Analysis

max time kernel: 275s
max time network: 276s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-10-2024 14:48

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://cdn.discordapp.com/attachments/1268991976993456222/1291407962199560255/Cokertme_kebab.exe?ex=66fffce3&is=66feab63&hm=fa286f13e09428c9c7e93891509c129e04d5c7218f20974e196cbfa818503041&
Resource: win10v2004-20240802-en
Errors:

General

Target: https://cdn.discordapp.com/attachments/1268991976993456222/1291407962199560255/Cokertme_kebab.exe?ex=66fffce3&is=66feab63&hm=fa286f13e09428c9c7e93891509c129e04d5c7218f20974e196cbfa818503041&
Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory (64 IoCs)
Processes: cmd.exe
All 64 hits are "File opened for modification" by cmd.exe (PID 4652), on these paths:
C:\Windows\System32\drivers\ataport.sys
C:\Windows\System32\drivers\EhStorTcgDrv.sys
C:\Windows\System32\drivers\en-US\usbhub.sys.mui
C:\Windows\System32\drivers\fsdepends.sys
C:\Windows\System32\drivers\parport.sys
C:\Windows\System32\drivers\storahci.sys
C:\Windows\System32\drivers\en-US\vmbus.sys.mui
C:\Windows\System32\drivers\ipfltdrv.sys
C:\Windows\System32\drivers\ks.sys
C:\Windows\System32\drivers\acpiex.sys
C:\Windows\System32\drivers\ipnat.sys
C:\Windows\System32\drivers\usbcir.sys
C:\Windows\System32\drivers\en-US\srv2.sys.mui
C:\Windows\System32\drivers\en-US\vhdmp.sys.mui
C:\Windows\System32\drivers\mskssrv.sys
C:\Windows\System32\drivers\umpass.sys
C:\Windows\System32\drivers\usbport.sys
C:\Windows\System32\drivers\en-US\disk.sys.mui
C:\Windows\System32\drivers\scfilter.sys
C:\Windows\System32\drivers\bthenum.sys
C:\Windows\System32\drivers\cldflt.sys
C:\Windows\System32\drivers\mouclass.sys
C:\Windows\System32\drivers\rdyboost.sys
C:\Windows\System32\drivers\en-US\ndis.sys.mui
C:\Windows\System32\drivers\rspndr.sys
C:\Windows\System32\drivers\en-US\mup.sys.mui
C:\Windows\System32\drivers\KNetPwrDepBroker.sys
C:\Windows\System32\drivers\tsusbhub.sys
C:\Windows\System32\drivers\1394ohci.sys
C:\Windows\System32\drivers\luafv.sys
C:\Windows\System32\drivers\rdpdr.sys
C:\Windows\System32\drivers\rfcomm.sys
C:\Windows\System32\drivers\msisadrv.sys
C:\Windows\System32\drivers\netbios.sys
C:\Windows\System32\drivers\netio.sys
C:\Windows\System32\drivers\usb8023.sys
C:\Windows\System32\drivers\USBHUB3.SYS
C:\Windows\System32\drivers\en-US\afd.sys.mui
C:\Windows\System32\drivers\fvevol.sys
C:\Windows\System32\drivers\raspppoe.sys
C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui
C:\Windows\System32\drivers\mstee.sys
C:\Windows\System32\drivers\ndproxy.sys
C:\Windows\System32\drivers\spacedump.sys
C:\Windows\System32\drivers\dfsc.sys
C:\Windows\System32\drivers\dmvsc.sys
C:\Windows\System32\drivers\Dumpstorport.sys
C:\Windows\System32\drivers\en-US\CAD.sys.mui
C:\Windows\System32\drivers\en-US\tpm.sys.mui
C:\Windows\System32\drivers\spaceparser.sys
C:\Windows\System32\drivers\amdk8.sys
C:\Windows\System32\drivers\en-US\ndisuio.sys.mui
C:\Windows\System32\drivers\tdi.sys
C:\Windows\System32\drivers\wcifs.sys
C:\Windows\System32\drivers\asyncmac.sys
C:\Windows\System32\drivers\beep.sys
C:\Windows\System32\drivers\MbbCx.sys
C:\Windows\System32\drivers\mspclock.sys
C:\Windows\System32\drivers\NdisVirtualBus.sys
C:\Windows\System32\drivers\pacer.sys
C:\Windows\System32\drivers\en-US\mshidumdf.sys.mui
C:\Windows\System32\drivers\en-US\tsusbhub.sys.mui
C:\Windows\System32\drivers\SpbCx.sys
C:\Windows\System32\drivers\en-US\pnpmem.sys.mui
Manipulates Digital Signatures (2 IoCs)
Attackers patch the exports of these DLLs so that their own binaries or scripts appear validly signed: wintrust.dll implements Authenticode verification (WinVerifyTrust), and pwrshsip.dll is the PowerShell script Subject Interface Package that signature checks on .ps1 files go through.
Processes: cmd.exe
File opened for modification  C:\Windows\System32\wintrust.dll  cmd.exe
File opened for modification  C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll  cmd.exe
Possible privilege escalation attempt (2 IoCs)
Processes: takeown.exe, icacls.exe
pid   Process
3700  takeown.exe
2472  icacls.exe
Boot or Logon Autostart Execution: Print Processors (1 TTPs, 1 IoCs)
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
Processes: cmd.exe
File opened for modification  C:\Windows\System32\spool\prtprocs\x64\winprint.dll  cmd.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes: takeown.exe, icacls.exe
pid   Process
3700  takeown.exe
2472  icacls.exe
Drops file in System32 directory (64 IoCs)
Processes: cmd.exe
All 64 hits are "File opened for modification" by cmd.exe (PID 4652), on these paths:
C:\Windows\System32\ntprint.dll
C:\Windows\System32\Dism.exe
C:\Windows\System32\it-IT\comctl32.dll.mui
C:\Windows\System32\ja-jp\PresentationSettings.exe.mui
C:\Windows\System32\ja-jp\propsys.dll.mui
C:\Windows\System32\ro-RO\quickassist.exe.mui
C:\Windows\System32\wbem\qoswmi.mof
C:\Windows\System32\Windows.Media.BackgroundMediaPlayback.dll
C:\Windows\System32\de-DE\WorkfoldersControl.dll.mui
C:\Windows\System32\en-US\nlasvc.dll.mui
C:\Windows\System32\es-ES\IdCtrls.dll.mui
C:\Windows\System32\it-IT\ieui.dll.mui
C:\Windows\System32\DriverStore\FileRepository\SPACEP~1.INF\spacedump.sys
C:\Windows\System32\eudcedit.exe
C:\Windows\System32\Hydrogen\BAKEDP~1\Physics\presetmotionpropertiesdebrisdeprecated.hbakedmotionproperties
C:\Windows\System32\en-US\msdtcVSp1res.dll.mui
C:\Windows\System32\en-US\Windows.ApplicationModel.Store.TestingFramework.dll.mui
C:\Windows\System32\fr-FR\WABSyncProvider.dll.mui
C:\Windows\System32\spp\tokens\skus\PR3CDC~1\ProfessionalWorkstation-Retail-2-ul-store-rtm.xrm-ms
C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_2.bin
C:\Windows\System32\it-IT\NetworkExplorer.dll.mui
C:\Windows\System32\ja-jp\joy.cpl.mui
C:\Windows\System32\fr-FR\keyiso.dll.mui
C:\Windows\System32\KBDUR1.DLL
C:\Windows\System32\logagent.exe
C:\Windows\System32\SortWindows61.dll
C:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\developerCommand.xsd
C:\Windows\System32\DriverStore\FileRepository\netwtw08.inf_amd64_7c0c516fb22456cd\Netwfw08.dat
C:\Windows\System32\en-US\localsec.dll.mui
C:\Windows\System32\es-ES\inseng.dll.mui
C:\Windows\System32\xboxgipsvc.dll
C:\Windows\System32\WindowsPowerShell\v1.0\Schemas\PSMaml\ProviderHelp.xsd
C:\Windows\System32\DriverStore\FileRepository\c_computer.inf_amd64_aa72c8894a821b32\c_computer.inf
C:\Windows\System32\profext.dll
C:\Windows\System32\slcext.dll
C:\Windows\System32\fr-FR\mshta.exe.mui
C:\Windows\System32\GameSystemToastIcon.png
C:\Windows\System32\ktmutil.exe
C:\Windows\System32\MCCSPal.dll
C:\Windows\System32\DriverStore\en-US\netpacer.inf_loc
C:\Windows\System32\es-ES\ntprint.dll.mui
C:\Windows\System32\fi-FI\APHostRes.dll.mui
C:\Windows\System32\en-US\tdh.dll.mui
C:\Windows\System32\es-ES\discan.dll.mui
C:\Windows\System32\pnputil.exe
C:\Windows\System32\de-DE\iyuv_32.dll.mui
C:\Windows\System32\en-US\rasmm.dll.mui
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_GroupResource\uk-UA\MSFT_GroupResource.strings.psd1
C:\Windows\System32\winnlsres.dll
C:\Windows\System32\en-US\WMVENCOD.dll.mui
C:\Windows\System32\fdWNet.dll
C:\Windows\System32\wfapigp.dll
C:\Windows\System32\fr-FR\sessionmsg.exe.mui
C:\Windows\System32\gmsaclient.dll
C:\Windows\System32\it-IT\bisrv.dll.mui
C:\Windows\System32\DriverStore\es-ES\netbxnda.inf_loc
C:\Windows\System32\DriverStore\fr-FR\net1yx64.inf_loc
C:\Windows\System32\es-ES\pnrpauto.dll.mui
C:\Windows\System32\UXInit.dll
C:\Windows\System32\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_WaitForSome\uk-UA\MSFT_WaitForSome.schema.mfl
C:\Windows\System32\DriverStore\es-ES\msmouse.inf_loc
C:\Windows\System32\ja-jp\dui70.dll.mui
C:\Windows\System32\spp\tokens\skus\PROFES~3\ProfessionalEducation-ppdlic.xrm-ms
C:\Windows\System32\edgehtml.dll
Modifies termsrv.dll (1 TTPs, 1 IoCs)
Commonly used to allow simultaneous RDP sessions.
Processes: cmd.exe
File opened for modification  C:\Windows\System32\termsrv.dll  cmd.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes: Çökertme kebabı.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Çökertme kebabı.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. Here all three hits are attributed to taskmgr.exe (PID 4104), which is not in the sample's process tree.
Processes: taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
All three hits are attributed to chrome.exe (PID 4308), the browser the sandbox used to fetch the sample URL, not to the sample itself.
Processes: chrome.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
Modifies data under HKEY_USERS (17 IoCs)
Processes: LogonUI.exe, chrome.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "66"  LogonUI.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133724405306643918"  chrome.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"  LogonUI.exe
Key created  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: chrome.exe, taskmgr.exe
pid   Process
4308  chrome.exe   (2 hits)
4104  taskmgr.exe  (remaining 62 hits)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: taskmgr.exe
pid   Process
4104  taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes: chrome.exe
pid   Process
4308  chrome.exe  (2 hits)
Suspicious use of AdjustPrivilegeToken (28 IoCs)
Processes: chrome.exe, taskmgr.exe, takeown.exe, shutdown.exe
Token  pid  Process
SeShutdownPrivilege / SeCreatePagefilePrivilege  4308  chrome.exe  (11 alternating pairs, 22 hits)
SeDebugPrivilege  4104  taskmgr.exe
SeSystemProfilePrivilege  4104  taskmgr.exe
SeCreateGlobalPrivilege  4104  taskmgr.exe
SeTakeOwnershipPrivilege  3700  takeown.exe
SeShutdownPrivilege  4784  shutdown.exe
SeRemoteShutdownPrivilege  4784  shutdown.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: chrome.exe, taskmgr.exe
pid   Process
4308  chrome.exe   (repeated hits)
4104  taskmgr.exe  (repeated hits)
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: chrome.exe, taskmgr.exe
pid   Process
4308  chrome.exe   (repeated hits)
4104  taskmgr.exe  (repeated hits)
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: LogonUI.exe
pid   Process
3624  LogonUI.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: chrome.exe
All hits are chrome.exe (PID 4308) writing to the memory of its own child processes (see the process tree):
PID 4308 wrote to memory of 2640  (target 89, crashpad-handler; 2 hits)
PID 4308 wrote to memory of 2440  (target 90, gpu-process; repeated hits)
PID 4308 wrote to memory of 2864  (target 91, NetworkService utility; 2 hits)
PID 4308 wrote to memory of 5080  (target 92, StorageService utility; repeated hits)
Processes

C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4308)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1268991976993456222/1291407962199560255/Cokertme_kebab.exe?ex=66fffce3&is=66feab63&hm=fa286f13e09428c9c7e93891509c129e04d5c7218f20974e196cbfa818503041&
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2640)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7a28cc40,0x7ffe7a28cc4c,0x7ffe7a28cc58

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2440)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2864)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1588,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:3

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 5080)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2420 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2972)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2184)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3904)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4776 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4224)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4956,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4196 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 3176)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5084,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5112 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4712)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5096,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5136 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4376)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5128,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5320 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1504)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4980,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5468 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4380)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5732,i,10986565677679442130,6274341628455620209,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe  (PID 2344)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Windows\system32\svchost.exe  (PID 4160)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4884)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3804,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:8

C:\Windows\system32\taskmgr.exe  (PID 4104)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Users\Admin\Desktop\Çökertme kebabı.exe  (PID 1564)
  Command line: "C:\Users\Admin\Desktop\Çökertme kebabı.exe"
  - System Location Discovery: System Language Discovery

  C:\Windows\system32\cmd.exe  (PID 4652)
    Command line: "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3445.tmp\3446.tmp\3447.bat "C:\Users\Admin\Desktop\Çökertme kebabı.exe""
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Boot or Logon Autostart Execution: Print Processors
    - Drops file in System32 directory
    - Modifies termsrv.dll

    C:\Windows\system32\takeown.exe  (PID 3700)
      Command line: takeown /f C:\Windows\System32 /r /d y
      - Possible privilege escalation attempt
      - Modifies file permissions
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\icacls.exe  (PID 2472)
      Command line: icacls C:\Windows\System32 /grant YourUsername:F /t
      - Possible privilege escalation attempt
      - Modifies file permissions

    C:\Windows\system32\shutdown.exe  (PID 4784)
      Command line: shutdown /r /t 0
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe  (PID 4504)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\LogonUI.exe  (PID 3624)
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3939855 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 649B
MD5 ce4d01558612fe30b572f18c558902da
SHA1 5aa7f118d027db5a4d519b9d744e430986a2129a
SHA256 a1fb1460097b79d44f2d34be1d77275d71d1634a1a89614d20bba2ab75b974f1
SHA512 bd35f17dd7e190a93c361da8437dbef1fd729dd2fc1eb284890c85d46ec6f6cd5fbc864f14a9d0037848ec6b6704169a9cb1b185bdc9572f089db7101a757125
-
Filesize 1KB
MD5 87eaa76d3232f96de99a96baccd7b3b6
SHA1 d52b50f07fc55c97b1973b5a1573bfd61e8b434b
SHA256 c73752c323f53e405b50745fc777c61dd219252df813409adbbd99815c45c040
SHA512 19b987479eb6821c3a593f69a69994187515a789676df55d10dc8a8f2bb8d056ff4ab1eb84cddd0317517d3b426a4b8a7460f290cb1d00930002a6bad4e201ea
-
Filesize 2B
MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize 9KB
MD5 1171b767059473f6647564f6e12a22d4
SHA1 bf8582c2836452f1b014a30e74da58bf4453977a
SHA256 2488b6dc31a1be7934823f31923c17b393ad9e244aa8c3d8b88a8a69ffc8de84
SHA512 2faf02360738df3c72098d6dfb71638e775383de7a1a5d2017c8b141b6b107a91d12a1c467bef2e9f0f1e85b52d99b449611421c93ce691037a99806622c0b1e
-
Filesize 264KB
MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize 195KB
MD5 6a0f9c36d589523a3b6428f536f439d1
SHA1 17d61ff87b374b32d8b01dc754a44ef3a84cade4
SHA256 9d939188ca206c19c80c4bf581dd980ce3250bc57bb89420f40ab578d9fd5a93
SHA512 2a50dc306287d4bb258ed32561df579e7ba28c3008fa1dd9f1731e4592be5f3bbe824c870394f710d61ad267434b14e3326e09be01eae03dad3b1adda62d19a5
-
Filesize 195KB
MD5 593325f42da1d9071a28b3e4b6caea76
SHA1 b17664ff5dbc41ac22d07a494617c3feae2d1000
SHA256 b43915571442905d36dc67e0e7024f3cae503e197e8dff14a070c9fcd7d89b84
SHA512 b807002f62b907b4e174ff680481900103f49b7f9f59f0f944cd75a7589070258188927bd2427b5359f07dab72ac4ef6acad8f9ab96ba7a322d3a87e4269c0e0
-
Filesize 208B
MD5 838355a330a59290ca362cf938e0378c
SHA1 1dcda840f5e8b96e80f3852550cafdd2748eed8e
SHA256 73db043c6fa8db55302890ce97738e8ef1dbe4bf9bccb0603e5a5e4f97d2cdd1
SHA512 622e9959dbf1e865926def6cbabf2b9a0d875227f87cf90e618f1ca5294763856f9214c288cc6d9360b44026bd981e765284680737489203fc1eb1dd00abbd09
-
Filesize 89KB
MD5 4996febaf9e813a08f1313dc10fa119f
SHA1 bb20492b02354aeaec3593709fa10a0f7078e37d
SHA256 17f4cce1ad4d64836096add8b88621db4d717c8b6f1db86245a7cc434da558ce
SHA512 78a2ec11579fced740bf79c1985a7ea5b55a0a444918ad68db8d55e0ed759cdc3d89caf1b4ccbbb6f26b5d0b0c7fee20514602f2feeba4522d574dbe7f90db65
-
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e