Analysis

max time kernel: 145s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-03-2024 08:12
Behavioral task behavioral1
Sample: 002f6f310a1ea664bfe07e5dd7045676.exe
Resource: win7-20240215-en

Behavioral task behavioral2
Sample: 002f6f310a1ea664bfe07e5dd7045676.exe
Resource: win10v2004-20240226-en
General

Target: 002f6f310a1ea664bfe07e5dd7045676.exe
Size: 5.6MB
MD5: 002f6f310a1ea664bfe07e5dd7045676
SHA1: 104e60ea49811a2b33442c5192b0d5f539fd235e
SHA256: c875d48e9242fff77283972803a88ca27a9045381a42c57c94f105cee7e0549c
SHA512: 3caad6aaa12f9dc5e5e7ddbbebe166b90e5721233619c8f31ad02754b0060889cb6cc36688b1b725e526e8c5e263b40ebb943c9bcf8938a56ce69c122076cb85
SSDEEP: 98304:V2wSiJSTjLc3oYusZhfoFH/Ydc4ajxG/zSDZyqBJEJaO6JrRe7kEcEAL:gw1gT84Y1ha/YdAftyziJrRnE
Malware Config

Signatures

Detect ZGRat V1 (35 IoCs)
- YARA rule family_zgrat_v1 matched 34 memory dumps of PID 5000 (behavioral2/memory/5000-4 through 5000-68, region 0x0000000006FE0000-0x00000000074E5000; the first dump, 5000-4, extends to 0x00000000074EA000) and one memory dump of PID 2368 (behavioral2/memory/2368-4821-0x00000000071D0000-0x00000000073F6000-memory.dmp)
PureLog Stealer
PureLog Stealer is an infostealer written in C#.

PureLog Stealer payload (1 IoC)
- YARA rule family_purelog_stealer matched memory dump behavioral2/memory/5000-1-0x0000000000A60000-0x0000000000FFC000-memory.dmp
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation (process: 002f6f310a1ea664bfe07e5dd7045676.exe)
Executes dropped EXE (1 IoC)
- PID 2368 Geynnlzh.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ilasx = "C:\\Users\\Admin\\AppData\\Roaming\\Ilasx.exe" (process: 002f6f310a1ea664bfe07e5dd7045676.exe)
Suspicious use of SetThreadContext (1 IoC)
- PID 5000 (002f6f310a1ea664bfe07e5dd7045676.exe) set thread context of PID 856 (002f6f310a1ea664bfe07e5dd7045676.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (12 IoCs)
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe (2 entries)
- PID 3808 powershell.exe (2 entries)
- PID 2204 powershell.exe (2 entries)
- PID 4304 msedge.exe (2 entries)
- PID 652 msedge.exe (2 entries)
- PID 4312 identity_helper.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 652 msedge.exe (7 entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
- Token: SeDebugPrivilege, PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe
- Token: SeDebugPrivilege, PID 3808 powershell.exe
- Token: SeDebugPrivilege, PID 2204 powershell.exe
- Token: SeDebugPrivilege, PID 856 002f6f310a1ea664bfe07e5dd7045676.exe
- Token: SeDebugPrivilege, PID 2368 Geynnlzh.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
- PID 652 msedge.exe (25 entries)
Suspicious use of SendNotifyMessage (24 IoCs)
- PID 652 msedge.exe (24 entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Source process -> target process (the original table repeats one row per write):
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe -> PID 3808 powershell.exe (3 entries)
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe -> PID 2204 powershell.exe (3 entries)
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe -> PID 2368 Geynnlzh.exe (3 entries)
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe -> PID 2028 002f6f310a1ea664bfe07e5dd7045676.exe (3 entries)
- PID 5000 002f6f310a1ea664bfe07e5dd7045676.exe -> PID 856 002f6f310a1ea664bfe07e5dd7045676.exe (8 entries)
- PID 2204 powershell.exe -> PID 652 msedge.exe (2 entries)
- PID 652 msedge.exe -> PID 3692 msedge.exe (2 entries)
- PID 652 msedge.exe -> PID 1692 msedge.exe (all remaining entries)
Processes

Process tree (indentation shows parent/child depth; signature hits are listed under each process):

C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 5000)
  Command line: "C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3808)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [encoded command not preserved on this page]
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2204)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACcAaAB0AHQAcABzADoALwAvAGcAbwBvAGcAbABlAC4AYwBvAG0AJwA=
    (the -enc argument is base64 of the UTF-16LE string Start-Process 'https://google.com', which matches the msedge.exe child below)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 652)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.com/
      - Enumerates system info in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3692)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd751346f8,0x7ffd75134708,0x7ffd75134718

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1692)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4304)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1952)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3024 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4128)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3696)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 876)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1772)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1488)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1704)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2548)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 2444)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8

      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4312)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6386311458035022159,13321274013276472914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe (PID 2368)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Geynnlzh.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 2028)
    Command line: C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe

  C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe (PID 856)
    Command line: C:\Users\Admin\AppData\Local\Temp\002f6f310a1ea664bfe07e5dd7045676.exe
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\CompPkgSrv.exe (PID 1428)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 5000)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads