Analysis
-
max time kernel
279s -
max time network
301s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
21-04-2024 07:10
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://dosya.co/d2ucyv70iys0/logger.zip.html
Resource
win10v2004-20240412-en
General
-
Target
https://dosya.co/d2ucyv70iys0/logger.zip.html
Malware Config
Signatures
-
Detects Echelon Stealer payload 2 IoCs
resource yara_rule behavioral1/files/0x0007000000023587-166.dat family_echelon behavioral1/memory/4720-169-0x000001FE47EB0000-0x000001FE47F48000-memory.dmp family_echelon -
Executes dropped EXE 3 IoCs
pid Process 4720 Echelon.exe 212 Echelon.exe 4680 Echelon.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 201 ip-api.com 376 api.ipify.org 399 api.ipify.org 411 ip-api.com 173 api.ipify.org 174 api.ipify.org -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings msedge.exe -
Suspicious behavior: EnumeratesProcesses 21 IoCs
pid Process 3552 msedge.exe 3552 msedge.exe 4000 msedge.exe 4000 msedge.exe 4356 identity_helper.exe 4356 identity_helper.exe 5856 msedge.exe 5856 msedge.exe 4720 Echelon.exe 4720 Echelon.exe 4720 Echelon.exe 5004 msedge.exe 5004 msedge.exe 5004 msedge.exe 5004 msedge.exe 212 Echelon.exe 212 Echelon.exe 212 Echelon.exe 4680 Echelon.exe 4680 Echelon.exe 4680 Echelon.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
pid Process 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe -
Suspicious use of AdjustPrivilegeToken 7 IoCs
description pid Process Token: SeRestorePrivilege 4376 7zG.exe Token: 35 4376 7zG.exe Token: SeSecurityPrivilege 4376 7zG.exe Token: SeSecurityPrivilege 4376 7zG.exe Token: SeDebugPrivilege 4720 Echelon.exe Token: SeDebugPrivilege 212 Echelon.exe Token: SeDebugPrivilege 4680 Echelon.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe 4000 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4000 wrote to memory of 4084 4000 msedge.exe 87 PID 4000 wrote to memory of 4084 4000 msedge.exe 87 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 1660 4000 msedge.exe 88 PID 4000 wrote to memory of 3552 4000 msedge.exe 89 PID 4000 wrote to memory of 3552 4000 msedge.exe 89 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 PID 4000 wrote to memory of 5068 4000 msedge.exe 90 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Echelon.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/d2ucyv70iys0/logger.zip.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd95a46f8,0x7ffdd95a4708,0x7ffdd95a47182⤵PID:4084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:22⤵PID:1660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:82⤵PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵PID:696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:12⤵PID:4412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵PID:1568
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:1600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:888
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6100 /prefetch:82⤵PID:5700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:12⤵PID:5708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:12⤵PID:5244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:12⤵PID:5356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:12⤵PID:3316
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:12⤵PID:1628
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵PID:5160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵PID:5176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1688266301702967283,208996264347325007,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3704
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1756
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:5936
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\logger\" -ad -an -ai#7zMap11042:74:7zEvent197351⤵
- Suspicious use of AdjustPrivilegeToken
PID:4376
-
C:\Users\Admin\Downloads\logger\Echelon.exe"C:\Users\Admin\Downloads\logger\Echelon.exe"1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
C:\Users\Admin\Downloads\logger\Echelon.exe"C:\Users\Admin\Downloads\logger\Echelon.exe"1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵PID:5732
-
C:\Users\Admin\Downloads\logger\Echelon.exeEchelon.exe2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4680
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5120a75f233314ba1fe34e9d6c09f30b9
SHA1a9f92f2d3f111eaadd9bcf8fceb3c9553753539c
SHA256e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0
SHA5123c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3
-
Filesize
152B
MD5bc2edd0741d97ae237e9f00bf3244144
SHA17c1e5d324f5c7137a3c4ec85146659f026c11782
SHA256dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041
SHA51200f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093
-
Filesize
703KB
MD54d09e51bf9027c7a09bf320a1dd82715
SHA18ee5ae8f2f2287b2fdcd0696b0a750c53cfb6bcf
SHA256f27616b91b378b735fbf07e736369bd0bca801acb869c6fa471d2b93b55ea933
SHA51266a8268f9a093d095edd28014f6f171757423e965d014116a1adef3c4c9280795cffab0bae3f59a9a81b3771a0703f4497015925245ba3776db7cf259f95e7b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize528B
MD5fb5bb5473351b538de2278caf3dd07b4
SHA1311d4ff0ab66fc70552dc7454189e3415cc7e9cd
SHA25693ce046d2184ecf967458963f7067cf5347347123f93ba2e17647b2b28f2c83e
SHA512cdf0a485812e0d188a74917a55c6dc80e9f31a97e7ec1cc0c01a0acaf54971f53f6784160c360c354bc22bdf56fdc3eaff73aa365713aaef872a1aa135a96f21
-
Filesize
2KB
MD507b4d6411174ee1d85cba07250a3df91
SHA1589071cf107824165e0721cd502513e76cb4c3ed
SHA25689b07580227edabcee1098d6e2e6f03e3deed9e25bd2b25edfac72b5c9107476
SHA51272050f8d1c62d4c9bcaeb5685c0474c0766fea50a2518005b19c79046d4afa5b5cb168dc08c205ee80db11371d7f7192bd41bf6843845a1b0837fafe49e8386e
-
Filesize
6KB
MD526d183b0be6c090cf2c9efd6c1ce6b49
SHA1d7192244a600cacd723f29ea45875d5b9707edad
SHA25698ad701fd878f2807944751072788099dd2f6ce87282d1eb38a3326b79fc1da4
SHA51201ddb128d186a88a861d8a2428c959d2e6ce8aa68f39acacd1798ca5f27edad70ed0c1db00f3d133912650cc3497d173609356b74083779c9ab62cabc4672dbd
-
Filesize
7KB
MD52e0e81c3f9228607049724ebc1d33155
SHA18983fe5f8c820b7460d1f38dcb0cf0b906f3a1e0
SHA256be3b87959248487f037b18a9a26e58afa075556daa718123a7471e2e99d0bfc1
SHA512ce0b3ca63f8fe6a9169f123a4b812bfb6101e75f3ea4ba276b995ce52d41a1a988d8e8ad9be8ea5ea5941cd978c9b3a7dbda7a1558b2e93e40bd78a9581af433
-
Filesize
7KB
MD5671f80d09aa4761a0f3b064d13ed021b
SHA1ae890278e28309d766e9dacf606aa3b07454938e
SHA2564501c94c7cf0e55ee7742b8f063d95d5023b1658049234e01b22408ee13352f1
SHA512d8ae92ba124c5429ebab4e3709d6bd859acc43ef9db37f5cc6b27111ba11e2945acb8365259f779f096ba6076a79169c55f7bc15b0e5ce3cd52d24584ad38608
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD595c1a3f79316a339225cefad8ccdeeb6
SHA1328c193b2775f98a0e6cfd78fa8ba095b2377617
SHA256903c10e929e3d864913c00a2b5f256c58b478800fd74f00b75f9938bb6933e46
SHA51250e4851cf2197a698505e058275ebb4fd2cbf6d647b4ae04cdb377cdab58c64de6765bd7aad46cb93b1f8f69015ae622f1d2ca874add4bd64ccdd848cc545ed7
-
Filesize
11KB
MD56090ae0ba6836071f196a4a11219ec48
SHA1c968b832a266f34f8ead0fd414c56f482112142a
SHA25636476a92300e1e742877dfcb0d9c38bd0ed829e1b43ed386a7a54fba1363ee6c
SHA5126c303900629de1264af545ef1c2de4e04069ad6e1a3a615fb0141a6675562a610afa4f1374b76151da1d79e49f81a44bba3419c01c1fbc0ae5ea384a61aa89f1
-
Filesize
100KB
MD5b45ed8b906f7b08bc5db33091c4cbce9
SHA1b5cb87c23cf1dc00c3384bcae0598071ca92c9d1
SHA2560a54a476c7eaaea3111a6285d2cd1cf4b020d7de3926b6705a409f9000eab675
SHA512a4b43bd6b1c8eae01d58cf48fd435d40d580888ad18ec3ae846305411fcff928d8c3ec98aa0b1ed5cb8004d2180c4e9b69ac2ac27fa976e1fd30012b9432f852
-
Filesize
152KB
MD573bd1e15afb04648c24593e8ba13e983
SHA14dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91
SHA256aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b
SHA5126eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7
-
Filesize
46KB
MD58f5942354d3809f865f9767eddf51314
SHA120be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
Filesize
127KB
MD5ed60f4906a36d40ea20b53e91e663606
SHA101356a176302cc546205cfe524a78c14871788e9
SHA2561d70596565c15e4a23976e85b568c01e2094c793ad6daa530d681df5260e2943
SHA512d057e98915b56cf51d25b1f178927f452f4bc3156537231758dd77bc968a2bbba1caac0ed8b59fbe283e0e82792aec6996deba713697192c84f674236223e33b
-
Filesize
288KB
MD56005f2f80a108170596bf4bb6a13bda3
SHA1606f533dd8b30cc420e5e8b531d9526862aa8f20
SHA2568a85cd0d7d69fc34d24bf31503499e425563324090924359bf0f952b4dcb9fb3
SHA5128ad71289f6f67c42c073da6a28c6bd0c1a80b86fa59857bcf8fd0af6f19079587bac488f51a6595407362675f60361d9f215df18653cfaad70b0cfe621b9f83a
-
Filesize
96KB
MD5d367ddfda80fdcf578726bc3b0bc3e3c
SHA123fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA2560b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA51240e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
Filesize
448KB
MD560caabbd43235889d64f230617c0e24e
SHA1f5f922bd3c69591663187d40ad732c73a5bda290
SHA2564d7851bb977d7bd1d7503e994bc4c4083faa2751f41624237309157b1b88681d
SHA512fedccb31b488ec1b7b28e8614a3eb53eb130c176837f687395e61a0f3f522d742d46ece1f6852ca45e831abe21728e08dadf010d828a49fbfdc9840b42cc975c
-
Filesize
581KB
MD52d9d77004af06b7d5fba73def3768dbd
SHA12d48d995505f8e1ae14493c6c2bb61d342cdf016
SHA256197984847de1c34ce400d548c13df6b1d2c4ac8a4d5dc2d4c3c985f47109f1eb
SHA51236f41f0daf31e4f70c423512cb7189d0e4f9573ac3d43edcb4c9a8077d4555e9d7d194a32be041e3ee74fe62b28862de07107d025c840c1ebe463c3d257196bb
-
Filesize
216B
MD5ed6192054a346a72d8bd4352895f25f9
SHA12de8e2859eb7451eb23d408cf9fa45f37a4e2d0e
SHA256707f233f9e814e64d7655a78275e60bb44c35646292fa5b41ee936e1763c9f77
SHA5127fe3851b67da2cd748c5e194e7b0c8252c65516ac710d950e5d6ac3aefe7051a5a01e034d6714f1dba077046ec211d234eb9f19e05c80d292b24e0f84dd6ce0f
-
Filesize
417KB
MD582ff82cec67ef5d0408a498dedf0eccc
SHA103554cae4dcbac99077c180ded7ccda887a8cc2a
SHA256103a8bb6db0259eb40bfe7077bb45265870aca3bdf7480433141b68aab8890de
SHA5124542284408003aea4e3b8b2b6ed11e0a6d65f1e60953063558fa42457b534f6b4783d681c51676948d8039c33fa0d4375b585da072692cd4848c5f8337e04c80