hxxp://zmeskanyhovor[.]com

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://zmeskanyhovor.com

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3132	msedge.exe
3132	msedge.exe
1492	msedge.exe
1492	msedge.exe
904	identity_helper.exe
904	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe
1492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3380	1492	msedge.exe	83
PID 1492 wrote to memory of 3380	1492	msedge.exe	83
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3484	1492	msedge.exe	84
PID 1492 wrote to memory of 3132	1492	msedge.exe	85
PID 1492 wrote to memory of 3132	1492	msedge.exe	85
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86
PID 1492 wrote to memory of 968	1492	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://zmeskanyhovor.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c31d46f8,0x7ff8c31d4708,0x7ff8c31d4718
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7130262465331297329,1773783983448682266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe6f52d67858c7b860f6b8893638658c

SHA1
1f65540de62519e8e2f65a2190c06533e3c94751

SHA256
b7378ba57cd4eecb6cd6fb294b046ee454c67d218a68c6f15f4871fae1389ce7

SHA512
8af44238bf2e6337ae863a8d7107d991f06b9f965e4847466e211b8f1784e59169758469402efeb4282df08b66f5f999bae9e00aab1753a1ffd2a1629f80c4e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
25c0657400ab5f960ba657ca4f5620ce

SHA1
dce6a7a7f28388e956d08ca900473a2daa39eebb

SHA256
a823579a79f5418f6ad08e254d786c5dfee0c961ad0473e20ef2054dfe53a132

SHA512
d6be89057c156495b73da60b91274807f67db1101231cf294b329f3a721d89e3f6c8696a45b5274ccf833e09511aa1573bbe6cb1fbcd918020d438bbca54b800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1a1b75ef9c084fbd9d2565997f95c59a

SHA1
72fa1a3e68cec4233cb64c3bcc56c85218c66d87

SHA256
f470aed0ea6f6e94cea9f1aec14232983c99d8e54cea28cc3a0126661df86a68

SHA512
5a9b85717960315078c59051202fdb607b70fc31a0f1f1d13921c3ab7d964217402e5a3f65c579afa65bfa3508f6863a486b7483258976ce57092aa63c7ab3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
05b8df4056ee08e4c47211dddd962feb

SHA1
7d3c24d7fd29e938e17fdddff2e18de342094200

SHA256
9ba1dfd1221ab6451857cd8865904adad742cd746ffd713e399bf20e31b0fded

SHA512
cec685d415af3b2c5c05003e98738d6aa100de3c0fb965b9e2f97099462324949c7f2916ca2281eabce5a41dc7e94ad9bea78d732eb6d22d514b5fffe309a0b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a9acca9665982330e95efb71461f39d8

SHA1
3a9cec766714afbd7a6e24a167c53d699526d102

SHA256
35c15ffa5f37e50eb976fe557f79278fa54bbebc117c0a5f4e6222024c873ff1

SHA512
0826f1ec81e2786d000a1266439736eeae05e27c0c7ce563495d471e49c0c72356b068e422defaee293b90ac096c9c816f9fb576f03a3f8e13edb7bdd79996bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e00377e5add057b013f34df38c575120

SHA1
b0a824bf1cb6797e23055edbb532bfa3179251f5

SHA256
8492f30ed7b3c5d8b13d4f77a385367973c7f6bc237f1f1974c37e7ec246c0b6

SHA512
7d9134d07b6d5b4ba697012529dedd0a59a06e38ab7ee0c09c9b7421243f429c58574f33992a2662ceb9328cfc60dbd65af43bf48b0111f10b85620e47c32ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
69f62e75e030121c2c6ce398f5c3d857

SHA1
0d28cf4f35d7f69a74bfec29f2c2254eb54b9451

SHA256
43497d9c3ebb5215c263df1c6541e5063e21e4dec7cdafe1bd9abf0a831b04a1

SHA512
2867db52a3ceb7cf80a68a75e746a8a18f83d2056ddb77b12a7a01b71eca579ceee45a6abe63aa63a7b61b1808fc4eaf30e6401a22ad6979a28729ddf8e89e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf600104649e7921e99ff7367fd0d94b

SHA1
272d48873153904e64d7fae12dd8e4de87c12ae6

SHA256
398a4fec7aff5810053232e1cf60f157747c08c51907ca46bbd03faac96b10e6

SHA512
2914cf7936ff2c371d4853853d6e19a608c069c46011f48c15453e1cd92fdb02528b903a4d1fea4d6af6fd50761a3af59a6bf11ceda56ad5b23267482ad45311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580971.TMP

Filesize
1KB

MD5
2b92569a85f6297f73e151f6e6d90826

SHA1
e70776c6ba9001d6d170aa8348c988fb0bf23b4e

SHA256
725157f44db045cdfc91bedc6aecec3cb8f7f5faa4ef21b31c0c5295b3e82c59

SHA512
80ef5ce49abdeb80e37f8814cefb5b55ce73ae02b384f4c9f2a7d2e91dcb99def066b7ebb7a2120f6fbac832915f46a190c715e08106d086a49291b48f38bece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1141caba441be132fb6f6f0b0ab23769

SHA1
1ff5aa08c7617718ed8975436d59bc2951495065

SHA256
ae03f18af9143a7b209e591211f9e382bc358cb41956ca859dd9e9609f012676

SHA512
80f4042d75c3c3cef441a24cc8bc7cf9342b562f994ff6fb1faed3f9ae3e665c2701b93d0efe6959f9e1495766041dc4307d35bf0be628105ec2880dd8a09b5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8ce016dc38d8eb7d894ac20a41590f24

SHA1
bb7701d6d39547d9f2fdb2b3c335c162a42c35d5

SHA256
43d1dbbb58382e52ee5a273c2b194015e4bf39f5f8e32e28e0d67f2f8a274323

SHA512
bb1185550d692f7da140a9ad022e6de8875a2c021cb7d81aee2ba1d210ecf2275f44ef390c0c2b7a63e71b16251cfe3a939d9eb7e13c3a916d762fca444eb86d

Download Submit