Analysis
-
max time kernel
147s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2023 06:41
Static task
static1
Behavioral task
behavioral1
Sample
Hesap_Hareketleri__20230929_194202031.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Hesap_Hareketleri__20230929_194202031.exe
Resource
win10v2004-20230915-en
General
-
Target
Hesap_Hareketleri__20230929_194202031.exe
-
Size
595KB
-
MD5
816c7761599a4e2b666d2e47e380c615
-
SHA1
6e1de32829fce91c28e24f42972575ba4803318c
-
SHA256
10979714162c9b426a7e9b2e14a582b03b4153bdf3cbce775b69b505a2463cd0
-
SHA512
e242b3b046c32feeedfcf493683daef8c6647447e7cb35b1f96f87f87f96ff752890764bb1cfeed13c72906da075ca0dc009600191510927df648faec4d063f5
-
SSDEEP
12288:bJFl3t6SU4VbiQQoiu6dqHnqczOYhT9/yLhUQ8vFheac4FdKwJ4mAp:Dl9aMb6okqHuQaL89VcSgwKp
Malware Config
Extracted
snakekeylogger
Protocol: smtp- Host:
mail.gkas.com.tr - Port:
587 - Username:
[email protected] - Password:
Gkasteknik@2022
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/2300-20-0x0000000000400000-0x0000000000424000-memory.dmp family_snakekeylogger -
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
Processes:
Hesap_Hareketleri__20230929_194202031.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions Hesap_Hareketleri__20230929_194202031.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions svchost.exe -
Looks for VMWare Tools registry key 2 TTPs 2 IoCs
Processes:
svchost.exeHesap_Hareketleri__20230929_194202031.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools svchost.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools Hesap_Hareketleri__20230929_194202031.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svchost.exeHesap_Hareketleri__20230929_194202031.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Hesap_Hareketleri__20230929_194202031.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Hesap_Hareketleri__20230929_194202031.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Hesap_Hareketleri__20230929_194202031.exesvchost.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation Hesap_Hareketleri__20230929_194202031.exe Key value queried \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation svchost.exe -
Executes dropped EXE 1 IoCs
Processes:
svchost.exepid process 4224 svchost.exe -
Processes:
svchost.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths svchost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0" svchost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Hesap_Hareketleri__20230929_194202031.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\"" Hesap_Hareketleri__20230929_194202031.exe -
Processes:
svchost.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA svchost.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe -
Maps connected drives based on registry 3 TTPs 4 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Hesap_Hareketleri__20230929_194202031.exesvchost.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Hesap_Hareketleri__20230929_194202031.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 Hesap_Hareketleri__20230929_194202031.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
svchost.exedescription pid process target process PID 4224 set thread context of 2300 4224 svchost.exe ServiceModelReg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3632 timeout.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Suspicious behavior: EnumeratesProcesses 35 IoCs
Processes:
Hesap_Hareketleri__20230929_194202031.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exepid process 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 3676 Hesap_Hareketleri__20230929_194202031.exe 4164 powershell.exe 4164 powershell.exe 3792 msedge.exe 3792 msedge.exe 1444 msedge.exe 1444 msedge.exe 3492 identity_helper.exe 3492 identity_helper.exe 4808 msedge.exe 4808 msedge.exe 4808 msedge.exe 4808 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Processes:
msedge.exepid process 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Hesap_Hareketleri__20230929_194202031.exesvchost.exepowershell.exedescription pid process Token: SeDebugPrivilege 3676 Hesap_Hareketleri__20230929_194202031.exe Token: SeDebugPrivilege 4224 svchost.exe Token: SeDebugPrivilege 4164 powershell.exe -
Suspicious use of FindShellTrayWindow 25 IoCs
Processes:
msedge.exepid process 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
msedge.exepid process 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe 1444 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Hesap_Hareketleri__20230929_194202031.execmd.execmd.exesvchost.exeServiceModelReg.exemsedge.exedescription pid process target process PID 3676 wrote to memory of 3192 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3676 wrote to memory of 3192 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3676 wrote to memory of 3192 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3676 wrote to memory of 2232 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3676 wrote to memory of 2232 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3676 wrote to memory of 2232 3676 Hesap_Hareketleri__20230929_194202031.exe cmd.exe PID 3192 wrote to memory of 2812 3192 cmd.exe schtasks.exe PID 3192 wrote to memory of 2812 3192 cmd.exe schtasks.exe PID 3192 wrote to memory of 2812 3192 cmd.exe schtasks.exe PID 2232 wrote to memory of 3632 2232 cmd.exe timeout.exe PID 2232 wrote to memory of 3632 2232 cmd.exe timeout.exe PID 2232 wrote to memory of 3632 2232 cmd.exe timeout.exe PID 2232 wrote to memory of 4224 2232 cmd.exe svchost.exe PID 2232 wrote to memory of 4224 2232 cmd.exe svchost.exe PID 2232 wrote to memory of 4224 2232 cmd.exe svchost.exe PID 4224 wrote to memory of 4164 4224 svchost.exe powershell.exe PID 4224 wrote to memory of 4164 4224 svchost.exe powershell.exe PID 4224 wrote to memory of 4164 4224 svchost.exe powershell.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 4224 wrote to memory of 2300 4224 svchost.exe ServiceModelReg.exe PID 2300 wrote to memory of 1444 2300 ServiceModelReg.exe msedge.exe PID 2300 wrote to memory of 1444 2300 ServiceModelReg.exe msedge.exe PID 1444 wrote to memory of 3580 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 3580 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe PID 1444 wrote to memory of 1924 1444 msedge.exe msedge.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri__20230929_194202031.exe"C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri__20230929_194202031.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3676 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'3⤵
- Creates scheduled task(s)
PID:2812 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8C13.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3632 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4224 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4164 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffafd4f46f8,0x7ffafd4f4708,0x7ffafd4f47186⤵PID:3580
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:86⤵PID:2868
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:26⤵PID:1924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:16⤵PID:4864
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:16⤵PID:1236
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2200 /prefetch:16⤵PID:4860
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:16⤵PID:4256
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:16⤵PID:1148
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:86⤵PID:792
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:86⤵
- Suspicious behavior: EnumeratesProcesses
PID:3492 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:16⤵PID:5268
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:16⤵PID:5280
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:16⤵PID:5480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:16⤵PID:5472
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,12633289215605882578,12836014845652626423,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3012 /prefetch:26⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ServiceModelReg.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.05⤵PID:5204
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafd4f46f8,0x7ffafd4f4708,0x7ffafd4f47186⤵PID:5216
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4932
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵PID:792
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53d5af55f794f9a10c5943d2f80dde5c5
SHA15252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA25643e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA5122e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71
-
Filesize
152B
MD53d5af55f794f9a10c5943d2f80dde5c5
SHA15252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA25643e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA5122e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize264B
MD545713231de8354b6b51549beef727f57
SHA11b5ad55511168fad25e9f99235d3d7ee753fa36d
SHA256dca1edc258d6c5ce91b6a8817531943639fe974e5526437e5dc8658f378137c2
SHA512c93af0536ca9202a4db9ab16b12739a90a81780450d33c0dc78e4f29d9ba40afb6ee2f387f1fc9719148dae62bd7755e07de9428efaaf980ef072b60e94e447f
-
Filesize
437B
MD505592d6b429a6209d372dba7629ce97c
SHA1b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA2563aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD53f4980475bae32e83b6f196c6604ab20
SHA1ab01db61ea4b10d3df5394051abad992ad0f8dec
SHA256c47a93591d51b79d5e4616d537cdbbd1970292150b5d4639db10213bd115e1f9
SHA51238dfcc74e62d6a49ca2b19b65051c471c3b950144e908afab5fc8d6fddf984eeb1b377a57a1f70ba6d75ebfc39b30ab02da3f9dd46e261ed8d2b6f3e97a3b954
-
Filesize
6KB
MD5848a56fe0bda3130d75619d27dd549ef
SHA16739ae730877835b681d2c278f5e5307ec49fd5c
SHA256e2a8545fe1778a7b2d71cf223995989c9edda9ff0e1b04aa62c805b4f7b096df
SHA512f2e9c08f3f97c75492d0b18688ba21999829fefeb2fddb9ccd8a997a8c78383c1070585f61eeeedf1ee319fa893de531b1401320279a013489b59bf36c49e5d9
-
Filesize
24KB
MD510f5b64000466c1e6da25fb5a0115924
SHA1cb253bacf2b087c4040eb3c6a192924234f68639
SHA256d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b
SHA5128a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db
-
Filesize
371B
MD5f0151d7f6c48dc57205235a368e9c690
SHA17079a424e5c86000bd7bbf4ba267b2aa007ac204
SHA256e1404bdc9de22fe6c5e5682031d4d28d153ee0fa119679df22669d2e18557ae8
SHA5129ea7d37ffb89722e656b6012c1b8c44c1187d140d18416f6fa52a8d6e20deb7720e9f3607790df37a94ca9548a6eea693307214f021997a84c97c8589206ff84
-
Filesize
371B
MD5f236e83b1254eefdfbe39dac75e7d09b
SHA16b6d8480b7d120b0b6bd5ff764c4b313081a7677
SHA2563be32ec90c8ecd4a513ac67f005e1f838605428b30cd350dd485475de8ef9726
SHA512d9a7937d207fb04ce06c467a99e9d57a2446e0ba5e74410867e98fc7a114cd473c1037745b44f1c958c6c40a76e093a399c368f45247a862fdafe3c44b5adc0c
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5b60ece6ede494a5a18060f0b30f5a15e
SHA1becb85dbaf5f3dda47601649f8a1d3d3d0652166
SHA256553e8df5f1e54014ae59c873acd28bd997f8f159ef02ff45325cc60dd4426805
SHA512c085ba017099982f2a10ef1a66ee3393c9e13e383c19e3339ee9b08b077c63c95aa0ec54c53e76a49a4b9bfa867c9ed55f8d1ba75b4ebef2af4197dd062d86c0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
151B
MD53933c9fa9fdae0ee58e282137aeecf4d
SHA1d6749ca7bbff4e80d697b489a194961fa3d14aaa
SHA256f6422727abd7a65e23a92a62618da8dd0c567ca02bf4c8d98e898f1ff36a239c
SHA512fac40f97e795f347a11502a20ab4f1da17e238a917a78d8c6e16f411d4a77861c0de834661b3cfe71d862e5e73a5319710884a430412fc52040808e3289d15d9
-
Filesize
595KB
MD5816c7761599a4e2b666d2e47e380c615
SHA16e1de32829fce91c28e24f42972575ba4803318c
SHA25610979714162c9b426a7e9b2e14a582b03b4153bdf3cbce775b69b505a2463cd0
SHA512e242b3b046c32feeedfcf493683daef8c6647447e7cb35b1f96f87f87f96ff752890764bb1cfeed13c72906da075ca0dc009600191510927df648faec4d063f5
-
Filesize
595KB
MD5816c7761599a4e2b666d2e47e380c615
SHA16e1de32829fce91c28e24f42972575ba4803318c
SHA25610979714162c9b426a7e9b2e14a582b03b4153bdf3cbce775b69b505a2463cd0
SHA512e242b3b046c32feeedfcf493683daef8c6647447e7cb35b1f96f87f87f96ff752890764bb1cfeed13c72906da075ca0dc009600191510927df648faec4d063f5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e