purelogstealer | hxxps://www[.]perfectmod[.]fun/hwid-spoofer

Analysis

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.perfectmod.fun/hwid-spoofer

Score

10^/10

purelogstealer discovery stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023517-361.dat	family_purelog_stealer
behavioral1/memory/5652-363-0x0000000000CF0000-0x0000000000D36000-memory.dmp	family_purelog_stealer

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	SyncSpoofer.exe

Executes dropped EXE 3 IoCs

pid	Process
5652	SyncSpoofer.exe
4264	SyncSpoofer.exe
4412	sWsmPty.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyncSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SyncSpoofer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1392	msedge.exe
1392	msedge.exe
1624	msedge.exe
1624	msedge.exe
4588	identity_helper.exe
4588	identity_helper.exe
5816	msedge.exe
5816	msedge.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
5652	SyncSpoofer.exe
2944	taskmgr.exe
2944	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	5820	7zG.exe
Token: 35	5820	7zG.exe
Token: SeSecurityPrivilege	5820	7zG.exe
Token: SeSecurityPrivilege	5820	7zG.exe
Token: SeDebugPrivilege	5652	SyncSpoofer.exe
Token: SeDebugPrivilege	2944	taskmgr.exe
Token: SeSystemProfilePrivilege	2944	taskmgr.exe
Token: SeCreateGlobalPrivilege	2944	taskmgr.exe
Token: 33	2944	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2944	taskmgr.exe
Token: SeDebugPrivilege	4264	SyncSpoofer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
5820	7zG.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe
2944	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1544	1624	msedge.exe	83
PID 1624 wrote to memory of 1544	1624	msedge.exe	83
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1236	1624	msedge.exe	84
PID 1624 wrote to memory of 1392	1624	msedge.exe	85
PID 1624 wrote to memory of 1392	1624	msedge.exe	85
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86
PID 1624 wrote to memory of 2212	1624	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfectmod.fun/hwid-spoofer
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab66646f8,0x7ffab6664708,0x7ffab6664718
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:5796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,16525417267701651863,7076890160167594607,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7084 /prefetch:8
  2⤵
  PID:5504

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x4f4
1⤵
PID:5608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5268

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\SyncSpoofer [update]\" -spe -an -ai#7zMap29205:102:7zEvent20369
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5820

C:\Users\Admin\Downloads\SyncSpoofer [update]\SyncSpoofer.exe
"C:\Users\Admin\Downloads\SyncSpoofer [update]\SyncSpoofer.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5652
- C:\Users\Admin\AppData\Roaming\sWsmPty.exe
  "C:\Users\Admin\AppData\Roaming\sWsmPty.exe"
  2⤵
  - Executes dropped EXE
  PID:4412

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944

C:\Users\Admin\Downloads\SyncSpoofer [update]\SyncSpoofer.exe
"C:\Users\Admin\Downloads\SyncSpoofer [update]\SyncSpoofer.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
20KB

MD5
681684b98337ff2d590ec8145f8f95d4

SHA1
a3d12dd3e20be6520c06bda3c188ab58478370e6

SHA256
6ed6c1fd7cf2572a27b0de9b5797bda243394eef1cce39c5583b9aa8e9b6ca26

SHA512
0743b836ce01b920723eb59e79ceffe2a068ec1dfb55523ac7850ebd9c432788677f0327c9ce8b27aa60d9d8e9294b08bdda53c20651f38f1cb0be073a859a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
63KB

MD5
e93848e7f29b9126e8c2ed6b0bc630a7

SHA1
10c9807e351a13104c0ee913fe7002f6324199d6

SHA256
4e857dc011248d1ccd8fcf8972714cccc44d7045e0b9dcc18e663b2d754e4bc6

SHA512
54c9b845fef1dacf236f88e7a7de0d1b36a4a4bd20eb926d81ccb6a3f8e7ff78c04ea24fe757c677a2007249713dde30dbb18edefad38d0ad6888d61aa14fca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5b1f12c17782a8ff0070aaa41d5d8d3e

SHA1
94609c1e8b2c1affdf32ca0d5dcbdc7c6d2b74d7

SHA256
7aef10001e5e5b3b8e9c6bc4ebf90a3ff7657ab73c0f04165689b8700bacf9c3

SHA512
90c02569e66b6c939ea54e42167bdbd6657a999c7260bc19f44b0f74af274bb6ba9adc8018b20d691e12fe0e72cdd905fee9b2ea6121bd3664a2789b8bc24a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bcc12645bd2b9e2aebbf0fb50abdfdb3

SHA1
1c3c3d9288bd8d1d3ef147ce12cd9491a680c4c4

SHA256
3b33c4c601cc42e12648ffed448b64615030130f71e10b2524a919f846390f10

SHA512
33ec8d7f2af64e3318680769c2e15f754e637aff7e99cec33b11bfc069658ba366d6ffe4870a7b6c8945c4303a305c27331761f3c1e4be6c3dfcea1d72691a0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
59f4b7275ce01007d5846eb475285630

SHA1
599247876750ac32f20a8c157cb344fc134e4722

SHA256
c39e8c47b6afe0c2fe06708b81a8203ce4ae7a9f533efff4e6ec241ec397f7d7

SHA512
eea0550bee554dd248ccd5c0f8eec180576e0bbef1ede9b4203e70b8af61877a9a3c307c8d5560f2738086cb05a38273147a098211edd22eb67bc980f29e0f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb86288d1be371d24d6b0823608e4c99

SHA1
39cd3da4ea54f2f18a7c6453546d5a498e1d4e33

SHA256
d13c99f38b4df5b2ea931f577575135bf4aa0adcaaa2e39c244c2a9c6d0962d6

SHA512
bad1c382d4e67cb28bc5404bcaeac384b7b3b4340ede4207e14dbbb33e2536b587bafe35500457f3d3cff9812b8560f16956cce7f4cc54dad539aa8b79e2273d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e3e48aba9d5f1658850b681bb1accdfb

SHA1
d71ea5345e2e8dfe837d198ca768a64009463555

SHA256
d40ff580dbb1e0ef148049c58026452b33de2c01eb41bcbc18782c7c181dad86

SHA512
7012f25a6d541a89e97444820fb84effff3498c1e7a83e7c0421bbd0b5282fde6fed33a12d5944f196de3006799305085826bfd511ac30d12b729e8a2ac96f93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f9c07c75c082e8f8d7487a9a0184662a

SHA1
035c12b3613da21cfde639e34040d59fdc7cff6f

SHA256
ab91036b6690f2621fa7d17364e73c58c8de436e1e02621a7266d28f8c64824b

SHA512
1900b35f14da064c352f590cc16856ccae35414ea5f3a1f947e2690c7f2d3010564b872e1cde7c688cc3ec4fdda7fbb3d192147370408b28f2c2741a905e3e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
526a067430e2260a7a2a8da3df6dea50

SHA1
1458344df2d18c73061b5c0e9cae4717730eaa8a

SHA256
7d1550a98349059b031428a6c5968ad59e671b94887839205fac3c841759421f

SHA512
28c5400ff131288c0cab9895d062025ef9277e699e843ec8534782a580f5dcb62072ad9f570d2d5b96b9d48b5528260cd56d37179a309d15e16f340416886de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c6de743317b00fb4b566360a5e4bf03e

SHA1
4ff1946dd801c5dbd6104b2fabdee052e7a86583

SHA256
a4b37bd2227374d93ae0c4e418932499589ac5597d6a77aac1e3eb77e7a57e22

SHA512
f8f85e0844b86d72ce8e29a413e1ae72e2ff616b13e448bf5448bd80850cdf925f1db651e4394c9af4de74a034cd0281ef718869a6c43a70f939d38d3f6ecac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5ba19b.TMP

Filesize
204B

MD5
bac45e7c79a0021f408ef9dca4bc7759

SHA1
4314f5c7494b8cf54e37f2f0bae9abb78b6d4c89

SHA256
06f861c9af43bcf2873c520dd61a506631fd6d9292b24f9cf82d596f5a2816fb

SHA512
bd85f0bb1a031699582157dc9474583178f788af9f06ecd70c9596ebe8b379ce3a017c5661b2db100d722b47c0f0437170a87f3deb4569f75da472d63f77fed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b819e78d9e6acf16ed0ebfdc46adeb8

SHA1
e656bdf8afc0beb8a996bf6ed3e730ec1eebc8c8

SHA256
8e8d9dc893da9a9a3c231eb9c9a01979e7051774b7ebdb975962319b060bf79a

SHA512
76c8296496b8be577d64aca25716ce3e9510f911f64b410e313a2dc9e3347a855fd6239868a2699b3590f119a7af471985a4d3ea75d4fd42d7d146a7c5b3a6ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dff13edaa90a73669f17213c2dbee29e

SHA1
52ae3461f924387c93977a5095fc8c225975d0e9

SHA256
2a4d693caaca06499541b3a1d557ae60ad5f5c4c69232c7881add2cb6ae0c830

SHA512
d123840744c4b431ee4d2d46398a0970a45101d459d55739b0e75660b8942d4fe183bbeb608aac34e142b876ac886ec38a2f174b85dbb48f22cf7796a5fa75b0

Download Submit
C:\Users\Admin\AppData\Roaming\sWsmPty.exe

Filesize
13.2MB

MD5
f94352e1545f9b8820885dca9baafcb4

SHA1
710f642efb3e30e5e9a3abc7586997de1aac0852

SHA256
07d614e26f1ab51b36eba12ba11e5deae3415688c6d6989e9a41d387884df763

SHA512
d13ccb3b6ba61db1bc1a03438fda50e617ea531ea568aa86366909fecee01b8979e284552aac2441aa8bdeddf4c1634d1d5e82701697978986294f53196537ab

Download Submit
C:\Users\Admin\Downloads\SyncSpoofer [update].zip

Filesize
74KB

MD5
a4bc70f8cf74da1fc5dcb2ff74f93d6a

SHA1
1a8a4328a03636d9a0815b3663e04df3e903e5f7

SHA256
f047b89c3b3b5ef56453bdf0c9016a6109f27dbf7f2d019d3424f007d15eb665

SHA512
f0e58297c7bbbf131e6ffd2e4305405dc857f8ee5d9aa6eba47b00bf68e950227cc9b99f68563cf4cf8b7f98d9d295cb1c4be97e093136cddc9921b93b780ce8

Download Submit
C:\Users\Admin\Downloads\SyncSpoofer [update]\SyncSpoofer.exe

Filesize
276KB

MD5
5a8afe7bfd11728c32066c4290eeddc7

SHA1
f2064bbdec287d61722ef35e511b4090212cd1a8

SHA256
92c799a2fd29060a44558a153d1ff5866e420e46b35bdd4546c782c17d4bb50f

SHA512
e03994e666aa7ff84400e86e4cc3db5a77a5475e1961b553f16dbc293160f58f196b0ab6fb7be4ba34b1d030969f2f94ae80dc0c423f3ec015621bf987b796cb

Download Submit
memory/2944-395-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-385-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-386-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-390-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-396-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-384-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-394-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-393-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-392-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/2944-391-0x00000201FFB20000-0x00000201FFB21000-memory.dmp

Filesize
4KB

Download
memory/4412-464-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-453-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-465-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-462-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-461-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-460-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-463-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-459-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/4412-466-0x0000000140000000-0x0000000140273000-memory.dmp

Filesize
2.4MB

Download
memory/5652-364-0x0000000005770000-0x000000000577C000-memory.dmp

Filesize
48KB

Download
memory/5652-441-0x0000000008110000-0x00000000086B4000-memory.dmp

Filesize
5.6MB

Download
memory/5652-363-0x0000000000CF0000-0x0000000000D36000-memory.dmp

Filesize
280KB

Download
memory/5652-365-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download