Analysis

max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-10-2023 13:46

Static task: static1
Behavioral task: behavioral1, sample c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, resource win7-20230831-en
Behavioral task: behavioral2, sample c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, resource win10v2004-20230915-en (the run this report covers; the memory YARA hit below is tagged behavioral2)
General

Target: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
Size: 692KB
MD5: f0683bb61a43a8dd7061dbd8ee3af88b
SHA1: c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256: c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512: 7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7
SSDEEP: 12288:x8avfjKnHHYHq03Lytq3SRlW5cY26RTTmsp2TDNJ0/el69Q01ZLkrai9i+Plb5py:x8ef8HCbB2W57/TTmq2TDNJ0mM9NipgH
Malware Config

Extracted: snakekeylogger
Protocol: smtp
Host: mail.gkas.com.tr
Port: 587
Username: [email protected] (the address is obfuscated on the source page)
Password: Gkasteknik@2022

The stealer exfiltrates over authenticated SMTP submission (TCP 587) to this host using the hard-coded mailbox credentials, so the network indicator is outbound mail traffic to mail.gkas.com.tr rather than an HTTP C2. The mailbox sits under a third-party domain (gkas.com.tr) and is likely a compromised legitimate account; treat the credentials as an IoC to alert on, not as a target to log in to.
Signatures

Snake Keylogger
Keylogger and infostealer first seen in November 2020.

Snake Keylogger payload (1 IoC)
resource: behavioral2/memory/2808-23-0x0000000000400000-0x0000000000424000-memory.dmp, yara_rule: family_snakekeylogger
The family rule matched in the memory of PID 2808 (aspnet_wp.exe), the .NET Framework utility that svchost.exe started and then wrote to and set the thread context of (see below), not in the dropper on disk. The unpacked payload therefore lives only in the hollowed host process.

UAC bypass
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Windows security bypass
svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
svchost.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
PID 952 svchost.exe

Windows security modification
svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths
svchost.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\svchost.exe = "0"

Adds Run key to start application (2 TTPs, 1 IoC)
c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\""

Checks whether UAC is enabled
svchost.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Suspicious use of SetThreadContext (1 IoC)
PID 952 svchost.exe set the thread context of PID 2808 aspnet_wp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
PID 928 timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Suspicious behavior: EnumeratesProcesses (35 IoCs)
PID 1400 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe (23 events), PID 952 svchost.exe (4), PID 3208 powershell.exe (2), PID 1464 msedge.exe (2), PID 4352 msedge.exe (2), PID 1528 identity_helper.exe (2)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (9 IoCs)
PID 4352 msedge.exe (9 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Token SeDebugPrivilege: PID 1400 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe, PID 952 svchost.exe, PID 3208 powershell.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
PID 4352 msedge.exe (25 events)

Suspicious use of SendNotifyMessage (24 IoCs)
PID 4352 msedge.exe (24 events)

Suspicious use of WriteProcessMemory (64 IoCs)
Writer PID -> target PID (event count):
PID 1400 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe -> PID 3732 cmd.exe (3)
PID 1400 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe -> PID 320 cmd.exe (3)
PID 3732 cmd.exe -> PID 2328 schtasks.exe (3)
PID 320 cmd.exe -> PID 928 timeout.exe (3)
PID 320 cmd.exe -> PID 952 svchost.exe (3)
PID 952 svchost.exe -> PID 3208 powershell.exe (3)
PID 952 svchost.exe -> PID 496 AddInProcess.exe (2)
PID 952 svchost.exe -> PID 3088 InstallUtil.exe (3)
PID 952 svchost.exe -> PID 2808 aspnet_wp.exe (8)
PID 2808 aspnet_wp.exe -> PID 4352 msedge.exe (2)
PID 4352 msedge.exe -> PID 3004 msedge.exe (2)
PID 4352 msedge.exe -> PID 1340 msedge.exe (29, the remainder of the 64)
The three writes per ordinary child are the normal CreateProcess bookkeeping; the eight writes into aspnet_wp.exe, followed by SetThreadContext, are the hollowing of that process with the Snake Keylogger payload.

System policy modification (1 TTP, 1 IoC)
svchost.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Processes

Indentation shows the parent/child relationship; each entry gives the PID, the image path, the command line and the signatures attributed to that process.

PID 1400  C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe
  cmd:  "C:\Users\Admin\AppData\Local\Temp\c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff.exe"
  sigs: Checks computer location settings; Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  PID 3732  C:\Windows\SysWOW64\cmd.exe
    cmd:  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    sigs: Suspicious use of WriteProcessMemory

    PID 2328  C:\Windows\SysWOW64\schtasks.exe
      cmd:  schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      sigs: Creates scheduled task(s)

  PID 320  C:\Windows\SysWOW64\cmd.exe
    cmd:  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp396A.tmp.bat""
    sigs: Suspicious use of WriteProcessMemory

    PID 928  C:\Windows\SysWOW64\timeout.exe
      cmd:  timeout 3
      sigs: Delays execution with timeout.exe

    PID 952  C:\Users\Admin\AppData\Roaming\svchost.exe
      cmd:  "C:\Users\Admin\AppData\Roaming\svchost.exe"
      sigs: UAC bypass; Windows security bypass; Checks computer location settings; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification

      PID 3208  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmd:  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\svchost.exe" -Force
        sigs: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

      PID 496  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe
        cmd:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe"

      PID 3088  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        cmd:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

      PID 2808  C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        cmd:  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        sigs: Suspicious use of WriteProcessMemory

        PID 4352  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
          sigs: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

          PID 3004  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94c1d46f8,0x7ff94c1d4708,0x7ff94c1d4718

          PID 1464  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
            sigs: Suspicious behavior: EnumeratesProcesses

          PID 64  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8

          PID 1340  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

          PID 3444  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

          PID 4612  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

          PID 4068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1

          PID 3624  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1

          PID 440  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1

          PID 2484  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8

          PID 1528  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
            sigs: Suspicious behavior: EnumeratesProcesses

          PID 1496  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

          PID 2548  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

          PID 3288  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

          PID 2148  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8021673660497699432,10230803968806457882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1

        PID 4124  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

          PID 1068  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd:  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94c1d46f8,0x7ff94c1d4708,0x7ff94c1d4718

PID 1156  C:\Windows\System32\CompPkgSrv.exe
  cmd:  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2312  C:\Windows\System32\CompPkgSrv.exe
  cmd:  C:\Windows\System32\CompPkgSrv.exe -Embedding

Reading the tree: the dropper (PID 1400) copies itself to C:\Users\Admin\AppData\Roaming\svchost.exe, registers it both as a Run key and as an onlogon scheduled task running at highest privilege, then hands off through a temporary batch file that waits three seconds (timeout 3) before launching the copy. The copy (PID 952) disables UAC prompting (EnableLUA = 0), excludes its own path from Defender both through Add-MpPreference and by writing the exclusion key directly, and then starts three .NET Framework utilities with empty command lines as injection hosts; aspnet_wp.exe (PID 2808) is the one that ends up carrying the keylogger, which is where the YARA rule fired. The msedge.exe subtree is a side effect rather than attacker tooling: the URL it opens carries o1=SHIM_NOVERSION_FOUND and processName=aspnet_wp.exe, the .NET shim's "required runtime not found" redirect, so the browser launch and all Edge-attributed signatures (BIOS registry queries, FindShellTrayWindow, SendNotifyMessage, the Edge child processes) stem from that redirect and should not be treated as behaviour of the malware.
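The chain above reduces to a handful of host-telemetry rules that do not depend on the sample's hash. The following is an added example, not code from the sandbox report or from the malware author: it encodes those rules over process-creation and registry-set events and runs them against events constructed to mirror the report's PIDs, command lines and registry writes, plus two benign controls (a genuine svchost.exe under services.exe and an administrator's daily backup task) that must not fire. The event field layout, the rule names and the placeholder image name sample.exe are assumptions for the example, not any vendor's schema.

```python
"""Added example (not code from the report or from the malware): detection rules for the
persistence and defence-evasion chain in the process tree above, run over constructed
process-creation and registry-set events. The event layout is an assumption, not a vendor schema."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executed image
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int      # process that wrote the value
    key: str
    name: str     # value name
    data: str     # value data as written


USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Windows system-binary names that never legitimately execute from a user profile.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
# .NET Framework utilities that .NET stealers start suspended and hollow out.
DOTNET_HOSTS = {"addinprocess.exe", "installutil.exe", "aspnet_wp.exe", "regasm.exe", "regsvcs.exe"}


def _basename(path: str) -> str:
    """Last path component, quotes stripped, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip("'\"").lower()


def detect(procs: List[ProcEvent], regs: List[RegEvent]) -> List[Tuple[str, int]]:
    """Return (rule_id, pid) pairs, one per rule per offending process."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    hits: List[Tuple[str, int]] = []
    for p in procs:
        name, cl, parent = _basename(p.image), p.cmdline, by_pid.get(p.ppid)
        # Masquerading: a system-binary name running out of AppData.
        if name in SYSTEM_NAMES and USER_WRITABLE.search(p.image):
            hits.append(("masquerade_appdata", p.pid))
        # Persistence: schtasks /create ... /sc onlogon whose /tr target lives in AppData.
        if name == "schtasks.exe" and re.search(r"/create\b", cl, re.I) and re.search(r"/sc\s+onlogon\b", cl, re.I):
            tr = re.search(r"/tr\s+(.+?)(?=\s+/\w+|$)", cl, re.I)
            if tr and USER_WRITABLE.search(tr.group(1)):
                hits.append(("schtasks_logon_appdata", p.pid))
        # Defence evasion: Defender path exclusion for a user-writable path.
        if name in {"powershell.exe", "pwsh.exe"} and re.search(r"add-mppreference", cl, re.I) \
                and re.search(r"-exclusionpath\b", cl, re.I) and USER_WRITABLE.search(cl):
            hits.append(("defender_exclusion_appdata", p.pid))
        # Injection host: .NET utility started with no arguments by a parent running from AppData.
        if name in DOTNET_HOSTS and parent is not None and USER_WRITABLE.search(parent.image) \
                and _basename(cl) == name:
            hits.append(("dotnet_host_from_appdata", p.pid))
    for r in regs:
        key = r.key.lower()
        # UAC switched off through the policy value.
        if key.endswith("\\policies\\system") and r.name.lower() == "enablelua" and r.data.strip('"') == "0":
            hits.append(("enablelua_disabled", r.pid))
        # Defender exclusion written straight to the registry (the value name is the excluded path).
        if "\\windows defender\\exclusions\\paths" in key and USER_WRITABLE.search(r.name):
            hits.append(("defender_exclusion_registry", r.pid))
        # Run key pointing into AppData under a system-binary name.
        if key.endswith("\\currentversion\\run") and USER_WRITABLE.search(r.data) and _basename(r.data) in SYSTEM_NAMES:
            hits.append(("run_key_appdata_sysname", r.pid))
    return hits


def sample_events() -> Tuple[List[ProcEvent], List[RegEvent]]:
    """Constructed events mirroring the report's PIDs and command lines, plus two benign controls."""
    roam = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
    net = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
    procs = [
        ProcEvent(1400, 1000, r"C:\Users\Admin\AppData\Local\Temp\sample.exe", '"sample.exe"'),
        ProcEvent(2328, 3732, r"C:\Windows\SysWOW64\schtasks.exe",
                  f'schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr \'"{roam}"\''),
        ProcEvent(952, 320, roam, f'"{roam}"'),
        ProcEvent(3208, 952, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                  f'powershell.exe Add-MpPreference -ExclusionPath "{roam}" -Force'),
        ProcEvent(496, 952, net + r"\AddInProcess.exe", f'"{net}\\AddInProcess.exe"'),
        ProcEvent(3088, 952, net + r"\InstallUtil.exe", f'"{net}\\InstallUtil.exe"'),
        ProcEvent(2808, 952, net + r"\aspnet_wp.exe", f'"{net}\\aspnet_wp.exe"'),
        # Benign controls: the real svchost.exe under services.exe, and an admin's daily backup task.
        ProcEvent(800, 600, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
        ProcEvent(4100, 4000, r"C:\Windows\System32\schtasks.exe",
                  r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'),
    ]
    regs = [
        RegEvent(1400, r"HKU\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "svchost", f'"{roam}"'),
        RegEvent(952, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "0"),
        RegEvent(952, r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths", roam, "0"),
    ]
    return procs, regs


if __name__ == "__main__":
    print(*detect(*sample_events()), sep="\n")
```

Against the constructed events the rules produce nine hits: the masquerading copy (952), the logon task (2328), the Add-MpPreference call (3208), the three empty-command-line .NET hosts (496, 3088, 2808), and the three registry writes (Run key by 1400, EnableLUA and the exclusion path by 952); the two benign controls produce none. The .NET-host rule deliberately keys on the parent running from AppData rather than on the utility names alone, since those binaries are legitimately started by installers and by IIS.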
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Abuse Elevation Control Mechanism: Bypass User Account Control (1)
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Files written during the run. The report records a path for only one of them; the rest are Edge profile and cache artifacts from the browser launch described above, except the two 692KB entries and the final empty file, which are noted below.

Filesize 152B
MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

Filesize 152B (a second file with the same content as the entry above)
MD5 1222f8c867acd00b1fc43a44dacce158
SHA1 586ba251caf62b5012a03db9ba3a70890fc5af01
SHA256 1e451cb9ffe74fbd34091a1b8d0ab2158497c19047b3416d89e55f498aae264a
SHA512 ef3f2fc1cedfc28fb530c710219b8e9eb833a2f344b91d3ffb2d82d7bbedbc223f4b60a38bea35b72eb706e4880ffcbb9256a9768f39bae95c5544be0f503916

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize 264B
MD5 13af14ad9b18074d9cf992f873c9c3f6
SHA1 3ce328d1046999f11b0c1e892a88fa1021a868e5
SHA256 e346d6fcca8a6bec80fc1e8be53580120b1f08a7c7624460266dd1eae9a637fa
SHA512 85e54df1617b21c529c27af14b77ba55b62135f16b1458078aaf2f50b666c0d8927b85f9ee004cbbd7e16333e0da150207c3fe8d68aaf3b9ca018b7dd9a3c2aa

Filesize 111B
MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Filesize 437B
MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Filesize 6KB
MD5 0d5f1c5358c8658e8632ed47d8a80165
SHA1 0468ca530ab8f7d0c12de31285c84f1ab695792c
SHA256 95180debaca4144c7e265cb43fec55efb29319f764b0100d78ebb8171b9d6d1e
SHA512 d42c3de9f2fbc941e7da9602d19544730bdb61ae5032b9ffa7a6634f704361e89788320976e7b2f8da414f1f9f55a82af96946c6acca03a154939adeb4679bfc

Filesize 5KB
MD5 8b648003dfaa8ddda6e68e7bb5359937
SHA1 0844b3bb1f496002004c84b964b336ff7a83545f
SHA256 30a6cc252fc96f7d02d321b6f8976939913e0123cc824b2b01eeebf1e4225133
SHA512 8e9713064444c6f87c2ba855e61ee874ef6f78bb368b700b3319a438a50e29a1ea05154b60fdae50b7149cec158093e3f8c6a549a4f681ebfe6754ced62b695a

Filesize 6KB
MD5 1ad74b1336e62de16539f98331047081
SHA1 0677f81e4ebe6b57142d7a06dc22e59749ed3e84
SHA256 b3257df2ac9a3b8a85726b68100328b70a312d960a7954a325d88c58f168ddfe
SHA512 8cec58a5c1b35198b2d7eca6b1d709ed3f284fdea3a8c476a7dcb0f07e12e46d2410992481d8c70c351c1f4cd016f0db6e99c92e028eabe6a5a0155b6a871cc6

Filesize 24KB
MD5 15ad31a14e9a92d2937174141e80c28d
SHA1 b09e8d44c07123754008ba2f9ff4b8d4e332d4e5
SHA256 bf983e704839ef295b4c957f1adeee146aaf58f2dbf5b1e2d4b709cec65eccde
SHA512 ec744a79ccbfca52357d4f0212e7afd26bc93efd566dd5d861bf0671069ba5cb7e84069e0ea091c73dee57e9de9bb412fb68852281ae9bd84c11a871f5362296

Filesize 371B
MD5 9e8bfaafaefac70b6bfe440fd3beeb0b
SHA1 3f0724be0714de1279bf5e9272bbea12b3499ec2
SHA256 e3c07232f1281e08a2b7915c53c1a002aafefc36136e3e3188adce2585b11f33
SHA512 d4d7bc29bde21d2098258e734de01fee6c593cb033a11b71db8c1e30a3de369769f3899bfa6d36b66f3a6dfe080994ac13a33b670a98cae331fcb0171c18afd9

Filesize 371B
MD5 7433e60501ea54690f965d1f7477fadf
SHA1 0e10b0a0cb423e9b0819b9866dce8d00e5bc0e59
SHA256 71fb0fee39e0c50c431aad2aabfa9a1185c0898d9e85a3a63e24a930f83a7721
SHA512 0460c03f9bad48b229ff078081ae81e15b4d78f33d4c1f9de878bd916e6ff00e21c84ffc888efe11bbe00be889d8aea3ee76186255b93f9e63b180ec59d60183

Filesize 16B
MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize 10KB
MD5 7c0d64d7da3a4ade759f42b985f6007b
SHA1 72175747296f99489d254bada2d765208c12f590
SHA256 a20db4da4524f13f96cd615855db08bfc779aa43b9f2612ba771d2a8c1a82a88
SHA512 93bdedc7355cc24695d123f488ea8969d8120ef285967d1034b37223d78b9d70bc769f7bf8b60517ec3751cf293c1e472e6db1dd6f0e3113c4ebeb8ac0d41069

Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize 151B
MD5 c9344e82f9c4ebdd99651804f18eb38f
SHA1 66ce921dcb85bb508b812ad0c2f7a381161ddc4b
SHA256 4255de1392dea0a059e5e3c77ef4ad828038eb153ea87d977676b52a150d0094
SHA512 37f7177489feb12e44d212a10d92452634d37bdae07f15175054144dfe1a6b3d68b2de7e998d5e30a3685a34869a4ffa99dfb5dac4359d5ee86bc7bbe8683eb6

Filesize 692KB (hashes identical to the submitted sample: this is the self-copy that the Run key and scheduled task point at, C:\Users\Admin\AppData\Roaming\svchost.exe, executed as PID 952)
MD5 f0683bb61a43a8dd7061dbd8ee3af88b
SHA1 c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512 7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Filesize 692KB (second entry with the same hashes as the sample)
MD5 f0683bb61a43a8dd7061dbd8ee3af88b
SHA1 c94587218dc3ce9bd66e7ebe23c720ca50afd989
SHA256 c9f2aae3eae18a283ef2a868116c01d80c9e0e9588ae125c7e842f928d31acff
SHA512 7bc496ee73cbc6d5fa86edde2154c50cdc2aedc50fb98f368fecb30294888e1a59ec507d23a4b5b4ab2dee5dad22ea868caaea2e1b56d7e76f70b57567a5e2d7

Filesize not recorded (these are the well-known digests of a zero-byte file, so this entry is an empty file and carries no content)
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e