Analysis
max time kernel: 46s
max time network: 48s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 15:44
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://qo483.cfd/pyyk
Resource: win10v2004-20240226-en
General
Target: https://qo483.cfd/pyyk
Malware Config
Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe |
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
| pid | process |
|---|---|
| 4400 | msedge.exe (2 entries) |
| 4884 | msedge.exe (2 entries) |
| 2196 | identity_helper.exe (2 entries) |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes:
| pid | process |
|---|---|
| 4884 | msedge.exe (same entry repeated 8 times) |
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes:
| pid | process |
|---|---|
| 4884 | msedge.exe (same entry repeated 26 times) |
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
| pid | process |
|---|---|
| 4884 | msedge.exe (same entry repeated 24 times) |
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct rows; the original listing repeats each row once per write, 64 entries in total):
| description | pid | process | target process |
|---|---|---|---|
| PID 4884 wrote to memory of 3812 | 4884 | msedge.exe | msedge.exe |
| PID 4884 wrote to memory of 1312 | 4884 | msedge.exe | msedge.exe |
| PID 4884 wrote to memory of 4400 | 4884 | msedge.exe | msedge.exe |
| PID 4884 wrote to memory of 704 | 4884 | msedge.exe | msedge.exe |
Processes
- PID 4884, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://qo483.cfd/pyyk
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - PID 3812, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff88be146f8,0x7ff88be14708,0x7ff88be14718
  - PID 1312, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  - PID 4400, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 704, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  - PID 4488, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  - PID 2052, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  - PID 3260, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  - PID 1136, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  - PID 1028, C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  - PID 2196, C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - PID 4772, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  - PID 3264, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  - PID 5084, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  - PID 2552, C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3476917642086406174,7116336419044241271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
- PID 840, C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 5096, C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Files written during the run (path and size; the per-file MD5/SHA1/SHA256/SHA512 hash listing is omitted here):
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat (152B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (432B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index (456B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State (509B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (7KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (6KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences (7KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT (16B)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State (11KB)
- \??\pipe\LOCAL\crashpad_4884_SXNSZUGQLUFRQOUA (no size recorded)