Analysis
max time kernel: 115s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-12-2024 10:08
Static task: static1
URLScan task: urlscan1
Signatures

Hawkeye family

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
  Process          Description        IoC
  netprotocol.exe  Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  spoolsc.exe      Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
  hotbest.exe      Key value queried  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (11 IoCs)
  PID   Process
  5004  hotbest.exe
  5100  netprotocol.exe
  5256  netprotocol.exe
  5372  spoolsc.exe
  5568  netprotocol.exe
  6000  netprotocol.exe
  5684  netprotocol.exe
  1884  netprotocol.exe
  5712  netprotocol.exe
  1644  netprotocol.exe
  6032  netprotocol.exe
Uses the VBS compiler for execution (1 TTP)
The "VBS compiler" named by this signature is vbc.exe, the Visual Basic .NET command-line compiler, not a VBScript engine: netprotocol.exe invokes it with a generated .cmdline response file and vbc.exe in turn runs cvtres.exe (see the process tree), so the sample compiles code on the victim at run time rather than shipping it precompiled.
Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  Process          Description  IoC
  netprotocol.exe  Key opened   \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  Flow  IoC
  42    raw.githubusercontent.com
  43    raw.githubusercontent.com
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  83    checkip.dyndns.org
  60    checkip.dyndns.org
Suspicious use of SetThreadContext (5 IoCs)
  Source PID  Source process   Target PID  procid_target
  5100        netprotocol.exe  5256        117
  5256        netprotocol.exe  5568        120
  5256        netprotocol.exe  6000        125
  5684        netprotocol.exe  1884        131
  1884        netprotocol.exe  5712        132
A process rewriting the thread context of a child it has just created is the hallmark of process hollowing (RunPE). Read together with the process tree, the rows form two lineages, 5100 -> 5256 -> {5568, 6000} and 5684 -> 1884 -> 5712. PIDs 5256 and 1884 are both a target and a source, i.e. hollowed stages that unpack the next stage, and the leaves are the "-f Mail.txt" and "-f Web.txt" children.
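The lineage reading above can be mechanised. The following is an added example, not part of the sandbox report or of any tooling the report describes: it parses the five SetThreadContext rows exactly as the report prints them (copied here as constructed input), builds the source-to-target graph, and reports the injection chains and the intermediate "hollowed unpacker" stages. The row regex and the helper names are this example's own assumptions.

```python
"""Reconstruct process-hollowing chains from a sandbox report's
'Suspicious use of SetThreadContext' rows.

Added example; the rows are copied from the report, everything else
(regex, function names) is an assumption of this example.
"""
import re
from collections import defaultdict

# Constructed input: the report's rows, verbatim.
SET_THREAD_CONTEXT_ROWS = [
    "PID 5100 set thread context of 5256 5100 netprotocol.exe 117",
    "PID 5256 set thread context of 5568 5256 netprotocol.exe 120",
    "PID 5256 set thread context of 6000 5256 netprotocol.exe 125",
    "PID 5684 set thread context of 1884 5684 netprotocol.exe 131",
    "PID 1884 set thread context of 5712 1884 netprotocol.exe 132",
]

# description | pid | Process | procid_target, flattened on one line.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) set thread context of (?P<dst>\d+) "
    r"(?P=src) (?P<image>\S+) (?P<target_procid>\d+)$"
)


def parse_rows(rows):
    """Return a list of (source_pid, target_pid, source_image) edges."""
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        edges.append((int(m["src"]), int(m["dst"]), m["image"]))
    return edges


def injection_chains(edges):
    """Follow source -> target edges from every PID that was never itself
    a target. Each returned list is one unpacking lineage; every PID after
    the first had its thread context rewritten by the PID before it."""
    children = defaultdict(list)
    targets = set()
    for src, dst, _ in edges:
        children[src].append(dst)
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)
    chains = []

    def walk(pid, path):
        if pid not in children:          # leaf: final stage
            chains.append(path)
            return
        for nxt in sorted(children[pid]):
            walk(nxt, path + [nxt])

    for root in roots:
        walk(root, [root])
    return chains


def intermediate_stages(edges):
    """PIDs that were injected into and then injected into another
    process: the hollowed stage that carries and unpacks the next one."""
    sources = {src for src, _, _ in edges}
    targets = {dst for _, dst, _ in edges}
    return sorted(sources & targets)


if __name__ == "__main__":
    e = parse_rows(SET_THREAD_CONTEXT_ROWS)
    for chain in injection_chains(e):
        print(" -> ".join(map(str, chain)))
    print("intermediate stages:", intermediate_stages(e))
```

Run against the report's rows this prints the two lineages named above and flags 1884 and 5256 as the intermediate stages; the same code applies unchanged to any report that prints this signature in the same column order.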
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Processes:  netprotocol.exe (6 hits), cmd.exe, reg.exe, vbc.exe, cvtres.exe, hotbest.exe
Caveat: this key is also read during normal locale initialisation by ordinary Windows processes, which is why cmd.exe, reg.exe, vbc.exe and cvtres.exe appear here. The hits from the dropped binaries are only meaningful alongside the Geo\Nation check above.
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Process      Description        IoC
  taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000
  taskmgr.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  taskmgr.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process     Description        IoC
  msedge.exe  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  msedge.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Modifies registry class (1 IoC)
  Process      Description  IoC
  taskmgr.exe  Key created  \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings

NTFS ADS (1 IoC)
  Process     Description                   IoC
  msedge.exe  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 922103.crdownload:SmartScreen

Caveat: none of these four signatures is attributable to the sample. The SCSI and registry-class hits come from taskmgr.exe, a root-level process in the tree that is not a descendant of hotbest.exe, and the BIOS lookup and the ":SmartScreen" alternate data stream on the in-progress .crdownload file come from the browser process that fetched the sample.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process              Hits
  3268  msedge.exe           2
  2484  msedge.exe           2
  2908  identity_helper.exe  2
  4044  msedge.exe           2
  5100  netprotocol.exe      2
  5372  spoolsc.exe          32
  5784  taskmgr.exe          22
  (the report caps each signature at 64 rows)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID   Process     Hits
  2484  msedge.exe  7
Suspicious use of AdjustPrivilegeToken (10 IoCs)
  PID   Process          Token
  5100  netprotocol.exe  SeDebugPrivilege
  5372  spoolsc.exe      SeDebugPrivilege
  5256  netprotocol.exe  SeDebugPrivilege
  5568  netprotocol.exe  SeDebugPrivilege
  5784  taskmgr.exe      SeDebugPrivilege
  5784  taskmgr.exe      SeSystemProfilePrivilege
  5784  taskmgr.exe      SeCreateGlobalPrivilege
  5684  netprotocol.exe  SeDebugPrivilege
  1884  netprotocol.exe  SeDebugPrivilege
  1644  netprotocol.exe  SeDebugPrivilege
Suspicious use of FindShellTrayWindow (64 IoCs)
  PID   Process
  2484  msedge.exe   (repeated)
  5784  taskmgr.exe  (repeated)
  (64-row cap reached)

Suspicious use of SendNotifyMessage (64 IoCs)
  PID   Process
  2484  msedge.exe   (repeated)
  5784  taskmgr.exe  (repeated)
  (64-row cap reached)

Both lists contain only the browser and Task Manager, two interactive GUI processes for which these calls are ordinary shell interaction; no process from the sample's tree appears in either.
Suspicious use of SetWindowsHookEx (2 IoCs)
  PID   Process
  5256  netprotocol.exe
  1884  netprotocol.exe
SetWindowsHookEx is the classic user-mode keylogging primitive, and both PIDs are the hollowed intermediate stages identified under SetThreadContext above, which fits the Hawkeye family classification.
Suspicious use of WriteProcessMemory (64 IoCs)
  Source PID  Source process  Target PID  procid_target  Hits
  2484        msedge.exe      4860        83             2
  2484        msedge.exe      1824        84             repeated
  2484        msedge.exe      3268        85             2
  2484        msedge.exe      4092        86             repeated
  (64-row cap reached)
Every row is the Edge browser process (2484) writing into child processes it launches itself (crashpad handler 4860, GPU process 1824, network service 3268, storage service 4092); that is how the Chromium sandbox broker bootstraps its children and is expected. Because the cap is consumed entirely by the browser, any writes performed by the sample's own processes, which the SetThreadContext rows above imply, are not listed.
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2484, depth 1]
  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Viper4K/malware/blob/master/Hotbest/hotbest.exe
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4860, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb397546f8,0x7ffb39754708,0x7ffb39754718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 1824, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3268, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4092, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 612, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3616, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 4412, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  [PID 2908, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4032, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5624 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 2236, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 3240, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 4044, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\Downloads\hotbest.exe  [PID 5004, depth 2]
      cmd: "C:\Users\Admin\Downloads\hotbest.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 5100, depth 3]
          cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\cmd.exe  [PID 1300, depth 4]
              cmd: "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
              - System Location Discovery: System Language Discovery
              (The command line names System32 but the image is SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection. The "Load" value under HKCU\...\Windows NT\CurrentVersion\Windows is a legacy autorun that launches the named binary at each logon of this user, which is the sample's persistence.)

                C:\Windows\SysWOW64\reg.exe  [PID 4168, depth 5]
                  cmd: reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f
                  - System Location Discovery: System Language Discovery

            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  [PID 5140, depth 4]
              cmd: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imzbclcl.cmdline"
              - System Location Discovery: System Language Discovery

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe  [PID 5208, depth 5]
                  cmd: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFD1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF4F56DF4894E4F4E984DB425FD64B1FD.TMP"
                  - System Location Discovery: System Language Discovery

            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 5256, depth 4]
              cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx

                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 5568, depth 5]
                  cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
                  - Executes dropped EXE
                  - Accesses Microsoft Outlook accounts
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 6000, depth 5]
                  cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Web.txt"
                  - Executes dropped EXE

            C:\Users\Admin\AppData\Local\Temp\spoolsc.exe  [PID 5372, depth 4]
              cmd: "C:\Users\Admin\AppData\Local\Temp\spoolsc.exe" -n
              - Checks computer location settings
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 5684, depth 5]
                  cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 1884, depth 6]
                      cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
                      - Executes dropped EXE
                      - Suspicious use of SetThreadContext
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of SetWindowsHookEx

                        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 5712, depth 7]
                          cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"
                          - Executes dropped EXE

                C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 1644, depth 5]
                  cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of AdjustPrivilegeToken

                    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe  [PID 6032, depth 6]
                      cmd: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe"
                      - Executes dropped EXE

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 6116, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 6124, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5176, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  [PID 5168, depth 2]
      cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,4649757514475572194,3881186571777609739,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe  [PID 4580, depth 1]
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  [PID 1276, depth 1]
  cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\taskmgr.exe  [PID 5784, depth 1]
  cmd: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe  [PID 1780, depth 1]
  cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
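The three behaviours that matter for detection in this tree are the "Load" registry persistence written through cmd.exe/reg.exe, the .NET compiler (vbc.exe) spawned by a binary living under %AppData%, and the dropped binary re-launching itself with "-f <file>" for the Mail.txt / Web.txt stages. The following is an added example, not part of the sandbox report and not the sandbox's own signature logic: it encodes those three patterns as rules over process-creation events in a simplified Sysmon Event ID 1 shape (ParentImage, Image, CommandLine). The event records are constructed from the report's command lines, with one benign developer-build event added as a control; the field names, the regexes and the rule names are this example's own assumptions.

```python
"""Detection rules for the persistence and staging behaviour in the
process tree above, run over constructed process-creation events.

Added example; event shape, regexes and rule names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:          # minimal Sysmon Event ID 1 shape (assumed)
    pid: int
    parent_image: str
    image: str
    command_line: str


# Constructed from the report's process tree, not a real log export.
EVENTS = [
    ProcEvent(5100, r"C:\Users\Admin\Downloads\hotbest.exe",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -n'),
    ProcEvent(4168, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\reg.exe",
              r'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v "Load" /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" /f'),
    ProcEvent(5140, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe",
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\imzbclcl.cmdline"'),
    ProcEvent(5568, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe",
              r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe",
              r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ScreenToGif\netprotocol.exe" -f "C:\Users\Admin\AppData\Local\Temp\Mail.txt"'),
    # Benign control (constructed): a build server invoking vbc.exe from MSBuild.
    ProcEvent(7001, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
              r'vbc.exe /noconfig @"C:\proj\obj\Debug\x.cmdline"'),
]

# reg add to the legacy "Load" autorun value under HKCU (either root spelling).
LOAD_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)'
    r'\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"?\s+/v\s+"?load"?',
    re.IGNORECASE,
)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
COMPILER_RE = re.compile(r"\\(vbc|csc)\.exe$", re.IGNORECASE)


def rule_load_persistence(ev):
    """The 'Load' value runs the named binary at every logon of that user."""
    return bool(LOAD_KEY_RE.search(ev.command_line))


def rule_compiler_from_user_path(ev):
    """.NET compiler started by a process running from a user-writable
    directory: run-time compilation of dropped source, not a dev build."""
    return bool(COMPILER_RE.search(ev.image)) and bool(USER_WRITABLE_RE.search(ev.parent_image))


def rule_self_spawn_with_output_file(ev):
    """Binary in a user-writable path re-launching its own image with
    '-f <file>', the shape of the Mail.txt / Web.txt stages in the tree."""
    same_image = ev.image.lower() == ev.parent_image.lower()
    return same_image and bool(USER_WRITABLE_RE.search(ev.image)) and " -f " in ev.command_line


RULES = {
    "hkcu_windows_load_persistence": rule_load_persistence,
    "dotnet_compiler_from_user_path": rule_compiler_from_user_path,
    "self_spawn_with_output_file": rule_self_spawn_with_output_file,
}


def evaluate(events):
    """Map each rule name to the list of PIDs it fires on."""
    hits = {name: [] for name in RULES}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[name].append(ev.pid)
    return hits


if __name__ == "__main__":
    for name, pids in evaluate(EVENTS).items():
        print(f"{name}: {pids}")
```

The control event shows why the compiler rule keys on the parent's path rather than on vbc.exe alone: MSBuild under Program Files does not fire, while the same compiler launched from %AppData% does. The persistence rule accepts both the HKCU and HKEY_CURRENT_USER spellings and optional quoting, since reg.exe accepts all of them.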
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5:    56a4f78e21616a6e19da57228569489b
SHA1:   21bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Filesize: 152B
MD5:    e443ee4336fcf13c698b8ab5f3c173d0
SHA1:   9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5:    acd733f58bf155a1bf140b2bf7643bbe
SHA1:   04fb61e4097f7f0743ccc135b4db45e30f65205f
SHA256: 59d77e3784bd27c65551056009ca85b493e021659983c8dacf033b41be3d4c00
SHA512: 358595d389b70f3cadb44f9b632afb526f57431c4c24ee3958bd1922458904772c920c2b72f784fc4b676632abc3b6c6ffb59daa6ef1370b9c34c509dcef70f7

Filesize: 579B
MD5:    46fa4f5f7344089589d117bd7599b3a9
SHA1:   b6cc1fe19e527d4a372c97e4d195ed94eee40030
SHA256: 223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a
SHA512: 6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Filesize: 5KB
MD5:    92b347c31fc156e25da64eba8ee76297
SHA1:   eb1cc9a01940acbbf5fafea4d03e8ace1917724d
SHA256: d388680ff3de951d6b7ede2d71c961b249b708b71d8ce909568610a088984fc1
SHA512: 490939555cf8895d2a2f3ee3400515efc1ce55b7fe6cbe0681ff7e8311787c9fcf25d5cf0888a86109a0b62e495483e7cd6a4c46314f14f7e4a9572496b7d01e

Filesize: 6KB
MD5:    0a76dd73744d0e38f05ed2fee6c081a0
SHA1:   835d82accc81e48616c4604b05590e2711537ee0
SHA256: 47a9b76b85eeef07eb4a5439b01e8207f44989f75f0f0a8f7c50a5f83c3cfd42
SHA512: 7ab7dff97da0b9e434a41b4caa4759627454ab2a27829dfe7c19f31a8336d431d8e21477453318e2fef345a44e6102e753d786af6f2bcc7821e2eccb38fef81f

Filesize: 1KB
MD5:    10827b3563e7ae55bb1dce0ca0832b37
SHA1:   3279c57d76924b8a0692b3589c17e7c9f9bf59ef
SHA256: 7420c7785a572510f8096a1bb16a3f85c9a6bdfd9966c7b98381a52dd70f96fa
SHA512: 5dd4d447a4ef8b2c15e2921f4aa22807bc6d8eb17f37914123e9c34884bac52c03af20dfee50d1c154061f712d40d4285f590c0b2e2d2bd0bef1d53963f3bb79

Filesize: 1KB
MD5:    1139f7312ca390a8adae1293e0007edd
SHA1:   bec6f6a9b8bf13b6672d1ece9bcb08cf9ed53672
SHA256: a4322d2ed0f0c5ba007157b8b97e52aad95cf2075f954e1e83d3c69fc4d5409c
SHA512: ae6d07d92c76cd0e668bb2ad3eeaeb3e60a889eabd985b30d97ad0eb3ed6dbc5d2420662d1902783fd5ebb9553404410be0d1e5809889b2bb830d3d5c19b6ac2

Filesize: 1KB
MD5:    878edd33e460e5af814b54fa2700c142
SHA1:   ea51eb805f85fb9e6dc5ab9933d26fc07c71487e
SHA256: 67060ae5963317050d835fa533f92fb9cda8d20b5d9a9bc7156fcbfaa9862ae8
SHA512: 9c8f2a184fdeb2b337ec433532e74d5896d9d10845f4052d941611319ab52a0d518cbfffc48c4c70d7607efcfab67f55ed63881283dab250e21843bb2efe6933

Filesize: 16B
MD5:    6752a1d65b201c13b62ea44016eb221f
SHA1:   58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5:    bcc132bceeac78d8c4f9f4bfeb6f90e5
SHA1:   bf4f24eaed73de93cdd5721c327de51cc651dbe1
SHA256: a8d08e125934e016d2a0193634cc32e4aab152ee86f3bb951b74c7835fe611c2
SHA512: 5e815f7fb3fa4c6cb92ac8adc74dae16652e3c5bed11bbe1d189acd3bbb79e155b7a15af95bfee5562ed5022b1d4cf333d2881e3e82319ae3b19e8bae7f48ac2

Filesize: 11KB
MD5:    c15ddb68a238ae0e2a87fb2517a4f95b
SHA1:   4ea904c5f3510773cd83074bd6a047b2e9219444
SHA256: 5aeaafa31f57d45d8e3e2ca5e0b2d7372e490bbc59bcd6290b0041d79c5d889d
SHA512: 1ec9a54cc38860269a82de7e55a9e8dda151cd7747e626003c49be8fe0ce5afa1d55a38764dd9a1d6650d80a116bdf55c8ff70c1498c5796c9663c34458359a8

Filesize: 11KB
MD5:    291e6694a3a22e99e7c795aae3a9df43
SHA1:   95bca371e1206497c455dd2e4fef4ec5ec1b04ef
SHA256: da88cc06e418c630b2b9cd34c490296fcf648a7f1297b5ffb330425b9c0f8167
SHA512: dd9900ffcec8424ae46dfc6dbe39b1aa83ebf09fa49d69b66b8d785d6b96a71072632a95d721fe1630e22b211a71573bc82cbc10dce3104221a67b4341452c1f

Filesize: 10KB
MD5:    3d7daa3df68eb79aa6c04d030e0ae4d4
SHA1:   c6f948a46b4d73099e0503765de843c8892ec379
SHA256: 1062e3170900f4385c4a01bd2a53c1caeee46f38816369c922bf41ee2f88332d
SHA512: b29475106c92cd4205180938a1c653ffde22c61fc9d95b6b2f99e17b22b95afd2f7272fbe19a043308c213879513ed066eba5efa5f1bc8c4f2d03261710910fa

Filesize: 267B
MD5:    c114ca9951083036225f8685229961c5
SHA1:   87c68a210524e95f774cdfff35385cf966c11c9c
SHA256: 6f5af57d51603a4f304a1cc68c3baacb3344d265f5fce727b1bb19340ff5dd02
SHA512: 68b3df07358f38bc8083fd705d114cfe81209083fbf38ad69389149e84a2ae51a32cb334735aa1ff97d054f9a0fcbc60245eece267d5e286f92f5f4e795c0011

Filesize: 1KB
MD5:    5a2bb13d6b1d1bf2fe875a418869441c
SHA1:   4b4f52632fe1c12f19e2e1c678148a2b092dc5cc
SHA256: 9c77149f45414b18a462c44a22355630e6b40660a533c51d91787a52c1772d63
SHA512: edf05849326d48a54e75e0d18602b1dfb7a2901621bf8c98b492e7ce1d95f64c92900267c1110c838332220df6c3e866367d660b198e3f0b49a97a0dc539b7ae

Filesize: 3KB
MD5:    e40446114fd3a07083f484e14fcba4c4
SHA1:   086fcf1aac441cbb6f59fa079b506aabb94a493c
SHA256: ec6b3348f5b776c8adaba5b50714667f393c693d1839bccf01385f7094d6c9ac
SHA512: 4143d482b15938b44505f5e5ecba5c0080f83d8c29b84f4e93819afd5da1bf37327f16911ff1ace253b9167c514bf5422f1c85fa72cdbe7892180fe22e9b5cc1

Filesize: 224B
MD5:    374e25ba7721b2bd3106a3581609c62c
SHA1:   a5b9e99b1a4f3fb17b88d1c891eebcf007cefbc7
SHA256: e1508cbe7af0f8ddd79ca0bd7b7db53562d5634967fc997107d4793f5d05a0de
SHA512: b583a9f1ba0a68dca4d9516453aaecac9e0d0add6b183be301208971e74dde32bbe67e8c72792048e211d963c38fa4b3d02efe1aa41f1407dc1f3929817cc273

Filesize: 8KB
MD5:    e65d00efb7f6a5566924c5fc5ab7e2c6
SHA1:   1c04d62e2558e485b931b117862c846ac78c0b7f
SHA256: 1e530aa440929261891b134c30039c5dbf2ecd7dbdbc9c43ee295ee0aafc4fdd
SHA512: c98b593198669cb5b5974243ae57e398b0117a73417e57a4e72d40193433c107f1479d787220ac6f41d50c95d227f0c20a3849fbccb554c3848aa3f6efc5f295

Filesize: 964B
MD5:    52d9c8ba23ef6a3c6542be3c34f9adbf
SHA1:   3bf7b4f0ba7ac08798c5f5c52d119f79c26017d3
SHA256: e7c06aca847231b51e5303b631cf78f34cd2fcb074a239267bc737258f6a5e9b
SHA512: 6dc22e583b418ca4da2cb996f3bc1e18127d3849ca3fd175f580d34768e32eb12a3f4675a2a346b324e72845b870d42fa6397d2aeab305dd08a2eac9f3fe57a0

Filesize: 4B
MD5:    8819159f9246232ed1299a7414448ab4
SHA1:   4ac7f0107ada07797a925b4d27ea601359cddf1d
SHA256: 6c6be40c2a563b401324a4e221da74080d0f4fd9425aaf18a771ede47c3109c0
SHA512: 0cdf1bd9d2b98d3e1d248dfee82c69e8bf169062b0e015ba3238fb840d8d435097a639a291d04d17a89e67be11db34dbbf560c64bbfc7e22b458f16a56f00303

Filesize: 76B
MD5:    69275d427c2c6d00d029ffb971798f3e
SHA1:   1f7c3f5f55c97cc3013bae5ed4d10d526c147e9e
SHA256: 3a6f6356af22109ac68f3a13ef149c8ddbb5457cbfd0f867a6600e196121c5b6
SHA512: 012fa24d8d75f6a3a4ec43628077a9454809bfadba3e00ae5a6da2fcf10a77fd24d349f46bb7a054e9e9084eb8f70a51080affaf879c38fb7c55dc3e75b74980

Filesize: 572KB
MD5:    6c9177754244a999e36b838622c8b3a4
SHA1:   449df07d92f65d20dfffb60124e6123c5a85c491
SHA256: dcb7d0214c7253a6acfe023f50e9bdf6f7586e15935037ef85f93024fa1115d5
SHA512: 4ff43bc990248d5fd043551244e00daf0988b973246b234413ef82d9a9a74c822353ddb00235709e594c9211e7df692fae73e9a6be8d024b1b661ba0f8d59b34