hxxps://github[.]com/dekrypted/simple-cookie-stealer/archive/refs/heads/main[.]zip

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/dekrypted/simple-cookie-stealer/archive/refs/heads/main.zip

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{D3D9C875-E085-4EB2-A5DB-C83E6EC5F17C}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4664	msedge.exe
4664	msedge.exe
972	msedge.exe
972	msedge.exe
4456	identity_helper.exe
4456	identity_helper.exe
1836	msedge.exe
1836	msedge.exe
1864	msedge.exe
1864	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe
972	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1836	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 4496	972	msedge.exe	83
PID 972 wrote to memory of 4496	972	msedge.exe	83
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4500	972	msedge.exe	84
PID 972 wrote to memory of 4664	972	msedge.exe	85
PID 972 wrote to memory of 4664	972	msedge.exe	85
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86
PID 972 wrote to memory of 4792	972	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/dekrypted/simple-cookie-stealer/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8156b46f8,0x7ff8156b4708,0x7ff8156b4718
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6516 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4984 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17390062476804767591,16915832924840105269,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_simple-cookie-stealer-main.zip\simple-cookie-stealer-main\requirements.txt
1⤵
PID:1300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\simple-cookie-stealer-main\simple-cookie-stealer-main\requirements.txt
1⤵
PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ca37d42f66dea06f3059bca4a814dc97

SHA1
3b3b6d780fabf526b825f909b185f6fe39808437

SHA256
5b988ca8a101297f296e07d61515048e7b705a89f99e168d879e789e66586d53

SHA512
408f365649e7502c33cdf072854c28b2581801d7fd4d39f62b73083300b7cb8441632beb202ccd1210971663967f23b70acfaccf2587e7cab8867841a2bf280f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f4ac47b689f0ef8486fae878db42b3ed

SHA1
80585a65a3a2b1652eb689a2095ff258cfcfecea

SHA256
dbf821e1652f8faa4932c0002bb96664ea3c5dffe90079b324e2678bbae0f9df

SHA512
fa24720d47f28462c9010d2daa7d4e5e13da444d3c4370cdd7679dc5a39571dc32506f570ec9b45f1c8042a31290b1b67c24e198773b1f9c8225d2cbcf2a1ca0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fcb547e8ab6a57afe277566d2fe7ebba

SHA1
c7e76e52665d5799614a029aba65f500b089d59b

SHA256
182ead1bde749a1c50012c6f6aed24d7219160066518f4b4ae1ae1e5ff6b728a

SHA512
e648259145020a122f7a0086797b8beffd13982dcc9177501eb9ba36c9685c13769006ee0d62861252d66186c8864abd4b58047b8e28a960716d43abf3d52b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
63bbf8d9ca86f4f38be53688379b147d

SHA1
6edba585fc692fd2a200ea16d4260c9e2b13291a

SHA256
8cd1c45ac8f92999d7ec480ab0dee7ece6bcece42e7cc43b459de59e582de5bf

SHA512
34786ded9a8a84caf4cdfd159a3a1be26f125564347ca5a72ffa0c78e9e4d1125693859b9754b23b19ab310cde0e1841d78074a45264b67393b3a33b8daa2982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
86277f351f2571910a8409de887c2fed

SHA1
7139c4e482d859ecc932c130945e001492fc4a48

SHA256
b942da60954f80958f93f490355ffa76a221bc0f5db4472002f321810ba28f67

SHA512
e2985dac183a3d227b10b461e96838c769c530675633705ab3a80af5369a5e86c35784f680935125b82b3ef3c1a8c1b731a74a5818baab718ed222dbcb55f71c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7bc10368c8b7a546b9b8f8b0c3674778

SHA1
9758b915589a5e20e9b541ffa7f97bf5bf6f8517

SHA256
4a3ff0e48b6f24cf4f46ae33d6a973805e4dc6c19c5cb7833da4daffa31bec21

SHA512
ad7d3c7097b2c1a712067fb18de3fd226452668deb4c8842aa84327660fe3ae67404500eb5401a8f2a7ed94795736df8bc5a9734797f88bcbc8ed737179f271a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ffc892ab11283d725211621bb82bf3c6

SHA1
d115bd84ecbb4ac09b657dce01991abd8fc97c7b

SHA256
6e11c4063ede72eb65f663616b084f477bcf9bcf2a1393fd53158224101dcc4d

SHA512
bb08f1427ba8796cde56f38e9e6718f4dbf4e72923ac31c3aef9ce6cc854deb44834d2061e0c4ded0b3603071ccc7cd373afb942e7dccde46ebd3da15c3f0ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
effdd52e7faeecc8c4178b2599fcd9fa

SHA1
5ec8de60c015c348a5e038a3b84b1ed2093aeef6

SHA256
cc6ccb4f02b2efb8e080664e14ed2248072eea6b4fde6105dd17b4ac3389955b

SHA512
0dc778da96ee93c54d94ae2e9e0a6eaef5f0b19eaf2ec808d4ff7c4350970235e199269210fff17a7d6a58490f170c9c83a722bc7f9c29a51922ec091f3f7a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a40b.TMP

Filesize
371B

MD5
19a8a1a417ddfa317ec50ac55f4532df

SHA1
9ee7b8565dcd79a174aacf6784c0c16acc15c317

SHA256
a8419e5d743fa71b6013c68e40f69d8abd72184a59badb3eec6f831f8d812114

SHA512
eb5247bb95172318bb5dd112435a9bf0bff95418d1f28eb1c524d6dcfd489d29f01f03ebbae6717c9c26d4a6b3a6fb3d7d3f1372adb49867b79bf46f388ca323

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fa1988ddaf857d337e9816e1b59e982

SHA1
3bb844dc151b55c0645dfd67099e9254c7cc8289

SHA256
013e499236957d060eda5aaaaa1738b96cdb6f0b215089f995077b2e6c1713b8

SHA512
95f9d5e7fe7c3661eb760534c93aa130c4603a1bf88eedc0c9770619f55d111853eb5b096edce08bd1ffa713a4fb1fcc5085e6ac9f3303dda14c640279f368e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56ea058a84af6e53ddbf4283c7ed04e0

SHA1
51e6e3f5123b68edc00ed6225218986c01bfa046

SHA256
e372de068d5ea1011f32e29f75228623a64e91cedece0e65298401ed2a38982a

SHA512
92a7bf63036191127476e7119ad349ced75415ffea81ffaab8ef0dd4c407dff9d28dd2204e3b86cdf4804513d861ce0d7fd98d8b57b5f726d6306af1510a9f1d

Download Submit
C:\Users\Admin\Downloads\simple-cookie-stealer-main.zip

Filesize
9KB

MD5
a3e9369fc4860d2f8c2a016f307773d3

SHA1
481f240673ee73a3351d5f6a846cfa2374495726

SHA256
55e5ac0a10e0e64b41fdcaa9364f379ec9afa95095f6d546c5a1fa68d01f86cd

SHA512
66f45c622927e01b70a8a467db70576ad4cac761d597d90a0fda077272433ef45f01b5cf8a660583b842cd584b477c652b2e85b28481971f34425bcf1224ff55

Download Submit