hawkeye_reborn | 545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Size

696KB
MD5

4ee93de86def5cb761ff63b8be928a50
SHA1

8a49f1244152fc4dd5e3174335cbfb77bb6abfeb
SHA256

545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9
SHA512

fa65530ffd92e1e6665c23762e6b1124e629e27894529c32a4474cdb244328967fa549de94f69f374fd42a12aa949701cbd6357c91cefe2a66bcee0ea8f184af
SSDEEP

12288:sFtUJ5yf/yw6hKomF9Fsra7aZKDNuO+S+Ua6H7KyK4T/+MY:sFnHZ6ht+7nf+S+wK4+MY

Score

10^/10

hawkeye_reborn m00nd3v_logger defense_evasion discovery infostealer keylogger spyware stealer trojan

Malware Config

Extracted

Family

hawkeye_reborn

Version

9.0.1.6

Credentials

Protocol: smtp
Host:
mail.nokachi.rs
Port:
587
Username:
[email protected]
Password:
Proizvodnja2018

Mutex

c9ac8604-645d-4898-8da0-95fd2ddef895

Attributes

fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:false _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:Proizvodnja2018 _EmailPort:587 _EmailSSL:false _EmailServer:mail.nokachi.rs _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:false _LogInterval:99000 _MeltFile:false _Mutex:c9ac8604-645d-4898-8da0-95fd2ddef895 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null

Signatures

HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
keylogger trojan stealer spyware hawkeye_reborn
Hawkeye_reborn family
hawkeye_reborn
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
stealer spyware m00nd3v_logger
M00nd3v_logger family
m00nd3v_logger

M00nD3v Logger payload 1 IoCs

Detects M00nD3v Logger payload in memory.

infostealer

resource	yara_rule
behavioral2/memory/4740-11-0x0000000000400000-0x0000000000490000-memory.dmp	m00nd3v_logger

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Executes dropped EXE 1 IoCs

pid	Process
4740	svhost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3768	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe:Zone.Identifier	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
5068	msedge.exe
5068	msedge.exe
452	msedge.exe
452	msedge.exe
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
2500	identity_helper.exe
2500	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Token: 33	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
Token: SeIncBasePriorityPrivilege	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe
452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3104	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	89
PID 2004 wrote to memory of 3104	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	89
PID 2004 wrote to memory of 3104	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	89
PID 3104 wrote to memory of 3488	3104	cmd.exe	91
PID 3104 wrote to memory of 3488	3104	cmd.exe	91
PID 3104 wrote to memory of 3488	3104	cmd.exe	91
PID 2004 wrote to memory of 3032	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	92
PID 2004 wrote to memory of 3032	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	92
PID 2004 wrote to memory of 3032	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	92
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 4740	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	94
PID 2004 wrote to memory of 3888	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	95
PID 2004 wrote to memory of 3888	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	95
PID 2004 wrote to memory of 3888	2004	545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe	95
PID 3888 wrote to memory of 3768	3888	cmd.exe	97
PID 3888 wrote to memory of 3768	3888	cmd.exe	97
PID 3888 wrote to memory of 3768	3888	cmd.exe	97
PID 4740 wrote to memory of 452	4740	svhost.exe	98
PID 4740 wrote to memory of 452	4740	svhost.exe	98
PID 452 wrote to memory of 2976	452	msedge.exe	99
PID 452 wrote to memory of 2976	452	msedge.exe	99
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100
PID 452 wrote to memory of 2308	452	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe
"C:\Users\Admin\AppData\Local\Temp\545b31a40f0af2f7ea8bc0f47e40c308fc3b05b575543d2abe6901a1f6598bb9N.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\FolderN\name.exe.lnk" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.lnk" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3488
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\FolderN\name.exe:Zone.Identifier
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3032
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xdc,0x104,0xd8,0x108,0x7ffc85cf46f8,0x7ffc85cf4708,0x7ffc85cf4718
      4⤵
      PID:2976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
      4⤵
      PID:2308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      4⤵
      PID:904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:1580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
      4⤵
      PID:4288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      PID:4160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:2116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
      4⤵
      PID:4432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
      4⤵
      PID:4140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
      4⤵
      PID:2896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,10108081125957363960,14150622400008707320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
      4⤵
      PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svhost.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc85cf46f8,0x7ffc85cf4708,0x7ffc85cf4718
      4⤵
      PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 300
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae2a8f2ebc841509f7b978edf590d3cd

SHA1
91358152e27c0165334913228005540756c35bd3

SHA256
631550765e3db02be0709748c0634a2cfdab711cea94f5890854d0c1dfbcb214

SHA512
e52180dd175f1e6ff72d76400085869387cd70da33919de219a04dc26871e8421e93b22e7c59125c19c6ee54a8a8f742d796ac68ea9077c9dab5f03b80967d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9bfb45e464f029b27cd825568bc06765

SHA1
a4962b4fd45004732f071e16977522709ab0ce60

SHA256
ceb8f1b0aaa1ba575c3704e73fd77edf932d68c8be902b33f1ba3b1d130cd139

SHA512
f87cce8bb5489b56027f5a285b948b639a1c7b0f213a111f057235177e5bffc537627c82586736704e398a0185cf2ad8ba8cdee788531fb753a2d08f16e906c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\12f30c27-53c6-46bd-972c-43d27fb337b8.tmp

Filesize
6KB

MD5
b9a8966dfce92c30e1f1eb5318a8f0ee

SHA1
7c7a0b10ef3b42b3e987a031aa4c1f20a5d22fb1

SHA256
948f15711b6114b577f3a26d5553b9f06c04c9398dc00ba993dfe34fb2db682e

SHA512
2d24655eb8b3a7a00db4316ae42ff9cfb4b432c6d0ce1e483598cf643cd2102ac34d3a11ef9634445074826075074392fb4b9ecbf576e1cf758f13ab57333970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
0128fb25a6a8b0b32139d110253a701b

SHA1
c1cdc41fe5c8c2d28e08f2cc13d567b9e4b48c03

SHA256
70f8e8f5ec8809650e0d5434340d8a7a5752e4abbb66ebdd3f7ee22941ad3f44

SHA512
533fe003ca7b73aef0a0953ed3d253efeaa2ef6cefbfc72d988a7798c2d3053f1dcf0e594688e866e4822de8899d957f890f11dca2728d8d15938a870ccf94ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0e00b7bca15f7e54bcd8a008796a1777

SHA1
fe401e74a13965b852b91f87a60c0d2d0b7d0e0f

SHA256
bab740740dc2843ad27eb28f705954c9785108d337ca8330a1c0b2e22bd41503

SHA512
a21fb5df0ac3871ac5c4ca9a0093d0499862a8bd0726f53ae7e9b8a0e736c9b129e493e8b8654e3310fe48111f23a953c20de46e52681d915909ff5b0bca3b08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5940d83bfd263db20cb88f07b6560dff

SHA1
40a8bfb033e94333453838c9ab94f69d2d4b6eb7

SHA256
5601fb4d6326cf4e9ab85ff28204769c038b421591308c16dd1a2be8352c58cd

SHA512
26af92ab28fb6fa3742f2fe0c4157d5c4cae86829ce414720d237ba62aa6fd42a2145b6e1bba148606e03fc0dc81d6b73f5b9f07339c51b4de7e5b586e483690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
0e9ac1b91e33cb0e5d10bfbe1dda6cc3

SHA1
277eeec8cbf4b0b2703adae10929dd016089aa60

SHA256
68c22d9cce31c707b73bd42c302951d2fe4edb1abc66409a7a483e0619897e15

SHA512
5441aa0a552d3bb49f848df4294fb587123f0595565f6ff02895241b68c412e2cc55477b372c34935fcf158f4ee321327bce424e2d166c88f5b2cce8a1bf8eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585203.TMP

Filesize
371B

MD5
c89a8111d27093e8c00b7653d8b8af08

SHA1
2f51363d82c59a3bb2dc2d3ccd8757584da79b9e

SHA256
6e1f2b0d30aa62ab8637b02b38a4ca4299085f94a686a7e51cbe83ec4c685b8a

SHA512
1fb63a2d43b588b02e26981e5b10525969b94a3fdc0fb279001906647bbd6bc22fdbcf33d90ff036f5b0aadc9b134b7532e14c34ce8217cbb6ce80f68aaa4f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3b1c709a6f75df7244244f83d1df9622

SHA1
027f8d213caf9b2fa4bf8caaa1de6d035fe0e2cd

SHA256
49af54cc4c3187f8b4c4f12fcf0134960c88072cac0e8e0ecb92b482efe847b9

SHA512
d9edc2a63c62267b975c60b4fc910d2f868be87e7f8d19c498391dc5908187d55440f8a4710666254a7ca93ba9ce068380a99e8bd9cb6e836225c0a52b9d9f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderN\name.exe.bat

Filesize
204B

MD5
bfcbf382f036462e63f307ca4ae280c7

SHA1
ffe98d15fa5ea205220d6bc105e317253a6ea003

SHA256
2c3dd84c3ce3e529117e611d8caf4fc7f5a902840350f4ca524c251a2152c727

SHA512
1b912652cc989541b396df5fd6bf207a4cf4ed891dc6e3223b8d0497c19a2589cb644c4c96ca01d882a7643f240c566966d84e46d77e9ad33e05214f8f553d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
2.5MB

MD5
0a7608db01cae07792cea95e792aa866

SHA1
71dff876e4d5edb6cea78fee7aa15845d4950e24

SHA256
c16336ab32195b08c1678220fbe0256fee865f623e2b32fcfa4d9825fd68977e

SHA512
990a6fa1b8adb6727b1dcd8931ad84fdcb556533b78f896a71eae2a7e3ae3222e4b8efaa4b629ced2841211750e0d8a75ddd546a983c2e586918dd8ba4e0dc42

Download Submit
memory/2004-67-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/2004-18-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/2004-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/2004-17-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/2004-6-0x0000000005530000-0x00000000055C2000-memory.dmp

Filesize
584KB

Download
memory/2004-5-0x0000000074ED0000-0x0000000075680000-memory.dmp

Filesize
7.7MB

Download
memory/2004-4-0x0000000005280000-0x000000000531C000-memory.dmp

Filesize
624KB

Download
memory/2004-3-0x00000000051E0000-0x0000000005272000-memory.dmp

Filesize
584KB

Download
memory/2004-2-0x00000000058E0000-0x0000000005E84000-memory.dmp

Filesize
5.6MB

Download
memory/2004-1-0x00000000006D0000-0x0000000000784000-memory.dmp

Filesize
720KB

Download
memory/4740-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download