agenttesla | 7391718fd0958533d3857effb96cbebd00ceb5ed5bf3b11eb8e049db36e7315f

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlammedOwned.exe
Size

2.0MB
MD5

04abf74d7f4e959c28f6cee61a95fe41
SHA1

e2cb85b4a0e7c56387eaaa778d03cb8fa6ae4c13
SHA256

7391718fd0958533d3857effb96cbebd00ceb5ed5bf3b11eb8e049db36e7315f
SHA512

676b1c55b46fec34f91dd03af9dcf46023ca85c8e3eb77a9cfc81cbdc613618aca5914774a57f2b1a876a07668cb952a57eae75d43aebb3d5a429aa173c4ff56
SSDEEP

49152:DvmbpxEjwwo96s68x924MTEceBaYItakmEKC464q0GtKJ:JTo9T/9OIP5kmEKC464rGk

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1312-8-0x0000000006850000-0x0000000006A62000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Executes dropped EXE 25 IoCs

pid	Process
3912	AMIDEWINx64.EXE
3624	AMIDEWINx64.EXE
1428	AMIDEWINx64.EXE
1664	AMIDEWINx64.EXE
2072	AMIDEWINx64.EXE
400	AMIDEWINx64.EXE
1416	AMIDEWINx64.EXE
5000	AMIDEWINx64.EXE
576	AMIDEWINx64.EXE
2324	AMIDEWINx64.EXE
452	AMIDEWINx64.EXE
4812	AMIDEWINx64.EXE
4868	AMIDEWINx64.EXE
1360	AMIDEWINx64.EXE
660	AMIDEWINx64.EXE
3160	AMIDEWINx64.EXE
3140	AMIDEWINx64.EXE
556	AMIDEWINx64.EXE
2500	AMIDEWINx64.EXE
2976	AMIDEWINx64.EXE
1240	AMIDEWINx64.EXE
2844	AMIDEWINx64.EXE
4584	AMIDEWINx64.EXE
540	Volumeid.exe
4496	Volumeid.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\AMIDEWINx64.EXE	BlammedOwned.exe
File created	C:\Windows\Fonts\amigendrv64.sys	BlammedOwned.exe
File created	C:\Windows\Fonts\amifldrv64.sys	BlammedOwned.exe
File created	C:\Windows\IME\Volumeid.exe	BlammedOwned.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	BlammedOwned.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	BlammedOwned.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	BlammedOwned.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
2284	msedge.exe
2284	msedge.exe
2924	msedge.exe
2924	msedge.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
2848	identity_helper.exe
2848	identity_helper.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe
1312	BlammedOwned.exe

Suspicious behavior: LoadsDriver 23 IoCs

pid	Process
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found
648	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	BlammedOwned.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 3912	1312	BlammedOwned.exe	98
PID 1312 wrote to memory of 3912	1312	BlammedOwned.exe	98
PID 1312 wrote to memory of 3624	1312	BlammedOwned.exe	100
PID 1312 wrote to memory of 3624	1312	BlammedOwned.exe	100
PID 1312 wrote to memory of 1428	1312	BlammedOwned.exe	102
PID 1312 wrote to memory of 1428	1312	BlammedOwned.exe	102
PID 1312 wrote to memory of 1664	1312	BlammedOwned.exe	104
PID 1312 wrote to memory of 1664	1312	BlammedOwned.exe	104
PID 1312 wrote to memory of 2072	1312	BlammedOwned.exe	106
PID 1312 wrote to memory of 2072	1312	BlammedOwned.exe	106
PID 1312 wrote to memory of 400	1312	BlammedOwned.exe	108
PID 1312 wrote to memory of 400	1312	BlammedOwned.exe	108
PID 1312 wrote to memory of 1416	1312	BlammedOwned.exe	110
PID 1312 wrote to memory of 1416	1312	BlammedOwned.exe	110
PID 1312 wrote to memory of 5000	1312	BlammedOwned.exe	112
PID 1312 wrote to memory of 5000	1312	BlammedOwned.exe	112
PID 1312 wrote to memory of 576	1312	BlammedOwned.exe	114
PID 1312 wrote to memory of 576	1312	BlammedOwned.exe	114
PID 1312 wrote to memory of 2324	1312	BlammedOwned.exe	116
PID 1312 wrote to memory of 2324	1312	BlammedOwned.exe	116
PID 1312 wrote to memory of 452	1312	BlammedOwned.exe	118
PID 1312 wrote to memory of 452	1312	BlammedOwned.exe	118
PID 1312 wrote to memory of 4812	1312	BlammedOwned.exe	120
PID 1312 wrote to memory of 4812	1312	BlammedOwned.exe	120
PID 1312 wrote to memory of 4868	1312	BlammedOwned.exe	122
PID 1312 wrote to memory of 4868	1312	BlammedOwned.exe	122
PID 1312 wrote to memory of 1360	1312	BlammedOwned.exe	124
PID 1312 wrote to memory of 1360	1312	BlammedOwned.exe	124
PID 1312 wrote to memory of 660	1312	BlammedOwned.exe	126
PID 1312 wrote to memory of 660	1312	BlammedOwned.exe	126
PID 1312 wrote to memory of 3160	1312	BlammedOwned.exe	128
PID 1312 wrote to memory of 3160	1312	BlammedOwned.exe	128
PID 1312 wrote to memory of 3140	1312	BlammedOwned.exe	130
PID 1312 wrote to memory of 3140	1312	BlammedOwned.exe	130
PID 1312 wrote to memory of 556	1312	BlammedOwned.exe	132
PID 1312 wrote to memory of 556	1312	BlammedOwned.exe	132
PID 1312 wrote to memory of 2500	1312	BlammedOwned.exe	135
PID 1312 wrote to memory of 2500	1312	BlammedOwned.exe	135
PID 1312 wrote to memory of 2976	1312	BlammedOwned.exe	137
PID 1312 wrote to memory of 2976	1312	BlammedOwned.exe	137
PID 1312 wrote to memory of 1240	1312	BlammedOwned.exe	139
PID 1312 wrote to memory of 1240	1312	BlammedOwned.exe	139
PID 1312 wrote to memory of 2844	1312	BlammedOwned.exe	141
PID 1312 wrote to memory of 2844	1312	BlammedOwned.exe	141
PID 1312 wrote to memory of 4584	1312	BlammedOwned.exe	143
PID 1312 wrote to memory of 4584	1312	BlammedOwned.exe	143
PID 1312 wrote to memory of 540	1312	BlammedOwned.exe	145
PID 1312 wrote to memory of 540	1312	BlammedOwned.exe	145
PID 1312 wrote to memory of 540	1312	BlammedOwned.exe	145
PID 1312 wrote to memory of 4496	1312	BlammedOwned.exe	149
PID 1312 wrote to memory of 4496	1312	BlammedOwned.exe	149
PID 1312 wrote to memory of 4496	1312	BlammedOwned.exe	149
PID 2924 wrote to memory of 4508	2924	msedge.exe	153
PID 2924 wrote to memory of 4508	2924	msedge.exe	153
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154
PID 2924 wrote to memory of 5028	2924	msedge.exe	154

C:\Users\Admin\AppData\Local\Temp\BlammedOwned.exe
"C:\Users\Admin\AppData\Local\Temp\BlammedOwned.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IVN "AESF-ZUTN"
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /IV "GAMI-CTZO"
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SM "OZRY-LAXK"
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SP "BGBT-OOQL"
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SU "Auto"
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SS "RRPQ-EPEI"
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CSK "GVDY-FUBM"
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CM "KJDT-AHDZ"
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /SF "GIDS-SZZS"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BM "JAQK-DJJY"
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BP "VIRQ-XZFH"
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BV "EPJE-KXLK"
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BT "NQJV-LLQH"
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BLC "VKOE-DRIB"
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PSN "AEYR-PNBH"
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PAT "DWOC-QUHM"
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /PPN "PFWN-ZNNK"
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CS "RJUN-LADN"
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CV "GHEF-ZTVA"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CA "OCSP-WNRB"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CO "CCPX-UVCM"
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /CT "RNAF-SOWC"
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\Fonts\AMIDEWINx64.EXE
  "C:\Windows\Fonts\AMIDEWINx64.EXE" /BS "SBVI-PCMV"
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" C: "KWYW-VXND"
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\IME\Volumeid.exe
  "C:\Windows\IME\Volumeid.exe" D: "STKI-LGSL"
  2⤵
  - Executes dropped EXE
  PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8f5b246f8,0x7ff8f5b24708,0x7ff8f5b24718
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,13076903795401465136,1692011734257952735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:4348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
19c2ce0e598a62cee1d04cbb9845d1c0

SHA1
3fc43b2d21356316555aefd173025966db09f634

SHA256
ebf563ff7b9238016ff4831f383f3995e447ea88bcdddf8c599569af84bbbe8b

SHA512
83887cc9cd9567f639adbe2dc896aac06e45961e7f59b11bfc147e1088b6b41579889b2e992929f8b5b14dbada86b050d3711cc541545bb2d25bd4ba3c396f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
130d95f7e4e9870ab49be289a25a4385

SHA1
31cfdea339af3ae894903beb89008be684c99b4a

SHA256
bf53798a3cdeda76f5289f56e12be0a5eca642a5d12f9cb2b6301108ff57cb15

SHA512
24ce17674c11e55b182e2c097995eb8319469fecd3d9806bbd62917e117530f198e02443f9ca4d9157ff2ff583a142c787ee7cd9efd8388d7a6c3d5599ae5cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ff05e5f0db2041a7f573a09cd084d734

SHA1
cd1cdcd8215e64f5fc2b6cb1fbc91767bf63d47a

SHA256
5d2b435a1d1ecc58852d19452e5469de4c6d8263c6e1042e15648f54a656ca4d

SHA512
fff9dc844e77fe832472c08b25c38b90c8debfc66a45ccb5f12b94e85078064621ef783f2aa0290db499b9fac2c6be18360285f16728bcfe9cbd4afb5370e3ba

Download Submit
C:\Windows\Fonts\AMIDEWINx64.EXE

Filesize
377KB

MD5
64ae4aa4904d3b259dda8cc53769064f

SHA1
24be8fb54afd8182652819b9a307b6f66f3fc58d

SHA256
2c67fb6eb81630c917f08295e4ff3b5f777cb41b26f7b09dc36d79f089e61bc4

SHA512
6c16d2bc23c20a7456b4db7136e1bb5fcee9cbf83a73d8de507b7b3ffc618f81f020cde638d2cd1ef5f154541b745a2a0e27b4c654683a21571183f7a1bffd16

Download Submit
C:\Windows\IME\Volumeid.exe

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
memory/1312-6-0x0000000005FF0000-0x0000000006002000-memory.dmp

Filesize
72KB

Download
memory/1312-48-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-12-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-13-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-15-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-10-0x0000000009D20000-0x0000000009D5C000-memory.dmp

Filesize
240KB

Download
memory/1312-9-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-11-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1312-8-0x0000000006850000-0x0000000006A62000-memory.dmp

Filesize
2.1MB

Download
memory/1312-7-0x0000000006060000-0x000000000606A000-memory.dmp

Filesize
40KB

Download
memory/1312-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/1312-5-0x0000000005D50000-0x0000000005DE2000-memory.dmp

Filesize
584KB

Download
memory/1312-4-0x0000000006260000-0x0000000006804000-memory.dmp

Filesize
5.6MB

Download
memory/1312-3-0x0000000005BB0000-0x0000000005CAE000-memory.dmp

Filesize
1016KB

Download
memory/1312-2-0x0000000074A50000-0x0000000075200000-memory.dmp

Filesize
7.7MB

Download
memory/1312-1-0x0000000000F60000-0x0000000001162000-memory.dmp

Filesize
2.0MB

Download