darkgate | 3b9834e0526112969e152073bade66f606fb9b81c5d06b8ae0bf52b74dbce947

Resubmissions

07-03-2024 15:20

240307-sqx1dsed53 10

07-03-2024 15:08

240307-sh1rbafb41 10

Analysis

max time kernel
141s
max time network
142s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07-03-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64.msi
Size

5.8MB
MD5

9c02a9298b97fcfc5a75fbedf08002bd
SHA1

2d3bc2856c015914f2856331a0315298f3c34b0c
SHA256

693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a
SHA512

fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc
SSDEEP

49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

prodomainnameeforappru.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
443
check_disk
true
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VzXLKSZE
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral1/memory/3140-106-0x0000000006340000-0x000000000669C000-memory.dmp	family_darkgate_v6
behavioral1/memory/3140-111-0x0000000006340000-0x000000000669C000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
568	ICACLS.EXE
4400	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	8	msiexec.exe
3	8	msiexec.exe
4	8	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFF0E025DD468E92E2.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8F7994CB-D53E-4E42-B335-CF29C4D0CA5C}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE135389FA0E8D89B.TMP	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e57755f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD6CCA222515EB065.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF1F65598615BAEBE.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7639.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e57755f.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4432	iTunesHelper.exe
3140	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
4036	MsiExec.exe
4432	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ee1015b08c64d8bd0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ee1015b00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ee1015b0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dee1015b0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ee1015b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4488	msiexec.exe
4488	msiexec.exe
2016	msedge.exe
2016	msedge.exe
2564	msedge.exe
2564	msedge.exe
1924	identity_helper.exe
1924	identity_helper.exe
1136	msedge.exe
1136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	8	msiexec.exe
Token: SeIncreaseQuotaPrivilege	8	msiexec.exe
Token: SeSecurityPrivilege	4488	msiexec.exe
Token: SeCreateTokenPrivilege	8	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	8	msiexec.exe
Token: SeLockMemoryPrivilege	8	msiexec.exe
Token: SeIncreaseQuotaPrivilege	8	msiexec.exe
Token: SeMachineAccountPrivilege	8	msiexec.exe
Token: SeTcbPrivilege	8	msiexec.exe
Token: SeSecurityPrivilege	8	msiexec.exe
Token: SeTakeOwnershipPrivilege	8	msiexec.exe
Token: SeLoadDriverPrivilege	8	msiexec.exe
Token: SeSystemProfilePrivilege	8	msiexec.exe
Token: SeSystemtimePrivilege	8	msiexec.exe
Token: SeProfSingleProcessPrivilege	8	msiexec.exe
Token: SeIncBasePriorityPrivilege	8	msiexec.exe
Token: SeCreatePagefilePrivilege	8	msiexec.exe
Token: SeCreatePermanentPrivilege	8	msiexec.exe
Token: SeBackupPrivilege	8	msiexec.exe
Token: SeRestorePrivilege	8	msiexec.exe
Token: SeShutdownPrivilege	8	msiexec.exe
Token: SeDebugPrivilege	8	msiexec.exe
Token: SeAuditPrivilege	8	msiexec.exe
Token: SeSystemEnvironmentPrivilege	8	msiexec.exe
Token: SeChangeNotifyPrivilege	8	msiexec.exe
Token: SeRemoteShutdownPrivilege	8	msiexec.exe
Token: SeUndockPrivilege	8	msiexec.exe
Token: SeSyncAgentPrivilege	8	msiexec.exe
Token: SeEnableDelegationPrivilege	8	msiexec.exe
Token: SeManageVolumePrivilege	8	msiexec.exe
Token: SeImpersonatePrivilege	8	msiexec.exe
Token: SeCreateGlobalPrivilege	8	msiexec.exe
Token: SeBackupPrivilege	1572	vssvc.exe
Token: SeRestorePrivilege	1572	vssvc.exe
Token: SeAuditPrivilege	1572	vssvc.exe
Token: SeBackupPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeRestorePrivilege	4488	msiexec.exe
Token: SeTakeOwnershipPrivilege	4488	msiexec.exe
Token: SeBackupPrivilege	1892	srtasks.exe
Token: SeRestorePrivilege	1892	srtasks.exe
Token: SeSecurityPrivilege	1892	srtasks.exe
Token: SeTakeOwnershipPrivilege	1892	srtasks.exe
Token: SeBackupPrivilege	1892	srtasks.exe
Token: SeRestorePrivilege	1892	srtasks.exe
Token: SeSecurityPrivilege	1892	srtasks.exe
Token: SeTakeOwnershipPrivilege	1892	srtasks.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
8	msiexec.exe
8	msiexec.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe
2016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4488 wrote to memory of 1892	4488	msiexec.exe	87
PID 4488 wrote to memory of 1892	4488	msiexec.exe	87
PID 4488 wrote to memory of 4036	4488	msiexec.exe	89
PID 4488 wrote to memory of 4036	4488	msiexec.exe	89
PID 4488 wrote to memory of 4036	4488	msiexec.exe	89
PID 4036 wrote to memory of 568	4036	MsiExec.exe	90
PID 4036 wrote to memory of 568	4036	MsiExec.exe	90
PID 4036 wrote to memory of 568	4036	MsiExec.exe	90
PID 4036 wrote to memory of 1216	4036	MsiExec.exe	92
PID 4036 wrote to memory of 1216	4036	MsiExec.exe	92
PID 4036 wrote to memory of 1216	4036	MsiExec.exe	92
PID 4036 wrote to memory of 4432	4036	MsiExec.exe	94
PID 4036 wrote to memory of 4432	4036	MsiExec.exe	94
PID 4432 wrote to memory of 3140	4432	iTunesHelper.exe	95
PID 4432 wrote to memory of 3140	4432	iTunesHelper.exe	95
PID 4432 wrote to memory of 3140	4432	iTunesHelper.exe	95
PID 4036 wrote to memory of 4940	4036	MsiExec.exe	99
PID 4036 wrote to memory of 4940	4036	MsiExec.exe	99
PID 4036 wrote to memory of 4940	4036	MsiExec.exe	99
PID 4036 wrote to memory of 4400	4036	MsiExec.exe	101
PID 4036 wrote to memory of 4400	4036	MsiExec.exe	101
PID 4036 wrote to memory of 4400	4036	MsiExec.exe	101
PID 2016 wrote to memory of 3896	2016	msedge.exe	106
PID 2016 wrote to memory of 3896	2016	msedge.exe	106
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107
PID 2016 wrote to memory of 3436	2016	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:8

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 93B4BB7E7B01256033EB93DBF45ADB90
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:568
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1216
- - C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\vcredist2010_x86.log.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc95423cb8,0x7ffc95423cc8,0x7ffc95423cd8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,13578176155928388643,13955160382018630693,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
1KB

MD5
4f4655480ce30a0bdda1d6224c2e38cf

SHA1
083c8cfddb4ac31416e79226596035c0f1f80795

SHA256
dfcabceb9d824bc7ce2f3cf91a8086dd0d3efec234f158959788ce81abb656a5

SHA512
d5a3fab43d2cac397aed5bdb4ce1617a921af21c18defc424d168ccc4a39d7b304fea40c2ce04297235c349794409a1e9fe382a249810947af387ae50e67f41e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
1e3ab4a60bad099cafbea5bbe3dd870c

SHA1
49f728ad2c3de9812547a611febf481044db0d53

SHA256
db44dd178be7e49cc34a801018dbc6f0828e62b15ee23aef646c72a6ac93ede2

SHA512
7dbfd6f8126a834b25b8076398b0bba24b16aad7cb32842c2f4baf9bb94828098b47385c845d8bc7257e83ff655566425aca0fdeb13b1017e739292e0015fee3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
540B

MD5
ea7e3c0518afc7a0395ab15b983104a7

SHA1
836cba3f55d2c5bce2d253dc7affcfed6816213d

SHA256
96f5e1bdd0f596a33f276668c3297696570dd9e3f31f5cf74bb9e4054e88e43a

SHA512
ada0dfb27b0be37dbebf7aff31687725be45ed88fe31bc93ab33bfd37647575022b89f6ee3a1a50a59dba58407cd5acc96a7bc30ca75a44abb368a13a0739b8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
fa93e7aa21b8f3c0cef8c92c45980334

SHA1
95efd70b18959726f7cb6798deeaa9c8e3bf54ee

SHA256
2b87d4d67c42fe38eee746cc18a8fbadc2a70a3b98f6393eaee5ef466a061bda

SHA512
50205a0db1e73424ddde5943d9f333d91cca6959abfd9ed58b3599e2bd47ae19e22772df3fbde2e8c1c06643b99ef45bb4a9a86de91aabea6640a1fb9737556a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c3ea95e17becd26086dd59ba83b8e84

SHA1
7943b2a84dcf26240afc77459ffaaf269bfef29f

SHA256
a241c88bb86182b5998d9818e6e054d29b201b53f4f1a6b9b2ee8ba22dd238dc

SHA512
64c905e923298528783dc64450c96390dc5edbda51f553c04d88ee944b0c660b05392dc0c823d7fb47f604b04061390b285f982dfcc767c8168ccb00d7e94e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c65e704fc47bc3d9d2c45a244bb74d76

SHA1
3e7917feebea866e0909e089e0b976b4a0947a6e

SHA256
2e5d6a5eeb72575f974d5fa3cdff7ad4d87a361399ffdd4b03f93cdbdec3a110

SHA512
36c3be0e5fbc23c5c0ad2e14cfb1cf7913bea9a5aeb83f9f6fcf5dbc52a94d8ccb370cef723b0cda82b5fba1941b6a9ff57f77ff0076a2c5cf4250711e3dd909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9c9a0ed64e11d5ec172a1e9c924f41ef

SHA1
347cbed77ef4f6b27e6388d680bfc3a4648d710e

SHA256
a1190487a6e5a6b1fe168c7cfc76076d5b213f7c6e90550d9e75d447d324db59

SHA512
03ae68281135d80a4217bd3eb76268f4670fa76fb9ab710050dff50ba938d53a30fc6e39e442870db1eade6769d86b487c7805057c6492225df5f5f441e265c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6ec50cd02197e41029e2e601d0400e6

SHA1
3ae616ed9e0f42f71f218e905ddd51c4097fd59d

SHA256
908303bac9688dbbe9070d5494770ad89f3da037aeb889b53b84195fa9d2240c

SHA512
e0eb220936aff1d364188c5de235c97fb5d4916cab3776392c687e6f76f12b2aefec08de98d3e87208ff73c1ac6d434f232891b962625547efaa617415bf5a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fad925dbe836d294bdc9b4fd2400b725

SHA1
dd92d81de599f2343f75d671366f88dae60b86aa

SHA256
c4de83b5b958d1fcde574e20c5c657b22379fccf88e44e35152476542d0c035e

SHA512
15d06506bd2648f2c79552b8ea14b82f1f6ea2e0d9de4119e657c4d39e1b5e0b076330e4ef930d6741a9c348405932a630acb2fe74b54480a8e22cc192f8d36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files.cab

Filesize
5.6MB

MD5
a6f0fa38c1ef89290ee787f7577993ad

SHA1
1b03510e8c5a1a3c976086327ebab3c8acc19550

SHA256
599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882

SHA512
9040548c6937e93168e57c1b3d18c20d21702d9632096191bab84929f18de0bce4cc31bb0f178b9d34f9259e6176bc4a8d5b86fe21ceec0b5a24ea2809acc68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files\CoreFoundation.dll

Filesize
3.6MB

MD5
3b81ffed1e2d61f739bb241e395ce563

SHA1
ce08355cb95ab3d1ad177eb641acfa0339ce73d4

SHA256
f049356bb6a8a7cd82a58cdc9e48c492992d91088dda383bd597ff156d8d2929

SHA512
06ee1ca4b102d90bd1390c9e7fefecfa7fd8ebc131a8fd24d76a0aa51655cb254b021ba05ca976910395c08658171f0f8c1f6b1fec0fbc6c9ec5b906fddb606d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\files\sqlite3.dll

Filesize
1.6MB

MD5
0f64a8b96eee3823ec3a1bfe253e82be

SHA1
e47acbb2fb97d05ce5222ba2737a5b0c0f039a0c

SHA256
17158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724

SHA512
4d08d96bfe4ed497ca01d6f76acf1f5138d775b56556923b24e1e86cbd26fd54b6f517c8d3211b80332f90fe46cb77e347280636dc984ded2da8842aff9a5f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\msiwrapper.ini

Filesize
1KB

MD5
542cd385e0e3ca5af55d36ab3593f551

SHA1
f843ba4ae107b774730f030b46b60aed616ed47f

SHA256
988ceed847213d636c0ea2aeb9f1a3216a7cbd5e61f9dd071c71f943f661dcbe

SHA512
a54453c1d3cb6d5f7e16429ccb9a252799c1d91e24bba79b1a322a6add0244629b6ffb03f43ac5a6bd1298a2e5743b373ba4e7655c640f3454b34baddb5a698b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8f985b6a-e18c-437b-9e77-d7b055e84cfa\msiwrapper.ini

Filesize
1KB

MD5
d9a1299c40729f9f0919e96ee9756c52

SHA1
70132e7df6e55f35786788db5bad45ede9caecea

SHA256
3d7cb3c21abc9450d206928dc4dc9b877ac488a1344d2034aa13c21d1d547698

SHA512
035c550a2aa80f90f76a4c60e5e274edce1d48066b8ee8ce5c6ea10c3011bbbd108f6a399b775913dc31cc473e3961d1f391ee47061ec2dbbdddbef4e8f5392f

Download Submit
C:\Windows\Installer\MSI7639.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
daf979198a1b2efd6f4739fadf3a95e4

SHA1
bc793f8dd5db71fa72a0f35c1d0d9e1fcb8d81ec

SHA256
33dcdbc820f6c8902036b60ade1fbb1e7624aa87ff32c0da21987bd427823cf7

SHA512
17b48c8f96af2f92ef02f96e26db03934fb433d78735dc7191b950587a877d4b64eb40dbe8f72fd818a978fec41c6d89b6e605d5f579bc40d771b1ffeb560f54

Download Submit
\??\Volume{b01510ee-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b84ba43c-fcda-4dee-bb35-bde718efe48b}_OnDiskSnapshotProp

Filesize
6KB

MD5
3af041911a33fd89b2a41312be518a56

SHA1
fd5922c695585f4453868c805ff82cda1c15c8fd

SHA256
453c86060703bb3ebe0a7f41c7a9f1132ee4bca64a23fa4e778e359c6db6f029

SHA512
0892b93dad87f9e20896a5bb38ae6b9ddf7d37d4d6fab835fddddf85b26186ff42d2ceb78b4f8a7e09d23c1997de39257b3665e2632385d3872e983de430d56b

Download Submit
\??\c:\temp\script.a3x

Filesize
473KB

MD5
33ca8bc4ac593027fd3e83ba44be54fc

SHA1
07e2e129a5b0a694d38ac29bc21f74eda100519f

SHA256
2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236

SHA512
05f6f03e69a7d31686f422e422d61161bde45173a6453fdf0392a7a084c9bd69c7c0ed11eb7a37281481eea14497e95c51dfaded21e2ff943fee3f371592db61

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
e0cb113b19ce53ef7b72edbb0a4937dc

SHA1
2499a76ad9ec4a44571bfd8083e09b23373f9f69

SHA256
03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

SHA512
0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

Download Submit
memory/3140-111-0x0000000006340000-0x000000000669C000-memory.dmp

Filesize
3.4MB

Download
memory/3140-106-0x0000000006340000-0x000000000669C000-memory.dmp

Filesize
3.4MB

Download
memory/3140-105-0x0000000004E40000-0x0000000005E10000-memory.dmp

Filesize
15.8MB

Download
memory/4432-108-0x00000296BD540000-0x00000296BD6E0000-memory.dmp

Filesize
1.6MB

Download
memory/4432-107-0x00000000776A0000-0x0000000077A48000-memory.dmp

Filesize
3.7MB

Download
memory/4432-96-0x00000296BD540000-0x00000296BD6E0000-memory.dmp

Filesize
1.6MB

Download