agenttesla | 51a8255b49900d66ec1640d09f12c057b8d0a2e0dbc6e8dee2f61b959a52b2a0

Resubmissions

12-06-2024 04:46

240612-feblss1ejn 10

05-05-2024 21:44

240505-1lv91aeg6z 10

05-05-2024 21:21

240505-z7h15aec4t 10

Analysis

max time kernel
148s
max time network
139s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
05-05-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seroxen launcher v3.1.2.exe
Size

1.3MB
MD5

a30b4df046ff1aeaa9bc6aeb650dd9aa
SHA1

538b3248c00d43b6371d88151d43b4e95012da5f
SHA256

268067fee4b2cab61138bcaa62402c1aeb68d6db3c92f23be88b6c61071a0ec7
SHA512

91c175b4543eba084b32f79b3f4fdb144c47d78eecf7955a4eab0409c03bdf7d275aa25f13aa592fc7d307af1d351746793bb632d7621597273bae294d06ee73
SSDEEP

24576:N7njFX9ew/1bffPrhEqE0r+UPffBhffffffffffjhKhrfQjsRw:tFNb/lffPrhEqtr+UPffBhfffffffff9

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral9/memory/1492-3-0x000002A6EA010000-0x000002A6EA206000-memory.dmp	family_agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

13 discord.com
21 discord.com
22 discord.com

flow	ioc
13	discord.com
21	discord.com
22	discord.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeSeroxen launcher v3.1.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Seroxen launcher v3.1.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Seroxen launcher v3.1.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Seroxen launcher v3.1.2.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2551177587-3778486488-1329702901-1000\{475CABE9-468F-42AA-BD4E-8FD37DB21323}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1980	msedge.exe
1980	msedge.exe
2056	msedge.exe
2056	msedge.exe
3392	msedge.exe
3392	msedge.exe
2272	identity_helper.exe
2272	identity_helper.exe
3700	msedge.exe
3700	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Seroxen launcher v3.1.2.exe

pid process

1492 Seroxen launcher v3.1.2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

Seroxen launcher v3.1.2.exemsedge.exe

pid	process
1492	Seroxen launcher v3.1.2.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe

Suspicious use of SendNotifyMessage 13 IoCs

Processes:

Seroxen launcher v3.1.2.exemsedge.exe

pid	process
1492	Seroxen launcher v3.1.2.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe
2056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2056 wrote to memory of 2820	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 2820	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1612	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1980	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1980	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe
PID 2056 wrote to memory of 1176	2056	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe
"C:\Users\Admin\AppData\Local\Temp\Seroxen launcher v3.1.2.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffac8713cb8,0x7ffac8713cc8,0x7ffac8713cd8
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
2⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
2⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4080 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
2⤵
PID:1628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
2⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4732 /prefetch:8
2⤵
PID:2080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4724 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:3024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
2⤵
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
2⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1328 /prefetch:1
2⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,11836399859275094486,7042737037591787170,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:2956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
7915c5c12c884cc2fa03af40f3d2e49d

SHA1
d48085f85761cde9c287b0b70a918c7ce8008629

SHA256
e79d4b86d8cabd981d719da7f55e0540831df7fa0f8df5b19c0671137406c3da

SHA512
4c71eb6836546d4cfdb39cd84b6c44687b2c2dee31e2e658d12f809225cbd495f20ce69030bff1d80468605a3523d23b6dea166975cedae25b02a75479c3f217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9faad3e004614b187287bed750e56acc

SHA1
eeea3627a208df5a8cf627b0d39561167d272ac5

SHA256
64a60300c46447926ce44b48ce179d01eff3dba906b83b17e48db0c738ca38a9

SHA512
a7470fe359229c2932aa39417e1cd0dc47f351963cbb39f4026f3a2954e05e3238f3605e13c870c9fe24ae56a0d07e1a6943df0e891bdcd46fd9ae4b7a48ab90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
efcd88cef9aa0b159b05c9a059d0b424

SHA1
f4d76ac3c135376896e83b6eda0421b44216e534

SHA256
aeee236b1b4247f8586d3ef798b8b7561678ec2314b8f9e048fe4ffcacef70e3

SHA512
c90c619aa99adc467d333694140c116f0db2a4fe3411d39b9cb83ec60be823e4ba79293d0cc031ec27f55deca4d050560d7af05159c0439808b39d87928c7da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
034ace7ac873a42690c180ced69a2e02

SHA1
0d31dce36f9fb337d327860dcba0e1f3805b39d2

SHA256
00ac3efee76b4f5f8058a69b7347da283c99c8d04b6d7da564a54c56a62884c9

SHA512
d5a798dd78e6adf8507b5bb64785bf6e110c66355e5e6f7857cea66ca1363cbe0464d3a4512c283ba4fee4365ba445fb0ba445fbd3a4e47bb3abfbacda6843f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
109ac836f8663189f5d42edc42bc7b22

SHA1
5890decb4bbb09d248fe6beea06dfbb60e22cfa2

SHA256
8683c8a63a83175088542127f0ac0226c78360f23e79088ff8a84c6551135c3e

SHA512
e5e91f9946d513746a1dfbcaa28e914bcb4ac8430d3d1e8884903ca81ec8d7c6a46ac77a430fb870aad871376cda8b09938cddd62198b367ee41af89a610b956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b2867dd2f1c7cde19df48314cbb891bf

SHA1
d24dc79cd0c02338346d75389b980d6204a7776f

SHA256
6ffd0bc3d5dc929628a4524b7035e7bdb34b67f1e04d241afdb4020e20b3f94c

SHA512
8fb57e7fd278cb3730f03cf9e55e67b1bde7189090753753bb89cc012f89550ec19b15b8dfd5a2bf6ed38e0af1a3d6a42c69f28cf49b9951a0201cf36b2f8ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d050b97e527a903c1b0b3054bf357850

SHA1
a29a600888a975a2b93035b334743d80fa9bc125

SHA256
69430d784e696c5bfae4052e9d5a9ce22d66709c5ca0b5e8d52158a403fc221b

SHA512
5399a0bec9fd7220156837dd4e0718f1acabf28a47a30dd7503af33200b56b3f936cfcfe8e68519b0cecdb92deb36d910f1e5d3daebd125be08418acd2b48ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b6d61941c521932ad381d1ae80602680

SHA1
0fe5edc694bcc8af79b3d3cb7c69fe69115d3938

SHA256
460f5fe416fb1bdfe18bd0022af3c77d202cc522e25733cc489f712d880a291b

SHA512
71c5bcd1d1ef1ff108c6ae1036a95a97660eaf725919547505462f16a0a19711e5fc59259d979d1ba35f22dbfbc80e0964010bea100da357f79de786dd64ab03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
04236e6ccbe2d5bc14ab123daa3d248b

SHA1
fa98272fc4c058d9ef9cd5104e803c58d23e051b

SHA256
0d82b7b375e3363736f0e313a724125d8e08d9ebcc6bb48bc4f726ace37614f7

SHA512
5da92aa3d18f412cf03bc1bcfa8531ebe642bb59f2202f282a28eada61d1e2b78bd1bcbe8327fb2732501d3055c0ff5683417b6a675dd2118d59a40bf5c2f4c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
553cdd7892d05d27832ca0ef1ec6e48d

SHA1
4b528ff3875e7b1217cb8431fa3c8f461e3547c3

SHA256
3abb68923394fb0f7af715c84a512673c7182aed39196355c883b04e96f0a6e8

SHA512
279e7b13e00ac3e302551d5531e521adfb0c03fe1a62cddb9a555035c6cb24f2d87e756deaf839531cb07d28657e81fbb243472d34ba37da8cd3b0e920fe37ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a2b3.TMP
Filesize
1KB

MD5
cb297d273f9d97dda9646ea359cac1a3

SHA1
8c76ff04e0cebd2f91de076e525510ff4d5c0dc6

SHA256
9bf5582593aae77af369c8ca78411c5e9d22c8de1de5d8a96dbc4bbccc11ba6a

SHA512
bf5ad98fc8d7ffc2c6a760787deb49139ab5176021f8a59060cad3b581c9cab420ae5a6c8944569a5e7a7bef7b88cc63432f9f37108621617c34afe71f5f3f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ce305038-96f8-4bdf-995e-2e157c47061a.tmp
Filesize
5KB

MD5
98f320fd15cd3d389d7cac145311dd2c

SHA1
6a9a952aa3719bf225f4c989412917b3fb64722d

SHA256
a341d5469db56562334b5fc4b81263683e147f38d4b29f1884daaac720f1c0b0

SHA512
e2f4bb8377c67ce1c0f7ee03f338a0bd8778c366003016d1bcc34545c82716ff217796aa07cc46811b0b40b13d4bbf84918d73aac78043dd148b194b1187710a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6e7971dcabe80f75968b808ec1e6f174

SHA1
ebc27438067721edb1124b4f7d767979b15704f1

SHA256
1ed1571ea101065a897bd18cd51e047d65aea90c12df705be1d67a03e240c83a

SHA512
35cad36b4e94ff037df8c310415a2ae8e2a1ab690be39d11dbe57c51369bc2b83e896384e7acbdb34952820b1301592cd1db6f93ab7f944e0049a39dfad5b139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
cffbb387755bc7b24d1706cf068059ed

SHA1
e48cb01e500406347f04a41bcea3aa89fa519c3c

SHA256
69e83c6f8ab34cdbec4a328806a1e8801c6d4fe296baa1a30c2a4ade580234e8

SHA512
616ffb442655c6f3853e7f2acb0e40f5440805c68e8ee155616377de151b8575155cef92a900ab70723e2b56fc43f891e03fb2019e1838e5f718b5058dbe41d5

Download Submit
\??\pipe\LOCAL\crashpad_2056_KIIOSIERZRGDDLOZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1492-9-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-11-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-10-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-12-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-8-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-7-0x000002A6EACD0000-0x000002A6EACE0000-memory.dmp

Filesize
64KB

Download
memory/1492-6-0x00007FFACD223000-0x00007FFACD225000-memory.dmp

Filesize
8KB

Download
memory/1492-5-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-4-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-1-0x000002A6CF2F0000-0x000002A6CF444000-memory.dmp

Filesize
1.3MB

Download
memory/1492-3-0x000002A6EA010000-0x000002A6EA206000-memory.dmp

Filesize
2.0MB

Download
memory/1492-2-0x00007FFACD220000-0x00007FFACDCE2000-memory.dmp

Filesize
10.8MB

Download
memory/1492-0-0x00007FFACD223000-0x00007FFACD225000-memory.dmp

Filesize
8KB

Download