Analysis
max time kernel: 146s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/06/2024, 06:52
Static task: static1
Behavioral task: behavioral1
Sample: 3644f9a06d97f903a5ceebdd7f2f4500.exe
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 3644f9a06d97f903a5ceebdd7f2f4500.exe
Resource: win10v2004-20240226-en
General
Target: 3644f9a06d97f903a5ceebdd7f2f4500.exe
Size: 222KB
MD5: 3644f9a06d97f903a5ceebdd7f2f4500
SHA1: 53ed26fba664d03b0e2423d6da7235c983fe2a1e
SHA256: bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56
SHA512: f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a
SSDEEP: 6144:zVW1Fk5kc9tepTde06Or1HVSuZyfbqLW:JWnYt0hHVSuTLW
Malware Config

Extracted: asyncrat
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot7379351260:AAGqtKlpHd72GFMRON17QY1OA6l1sR7mBik/sendMessage?chat_id=5795480469
AsyncMutex_6SI8OkPnk
delay: 3
install: false
install_folder: %AppData%

Extracted: asyncrat 0.5.8
Default
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
94.232.249.111:6606
94.232.249.111:7707
94.232.249.111:8808
o6tEeoRxJb0n
delay: 3
install: true
install_file: svchost.exe
install_folder: %AppData%
Signatures

StormKitty
StormKitty is an open source info stealer written in C#.

StormKitty payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000700000002327a-69.dat | family_stormkitty
behavioral2/memory/2364-88-0x0000000000190000-0x00000000001C2000-memory.dmp | family_stormkitty

Async RAT payload 2 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023270-58.dat | family_asyncrat
behavioral2/files/0x000700000002327a-69.dat | family_asyncrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | DC6.tmp.svchost.exe

Drops startup file 5 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Sun.exe.lnk | 3644f9a06d97f903a5ceebdd7f2f4500.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\psvhost.exe.lnk | 3644f9a06d97f903a5ceebdd7f2f4500.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Adobe.exe.lnk | 3644f9a06d97f903a5ceebdd7f2f4500.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Microsoft.exe.lnk | 3644f9a06d97f903a5ceebdd7f2f4500.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service_Mozilla.exe.lnk | 3644f9a06d97f903a5ceebdd7f2f4500.exe

Executes dropped EXE 5 IoCs
pid | Process
3512 | relog.exe
3812 | DC6.tmp.svchost.exe
2364 | 17AB.tmp.Serverssss.exe
1808 | 1932.tmp.svchost.exe
2928 | svchost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Adobe = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\Service_Adobe.exe" | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Service_Microsoft.exe" | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Mozilla = "C:\\Users\\Admin\\AppData\\Roaming\\Mozilla\\Service_Mozilla.exe" | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Service_Sun = "C:\\Users\\Admin\\AppData\\Roaming\\Sun\\Service_Sun.exe" | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WpnUserService = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3644f9a06d97f903a5ceebdd7f2f4500.exe" | 3644f9a06d97f903a5ceebdd7f2f4500.exe

Drops desktop.ini file(s) 8 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | 17AB.tmp.Serverssss.exe
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | 17AB.tmp.Serverssss.exe
File opened for modification | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | 17AB.tmp.Serverssss.exe
File opened for modification | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | 17AB.tmp.Serverssss.exe
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | 17AB.tmp.Serverssss.exe
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | 17AB.tmp.Serverssss.exe
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | 17AB.tmp.Serverssss.exe
File created | C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | 17AB.tmp.Serverssss.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
76 | pastebin.com
77 | pastebin.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
66 | icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1616 set thread context of 3512 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe | 91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 17AB.tmp.Serverssss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | 17AB.tmp.Serverssss.exe

Delays execution with timeout.exe 1 IoCs
pid | Process
3608 | timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3280 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (consecutive identical rows collapsed, count shown as ×N)
3512 | relog.exe ×12
3300 | Explorer.EXE ×2
3512 | relog.exe ×6
684 | msedge.exe ×2
2280 | msedge.exe
408 | msedge.exe ×2
2524 | msedge.exe
4288 | msedge.exe
3512 | relog.exe ×10
3812 | DC6.tmp.svchost.exe ×25
3512 | relog.exe ×2
Suspicious use of AdjustPrivilegeToken 40 IoCs
description | pid | Process (consecutive identical rows collapsed, count shown as ×N)
Token: SeIncreaseQuotaPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSecurityPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeTakeOwnershipPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeLoadDriverPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemProfilePrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemtimePrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeProfSingleProcessPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeIncBasePriorityPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeCreatePagefilePrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeBackupPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRestorePrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeShutdownPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeSystemEnvironmentPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeRemoteShutdownPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeUndockPrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeManageVolumePrivilege | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 33 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 34 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 35 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: 36 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe
Token: SeDebugPrivilege | 3512 | relog.exe ×5
Token: SeShutdownPrivilege | 3300 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3300 | Explorer.EXE
Token: SeShutdownPrivilege | 3300 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3300 | Explorer.EXE
Token: SeDebugPrivilege | 3512 | relog.exe ×5
Token: SeDebugPrivilege | 2364 | 17AB.tmp.Serverssss.exe
Token: SeDebugPrivilege | 3812 | DC6.tmp.svchost.exe
Token: SeShutdownPrivilege | 3300 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3300 | Explorer.EXE
Token: SeDebugPrivilege | 2928 | svchost.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (consecutive identical rows collapsed, count shown as ×N)
PID 1616 wrote to memory of 3512 | 1616 | 3644f9a06d97f903a5ceebdd7f2f4500.exe | 91 ×3
PID 3512 wrote to memory of 3300 | 3512 | relog.exe | 55 ×2
PID 3512 wrote to memory of 684 | 3512 | relog.exe | 77
PID 3512 wrote to memory of 2496 | 3512 | relog.exe | 78
PID 3300 wrote to memory of 3812 | 3300 | Explorer.EXE | 94 ×3
PID 3300 wrote to memory of 2364 | 3300 | Explorer.EXE | 96 ×3
PID 3300 wrote to memory of 1808 | 3300 | Explorer.EXE | 97 ×3
PID 3512 wrote to memory of 2280 | 3512 | relog.exe | 79
PID 3512 wrote to memory of 408 | 3512 | relog.exe | 80
PID 3512 wrote to memory of 3436 | 3512 | relog.exe | 81
PID 3512 wrote to memory of 2524 | 3512 | relog.exe | 83
PID 3512 wrote to memory of 4288 | 3512 | relog.exe | 84
PID 684 wrote to memory of 3232 | 684 | msedge.exe | 100 ×43
Processes
(Process tree; [n] is the nesting depth shown in the report, followed by the image path, the command line, triggered signatures and the PID.)

[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3300
  [2] C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3644f9a06d97f903a5ceebdd7f2f4500.exe"
      - Drops startup file
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1616
    [3] C:\Windows\system32\relog.exe
        Command line: C:\Windows\system32\relog.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3512
  [2] C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DC6.tmp.svchost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3812
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        PID: 3668
      [4] C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
          - Scheduled Task/Job: Scheduled Task
          PID: 3280
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4D7F.tmp.bat""
        PID: 3796
      [4] C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe
          PID: 3608
      [4] C:\Users\Admin\AppData\Roaming\svchost.exe
          Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 2928
  [2] C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\17AB.tmp.Serverssss.exe"
      - Executes dropped EXE
      - Drops desktop.ini file(s)
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      PID: 2364
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        PID: 1752
      [4] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 1112
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh wlan show profile
          - Event Triggered Execution: Netsh Helper DLL
          PID: 1092
      [4] C:\Windows\SysWOW64\findstr.exe
          Command line: findstr All
          PID: 4440
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        PID: 4568
      [4] C:\Windows\SysWOW64\chcp.com
          Command line: chcp 65001
          PID: 2300
      [4] C:\Windows\SysWOW64\netsh.exe
          Command line: netsh wlan show networks mode=bssid
          - Event Triggered Execution: Netsh Helper DLL
          PID: 3472
  [2] C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\1932.tmp.svchost.exe"
      - Executes dropped EXE
      PID: 1808

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 684
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f4,0x7ffd3b3c2e98,0x7ffd3b3c2ea4,0x7ffd3b3c2eb0
      PID: 2496
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2276 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 2280
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3220 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 408
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3480 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
      PID: 3436
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5312 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
      - Suspicious behavior: EnumeratesProcesses
      PID: 2524
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5324 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:1
      - Suspicious behavior: EnumeratesProcesses
      PID: 4288
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3468 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
      PID: 3232
  [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4700 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
      PID: 3336
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Event Triggered Execution (1)
Netsh Helper DLL (1)
Scheduled Task/Job (1)
Scheduled Task (1)
Downloads
Filesize: 1KB
MD5: e1acba25e664db4f5b29a4f53d733a42
SHA1: 3372c405dc21ae7e061e947176041b3414b52818
SHA256: 40b699f4d64261b9802580be4e723fed50af6e081a6453e2eabbf9c58eb29012
SHA512: a9cbb29a0f4543b350951df9bdd3f06bbf9df4871692f87b4e84862e85d5b72305efba0ee886914de6b05075910f2906d75f78ade715240bc70e970a1e31f206

Filesize: 175KB
MD5: da34ea26ddfedfd7966e8aedf0bb93e6
SHA1: ba30bde364d564268d175090364158cb66c165a9
SHA256: 817940c9dd88c9d185f58532e2027e9df7bfaca8249ec96ae055da03c8750f20
SHA512: fbf634fd22ec37a65540c6ad1968b53666308d4d31a151c26b1444e242de40c95c0f48f96010bc72e5e0e9a10982b4f56590e96aded12015de915d7d86af8dff

Filesize: 47KB
MD5: 6d13d147a209e3be044035f0c03b7bde
SHA1: 1eb5fb487ea7742ff1766ca5bf1b7191cfcf6283
SHA256: 9c457b1cd061ae951fbed7841149b247e085befa6e2c5170058ce35cdebce548
SHA512: a159d09265fa833afddce5fe7fab6d4be0fc37fd4c2e0d1a15851427764ad3c068249ba28d000a076209d017cb65e4320752ac7a3a0314239d836f1e15ae39a9

Filesize: 222KB
MD5: 933bc84c355410977507fce60295cc73
SHA1: 1b395d4888d1dc60127e7c65fe7da857981bda1e
SHA256: f097a2cdef650eddd702047ae31625bafedd92099b92c1cfc61be73e636ed152
SHA512: d7f3ae4b5729b392e610fd084b7b19408ec52215106e8dd58cf7d019db8cd398bd4a368adf526e72f8cd6e8584ac0fe392d979e719df79bb17b5570542cb4740

Filesize: 151B
MD5: 2bea490af3f2d791c9d9d23d3ebfced7
SHA1: b048fdb35104437d740c5dd84ebe8b8cbf0a454b
SHA256: dd82e69f788b551c42ee824d773b724950d86511ff3e8a7e1709a926f08e57d8
SHA512: e3b1b271210b1a4582900aad715d4a14736199b59ac40f4666c4d9f62014d7dce9dec853a19d7ed2303b82fbb2b35799f42d1610e761e177847132abf181f1c7

Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\Browsers\Firefox\Bookmarks.txt
Filesize: 105B
MD5: 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1: 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256: c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512: d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\d0448a264e9ef0baf128e2d49c44d784\Admin@OAILVCNY_en-US\System\Process.txt
Filesize: 4KB
MD5: f016dfc231f6a5632ee40227595e58a1
SHA1: 1177fc2d3fd86e97f625bb700074936e9b39367c
SHA256: ad7217e70adbbee374d0a8a44528b4e68706a03daf09f06e2172009620728409
SHA512: 6a8a209e987de6bef6267e75a4f6ecaecd739ff897c7b0b54ebaa90bcec851efb5e3342c5f5406e6b8e2f56debb163409b4d78233c89aae5eb3ed48acbe0a5e3

Filesize: 222KB
MD5: 3644f9a06d97f903a5ceebdd7f2f4500
SHA1: 53ed26fba664d03b0e2423d6da7235c983fe2a1e
SHA256: bfc572da40fc3dcbee2ff5590ad5f630becf69e18df37b44140bd4f214facf56
SHA512: f0dced1046018e83a33acc0e06f43bdd300ae4defff974c033a1f16cfd78c366cfd11e480554c197d844442fcfd51494ea39abb7c9c22c686d1b3a6cf5c30d1a