hawkeye | 2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f

Analysis

max time kernel
162s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_c521f79249320c77b5b20007f871fbb1.exe
Size

951KB
MD5

c521f79249320c77b5b20007f871fbb1
SHA1

8b772e27c77fd4880b79fe8466bff21e21e1aa2a
SHA256

2cd607fb44480b61c90e5107a3131231936c99a7b766dbed4df4c6fed325ae0f
SHA512

f471c23576f61e2066e09c44ae3beab374153fdafebfb6cc03e140942c15d3fa273394848dd3a4ba0bd07c7883b678d0d2dcbc1be1ea5a381882b101e55107bb
SSDEEP

24576:9Sr69b1sIzdkdUDuCppG/HNs2HRT3s4ni4gSUf4:B9b1xdySu84lsMRzVniLw

Score

10^/10

hawkeye collection keylogger persistence spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
webmail.congtydirect.com
Port:
587
Username:
[email protected]
Password:
Fest@@21

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4612-78-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4612-82-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4612-80-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/4612-94-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 5 IoCs

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4612-78-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4612-82-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4612-80-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral2/memory/4612-94-0x0000000000400000-0x0000000000458000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1620-38-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1620-40-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1620-42-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/1620-44-0x0000000000400000-0x000000000041B000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 5 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	MailPassView
behavioral2/memory/1620-38-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1620-40-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1620-42-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView
behavioral2/memory/1620-44-0x0000000000400000-0x000000000041B000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	WebBrowserPassView
behavioral2/memory/4612-78-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4612-82-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4612-80-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView
behavioral2/memory/4612-94-0x0000000000400000-0x0000000000458000-memory.dmp	WebBrowserPassView

Nirsoft 9 IoCs

resource	yara_rule
behavioral2/memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp	Nirsoft
behavioral2/memory/1620-38-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1620-40-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1620-42-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/1620-44-0x0000000000400000-0x000000000041B000-memory.dmp	Nirsoft
behavioral2/memory/4612-78-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4612-82-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4612-80-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft
behavioral2/memory/4612-94-0x0000000000400000-0x0000000000458000-memory.dmp	Nirsoft

UPX dump on OEP (original entry point) 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023146-5.dat	UPX
behavioral2/memory/4948-6-0x0000000000400000-0x000000000045C000-memory.dmp	UPX
behavioral2/memory/4948-21-0x0000000000400000-0x000000000045C000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
4948	M.exe
4028	M.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023146-5.dat	upx
behavioral2/memory/4948-6-0x0000000000400000-0x000000000045C000-memory.dmp	upx
behavioral2/memory/4948-21-0x0000000000400000-0x000000000045C000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	M.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	VirusShare_c521f79249320c77b5b20007f871fbb1.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	whatismyipaddress.com
37	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 4028	4948	M.exe	87
PID 4028 set thread context of 1620	4028	M.exe	91
PID 4028 set thread context of 4612	4028	M.exe	108

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	M.exe
4948	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe
4028	M.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	M.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4948	M.exe
4948	M.exe
4028	M.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 4948	448	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	84
PID 448 wrote to memory of 4948	448	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	84
PID 448 wrote to memory of 4948	448	VirusShare_c521f79249320c77b5b20007f871fbb1.exe	84
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4948 wrote to memory of 4028	4948	M.exe	87
PID 4028 wrote to memory of 4152	4028	M.exe	89
PID 4028 wrote to memory of 4152	4028	M.exe	89
PID 4152 wrote to memory of 3264	4152	msedge.exe	90
PID 4152 wrote to memory of 3264	4152	msedge.exe	90
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4028 wrote to memory of 1620	4028	M.exe	91
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96
PID 4152 wrote to memory of 3472	4152	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_c521f79249320c77b5b20007f871fbb1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffcd33046f8,0x7ffcd3304708,0x7ffcd3304718
        5⤵
        
        PID:3264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        
        PID:4904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        5⤵
        
        PID:3472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
        5⤵
        
        PID:3800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
        5⤵
        
        PID:452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
        5⤵
        
        PID:744
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
        5⤵
        
        PID:3748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4756 /prefetch:6
        5⤵
        
        PID:2100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
        5⤵
        
        PID:1844
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
        5⤵
        
        PID:1312
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
        5⤵
        
        PID:4868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
        5⤵
        
        PID:5040
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        5⤵
        
        PID:4156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,5177812048164682178,18008828525823207481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
        5⤵
        
        PID:2416
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      4⤵
      PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
132880b68ac4fe2a3020bbee8f8e9671

SHA1
64b8a2c66d40ac41562ea7e03d12bc82e0a0fc53

SHA256
f3b7a360554934463cd0373907fd5ba2bd9b9b2ece9b93bc3fab0f73221e7d0a

SHA512
40bb0e8c83bd27d1a323331ea449ad3d54f4d18b9ca917fbd54b43ecbfce2f0ad5716f1a6c80cf7f4074557a13a694f57da6f4e5afb33102b8680d94b2b87fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
932ad538f5b3e77ee7b6ce57099db404

SHA1
7725169188596f48d425e7c6f6ce7efa72ce2441

SHA256
65d9d27b710669c6455dda36603bb3adf52b8519bdde0a1010ec7355003f9856

SHA512
450ee1227dcfe36416b32d395fe952eea024c57dbb89a5bae16f74a04fe24ed09e7f0b948fe7d0bacd0bbd34b320e9a8ee71373002f3ff33a3b4eeed5294a257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cbc6230fd0f07d49681b18e78a89f6be

SHA1
b60af397dd3912fb7671b5fdce2054c709c1347b

SHA256
a9d44d68bc6027a39849bc86062217763b267134b33582c65a7f69c204f37735

SHA512
00881114f87e543ea0687639a6de2771ff08814a9285a01bc9c9b741c39324b18df057d89a264b5de68fc06331d09130118d2f6da6574dea47130f7c44d5fbcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5b2396086fe8502e61dcff071307ac3f

SHA1
9c6ed1c49e10ab85b6271d3f5f3ed9c0cb1ba94c

SHA256
ae00fee9823dd2baebde49c0a85b72d46782cb1a753d30dd8b6b4cb8687553f6

SHA512
95c54c9c64ebd573463d8bef30a64e0c35f5c57520fa7ac0dca01483562ac3a4a35ee413ada6c1a36a1a4e330864877c92ee0917ed0c0d44552469d25cba2f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BFile_1.pdf

Filesize
76KB

MD5
a044a4eaea50ac33f65fd614f4b78509

SHA1
f4c1d9a86ee7769492293508f650f67dc3c523f7

SHA256
8f9c44049129703f3d6d3beeff6ac8d576df276a56e8f7f85c86beda912ed8c4

SHA512
9fbeae185958d0c7868bc21fd08220cc8e1f6aaa6cea14ffbb257a93355ba043e294be25ae40c8f80d75563bdd1f9cec3f29afa944b3cac11664ec4b066822d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.ex_

Filesize
749KB

MD5
aa9da8f4f5e434d8449c17efccebef5e

SHA1
99487070bb0da9e0c2df138b111e9bebc2a271f2

SHA256
16b6bdc384d7b4821d541eb40f1be8c3ca2b027b9a329e77eb4c13800b3e8ec2

SHA512
768fb0d93c91ad868f7b2cfc0fc67ce2e20293e40ec1e4216bb805232a2f02cdfd3ec225c29c40bed6c4f505aa35b788f5291661b99d2773c24d395c825ef0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
104KB

MD5
7bae06cbe364bb42b8c34fcfb90e3ebd

SHA1
79129af7efa46244da0676607242f0a6b7e12e78

SHA256
6ceaebd55b4a542ef64be1d6971fcfe802e67e2027366c52faacc8a8d325ec7a

SHA512
c599b72500a5c17cd5c4a81fcf220a95925aa0e5ad72aa92dd1a469fe6e3c23590c548a0be7ec2c4dbd737511a0a79c1c46436867cf7f0c4df21f8dcea9686cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\M.exe

Filesize
140KB

MD5
bc9932d562808f046db8cf2d225b317e

SHA1
50827e282cb74b846b8ef79ccd3f5887e3a941f2

SHA256
49a50d91166a62cb0c1454d015af0b5b98ea86702c9e88c21f6e5775517571b7

SHA512
d46153b9d0260a076fd6247de14325b2f76d7537139677af927427fab23852258634b525a1e3e31e19456a04a5c58527ac351f44b475c2eb984294b30b0efa22

Download Submit
C:\Users\Admin\AppData\Local\Temp\holderwb.txt

Filesize
3KB

MD5
f94dc819ca773f1e3cb27abbc9e7fa27

SHA1
9a7700efadc5ea09ab288544ef1e3cd876255086

SHA256
a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92

SHA512
72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

Download Submit
memory/1620-38-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-40-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-42-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1620-43-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1620-44-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4028-23-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/4028-22-0x0000000073CC0000-0x0000000074271000-memory.dmp

Filesize
5.7MB

Download
memory/4028-36-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/4028-33-0x0000000073CC0000-0x0000000074271000-memory.dmp

Filesize
5.7MB

Download
memory/4028-126-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/4028-17-0x0000000000400000-0x0000000004B18000-memory.dmp

Filesize
71.1MB

Download
memory/4028-37-0x0000000073CC0000-0x0000000074271000-memory.dmp

Filesize
5.7MB

Download
memory/4028-27-0x0000000006860000-0x0000000006870000-memory.dmp

Filesize
64KB

Download
memory/4028-24-0x0000000073CC0000-0x0000000074271000-memory.dmp

Filesize
5.7MB

Download
memory/4612-94-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4612-80-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4612-82-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4612-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4948-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4948-15-0x00000000022C0000-0x00000000022C5000-memory.dmp

Filesize
20KB

Download
memory/4948-6-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download