agenttesla | hxxps://drive[.]google[.]com/file/d/1Wj07ngMff9_V0N6-76x4czf7APGZn0Bw/view?usp=sharing

Resubmissions

13-08-2024 00:24

240813-aqgpaszajk 6

08-08-2024 21:05

08-08-2024 21:04

08-08-2024 21:04

08-08-2024 21:00

08-08-2024 20:42

Analysis

max time kernel
65s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-08-2024 21:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Wj07ngMff9_V0N6-76x4czf7APGZn0Bw/view?usp=sharing

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4744-141-0x0000000005480000-0x0000000005694000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
4744	7zCon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zCon.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	7zCon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	7zCon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	7zCon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 4150.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	msedge.exe
3700	msedge.exe
3140	msedge.exe
3140	msedge.exe
2564	identity_helper.exe
2564	identity_helper.exe
540	msedge.exe
540	msedge.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe
4744	7zCon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4744	7zCon.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 632	3140	msedge.exe	83
PID 3140 wrote to memory of 632	3140	msedge.exe	83
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3672	3140	msedge.exe	85
PID 3140 wrote to memory of 3700	3140	msedge.exe	86
PID 3140 wrote to memory of 3700	3140	msedge.exe	86
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87
PID 3140 wrote to memory of 3148	3140	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1Wj07ngMff9_V0N6-76x4czf7APGZn0Bw/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadfb446f8,0x7ffadfb44708,0x7ffadfb44718
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Users\Admin\Downloads\7zCon.exe
  "C:\Users\Admin\Downloads\7zCon.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,6563869497506364486,6747910728622437116,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6528 /prefetch:2
  2⤵
  PID:5292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1988

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
080ed373b984d5f85b9d1ae4d20cb270

SHA1
4985eee1fad37da97ba5283b4e89300336a140e6

SHA256
b7e1ce06b946415362107fae419cc1e1dc6b59a08c78b9152c1a43dc441dc9c5

SHA512
6990e16fd4269987f5c74bd40e51caf465645bf2f181652fc1d23c1a828eb4429c05cf262a97c7fff07a91889cf3abbc3f821c633f8877bd1755a8df752f3df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
f51917d5f11d571f5ccb3c51fdd407f7

SHA1
4ef47e8ec674d9cb2a3032f55bcd7e41a5675b2c

SHA256
bb72121563cca18b49f7d7c54b086f79ed1b003bba8f16976158b252bb473174

SHA512
5803f5803cc018848d1c268f330ee864bb456c1e52b9b1970032c254975f83ae34ec3b8dc684e25a7587054ae1d78ae900c22ce340ba1e3ea562ab64c7a01124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
548d56a871809bf2423c7eab010b49d3

SHA1
acea0be1573a367b4e7a0f3b73ba2f265ebe4d85

SHA256
8fb110e0038e94c86d61ecdd864a856af72dd581246b4941f52d774e52654bb9

SHA512
12dc82f1cd9e6f25cd5358a9f2b3fdd834ee4456c50cb21d865d712200c3c12886a44a4475cca8ba6a28d795e44722e3bc3c1d56e0b343fa8c8a04cf6240e3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
389b128df13d3a9f064502f431746347

SHA1
8400dca75b31cfc228aeed4210e6270bfb6f05bb

SHA256
abc337a166bb002210e956b58a336fe777ddd277ff23aedca36f99fa070be624

SHA512
cfd4efc70a57328565c3d6904f9ee70dad1c49446a6b94a1a38eb755ab0a3ef330c084d39cbf3f284727cd795c91451ec1f7a9a5d8af206359a1dc9b0a94ee68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b072956169152303a4f5d0a2ba1fe842

SHA1
85805bf06790075d492a7176e8f49b85d67b06b7

SHA256
ad7a083ac90ab3488086679bfc50ccb05e5af45464ea0b90f6a8da64f82b7fe7

SHA512
eda8163eb986ba65a541e252612eb66efa5bcdb6a6911295a85ea5ea77adc45160052788dca44629fd90ced73c7f54f4bb6bd24c69b9c76d7cc9680ad9ed6671

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4f29c707daa71d4f5f5172a96c458476

SHA1
b1c9ae8afeb1571b55333aa173286ee34a4c47c3

SHA256
e6b41ba874a6daabf0045a23a07a74a704aacb6233bc9f53a894a56e5e82d34c

SHA512
0c39e8c6e2b744e7f51295cf4614c4194b324806da0fdfd5b1e1aba253f3242728043367ec786bb21c26d620b6cd23da6632e1760178785e8886318746de2f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
81b91f177ecbe4174dd0c6e405fe5533

SHA1
5a4f0f40ca454fa3638d3a30354796339fd87247

SHA256
efeaac437c19dda102f489ea5d83fca24d2d7fea619acc10d2b32c8063352d40

SHA512
d8d7a8bcb40f67baa50c2abf8537ff24de0c04b6767043b443aea95ec843bb94aca59e76de4cbb8154faf2a39bc6d1f0ed6ac13a69685c74a00bbd0425830317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
80cd946a7cba0d7edadd56acbe4e9e69

SHA1
2e6055deefe0753497d6acb848d18dde40b6e402

SHA256
fee73ed8cfe9b3474d83249c2a90bb98f91b6831ce9cd32f6699bfb3b8fe5a95

SHA512
295c0463b9ca990c98ac7c8d28765fde2aecf6ddab77c87a7edeb065a3938b701bcae53e6099df2b0e0cb98218cd06d0d101bc94a6c1de12a601c70e0a34ecd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5a059a7a91b08cad0c7edb4835665d61

SHA1
fadc0a8cff48ec3b863437560b22cd8bc5723b40

SHA256
c52363603e37b9effe0860735c9597204d711bdb7db2ff87be12c859c9ba2749

SHA512
cc24d91175a15ef7565a388c88c47c6d1a28c4bc941e9fae43228a9d8ac81f55614d6507e138183e1d93605ce38426dbb09c67f1bd56b863d8ad02f0b46f2672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5ecb1acfe1f1da8e71b29f4a0f106b2

SHA1
c6c74aadfa527092f75bb7a5d86571ec9533abef

SHA256
9d302df0de5e9ed7e8813b1b44044d752fa03178b434f3074ad5c609c79f8772

SHA512
8793d7eb2dc87a013915127e0d34352a85e3ef1f98bf3e50b63fb6f0c5c05cb3b1b2638d53f34ae9b70d27fc903730957db017e583a6dda2265a5896b38a01a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dfe3fa2c79f339fe2714b2ebbdb09338

SHA1
b94cc9471e2ea503d842b786f7a976536e3bff41

SHA256
4bdb0033a5da0c5548d4f54400c58e9f9e426305df0de2b3f649e0c06688cca8

SHA512
0398e94a8e4fc000859ed20638f71125583821985da1e7b2cc89599ccc65a9286f157c607891134ec07e128e8c32cd2cc620e798940f2ff6f0a1a27f3fd36c7f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 4150.crdownload

Filesize
1.6MB

MD5
231aa8bca139b5221179350c75014b8c

SHA1
f3c3456257ebd16c548861c248dba385f4fb5120

SHA256
f36e764587ea0d9e11364210d1ab41911d93bdb1c14a9d9146b677a56e626c50

SHA512
01562410cb8bd4feacf8e38413b57161778689cbc9b20f6017700f3737de925d3fd21e95451701a135ad120606004a452bf9c0f59742437bea8b9ce94e3ede25

Download Submit
memory/4744-139-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4744-143-0x0000000007DB0000-0x0000000007E16000-memory.dmp

Filesize
408KB

Download
memory/4744-150-0x0000000008400000-0x000000000843C000-memory.dmp

Filesize
240KB

Download
memory/4744-142-0x00000000077B0000-0x00000000077C2000-memory.dmp

Filesize
72KB

Download
memory/4744-141-0x0000000005480000-0x0000000005694000-memory.dmp

Filesize
2.1MB

Download
memory/4744-140-0x0000000005100000-0x000000000510A000-memory.dmp

Filesize
40KB

Download
memory/4744-120-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/4744-119-0x00000000004D0000-0x0000000000666000-memory.dmp

Filesize
1.6MB

Download