Analysis
- max time kernel: 149s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
- submitted: 11-10-2023 06:03
Static task: static1
Behavioral task: behavioral1 (Sample: VAKIFBAN.exe; Resource: win7-20230831-en)
Behavioral task: behavioral2 (Sample: VAKIFBAN.exe; Resource: win10v2004-20230915-en)
General
- Target: VAKIFBAN.exe
- Size: 896KB
- MD5: e478fc4b0c1091347240550446e2f7a2
- SHA1: 2c46e2b777dc7a29c17deaee98534069efa91586
- SHA256: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
- SHA512: 6476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
- SSDEEP: 12288:GmVjOxbWKVGu27Wm4XfbzsqPhxRAUwQ7xjAkZNPrApR60mR4IQfei08hTrC+iQas:GmVja2iPhhXZq60zD1himaDQ
Malware Config
Extracted: snakekeylogger
- Protocol: smtp
- Host: mail.gkas.com.tr
- Port: 587
- Username: [email protected]
- Password: Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
resource | yara_rule
behavioral2/memory/1572-25-0x0000000000400000-0x0000000000424000-memory.dmp | family_snakekeylogger
-
UAC bypass
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
-
Windows security bypass
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes: VAKIFBAN.exe, svchost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | VAKIFBAN.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | svchost.exe
-
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes: svchost.exe, VAKIFBAN.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | VAKIFBAN.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: VAKIFBAN.exe, svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | VAKIFBAN.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | VAKIFBAN.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: svchost.exe, VAKIFBAN.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | svchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | VAKIFBAN.exe
-
Executes dropped EXE 1 IoCs
Processes: svchost.exe
pid | process
4464 | svchost.exe
-
Windows security modification
Processes: svchost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" | svchost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: VAKIFBAN.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" | VAKIFBAN.exe
-
Checks whether UAC is enabled
Processes: svchost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
-
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: svchost.exe, VAKIFBAN.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | VAKIFBAN.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | VAKIFBAN.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: svchost.exe
description | pid | process | target process
PID 4464 set thread context of 1572 | 4464 | svchost.exe | ServiceModelReg.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
4748 | timeout.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 32 IoCs
Processes: VAKIFBAN.exe, powershell.exe, msedge.exe, msedge.exe, identity_helper.exe
pid | process (identical rows collapsed; repeat count in parentheses)
4320 | VAKIFBAN.exe (23)
1480 | powershell.exe (3)
2132 | msedge.exe (2)
3148 | msedge.exe (2)
4732 | identity_helper.exe (2)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes: msedge.exe
pid | process (identical rows collapsed; repeat count in parentheses)
2132 | msedge.exe (9)
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: VAKIFBAN.exe, svchost.exe, powershell.exe
description | pid | process
Token: SeDebugPrivilege | 4320 | VAKIFBAN.exe
Token: SeDebugPrivilege | 4464 | svchost.exe
Token: SeDebugPrivilege | 1480 | powershell.exe
-
Suspicious use of FindShellTrayWindow 25 IoCs
Processes: msedge.exe
pid | process (identical rows collapsed; repeat count in parentheses)
2132 | msedge.exe (25)
-
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
pid | process (identical rows collapsed; repeat count in parentheses)
2132 | msedge.exe (24)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: VAKIFBAN.exe, cmd.exe, cmd.exe, svchost.exe, ServiceModelReg.exe, msedge.exe
description | pid | process | target process (identical rows collapsed; repeat count in parentheses)
PID 4320 wrote to memory of 5084 | 4320 | VAKIFBAN.exe | cmd.exe (3)
PID 4320 wrote to memory of 3052 | 4320 | VAKIFBAN.exe | cmd.exe (3)
PID 5084 wrote to memory of 400 | 5084 | cmd.exe | schtasks.exe (3)
PID 3052 wrote to memory of 4748 | 3052 | cmd.exe | timeout.exe (3)
PID 3052 wrote to memory of 4464 | 3052 | cmd.exe | svchost.exe (3)
PID 4464 wrote to memory of 1480 | 4464 | svchost.exe | powershell.exe (3)
PID 4464 wrote to memory of 1572 | 4464 | svchost.exe | ServiceModelReg.exe (8)
PID 1572 wrote to memory of 2132 | 1572 | ServiceModelReg.exe | msedge.exe (2)
PID 2132 wrote to memory of 4908 | 2132 | msedge.exe | msedge.exe (2)
PID 2132 wrote to memory of 1932 | 2132 | msedge.exe | msedge.exe (34)
-
System policy modification 1 TTPs 1 IoCs
Processes: svchost.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\VAKIFBAN.exe (PID 4320)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VAKIFBAN.exe"
  Signatures: Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Checks computer location settings; Adds Run key to start application; Maps connected drives based on registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 5084)
    Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 400)
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      Signatures: Creates scheduled task(s)
  - C:\Windows\SysWOW64\cmd.exe (PID 3052)
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C71.tmp.bat""
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe (PID 4748)
      Command line: timeout 3
      Signatures: Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\svchost.exe (PID 4464)
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      Signatures: UAC bypass; Windows security bypass; Looks for VirtualBox Guest Additions in registry; Looks for VMWare Tools registry key; Checks BIOS information in registry; Checks computer location settings; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Maps connected drives based on registry; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1480)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe (PID 1572)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2132)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
          Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4908)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd586e46f8,0x7ffd586e4708,0x7ffd586e4718
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3148)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1932)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5112)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1636)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3544)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4244)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1944)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4744)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1560)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4728)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
          - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4732)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
            Signatures: Suspicious behavior: EnumeratesProcesses
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3836)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3120)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,6786418975013979231,12705492604735574424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
        - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2840)
          Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
          - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3716)
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd586e46f8,0x7ffd586e4708,0x7ffd586e4718
- C:\Windows\System32\CompPkgSrv.exe (PID 956)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1460)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (3): Disable or Modify Tools (3)
- Modify Registry (5)
- Virtualization/Sandbox Evasion (2)
Downloads
- Filesize: 152B
  MD5: 3d8f4eadb68a3e3d1bf2fa3006af5510
  SHA1: d5d8239ec8a3bf5dadf52360350251d90d9e0142
  SHA256: 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
  SHA512: 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
- Filesize: 152B
  MD5: 3d8f4eadb68a3e3d1bf2fa3006af5510
  SHA1: d5d8239ec8a3bf5dadf52360350251d90d9e0142
  SHA256: 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
  SHA512: 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
- Filesize: 152B
  MD5: 3d8f4eadb68a3e3d1bf2fa3006af5510
  SHA1: d5d8239ec8a3bf5dadf52360350251d90d9e0142
  SHA256: 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
  SHA512: 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 264B
  MD5: d2a412894c7fee99ea5fcbab992604ab
  SHA1: dbef4af7669c177a88073a0d0ace23a00871059f
  SHA256: d8b60eed025955425696e31b0dc0b109f9d119673c5cbd9c3048f53a3e01a6ac
  SHA512: a2cee6e659b5e7b2be4a1d9a55f90c1d53bb272cc803fffe67094f7f0ec2b5a99fb3f0cb5187baa8504a351e34e2db85e47aafe1a5e6bf792c2dc9190ac3ac84
- Filesize: 437B
  MD5: 05592d6b429a6209d372dba7629ce97c
  SHA1: b4d45e956e3ec9651d4e1e045b887c7ccbdde326
  SHA256: 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
  SHA512: caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 5KB
  MD5: 630a0752811c2bd25ab93607bb8762a9
  SHA1: 619f2c1dbb5686485eb217a180c527dd4ba09054
  SHA256: 10cdf7eb701d1f5d662ee555edca8e38506a5d7c8df4fbfac7d0aca7793c5784
  SHA512: 59a0ecef3251e3e6dd1dc3df64337150dc1662ab12fb5287a3f5a416ac3ef4a9f3d71d766253af8883fbebe2d07910aa147e447effe870c877be72b4babf58b2
- Filesize: 5KB
  MD5: 7f96c61779ed613f51ff310676960705
  SHA1: aafaa20baf2b083cde6945a07f707b199f6c18d9
  SHA256: b471bee34a0adcfbea42e8ee408d438f4e0a6a7224ed420ab9fb788486cfadf0
  SHA512: f821985df31821763a5680c4960590c355b52688373d8ac02e4c8f08acd9d7dd56aaae9bb2a40d91451f41e58e5394fcd60e3d10b2de67c635844a9387f5bee4
- Filesize: 5KB
  MD5: 32ffe00f2825553f1cd5bab9a32eb2e2
  SHA1: 8a672a25fef2141c25c301a3b1b280cd4f37c05e
  SHA256: bb6f3d3e0aa42579e45ddd150c3d78ed5ca2db21c5003a77f051c90a97a32ffd
  SHA512: 2d9cdafa4879f9a5eec50b946af54db2a7c19f4c6b241e5fa6e8c44404ff6161342e0122bcf782eb8b41175635846d2449b6b932b729ad1d7af93d3575c5cc7f
- Filesize: 24KB
  MD5: d985875547ce8936a14b00d1e571365f
  SHA1: 040d8e5bd318357941fca03b49f66a1470824cb3
  SHA256: 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
  SHA512: ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38
- Filesize: 371B
  MD5: 7d59d2e398c2cce8b2157e65ccbfc76e
  SHA1: c8bd35dae6c6b11e466f76bbcdb05fc3248a3b27
  SHA256: ee3c5d005eafe0e378825f585a6838d776ad8865deae231bccd92885e34d961c
  SHA512: ffd378ad266fe2514c1ddcf1e88026ee246c037b3d9c09391e944d9dce5494242dc49f2434a68665401bef1a64d7dd4b136da5855551d3c028f1fc1f5b93cdf3
- Filesize: 203B
  MD5: 1f53cfe9e13181e6631e66b85ca715e8
  SHA1: 37336e6db2b2c8f2dff8923bc838d97c841a5fca
  SHA256: 7c135d7c0510c33576ab513c2529e2a83aea7d5184dcd2ca43829cfc77c01f26
  SHA512: 5f7f08a1017ddc9c2b98550f623ab689211a405fbf38d8ffa8fe8ff14ab19fb9ff5444015f7445b183b02fb330b314472af0b661295583202ce2d562c673af5f
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: ca75b881596130940606e87c5c7dc137
  SHA1: bd8485975eb0d380f7c11dbc81eead9496cc770b
  SHA256: d2b7468445d1e75b70e95f9b515972306622fd8fdd6c066961fbef9e33833d54
  SHA512: 4b89d50a3445f8e5bd287a3f1c5da913c31bfc8e96353f653453cfb3eef27e48e8a785499d19c0ea8402fc5d67b04a45ee67ce7e1617486bfd2be42a06d68cfe
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 151B
  MD5: d72fe477f0c190e2634b99a2e6ac012c
  SHA1: ffc179fb4fd106ff38e62418c90a4d473f779e08
  SHA256: 6cc16fa1eb45edc4820d08375d4f0eb9240108eb37f8f925135d20d47a61d4f4
  SHA512: e74a0a68a010b7c80590c426cb278ab7bc63f570d588b324d8d1b1dc28b9c09b7ff907adf3fa896959ecec03e05f65088a0d1891564a868ff8d233d210bebc81
- Filesize: 896KB
  MD5: e478fc4b0c1091347240550446e2f7a2
  SHA1: 2c46e2b777dc7a29c17deaee98534069efa91586
  SHA256: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
  SHA512: 6476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
- Filesize: 896KB
  MD5: e478fc4b0c1091347240550446e2f7a2
  SHA1: 2c46e2b777dc7a29c17deaee98534069efa91586
  SHA256: 6e9331ce6b0ef84031079cf0d10d4f09e389b29c970cbe9f6f1d683eafa9aa52
  SHA512: 6476b53eeabeea7b97e0af0e41454ff713ba5c625ca2b8a4d211c9fb32ecca847ac85a39b28a0f5ac1a37628708df22da5aea99853b289c1bb911acc435345e3
- MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e