agenttesla | 4b6445ecc58246ae8a6bf5f6fa698e9a78e5f84ace99b33fe4620bdd30a97324

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 09:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HwidSpoofer.com.exe
Size

3.3MB
MD5

14455e202aadc14b93925e7e1e0b3638
SHA1

b39a2fe207201ef21573a56bb9e5503e2111cd2f
SHA256

4b6445ecc58246ae8a6bf5f6fa698e9a78e5f84ace99b33fe4620bdd30a97324
SHA512

6d547f69a1f2121c31b418e857c8383acb890cdb8b894838e84b6f1b83feb1edb67a143ec2ee7d60633f96b601032f393f386c12b4062fd98055f12a93f65146
SSDEEP

98304:K04Zo07xa9g7xa9L7xa9o7xa9T7xa9Nppppp8vkESY6SXvyQt:+I9r9o9D9A9QnB6SDt

Score

10^/10

agenttesla discovery evasion keylogger persistence spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/1976-13-0x0000000005420000-0x0000000005636000-memory.dmp	family_agenttesla

Executes dropped EXE 6 IoCs

pid	Process
1976	hwidspoofer.com.exe
1068	icsys.icn.exe
5028	explorer.exe
3676	spoolsv.exe
3176	svchost.exe
456	spoolsv.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	HwidSpoofer.com.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HwidSpoofer.com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hwidspoofer.com.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icsys.icn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoolsv.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	hwidspoofer.com.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	hwidspoofer.com.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	hwidspoofer.com.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{93E1E46F-F131-4306-881E-0B0DC47B9F73}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
1068	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5028	explorer.exe
3176	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1868	HwidSpoofer.com.exe
1868	HwidSpoofer.com.exe
1068	icsys.icn.exe
1068	icsys.icn.exe
5028	explorer.exe
5028	explorer.exe
3676	spoolsv.exe
3676	spoolsv.exe
3176	svchost.exe
3176	svchost.exe
456	spoolsv.exe
456	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1868 wrote to memory of 1976	1868	HwidSpoofer.com.exe	86
PID 1868 wrote to memory of 1976	1868	HwidSpoofer.com.exe	86
PID 1868 wrote to memory of 1976	1868	HwidSpoofer.com.exe	86
PID 1868 wrote to memory of 1068	1868	HwidSpoofer.com.exe	89
PID 1868 wrote to memory of 1068	1868	HwidSpoofer.com.exe	89
PID 1868 wrote to memory of 1068	1868	HwidSpoofer.com.exe	89
PID 1068 wrote to memory of 5028	1068	icsys.icn.exe	90
PID 1068 wrote to memory of 5028	1068	icsys.icn.exe	90
PID 1068 wrote to memory of 5028	1068	icsys.icn.exe	90
PID 5028 wrote to memory of 3676	5028	explorer.exe	91
PID 5028 wrote to memory of 3676	5028	explorer.exe	91
PID 5028 wrote to memory of 3676	5028	explorer.exe	91
PID 3676 wrote to memory of 3176	3676	spoolsv.exe	92
PID 3676 wrote to memory of 3176	3676	spoolsv.exe	92
PID 3676 wrote to memory of 3176	3676	spoolsv.exe	92
PID 3176 wrote to memory of 456	3176	svchost.exe	93
PID 3176 wrote to memory of 456	3176	svchost.exe	93
PID 3176 wrote to memory of 456	3176	svchost.exe	93
PID 1976 wrote to memory of 1688	1976	hwidspoofer.com.exe	98
PID 1976 wrote to memory of 1688	1976	hwidspoofer.com.exe	98
PID 1688 wrote to memory of 2292	1688	msedge.exe	99
PID 1688 wrote to memory of 2292	1688	msedge.exe	99
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4048	1688	msedge.exe	100
PID 1688 wrote to memory of 4120	1688	msedge.exe	101
PID 1688 wrote to memory of 4120	1688	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.com.exe
"C:\Users\Admin\AppData\Local\Temp\HwidSpoofer.com.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1868
- \??\c:\users\admin\appdata\local\temp\hwidspoofer.com.exe
  c:\users\admin\appdata\local\temp\hwidspoofer.com.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dsc.gg/abdiv2
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffeacd046f8,0x7ffeacd04708,0x7ffeacd04718
      4⤵
      PID:2292
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
      4⤵
      PID:4120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:1880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:2384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
      4⤵
      PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5196 /prefetch:8
      4⤵
      PID:4016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2244 /prefetch:8
      4⤵
      Modifies registry class
      PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
      4⤵
      PID:1284
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
      4⤵
      PID:5260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
      4⤵
      PID:5268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
      4⤵
      PID:5488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10634414968042030373,1818655846104041773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4608 /prefetch:2
      4⤵
      PID:5672
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1068
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3676
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
7f71fe0b12568d57032a99c006fb506f

SHA1
86ce7bb9ded56e141242b5ac756bb5dcd915e8ec

SHA256
7fa6cd98df39bd5dd393d3c1376d304c25c24b004d03755c9015c64cd281e950

SHA512
eeae21e0650810b26a181fd46b06b4efad4161b3a1b465e928a88c208bf4042b3a19076df7bf3ad816e3e9160fb4b128c9228317ebe58d5f2bf58728629d5d98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
453B

MD5
be9d480a1d54f8fec37e49ba557028ec

SHA1
0c101635bb6f0bba31f081de190840276713cac8

SHA256
ba45f8769396ebdccb99fd8d1092e424e754b8cf80f658c912a6034408206dc4

SHA512
4cc0d4680491697961603671bdb0dce8a588381625c5ea2a8509a9201c588efe3f23eeb2fbc8c7f8436b5e602b0d05921b4738af02a4e5149e7acb366c0ab2b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
12a0e3a5593526a33b5cd274c1b3d20b

SHA1
1c68370ba653c8a0da4d870a86d567ea3d8d1dc8

SHA256
ed3215b0b00fbd3ad4ea438d44a7442f101d18682551d7a779f439c2f88c56cd

SHA512
2d21132ad37e378dbac3f5a5fc28d821471603ef6cf79bc34b4a966df2b56f9fc608a68bb89c9a9eb889c300cca23c7d0d310afa1b94917ac0be19116cab09ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b409925c960434cdc50426ce868013fa

SHA1
2af6e3a24f75533396c643c72d0cdf8def6d33d6

SHA256
19e56477335ab7160cad1b952cc958e950a8463e0a9b1fafec5b599c25a1157e

SHA512
578506be5538ff0800bc68df48f287d894c4ff7ee8917604a9763dd51c94bd5f2828df0c407dd289e5dd1eb3ac0511a28033ae220e5c32420830046a3778a29f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3ef4a8fe986f0700479a736584d0dacc

SHA1
69a635b232b486d9f5139da2e1f2ceb973d03980

SHA256
f7452800bd29c3458a869fe60d0b6c2c0ad66cc51783d6b460f71c3d601f5eb8

SHA512
58a2e1d242dbd6dec0fce5e7eb99a16e9c2871a3c75c674ad2b5370b853474c665f2be7cec4aa176c456542ac216955fdf1c80fea9a4682fe3a283ccefd06be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwidspoofer.com.exe

Filesize
3.2MB

MD5
fe972213b44158482bee7bfd284746c0

SHA1
cf87c237249a170f66ae79387ed185a26f5c9aed

SHA256
dcc252a5e17e598b81d95fb7e74676c4f3480f8368f9f74582fb89c3433cfbb3

SHA512
84fae7570def0919f5ef27494da41ab47225722f1468d6b2812b3c29c2ef50e5fd636727cf17144c3ff2a051da0c261ca5a59d72c167252d92bb758806a028dd

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
0d6c5df24b314033a11221a59cab8f56

SHA1
6d797e668b499edef0ffa00097eef9bac9d8a8d8

SHA256
c41490e7dad62be565e5f2e4dcf22467560d7535c0fd29da46ec0d2a4b913dca

SHA512
39d9b934ab4925820323f01b2fe74bfe86964a19eab507b874ae734e2240e575d4c7361143ce369984faf6d8314adadf0fe8291327f741c1cd03dd94c849a413

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
d55de084c3c23474655a9767de628d15

SHA1
e03c9bda898b9f27b8fd143c55b97fccddccbb7c

SHA256
fce827b88bc65b164260083e89f760c663623c71f5bf954e8d47779458a67f6a

SHA512
feadb07ebfaf4f47d24d09fb3ec91f4c2741eaad78d08057dd0f604de1b47e3c03a5dbdd7337d86388e758be9c48fdfc01fb97f9de089dab5439b2763ddfad4b

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
9250fba6a7b3801fae59271274474003

SHA1
f87c5bf6b86266116df2a9324cd50ccc71184f48

SHA256
3ef61cfe36c48ac01cd32a49d5ae11647bc0d0fc898298c23479750bd37b08a0

SHA512
da7fa3e3abc520ee121334f280305c02a57ecdb0774c2563f29f7a9d3a4cecd377dc642020674ce7624408db6a9d9e12b7e2e06079989bdb1e98d18f6d4109b7

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
ea900ce27f84d74b42f28783a74422e9

SHA1
1c804d71153da4b665d072e122a8be6d8def6309

SHA256
efad7ff69820f1f318d66c5c20b350398daf317b2db9c586366f35be4e40df6f

SHA512
b07a7e5be29a88679f42b95d711964889a29e69b348ee727e51f6d374d297a7d394640a5e66ecec2ab9d02cfe6cf9228868ff4c3e0b8a63f13ec144def7b2984

Download Submit
memory/456-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-55-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-56-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-15-0x0000000005740000-0x000000000574A000-memory.dmp

Filesize
40KB

Download
memory/1976-11-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/1976-57-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/1976-9-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download
memory/1976-10-0x00000000004D0000-0x0000000000804000-memory.dmp

Filesize
3.2MB

Download
memory/1976-12-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/1976-75-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/1976-14-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/1976-13-0x0000000005420000-0x0000000005636000-memory.dmp

Filesize
2.1MB

Download
memory/3176-48-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3176-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3676-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3676-38-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-27-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download