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD5b42984633539c1b6923bf09e1bb7a15e
SHA1b241a9d6d1b4a89d8d0070ff5760ebb20b6f6e00
SHA256ed28250a707585899363d20ad5ae30a841c3475ab370dabe914bae7e0b46764a
SHA512897ec6e80003afc0abb2866af48c0b619a4d45603d62ac3f98f60a275e11265cda9c2158faa02a9bd51f3472e300f13f8d8849723cf52e1c2565272b684a075b
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
6KB
MD552298bb6644c3cf520cbb23c80bf5e58
SHA12142e128ead39308714d95efda984cacc910db54
SHA256f6899fbb99c160123816650be41a610e30fd667e29606eba1a00d73b511fc052
SHA512f2fb5bf8ae98fcef8cc13665ff345bd816e200af66e1b332c40843fdd79273de628e7cc2f8bb6768dc81b1cdb13375674a6e3337e65661f0e4e080fa5b56ab53
-
Filesize
5KB
MD5e96f93c00f44744e75fe94f457605baf
SHA1ecafc0a9cc4638906e6f7645aa3fe5fef70dcc73
SHA256e8d3a027285547c8fa888aaf93953392944acbace85c3bece2eca2c302883938
SHA512722c5a7a4668c79e969b0070760fbaeea2cb6be3a320e9a11f7b1bc44957fe4e9a03ca50a4004e5e6bd28b3f26bb52543ff8f64f10e0c370f28ec7bdc79e60ce
-
Filesize
24KB
MD54a078fb8a7c67594a6c2aa724e2ac684
SHA192bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6
-
Filesize
371B
MD5cc553571828d149172e9a395bf065266
SHA161991cfe56b4ea596dccdd90bb9ca5e53af01678
SHA256c20254df9f3e669b33c56a5ad4fe1358545e393dba1fd6765b2ba3195111d9b4
SHA5129b72e107212af2eacb8b2cd0ea1ac03622607f1a9c64ade446c28feae02fe75dc70be92db3a11a87b5ef64a06092b6bfa8d2235f2358faa954058f705df33f58
-
Filesize
371B
MD5cbe71de97958dcdd831c2d30e5eb35cf
SHA1d883d4b344fafdc0222e0e413eef00244811e3ed
SHA256d9566425db207e21470698801a15fcae3c7122480ba4a6ff5bc1983124dde346
SHA512cee75df1a27f620154937d0332508ee55689bd96891b1430bd59e6d15ff011647c0824bef69df5053e00a74d600adacce390c5d825f29b074eb876416b7810ce
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD585510d35344668927791f37ac4720340
SHA126752ddc6a881e9adba2b44496467d6819513281
SHA256a6ca84b3a1161fe0bfd97983bd93f87206064807467702c19e6a153d5c6d52df
SHA5122d51162b222a2b2e3f4000c324c1c36f57645e4b36758c5a0e3312237ab3c509ce829c379a3d32e877d4ed0d45f515490ca4757a3239cdf16575308b7bfe9b97
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD50ec6a9becb4dffcf34e8b7c4253ad130
SHA1a7c9de8a719d8b570732b38677bf018db9bd0024
SHA256b434be816042d64d6279d8d697280c1cce7b698877054b1dba33268486aa81fe
SHA51218fb5f49f9561991a201ffa19fae71976bd1aa310266309077fa0aa850a4284330ddbffe03cb6b5d4a2752692f0d84afdcea6bb003db576975487fe09e12cb89
-
Filesize
466KB
MD54d5ce0ea9efcb7e3fdb61c32d1626748
SHA15813b82a84f3c3d8f4b5a7af227026fc2c8c7f66
SHA256dc5e498d5465b93688dd366c5661cb624456b0982928c3778845b5d640ebf625
SHA5129739f69426a5c58aca0c4349a65417994376fd436c5cd55f2feaf30f8fe15ea80e6271fcd80f0c70f77b1f171324a11d730248429f55b80f842b8a71f2fe7be1
-
Filesize
466KB
MD54d5ce0ea9efcb7e3fdb61c32d1626748
SHA15813b82a84f3c3d8f4b5a7af227026fc2c8c7f66
SHA256dc5e498d5465b93688dd366c5661cb624456b0982928c3778845b5d640ebf625
SHA5129739f69426a5c58aca0c4349a65417994376fd436c5cd55f2feaf30f8fe15ea80e6271fcd80f0c70f77b1f171324a11d730248429f55b80f842b8a71f2fe7be1