pandastealer | hxxps://drive[.]google[.]com/file/d/15SC86gG8AepffXhD7HKVHz5hQgZLoMQs/view

Analysis

max time kernel
149s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
22-02-2024 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/15SC86gG8AepffXhD7HKVHz5hQgZLoMQs/view

Score

10^/10

pandastealer stealer

Malware Config

Extracted

Family

pandastealer

Version

1.11

http://cocojambo.collector-steal.ga

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a86c-278.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1101742937-4171729779-750941522-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Discord Nitro Generator + Checker.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
4324	msedge.exe
4324	msedge.exe
4120	msedge.exe
4120	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe
788	identity_helper.exe
788	identity_helper.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
3368	msedge.exe
3368	msedge.exe
2972	Discord Nitro Generator + Checker.exe
2972	Discord Nitro Generator + Checker.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe
3860	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4032	taskmgr.exe
Token: SeSystemProfilePrivilege	4032	taskmgr.exe
Token: SeCreateGlobalPrivilege	4032	taskmgr.exe
Token: 33	4032	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4032	taskmgr.exe
Token: SeDebugPrivilege	3860	taskmgr.exe
Token: SeSystemProfilePrivilege	3860	taskmgr.exe
Token: SeCreateGlobalPrivilege	3860	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4032	taskmgr.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
4324	msedge.exe
3860	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 4772	4324	msedge.exe	79
PID 4324 wrote to memory of 4772	4324	msedge.exe	79
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 4472	4324	msedge.exe	81
PID 4324 wrote to memory of 3972	4324	msedge.exe	80
PID 4324 wrote to memory of 3972	4324	msedge.exe	80
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82
PID 4324 wrote to memory of 3516	4324	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/15SC86gG8AepffXhD7HKVHz5hQgZLoMQs/view
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffecd633cb8,0x7ffecd633cc8,0x7ffecd633cd8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1316 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,13396754068400033158,16084329697561001321,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4168

C:\Users\Admin\Desktop\Discord Nitro Generator + Checker.exe
"C:\Users\Admin\Desktop\Discord Nitro Generator + Checker.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2972

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
9e466b4837d8431be725d6b9c1b4d9ef

SHA1
3f247b7c89985a41d839cad351cd0fc182fcb284

SHA256
2f9a5eeb5ac8cec52a3e73621e4d392f501f5d657dfec3215ccd40eec317208d

SHA512
01de0fda555d63b5c38339b0f6d38c28de2a882643439679e63cf5d75f13516b57dc90e8dfb8c638bda328fc12342e58d1e501acec8f85b92dbd5589dac06418

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
960B

MD5
16846df493521e84fe47cd6b6451ec8f

SHA1
6d99eb017c5aec08d3a7e908bbd4a051ce250c02

SHA256
69f19f2ab2f3625faca623477864766ab1ef3a21712bc892d7b2b0886585b3f9

SHA512
aefa5121601b8273cff6b79b7f76417c71e29e835b66faf3e1a67d0d38fb9ebe90320b75493fd5c4a2d9ea3e3c485d0a84bcdbfb78c26a8ecee3175cd8bd93cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a91469041c09ba8e6c92487f02ca8040

SHA1
7207eded6577ec8dc3962cd5c3b093d194317ea1

SHA256
0fef2b2f8cd3ef7aca4d2480c0a65ed4c2456f7033267aa41df7124061c7d28f

SHA512
b620a381ff679ef45ae7ff8899c59b9e5f1c1a4bdcab1af54af2ea410025ed6bdab9272cc342ac3cb18913bc6f7f8156c95e0e0615219d1981a68922ce34230f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
601fbcb77ed9464402ad83ed36803fd1

SHA1
9a34f45553356ec48b03c4d2b2aa089b44c6532d

SHA256
09d069799186ae736e216ab7e4ecdd980c6b202121b47636f2d0dd0dd4cc9e15

SHA512
c1cb610c25effb19b1c69ddca07f470e785fd329ad4adda90fbccaec180f1cf0be796e5628a30d0af256f5c3dc81d2331603cf8269f038c33b20dbf788406220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
c08aaa6959c301fc3d62a383173af57e

SHA1
14c675dabeb4c086b7dbc77c88abb1098355c3fa

SHA256
3207a8e4016b6fe5539bc051982cd1f2388b1cf9e9ee32852d9a54134af79c2a

SHA512
635318e1364084296ec97b943715350b41ba23af733747b3ff95d183dd71c0e714d36483356bd4a06220e5ab2222e469f818ef9d31298a1b88016d61ea61082c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
36e7f705e9851e9d552d542bf918236e

SHA1
be161a76c70e66d8206ca04ca33debc0f4ad18de

SHA256
c634c6be6dd1efbf5c194a6e9824ca282e2f2779d609ca8b43fa273662783e78

SHA512
fa7bbe0dcda32a56af08a98fe0c35b06c357ef3d6f0a50e6b6c68a0234c816d441105336f170325844b55811f91df1a88722259361748d6a4066c0e8c7aab406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
438a4efc7981490e2f65baeb85aac9ea

SHA1
626f72e506698194f2efc912d54c69afae704f0b

SHA256
74232406cad67f178dde92c1d058c0d6f8ab0e55b68e2521c5e831d332d1d1d7

SHA512
3ec759a59fb467c75db469b6fa7add4fa1e38dfd78b0f92f64334913c61757cfcc0acfaca67bd0fda1e103b85609fceb6f96f2cb9dc46163d162b57ee00d2dc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
cee254612868681b912bb2c2dcac10dd

SHA1
b100024c898118b3af2fddbbc47ce2bfa6fae50a

SHA256
2178a35f6b5db822efb934b8c5f65765696aa31580225f04971253570d365bdb

SHA512
b259f36f84020fd1910b440c37bce3c070f1bb48a17669c51455e4f8d606f6ac968af82be9ff6d5e3b1fb23533ed6b2283f4fd1bd8b3f8788c99f4c3d5688aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2182b8ff2477adc440c6032bb69341b

SHA1
66aa2a3a71ebf483ef5a4cffb906a765ae9ea3eb

SHA256
eed834a837049e44f56152586abef7f8d0e3c5b03025bd94eef3456c9b898671

SHA512
e406e6c9584e16997f7215ed40bc8cbdd447a8c7d1772426c158fb9129c0cf37569ebc18b3c6fadb96125465419128b971dd19f891c6022cdc011f21681fccc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ed6a049de7461b4c1f1dffe383dc40a

SHA1
8b20f1729a0217a3ebe99161a1047080f53cd5b3

SHA256
29e8836788bff89584857dd2cec3ef6c51c96161748ade45910545c494787738

SHA512
d6a2953c220c4783aa4ed705667ccf0d76f7e7760e628b0d1364245ea0b612eb63c073b4af1a5d320f92fd101ba186d26ab7f7e04ecc8867595408c20cdf28f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab827a2f63d5e6492c489870d473a958

SHA1
9344a0d58d9607c50710d77c5ae07a74f67db024

SHA256
5ca341bfe9d24a7182f4781d5ebae54205826c7cbd21732ca3a8dd8395515e67

SHA512
40d33787f5fd11234d8c4e9ad52be2ce1c28a9eee5b68a944b48408f2b2799260f8c3f194dded79426e18d642705052a28048802e89ac7c628bbdef5b0a0f996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f0bb625fd37f03a0544c29ce8d48d9c

SHA1
da9a7222d3e96ab4962f761f9f398f6042f4b348

SHA256
1d3b5b08e1a4323c1a0d7ed2d608cbc25bb4a7bfc306d187c6da6f3d7b098280

SHA512
b3e2f50fb7fbb9658dfba8727e612f5613dcc7403e8700c4bf517db8aa57474b083996925ee365dce203c2658bf797015172b6e98d8daa2b3b074abd9f8fa2e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a82f7df9df363fe6188a240c154daf6

SHA1
8b7b4d952dd44593cee9497d76e3fcf031350821

SHA256
ddb18a4649a4d2a4c1ce71c0e377aeb9f6dc334714e6872d1b2ce180a25aeb7d

SHA512
137f0630753088745df33f359b0482c0aab013707145d7d809c576f1045e5fe2ec187bb534c4c5c1afe7933f75fcfd6cd7385fb5b865978feaee4d6ec9e424fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cd1b8d4d066ccc09aa994c915292795

SHA1
c4d926ef30d05f1a715960e92c54d0621dd0ea68

SHA256
acd39c78396a3ac292b811767d5e0194555c9ce940e54e7c7023eccfc58c660b

SHA512
d4cf4ee33317f629bd89876fc2ede0ca2e687729cf1e90ee633376a851a1f80cc9c1f7fb734ed2a9d7480370e3410a26a28217abc1dda755cb1919f68b2860f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d2c102f49b66bdeeecdcc9bddfa12ad

SHA1
bcf510adc95ddf4e250f47d7f569d670592544fe

SHA256
17905668f71d652decb1fde8eb18a83d6ec6857ddd0cecf5cd16d55609031077

SHA512
0987cdef061d388de998e993457b0890358d05d68c55f6a3dca4fb56f3be438a30154476774e828b37c40b7afe472e12ac28813dda88ba263fb26e31bd22d857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
95eedb35215249c13a7c3ea965c68549

SHA1
e0d7b67241a0c2e1e14cdb3315927bee50b77866

SHA256
b96dc1a28c16a3bf3e5588f66527ca3d1d254d01a67b585a3d97b5135a3d071f

SHA512
c5df0a91a8c2702f224e8070667238a7aea175542b2cefce3f4fa7219423180020b9997137d57d357c4f54454f2c6919573a54f643c79ccac3e74f02fc887707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
8445d8ab94a6b6679694fd08c69a6992

SHA1
db89d80cc3e72f24ec541a36c4e51abff149ae78

SHA256
ead9155d4b3088d8c61230458788d6da412b593c2a789afbe390398071d54cf0

SHA512
ba2f21dc8cbf7dc02fec7df6eda52531defe9f1e64d73c52d43b54b2566f3e1ee428ae94ee78ce20a6f8943d7310e860b89f11e168cd40fae518c49a167cf133

Download Submit
C:\Users\Admin\Desktop\Discord Nitro Generator + Checker.exe

Filesize
681KB

MD5
326ec775fb8fa48082c18248864674e8

SHA1
062751ef1949f75f25a23e278e18a1105b9149fa

SHA256
88b0a2344d8c7433afb364f5d0fb67301ddb6948613a4cb3a9e023e7b2080d82

SHA512
cea1e2f0b5ef81818e1c0958ad37d56cf89f532fba1e2bef2047129a9421e3bc66eff7682f69dd2f46dd5b67715ccb373b19cd9c0831b62b2344a5d803478379

Download Submit
C:\Users\Admin\Downloads\Discord Nitro Generator + Checker.zip:Zone.Identifier

Filesize
173B

MD5
d99a738b129cad7f1f2c6b0ac8060701

SHA1
88b0e62a818028edc25a7a6d5f02c16bf30bde0e

SHA256
40742e17d1d694e607a1df208ae4167a99b5de2d88dc36155234a6ddfa9cb85e

SHA512
587f9a6e9b05e7ac09f8c6cac64c88b7f1736258bb78feb78bb67029152770917a3805d6272e4bcfc1079f001ce50f36005a63c72637d0d43c783a985e16973f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 290932.crdownload

Filesize
367KB

MD5
6d037001b224adbafb9203e28412528a

SHA1
060162104120846e031a246cf7d602e2803c4e94

SHA256
11509d1c300588a8176d444e1d9971db236ec3a040d57706e54a6eb8a58271ed

SHA512
4c8d2972e875414527566bc64d407dcc59974c513dd996f3f43df052d6daa9cf8531a6b1b1014978863bc80c7d273ad6bffbdec3888193eacc7749a47fa1d4b5

Download Submit
memory/3860-263-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-272-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-273-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-274-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-262-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-264-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-271-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-270-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/3860-269-0x000002B287930000-0x000002B287931000-memory.dmp

Filesize
4KB

Download
memory/4032-107-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-108-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-109-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-110-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-113-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-111-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-112-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-103-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-102-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download
memory/4032-101-0x00000217B4400000-0x00000217B4401000-memory.dmp

Filesize
4KB

Download