lokibot | a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/03/2024, 13:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

$RMQOKEW.exe
Size

300KB
MD5

f52fbb02ac0666cae74fc389b1844e98
SHA1

f7721d590770e2076e64f148a4ba1241404996b8
SHA256

a885b1f5377c2a1cead4e2d7261fab6199f83610ffdd35d20c653d52279d4683
SHA512

78b4bf4d048bda5e4e109d4dd9dafaa250eac1c5a3558c2faecf88ef0ee5dd4f2c82a791756e2f5aa42f7890efcc0c420156308689a27e0ad9fb90156b8dc1c0
SSDEEP

3072:bGSHTJKB/DA8SBV7Nr6JD6u8w/CpLmrCpLmlrudATPTVWZV5wx3nu9B6jFdnp:bGSzYBchvEJD6LpZj+PTa7wx36AjX

Score

10^/10

lokibot agilenet collection spyware stealer trojan

Malware Config

Extracted

Family

lokibot

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Signatures

Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/1420-2-0x0000000005320000-0x0000000005334000-memory.dmp	agile_net

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	$RMQOKEW.exe
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	$RMQOKEW.exe
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	$RMQOKEW.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1420 set thread context of 2144	1420	$RMQOKEW.exe	102

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2727153400-192325109-1870347593-1000\{EF07E99E-CCD7-42ED-BF7D-4E03E5C8B8EE}	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1420	$RMQOKEW.exe
1420	$RMQOKEW.exe
1420	$RMQOKEW.exe
4556	msedge.exe
4556	msedge.exe
916	msedge.exe
916	msedge.exe
2764	identity_helper.exe
2764	identity_helper.exe
3188	msedge.exe
3188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2144	$RMQOKEW.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	$RMQOKEW.exe
Token: SeDebugPrivilege	2144	$RMQOKEW.exe
Token: SeManageVolumePrivilege	5648	svchost.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2144	1420	$RMQOKEW.exe	102
PID 1420 wrote to memory of 2144	1420	$RMQOKEW.exe	102
PID 1420 wrote to memory of 2144	1420	$RMQOKEW.exe	102
PID 1420 wrote to memory of 2144	1420	$RMQOKEW.exe	102
PID 916 wrote to memory of 1208	916	msedge.exe	106
PID 916 wrote to memory of 1208	916	msedge.exe	106
PID 1420 wrote to memory of 2144	1420	$RMQOKEW.exe	102
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4804	916	msedge.exe	107
PID 916 wrote to memory of 4556	916	msedge.exe	108
PID 916 wrote to memory of 4556	916	msedge.exe	108
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109
PID 916 wrote to memory of 3492	916	msedge.exe	109

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	$RMQOKEW.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	$RMQOKEW.exe

C:\Users\Admin\AppData\Local\Temp\$RMQOKEW.exe
"C:\Users\Admin\AppData\Local\Temp\$RMQOKEW.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\$RMQOKEW.exe
  "C:\Users\Admin\AppData\Local\Temp\$RMQOKEW.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:2144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5e4046f8,0x7ffb5e404708,0x7ffb5e404718
  2⤵
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2608 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18038792015358053128,1563062784953347213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:5132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\SearchCheckpoint.mht
1⤵
PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5e4046f8,0x7ffb5e404708,0x7ffb5e404718
  2⤵
  PID:6024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b206e54d55dcb61072236144d1f90f8

SHA1
c2600831112447369e5b557e249f86611b05287d

SHA256
87bf9a4c3564eb3d8bef70450da843ae6003271222734c4d28d9961c52782e0b

SHA512
c9e8d2452368873e0622b002a0c2f8a2714b5897a09475738a9f9740122d716a9f0d3841725230d58e039564c820d32a6f3a675a7bb04bd163bab53dcb4e22f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
73c8d54f775a1b870efd00cb75baf547

SHA1
33024c5b7573c9079a3b2beba9d85e3ba35e6b0e

SHA256
1ce86be0476a2a9e409fcb817126285bc4ad83efd03ee06a2f86910fe18d4d94

SHA512
191344f5830cfea68499bd49073ffa7215a42265a9629d203d07849b2417c0ffdbdbf288bf2c669e91009a0d7e8bd6a6b378c92fc283049141231ca7bf4da3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
da050bf9b6643cd6361e00c71a18869d

SHA1
e94110891686c52bed5893d8036063330539aa76

SHA256
71189a079cc8d1e5309df4a16fe92b080f1326b21c4e266e4707ef248b6d25a8

SHA512
628aa61770a4edd77bdf63f32ac089fd220f1b741c1fb88490e79f945fde78f48622c164191d9cc724035c027d5bf06dfaff96efbb1900cadbf251291be87143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c965734f9998753c2792274a9b2344c7

SHA1
5a8cc62116b9549c11bc5b9f96999bc307cefee0

SHA256
3e66156b1d273d53def5f683fd23f686b33a072368c2a9dbb4e7beacdf16a040

SHA512
23b0bb19e188e875ddf1e595a06405f107a1005aa81183c6d254ad9ef2ee76b2797c9662e5f3f237dcd3956c14f343f38aded4f771f1cc0411fc3b48df8c8a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3643f5b7d73b1c5a793fd4d8d36fae20

SHA1
fc88cfe7970c54af00d473eb3f0774b1a333bb65

SHA256
d5966f79152140af013b60d898de6db49b743e4ef8d9a19ae2cb137a02472aed

SHA512
ee78f311d725a8fdb91d3f91273341c667c1b0263c82a272b925dae062a0094a57c46dac34632fa9e9b3c5b2e5ccf1010b6ddfc60a3814a6aac584ad9d043ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
502b2232285e4ff57259b9b31823f5c8

SHA1
5f8382e3d864a82bfdcc66a2570ba34f76517e57

SHA256
640ed29b4e924fe8ac73cd2956f336ae64e5605e161dc3cc9e9d4407d7184080

SHA512
da2626a94731923b3f9346d48a05a0ae84ea3cb3a0b31612ef60edb0db0688f9d744f6e5eb87a79d1822ae629f8bba57a4beefd27dfc10c65c760e5df34e49d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86a1615b5f21f711e627e5e5771eef6b

SHA1
8bf8ad12ad45b34758642ef6b12a10360f7cb039

SHA256
90f9dd87c7ca4619fa9b72147a5c1e11c8389a2f7b4d839b80e0914549184687

SHA512
b4396373568ec101c3f45ab0a9b109b03ba3f9ba9829c7ce938bc4528f95ad9fc7abe40d877a37ab1683925e9307158e3f0a5edd42673392692a6bc2c8446520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4909248c87cb03a1024779aefdf316fa

SHA1
21c2768fecdb7b598b2224b5fca90f762d57286d

SHA256
5d72a846165bb3be6876f2aedc1c7f9266a21729e303954c5c3ba593efa53011

SHA512
92d8b97393342b603bc05279a5f2ae908ce3268c53f8c8a121e6c69a8d1c31370d436d0499c8b13a0b6171077d4254d1b17a4f251688e284cc9bd7857cbf2843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b1f2fdbd53b0dd9b95744127887a0b99

SHA1
87ab97c3fdcea9f01f71e6d1246eaf41ace9333a

SHA256
305e1144fbb1495c407f85d5c2bca719d1791a660c3b392e8070b29e580bfec9

SHA512
ac75f6fec69a7f31a3e72e1dcf94a36711b2350fdebe86e0d0517a2691f5f185ef7bda0b1275f763156f44aecc42596b02dc86edb7fe865f7f289b359f926c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
926eda6ee53d0f7262bfe92901936d08

SHA1
085c617252365ba06876441832fdeff2c148cffc

SHA256
7ea8a880eda87b07fe28cd1d58041185450af75712db182f9459f018438f859b

SHA512
ed8407ea5ffdb390f4901a6f53537914ca50a6739c3349f14a0c97166facca95b23d4b0d6f736c567edef454a5d9d681bfd845ea06f402fee73ba37366df495a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b47ff8603c2ea6c69064e495ced3ea11

SHA1
690d62c9acf53c928243fa34a3e6366237d73510

SHA256
7ffd58b890bec6346b525817ea63b09fc55e03584a16a3e8951b34f3b64ca5b2

SHA512
e27e1649ee1a320dba950b310498da13dfaa53455ed2117d0feec52f04ad4457e0c7842a2b58dde0012f04e3b426ee672566a525cb884f5906f51e287035ef9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64a40f50c5d46c7dc9ecdc09e5ab29d8

SHA1
c598ac2ebfb69462822948f05d9a0014a06242a0

SHA256
e6420c557c608bbd6418700d7409e08747e999d9e99e550d9bf96d33d7e50929

SHA512
9506915c536353d13dc92eaa1b6b59bff05a7ab6b863cd0ac23c2239766c91579e199668c917da5bd38e3a33d7d948900f1ddb39884d97438b61acdc337a05ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bae64d60666312f3bbd5abd4da066f25

SHA1
8336ec485cf816a999238b0299d776b674f4d374

SHA256
20a26307a988c1465a521f7be2d1918ba65322b47f063ca04e3cb3a625a14651

SHA512
11b20b88287b9221672fa1b1b9bfcd5cb592002a3edf8b60827a29130a4683c02d1a78bfcd203a04243ab8aaf1c38f52edb615091525fa31e272c5c3f2b31a19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a8be.TMP

Filesize
538B

MD5
d36e3bdfe974d211585f33bded02ac17

SHA1
40105d7c47dba3d7be9f484b40cd225c247ab902

SHA256
c41bca0eba5e65336387d4389f545dd567beeb6010781f8808294f3491770abc

SHA512
2b93f854314f74a273ee17f548ac6d5c0d647094e1e64c885bcd7399e8056e6d305075734f9a67e8062e93109b6548a92ab06a9db94287c0cacb5fa6d1df2066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b8adb6d9-6bd0-4f7b-8895-e362c2b50c97.tmp

Filesize
1KB

MD5
bc2a0064630e61e668f283b85bfcfccc

SHA1
1134692f1a7f4bb0def666f0a16eda8547dae6f0

SHA256
7623c0df68897c6391b95164034c364a4e252570bd9a5baf083013a5dfd5bea6

SHA512
af2d85de855a15a48461574085a0c3ed6d07a157d4033692fb3e6fbaf912758b29fb7de61f9e76daa180d935434c56b176b9ba48303cd82a8f70903b9d32b604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82abc4559b6254f760aca8a57f30ca2b

SHA1
e22295dbab6ea3875899d56d64ddd948a13a4dba

SHA256
fdd912e2529f993a7e079daac5f481ee6b165534cd05adcb856047636e80e775

SHA512
780341980366fe3f4a5fc2f9f5c57525b89e603947cda6a9458e247f8e73f610205bc3148c4c162fe5bc0d188533e9fd02928e3333dd318aead55e27af1c5c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
86c8f3bc9e6b46ce7acd1359a58011aa

SHA1
66eb63b4941301a9a48a4694a3af26bf12802496

SHA256
a84f65e3a625aa2da230528fc5c52b7fec0e5770a91d0f018dbe83cd7ff57216

SHA512
7ac96e305ffd6190a608e30d4675bc7b4709fc769721d8e122b03856ec4be0adf8b67422078b432078bc01123f43a81b7ffd6b03f45fe33bf47cd56ddde08bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b21835fb85dcaec220e8f492af180b9a

SHA1
3b15fd1186f7f229360dab9ebf43921caa515c0f

SHA256
1fc0feb5e0c39d963bf912ffb604a09edf0923bd50b84ef570ed85b8916d1a5c

SHA512
6b2905fc0e65c1552b0a0248d9e3cbf3bc25518d63d21b94376c59b20222935aa50fd6bcd36cda2e0229f34033a0a9f1440b353eab798f397806a5905751f05c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2727153400-192325109-1870347593-1000\0f5007522459c86e95ffcc62f32308f1_fd53e311-4742-43c9-a8e2-ced45f79c52d

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2727153400-192325109-1870347593-1000\0f5007522459c86e95ffcc62f32308f1_fd53e311-4742-43c9-a8e2-ced45f79c52d

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
memory/1420-6-0x00000000061D0000-0x0000000006262000-memory.dmp

Filesize
584KB

Download
memory/1420-5-0x0000000005510000-0x0000000005518000-memory.dmp

Filesize
32KB

Download
memory/1420-1-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-2-0x0000000005320000-0x0000000005334000-memory.dmp

Filesize
80KB

Download
memory/1420-3-0x0000000005A00000-0x0000000005FA4000-memory.dmp

Filesize
5.6MB

Download
memory/1420-11-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-10-0x00000000064B0000-0x00000000064D2000-memory.dmp

Filesize
136KB

Download
memory/1420-0-0x00000000009F0000-0x0000000000A42000-memory.dmp

Filesize
328KB

Download
memory/1420-8-0x00000000061C0000-0x00000000061C8000-memory.dmp

Filesize
32KB

Download
memory/1420-7-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1420-9-0x0000000006330000-0x0000000006374000-memory.dmp

Filesize
272KB

Download
memory/1420-37-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1420-78-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/1420-4-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/1420-12-0x0000000005540000-0x0000000005550000-memory.dmp

Filesize
64KB

Download
memory/2144-559-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2144-74-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2144-77-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/2144-193-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/5648-327-0x000001C045050000-0x000001C045051000-memory.dmp

Filesize
4KB

Download
memory/5648-328-0x000001C045050000-0x000001C045051000-memory.dmp

Filesize
4KB

Download
memory/5648-329-0x000001C045160000-0x000001C045161000-memory.dmp

Filesize
4KB

Download
memory/5648-325-0x000001C045020000-0x000001C045021000-memory.dmp

Filesize
4KB

Download
memory/5648-309-0x000001C03CD40000-0x000001C03CD50000-memory.dmp

Filesize
64KB

Download
memory/5648-293-0x000001C03CC40000-0x000001C03CC50000-memory.dmp

Filesize
64KB

Download