agenttesla | hxxps://mega[.]nz/file/8HgATTyK#6wjeMXwCkXoLOcywMOdcXWfaNlKASka8iEfDpQSVJdY

Analysis

max time kernel
48s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/8HgATTyK#6wjeMXwCkXoLOcywMOdcXWfaNlKASka8iEfDpQSVJdY

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\SecureByte v1.0.4\Guna.UI2.dll	family_agenttesla
behavioral1/memory/4848-332-0x00000000094C0000-0x00000000096D4000-memory.dmp	family_agenttesla

Executes dropped EXE 2 IoCs

Processes:

SECURE BYTE GUI.exeSECURE BYTE GUI.exe

pid process

4848 SECURE BYTE GUI.exe
5944 SECURE BYTE GUI.exe

Loads dropped DLL 8 IoCs

Processes:

SECURE BYTE GUI.exeSECURE BYTE GUI.exe

pid	process
4848	SECURE BYTE GUI.exe
4848	SECURE BYTE GUI.exe
4848	SECURE BYTE GUI.exe
4848	SECURE BYTE GUI.exe
5944	SECURE BYTE GUI.exe
5944	SECURE BYTE GUI.exe
5944	SECURE BYTE GUI.exe
5944	SECURE BYTE GUI.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\SecureByte v1.0.4\03756014.dll	agile_net
behavioral1/memory/4848-320-0x0000000005390000-0x0000000005562000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

81 raw.githubusercontent.com
96 raw.githubusercontent.com
80 raw.githubusercontent.com

flow	ioc
81	raw.githubusercontent.com
96	raw.githubusercontent.com
80	raw.githubusercontent.com

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2704	4848	WerFault.exe	SECURE BYTE GUI.exe
2332	4848	WerFault.exe	SECURE BYTE GUI.exe
5272	5944	WerFault.exe	SECURE BYTE GUI.exe
4360	5944	WerFault.exe	SECURE BYTE GUI.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SECURE BYTE GUI.exemsedge.exeSECURE BYTE GUI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SECURE BYTE GUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SECURE BYTE GUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SECURE BYTE GUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SECURE BYTE GUI.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SECURE BYTE GUI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SECURE BYTE GUI.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

2460 msedge.exe
2460 msedge.exe
1844 msedge.exe
1844 msedge.exe
4644 identity_helper.exe
4644 identity_helper.exe
5948 msedge.exe
5948 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1844 msedge.exe
1844 msedge.exe
1844 msedge.exe
1844 msedge.exe
1844 msedge.exe
1844 msedge.exe
1844 msedge.exe

pid	process
2460	msedge.exe
2460	msedge.exe
1844	msedge.exe
1844	msedge.exe
4644	identity_helper.exe
4644	identity_helper.exe
5948	msedge.exe
5948	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXE7zG.exeSECURE BYTE GUI.exeSECURE BYTE GUI.exe

description	pid	process
Token: 33	5376	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5376	AUDIODG.EXE
Token: SeRestorePrivilege	5672	7zG.exe
Token: 35	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeSecurityPrivilege	5672	7zG.exe
Token: SeDebugPrivilege	4848	SECURE BYTE GUI.exe
Token: SeDebugPrivilege	5944	SECURE BYTE GUI.exe

Suspicious use of FindShellTrayWindow 40 IoCs

Processes:

msedge.exe7zG.exe

pid	process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
5672	7zG.exe
1844	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exe

pid	process
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe
1844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1844 wrote to memory of 2212	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 2212	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3380	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 2460	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 2460	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe
PID 1844 wrote to memory of 3960	1844	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/8HgATTyK#6wjeMXwCkXoLOcywMOdcXWfaNlKASka8iEfDpQSVJdY
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80dad46f8,0x7ff80dad4708,0x7ff80dad4718
2⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
2⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 /prefetch:8
2⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
2⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
2⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:8
2⤵
PID:5928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,16523499527533310369,5318934165500361158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap7335:92:7zEvent11966
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5932

C:\Users\Admin\Desktop\SecureByte v1.0.4\SECURE BYTE GUI.exe
"C:\Users\Admin\Desktop\SecureByte v1.0.4\SECURE BYTE GUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2252
2⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 2212
2⤵
- Program crash
PID:2332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4848 -ip 4848
1⤵
PID:5692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4848 -ip 4848
1⤵
PID:3472

C:\Users\Admin\Desktop\SecureByte v1.0.4\SECURE BYTE GUI.exe
"C:\Users\Admin\Desktop\SecureByte v1.0.4\SECURE BYTE GUI.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 2208
2⤵
- Program crash
PID:5272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5944 -s 2208
2⤵
- Program crash
PID:4360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5944 -ip 5944
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5944 -ip 5944
1⤵
PID:5100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
95ff7905387c84309cfebf0e812e72d5

SHA1
227d04acbf0851f3b31be3af50c80e090995b939

SHA256
1fe62a10d2819069be0cf8bfde524e9a2a630ae91dcce4c7a22340558b8d72aa

SHA512
63e7a58f7e42ee6f179127de5419afa4d2b59ee65b55be9ede4ebd0643bf605dbbd1aa8c0f56680a6e659aa0c8f582e37e1beb257374cafc1a7b04f72cbd94e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8fd7c93de2b4ebe8688988df103a61ad

SHA1
cc5aafc2cd2cfcd265ad1debaf5ac1dbe9aeb0ff

SHA256
7998435c8aefd692156285a74bd63e14a63801e49ba376496f75f707383562c4

SHA512
0c3da4232671409a7dc15bfc82014704fc2a9103d24d49f32aae380f1c791e01d41bb5b2c17c2b161afa6e4ace3ffb00721f9891c2c77245015b27402606ead1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fa044ef6deeec710e04436c24837d68d

SHA1
6d18572c7c59f9ce9dbf45da4b2f8f104133e723

SHA256
0975c053de7f9188621743e1e499db309f12bfca0b621203c1f0c6141eb309f9

SHA512
c469a58498979048724e53abf82bea3ac6c9c7387ed8d350415e08a38b607d688bd78027c3f03492555281143d831178863ca12b9f6a0d5990674018c3a6b98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d2d429460a7472e87ea4994f4198e5e5

SHA1
3cb2cf11aead59bf339cf77cba6c4a954cbfe5d9

SHA256
6974f48fca0dd98256988232e9d4cc299d24b5aba80e44a351ddeecdac86a181

SHA512
c0dc546242880ce9447ceb9722735d21ab9ba205933d4b222ab3e17bb3e580934f1fe99fcbf741e42fac81f22f753b9a4f245241d58862f2c2907a97e866545b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
7f931a7c860f2105c71df7a0ee21bcb6

SHA1
ab340286c47b4c4a1aac9a83a7cca3976b822770

SHA256
9b4b504b771b69c77c67381a3e3adc533e04818859529e3d857035c6c97a7f55

SHA512
70a77f96ab435ed4687239c7eadd924aa6c5e67f21914d7d6a70945015485124fddb32580d76451d167f05764298c9ebb0922c9b9c041e1d9e53b4ada2353e5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5787be.TMP
Filesize
48B

MD5
42dcb5875b08e8cbbff25850841f7a5e

SHA1
ca8c2ee754895171891841c91fb09716f19a6593

SHA256
4644fc948fc66147e767dfb956643eaaf9d1ca5b6d33af0ad814bea4bf119130

SHA512
7e033fc98bbdfcb6a94b0110d91fc3dac29e6dc8dc541130595bbf481a6dac409f2544b049efc4605140ad5fd835ac7e24d55b074bf4e25fd4653d1bbb42532a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
f3095f5ffa57156d827396e67e610b25

SHA1
c6827e15e9eb9f98bafcca69f9ad4ea085e3f035

SHA256
5b169a0e1c4dd7f969a40b9cc89ef4c402ad4fb361d8fde562e102dceda41441

SHA512
58c9ce603bf2938cbbe3588b5ea14b2e7cd6e479a942ab7824c853f8aace50a57df5940eec2d5093138fca9347b899849ec5627b6a79e7f894b310985421a592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
bc0e595764ba1bca1eef0c0f4b80ab97

SHA1
e664ad7114f211e2c5b6cbd5b1df3e70de08fdf7

SHA256
188ecdfd0463daf57642fa818cfec7c605f41d7ec24ac01938bbb60507c0214c

SHA512
8775c51ea230fd830399b69317c0cb6f2494d3ae6c512c83f93bbbc9ca91895d5dc6bcd62aae28c91bb73ce837857af125470f0451b348d36e7ef2026f4462a3

Download Submit
C:\Users\Admin\Desktop\SecureByte v1.0.4\03756014.dll
Filesize
902KB

MD5
bdbaa4b53aabe2c0c122375a6c8fee7f

SHA1
b93a17e22b7ad490d785498810e40fcfae4ba2bb

SHA256
a1db9c3535a258e1f56c13eb15236ec0aab95dec862b4e129377fbcac5108ddd

SHA512
e61463ca94058547619e385fbd0bebf217497718d0614e4811c91e930ee138052042fb8b8055cdc8b8ee7ff6dfe7177567191ab38dff8ec695708a5b83e597b5

Download Submit
C:\Users\Admin\Desktop\SecureByte v1.0.4\Guna.UI2.dll
Filesize
2.1MB

MD5
278752062981db6fe27ba55f5099b8ae

SHA1
8446637986cf4a24e9135ee5c54f3170600e1e83

SHA256
538e6ca6001d609e251f88243409a2cbc9bc0517751843e76485a2c335e7829b

SHA512
142ff82ca90ca63a6a854e866615d742b585c102e8c4de5c773edeb1ac30c2cc2f6bcb190da394e4aadb4ef9518d194d99904463d6e952170d2924b16fcb00a5

Download Submit
C:\Users\Admin\Desktop\SecureByte v1.0.4\SECURE BYTE GUI.exe
Filesize
3.0MB

MD5
d2fab62b33c90f1b8e2ad112bf5ec5a7

SHA1
46e8df3bed78d045dc6e08d6dcd91a8a8f582870

SHA256
4ee2b26e47114f996f367d5c4d3aa967eb118a9baf0401ac1eadf95e6fcb5634

SHA512
3f1345b475d03849ef73625bc8d31b030f716484aaaaf9109332e2ccd20bc6694cbfe4d5e6120ebddd154e332a4c8d3d8dec3969bd3ff157341e2584e2ba7def

Download Submit
\??\pipe\LOCAL\crashpad_1844_OTFDTMIIQYCSJPDJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4848-327-0x0000000005AC0000-0x0000000005B52000-memory.dmp

Filesize
584KB

Download
memory/4848-328-0x0000000009240000-0x000000000924A000-memory.dmp

Filesize
40KB

Download
memory/4848-320-0x0000000005390000-0x0000000005562000-memory.dmp

Filesize
1.8MB

Download
memory/4848-322-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4848-324-0x0000000002840000-0x0000000002846000-memory.dmp

Filesize
24KB

Download
memory/4848-325-0x0000000005940000-0x0000000005AC4000-memory.dmp

Filesize
1.5MB

Download
memory/4848-313-0x0000000000280000-0x0000000000594000-memory.dmp

Filesize
3.1MB

Download
memory/4848-312-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/4848-326-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/4848-314-0x00000000051A0000-0x00000000051B0000-memory.dmp

Filesize
64KB

Download
memory/4848-332-0x00000000094C0000-0x00000000096D4000-memory.dmp

Filesize
2.1MB

Download
memory/4848-333-0x00000000751C0000-0x0000000075970000-memory.dmp

Filesize
7.7MB

Download
memory/5944-336-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download
memory/5944-337-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/5944-343-0x0000000075260000-0x0000000075A10000-memory.dmp

Filesize
7.7MB

Download