a4e4e343cf8b6023977421175f1787a4b01eddfcfe7b142b2cbdcff079315b16

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
Size

1.9MB
MD5

0c6af8ca5ace541a278647550954406b
SHA1

af114a253494f59e91011d854a3c2f0c12f58198
SHA256

320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339
SHA512

047094710f62caea9b63d65cf8894d17490bf0e2366dd0fd141f2a88a9a6a9f7d14f99d8e935f047a6b1896c8f36061bea5568c7d95e9fcb14816096cd9287b0
SSDEEP

49152:Ju5z1o02R2cFB3gwqQXSjewyeCx/DLO7b8Zf05yPmsn:ME03yB3gwqqSKbWe8IN

Score

10^/10

collection discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5OP2bQ4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5OP2bQ4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5OP2bQ4.exe

Executes dropped EXE 2 IoCs

pid	Process
4000	2VW7324.exe
1588	5OP2bQ4.exe

Loads dropped DLL 1 IoCs

pid	Process
1588	5OP2bQ4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5OP2bQ4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5OP2bQ4.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5OP2bQ4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
72	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000800000002323c-5.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5824	1588	WerFault.exe	100

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5996	schtasks.exe
2444	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4148	msedge.exe
4148	msedge.exe
1648	msedge.exe
1648	msedge.exe
8	msedge.exe
8	msedge.exe
2276	msedge.exe
2276	msedge.exe
5200	powershell.exe
5200	powershell.exe
5200	powershell.exe
1736	identity_helper.exe
1736	identity_helper.exe
1588	5OP2bQ4.exe
1588	5OP2bQ4.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe
3712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	5OP2bQ4.exe
Token: SeDebugPrivilege	5200	powershell.exe
Token: 33	5404	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5404	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
4000	2VW7324.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1588	5OP2bQ4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 2928 wrote to memory of 4000	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	89
PID 4000 wrote to memory of 8	4000	2VW7324.exe	92
PID 4000 wrote to memory of 8	4000	2VW7324.exe	92
PID 4000 wrote to memory of 3652	4000	2VW7324.exe	94
PID 4000 wrote to memory of 3652	4000	2VW7324.exe	94
PID 8 wrote to memory of 2136	8	msedge.exe	95
PID 8 wrote to memory of 2136	8	msedge.exe	95
PID 3652 wrote to memory of 1572	3652	msedge.exe	96
PID 3652 wrote to memory of 1572	3652	msedge.exe	96
PID 4000 wrote to memory of 1452	4000	2VW7324.exe	97
PID 4000 wrote to memory of 1452	4000	2VW7324.exe	97
PID 1452 wrote to memory of 4552	1452	msedge.exe	98
PID 1452 wrote to memory of 4552	1452	msedge.exe	98
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 2928 wrote to memory of 1588	2928	320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe	100
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 2456	8	msedge.exe	102
PID 8 wrote to memory of 4148	8	msedge.exe	101
PID 8 wrote to memory of 4148	8	msedge.exe	101
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105
PID 3652 wrote to memory of 4692	3652	msedge.exe	105

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5OP2bQ4.exe

C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe
"C:\Users\Admin\AppData\Local\Temp\320f473e994fdb11ab78274c29f46373fb9beee06fc6d36c4ae088f2205d4339.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:8
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:2136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
      4⤵
      PID:2456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
      4⤵
      PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
      4⤵
      PID:4596
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
      4⤵
      PID:5516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4052 /prefetch:8
      4⤵
      PID:6104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4032 /prefetch:8
      4⤵
      PID:5392
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6428 /prefetch:8
      4⤵
      PID:4660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:4368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
      4⤵
      PID:1804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,4769153376959345098,12861911943021821073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5168 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3712
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:1572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,16062424752855210033,6731779252596961332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,16062424752855210033,6731779252596961332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef8f046f8,0x7ffef8f04708,0x7ffef8f04718
      4⤵
      PID:4552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,3380457160740074791,7238868451392339961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - outlook_office_path
  - outlook_win_path
  PID:1588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:5556
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:6116
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2444
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 3052
    3⤵
    - Program crash
    PID:5824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5352

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x390
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1588 -ip 1588
1⤵
PID:5672

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv DY6gquex7kOdW6kiTyVDvA.0.2
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8a1d28b5eda8ec0917a7e1796d3aa193

SHA1
5604a535bf3e5492b9bf3ade78ca7d463a4bfdb2

SHA256
dfaf6313fd293f6013f58fb6790fd38ca2f04931403267b7a6aef7bfa81d50bb

SHA512
51b5bec82ff9ffb45fee5c9dd1d51559c351253489ea83a66e290459975d8ca899cde4f3bb5afbaa7a3f0b169f87a7514d8df88baaeec5bd72d190fd6d3e041b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
283e9c6938dc2370fd65c01ea48c84c1

SHA1
324ac57063c5297a9bfedcfa12b41b9766e19bb3

SHA256
9c8f7856d4822fbf4052356c0a13c40760538036e75a83e76ab53e1089dd2cbe

SHA512
fcca3c394e755396301d61aea47ec092d63f60eb37f798736ce570520f27910b4e149ed2a3368a46cf6fa4645e17039bbbad6b1b2aae6ca71400a55d4a39ac3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96001d7e7957bd6f856fc9a88c31f9db

SHA1
bd414186263cd518f438bce1864dcc9c3d0d0488

SHA256
de8e95fdc609d4d49c5acae9979960f3609d8b5c8ea92bbca1f84b8a1f57e29f

SHA512
8636d0e806f5bd29f4e2984065c94e6298dd2c9e8f4b75457486f2ccb50f2990e6173ad340e2c1f33285d90968ffc00a3ccee1e2dfd609e29a5dd4bc5d5e86f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
115121827dbc3e7a14acff6333db1889

SHA1
fe883f0e3414f3426eb370198317650e7901cca1

SHA256
c0d77b71daa8b01ea02b902d47b554ce6589d2c757f2aa86b02e0b0bb8e9c7b2

SHA512
d164704bed650d317bf906f3a2b39db79aa3c5af81435b2ef44b2431efc1f45dbc00498192716c7e7fdc89705930d9dac369d23f0795f5f38f696f7fa4eeecdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6834bcce00768e5be5f0be2f0bf5d029

SHA1
5b5093870879e9fa17bbeb0587819b8751494d40

SHA256
8c1d84a0545cff20bfb207d55d08693547dce108840d0b249ffc467e27db4532

SHA512
158a72c23f92c3d1553ea7d0354ed68680b5d366d287755b3944baa08ed144a8bfc7cfd31b31602f01014614d530f44df469d033b63cf4c9b5a53cbe3ffd1eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\2VW7324.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5OP2bQ4.exe

Filesize
1.2MB

MD5
ab812696602745c67219e64b261d236c

SHA1
2ede1b91dc93469214e1cdd59220b70cb6fb8652

SHA256
40908148235975b5961d7057def9967fdaf563c9416cd1824db2f7a6f4928df3

SHA512
e8e5b84aa7319a96ce31b0b12c8a9dac7a5a505a93b931664ad5b4a3ec5b15ffb565545030654d21df640c94d33425ac7cb46af8f8b1eaa5533c6fb53ced26b5

Download Submit
memory/1588-25-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-56-0x0000000008870000-0x00000000088E6000-memory.dmp

Filesize
472KB

Download
memory/1588-42-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-567-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-550-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-463-0x000000000A630000-0x000000000A984000-memory.dmp

Filesize
3.3MB

Download
memory/1588-461-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/1588-462-0x000000000A090000-0x000000000A0AE000-memory.dmp

Filesize
120KB

Download
memory/1588-369-0x0000000000650000-0x0000000000AAE000-memory.dmp

Filesize
4.4MB

Download
memory/5200-194-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-231-0x0000000007790000-0x00000000077A1000-memory.dmp

Filesize
68KB

Download
memory/5200-122-0x0000000006730000-0x000000000677C000-memory.dmp

Filesize
304KB

Download
memory/5200-174-0x000000007F740000-0x000000007F750000-memory.dmp

Filesize
64KB

Download
memory/5200-89-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/5200-195-0x0000000006830000-0x000000000684E000-memory.dmp

Filesize
120KB

Download
memory/5200-197-0x0000000007260000-0x0000000007303000-memory.dmp

Filesize
652KB

Download
memory/5200-176-0x000000006FD20000-0x000000006FD6C000-memory.dmp

Filesize
304KB

Download
memory/5200-175-0x0000000006850000-0x0000000006882000-memory.dmp

Filesize
200KB

Download
memory/5200-204-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/5200-205-0x0000000007590000-0x00000000075AA000-memory.dmp

Filesize
104KB

Download
memory/5200-209-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/5200-222-0x0000000007810000-0x00000000078A6000-memory.dmp

Filesize
600KB

Download
memory/5200-116-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/5200-323-0x00000000077C0000-0x00000000077CE000-memory.dmp

Filesize
56KB

Download
memory/5200-324-0x00000000077D0000-0x00000000077E4000-memory.dmp

Filesize
80KB

Download
memory/5200-326-0x00000000078B0000-0x00000000078B8000-memory.dmp

Filesize
32KB

Download
memory/5200-325-0x00000000078D0000-0x00000000078EA000-memory.dmp

Filesize
104KB

Download
memory/5200-340-0x0000000073690000-0x0000000073E40000-memory.dmp

Filesize
7.7MB

Download
memory/5200-105-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download
memory/5200-90-0x0000000005420000-0x0000000005A48000-memory.dmp

Filesize
6.2MB

Download
memory/5200-99-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/5200-100-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/5200-93-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/5200-91-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-92-0x0000000002A20000-0x0000000002A30000-memory.dmp

Filesize
64KB

Download
memory/5200-88-0x0000000002940000-0x0000000002976000-memory.dmp

Filesize
216KB

Download