agenttesla | 20027c560483941c10d60098ea22ee973b647ad934377be62c88ee4acb2fc465

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.6.exe
Size

17.9MB
MD5

49f6c848fc3b1f32ed96b08bca221e53
SHA1

0c1da68ae22f31f61ded840a42515793e1432a24
SHA256

7926286cb142cc3d2511cde859dc78ea4d9a26b5007c80bc33879fc3e5800c0c
SHA512

1cb5fea83ccecf175ec1ed6e381bf09f915115458869f05ebdbfbd2a92b6ec41f0a5d004e0bf74a80ccc68491554bb7df95d10242f22ce1429a2bcff124b5ba1
SSDEEP

196608:M0gakUV27n9vemQvnDi9BsSqzcB/BAe1d4ihvy85JhhYc3BSL1kehn4inje:MXakUQ7n9vemmmB16ayIhhkRka4i

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan vmprotect

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/1708-4-0x000001D1436A0000-0x000001D143894000-memory.dmp	family_agenttesla

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/1708-1-0x000001D1252E0000-0x000001D1271EE000-memory.dmp	vmprotect

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.6.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
1708	XWorm V5.6.exe
4692	msedge.exe
4692	msedge.exe
1500	msedge.exe
1500	msedge.exe
2212	identity_helper.exe
2212	identity_helper.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	XWorm V5.6.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: 33	828	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	828	AUDIODG.EXE
Token: SeDebugPrivilege	2904	taskmgr.exe
Token: SeSystemProfilePrivilege	2904	taskmgr.exe
Token: SeCreateGlobalPrivilege	2904	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1708	XWorm V5.6.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1708	XWorm V5.6.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
1500	msedge.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1500	1708	XWorm V5.6.exe	92
PID 1708 wrote to memory of 1500	1708	XWorm V5.6.exe	92
PID 1500 wrote to memory of 4480	1500	msedge.exe	93
PID 1500 wrote to memory of 4480	1500	msedge.exe	93
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4848	1500	msedge.exe	94
PID 1500 wrote to memory of 4692	1500	msedge.exe	95
PID 1500 wrote to memory of 4692	1500	msedge.exe	95
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96
PID 1500 wrote to memory of 228	1500	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.6.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/necrowolf_coder
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadce146f8,0x7ffadce14708,0x7ffadce14718
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
    3⤵
    PID:1980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    3⤵
    PID:1156
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:2780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:1456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    3⤵
    PID:892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1425066330080816855,1343474106327528719,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
    3⤵
    PID:2152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x2f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Windows\System32\h920ln.exe
"C:\Windows\System32\h920ln.exe"
1⤵
PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\01644c52-eb57-46c0-a933-09057c6e91e1.tmp

Filesize
10KB

MD5
9d9b034c56f559433e9f935111e654f6

SHA1
e28fa5b7be0e9c31992a96fca3727d9111b08a85

SHA256
ac87687621e72db94d9354fdda684a1a9a141c713272967fd59dad78e07c595f

SHA512
90bb89d97af2987b9da1a5be7107fd95abbbab2225e3f3635e23fc7661b8103ffa5c75458a052987c2ae50a9cc7300786efed4a7b252f4ec6c9dc10867bdbf85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
d3be227f5185b9944ff01ac918e3364a

SHA1
b2bd3811382d849c5abfbf83570e01a301a898e8

SHA256
473bde352fde9ff5d4706ae33eebd129c1aa9c8b8bbbb034ac42c3e00e3e229b

SHA512
03653ee11b5a54f7ec64974baab3f935bff523eebb8d1f831e8236115ca88a6e6db3f7c3cd7cddfb7a6eddd29ca1d4329d45dfcd50cde7b412f8acf06df1a801

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
733B

MD5
64497d7c6cd53170a358145d62fdb43b

SHA1
8778e9c1fc4be06e659764145928771056ddfa96

SHA256
2bedbe1afd1255fdf02e945eb09daabf634cb980918e7101c4eb6d84518b8db5

SHA512
59ad3f3fc72393027e03b736b7203462e4ceb37e39fdbf990a8a8b6bc96575ae683b6c57424aaaa3e1756726e5a8c64621757b545c28b3557ea8c150cc1ee756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8684019d445d7535be427ce6acb5bd63

SHA1
073e3da5246c49a8ae456f1da8c3e6018b89ad8a

SHA256
7bc7805a3fb5c0cfbc08c611b97a278bb5f162848dafd557f50f410bd4be6d97

SHA512
1fc2d65bfca49311182974b6eca9d4ac5d681ad19b9d7002315dad2fda5b6e4d32f50946d0513d80b4b1fbcd85f1df795ef214897b413e19633b8f4f43cf7d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8866055547fdc0bd2727ba211a3611fb

SHA1
5d0aeae85291b6a8ce09d389e54ef27473860ac7

SHA256
b72b2852c3ea074161b232caf94cd8e2f80030a6cba20447972df4c054c5a3a9

SHA512
29e1ad7a6874715a264a9f5801e36c8273d8f74ae7bdd39c428fd065c0ca39f537359afd2cc8d0bdbf199aada26a5b6b51363d2e6d46e20ff47135c96a142a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cd768e76d94f67646250e3e52332d5f

SHA1
03b3175cd99a0d4d8b35e5ff908938177c3f7fab

SHA256
2351d2fa3e1004841dde26e204c4e7bd750ba5080f1f8c41ef84031fbb028ad6

SHA512
4aea20e8a94e9dd00500d256b5eaeedbc9a7c1b2a874623dd86a71bcfb4e55c02a4179ecad7265f8eedd14c5834acf19c05430d3d94b49120443ad8be62743fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
6ea8642ac1b0a0c6090cb62f82d85e97

SHA1
a9a9cc39fd107d09d0e9b92033cef7ae13c105e3

SHA256
788d437c6dc8dd875ccc00e34c270b917453945211282ca863ce2a3dde45e229

SHA512
e15c1e87967d0f9758b2873fa8b742c338398dda7cac840e7a33de0c39f9282ccab02b782a96cff79f524ac20f355467d62239afc9aa1d0e13f3739ea2ea4e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5871ef.TMP

Filesize
705B

MD5
54e6b4c3430e63230d922b92111d59da

SHA1
8865427bd2340050d0a6900c47a3c247dcbb6ef8

SHA256
0ca644c8166614f734ab055cb37b2dfc9766c4d0ba7abaa32c2aea285100dfce

SHA512
f821420fe219c7976604036f00d1d5fecb0d64d2f3359491a30dee56c51ae450949ff94a55e233f471edd17e1cc7a39fa06d6581bb0eeb00e442b7560f67726a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8e1e14d464fc341b0cb175f7c3cd3b54

SHA1
34286f57d15c783c4b524b28440f2eb29ec4dd57

SHA256
6ecf3632918c63f1868ed9f2a0b901d2a642ef6f924042f0eb6a54d9f96f691a

SHA512
56dfcbed89c69ae4cff4a1f16133f282c9490f74529273fa73b7de583d520d95392cac5520cfadef99972836b51e47b80f12c7606784c4a56a4c3e5888b9e2c5

Download Submit
memory/1708-9-0x00007FFAE27C3000-0x00007FFAE27C5000-memory.dmp

Filesize
8KB

Download
memory/1708-3-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-10-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-49-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-0-0x00007FFAE27C3000-0x00007FFAE27C5000-memory.dmp

Filesize
8KB

Download
memory/1708-8-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-7-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-87-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-6-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-5-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-4-0x000001D1436A0000-0x000001D143894000-memory.dmp

Filesize
2.0MB

Download
memory/1708-11-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-2-0x00007FFAE27C0000-0x00007FFAE3281000-memory.dmp

Filesize
10.8MB

Download
memory/1708-1-0x000001D1252E0000-0x000001D1271EE000-memory.dmp

Filesize
31.1MB

Download
memory/2904-133-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-132-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-144-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-143-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-142-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-141-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-140-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-139-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-138-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download
memory/2904-134-0x00000299F04B0000-0x00000299F04B1000-memory.dmp

Filesize
4KB

Download