agenttesla | hxxps://dosya[.]co/2wc73yr4es21/ErisimEngeli[.]zip[.]html

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 02:29

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://dosya.co/2wc73yr4es21/ErisimEngeli.zip.html

Score

10^/10

agenttesla discovery execution keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023520-485.dat	family_agenttesla
behavioral1/memory/5176-486-0x0000000006330000-0x0000000006542000-memory.dmp	family_agenttesla

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	BTKInternetAgi.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\btk.lnk	BTKInternetAgi.exe

Executes dropped EXE 3 IoCs

pid	Process
3028	NDP481-Web.exe
3560	Setup.exe
5176	BTKInternetAgi.exe

Loads dropped DLL 6 IoCs

pid	Process
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
5176	BTKInternetAgi.exe
5176	BTKInternetAgi.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5612	powershell.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\2766033437.pri	LogonUI.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDP481-Web.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BTKInternetAgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	BTKInternetAgi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	BTKInternetAgi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	BTKInternetAgi.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1800	msedge.exe
1800	msedge.exe
1400	msedge.exe
1400	msedge.exe
3136	identity_helper.exe
3136	identity_helper.exe
5108	msedge.exe
5108	msedge.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
3560	Setup.exe
5176	BTKInternetAgi.exe
5176	BTKInternetAgi.exe
5176	BTKInternetAgi.exe
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	2900	7zG.exe
Token: 35	2900	7zG.exe
Token: SeSecurityPrivilege	2900	7zG.exe
Token: SeSecurityPrivilege	2900	7zG.exe
Token: SeDebugPrivilege	5176	BTKInternetAgi.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeShutdownPrivilege	5908	shutdown.exe
Token: SeRemoteShutdownPrivilege	5908	shutdown.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
2900	7zG.exe
5176	BTKInternetAgi.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3028	NDP481-Web.exe
5980	LogonUI.exe
5980	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 4376	1400	msedge.exe	83
PID 1400 wrote to memory of 4376	1400	msedge.exe	83
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1288	1400	msedge.exe	84
PID 1400 wrote to memory of 1800	1400	msedge.exe	85
PID 1400 wrote to memory of 1800	1400	msedge.exe	85
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86
PID 1400 wrote to memory of 1080	1400	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/2wc73yr4es21/ErisimEngeli.zip.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff91c4a46f8,0x7ff91c4a4708,0x7ff91c4a4718
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,7595325007168187160,1989431000006144849,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ErisimEngeli\" -ad -an -ai#7zMap8103:86:7zEvent20775
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2900

C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\NDP481-Web.exe
"C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\NDP481-Web.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3028
- C:\87e9fdf066cdc6bfc244cf54949b08cd\Setup.exe
  C:\87e9fdf066cdc6bfc244cf54949b08cd\\Setup.exe /x86 /x64 /web
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3560

C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\BTKInternetAgi.exe
"C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\BTKInternetAgi.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Windows\SysWOW64\shutdown.exe
  "shutdown" /r /t 0
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3958855 /state1:0x41c64e6d
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\87e9fdf066cdc6bfc244cf54949b08cd\1025\LocalizedData.xml

Filesize
81KB

MD5
075961c7e742c66ee4cd8b614a778141

SHA1
a5541fa0487135aaed1c336bba79e8025ac2804c

SHA256
4198a6ae89b0be8bd07ed3c18dea6ca87239a5a47343b73ff612ce0ab47e08dd

SHA512
c6881fc501805d0cb5aa9b42fc14029404a236166699e3845586e0609c26e4536bdd6ca2181e1139f83d5cb78c35d0fa7d158134f522fb9f4736880e330fc8f6

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1028\LocalizedData.xml

Filesize
70KB

MD5
8b37256ce099957b91ebe1d51ad8f61c

SHA1
6bf4bcf46781126ffdce92e39ad4d1d912e75ac5

SHA256
7d6777e8c9484229c1b8e3f2e354a88f57539503c2c56f2b0ee47679a6ef9cc0

SHA512
6659dec6fae7a7f733a0c9e44a04f178a6732e1b9b785833c63efd8ed6e25adabb58e37b2ec039dacdb071732f8ee42ceb297cb2ec72b67e8d25eb093d5423a5

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1029\LocalizedData.xml

Filesize
87KB

MD5
aadf97951359a8267f7990cdd2cc950d

SHA1
61f626b44e252e916c9c70a4222efc9c21d951c6

SHA256
e28d2d89fc269d25272956cee4d7150a30706f58ad305e84e3c1c9fe7ac0ee86

SHA512
2d352cf7d8d167b2a9fd4416582328d894619f2eb213fd334e1b15ef1044735a69ffca36fba02d9d1af6355e9d1a55d38c3b7f5339ecacb8c1dfdc4cc50c5342

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1030\LocalizedData.xml

Filesize
84KB

MD5
e1f2f586d75650df1a751d86bb659df8

SHA1
283097241e6b1acc8f30ca822585df104c918e51

SHA256
615a6380adcfa3a0e7a5db2df9b98dad650678d8c46b1c7c3f2d2854204f079e

SHA512
b7fb3e366a7e5cbaaf99e8e14731653dd14885cd0b3d5462c091113f12800478ff2e5bd351bd403abaeef3041cdd5a7693825e488f27ec48d087686c95daa774

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1031\LocalizedData.xml

Filesize
89KB

MD5
74d28384c38283518c6490bfd068ebf1

SHA1
c52d2fd41a59691e18871ec64db10c43f241fb6c

SHA256
01afd814b009538f387812f6940c863a9d0cd7dc4159050f34f82e50ecbc33f8

SHA512
e23ae604eafab0c3a0d8aeb07321c0dd629d21c5ba47d37958f48f1b9f27d89de4db880ec3958ad1e5f2165a69bed18d61f73f71fd743a2d7eaafdc0ef8d1cc0

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1032\LocalizedData.xml

Filesize
91KB

MD5
233d0d1551b17f2284ad80674569de79

SHA1
67cd31126c6e5547e60d7266e61b6835b80b5916

SHA256
7106a1121056a73fed77aab7c7293dddffe0f5aecd7db969799a121ad5d88181

SHA512
c3375081c704fb05c7335929505ef4589fa728c97bb58738932b7ee05dd6e00c19d8ba14bb0a8dfce0d51ac73fa76bffa0ccc00772b73850eea37d39088a0473

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1033\LocalizedData.xml

Filesize
84KB

MD5
31bff8efc0cc701092ab7fe606271d65

SHA1
844cc4837ebe3eea9563df6613989b4588d6f19c

SHA256
b3048715a23d9bd77e9b3e1ec8577f94cfc8c2dd30b61dbf326871a97aa6e22c

SHA512
472b881df9128c93f9183ab05d2406146aeef8ce9723c9dcfa6e93d093d90b2db75bb4a3f784d26db187436242409f021fa8b7844aa04bf9cb58f48a6c4822d5

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1033\SetupResources.dll

Filesize
24KB

MD5
49a9bedc81cd400abbf794f272883a8d

SHA1
dc9aa0fe56bc4f0d5fee333eb28a29bb4750eed1

SHA256
197cb97902aa576a8a4dcbc5b4615a28943b1941d67c6fc163b5b4a034c650d0

SHA512
bd579834eb275cc07d458052317f1851380c5a510869b224c0441f70d2cb468c5cea034649704c9cced28cf2425fa1c67c0f8c22011b81ce98ed243647422415

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1035\LocalizedData.xml

Filesize
85KB

MD5
c78dddce3189c67c23f60561dcacd4a8

SHA1
e375a6d1f71709ead1ad4139b1c16476019666d2

SHA256
e9353dedb338ce826b3b990851a955da1b04e484a378cac7c3c17a2de26d14a4

SHA512
a58d995936f5c5310e04f7514c177a071f3451638f0a9692593c4d505c5f48caeca1cee9644b092bf32bd70c52bb956f0b87ac748190aea2040adc3afbbab3b0

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1036\LocalizedData.xml

Filesize
89KB

MD5
d7e814adae1a18958416b7e29ae7078b

SHA1
857fed2c8766102d1a64d91eccb0661f6de750fd

SHA256
c8c847bf9ddf8998520123ff0a638c6e9843c860b68943275b7f0256f324c4ce

SHA512
73ad8b3d24ace1795c93ef807b3e644512fee2a295eea05a93fea07d131746aa99f895a68075efe44c2c4e305da3881c27a342d2fa13dd6d1f258a9cc669491a

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1037\LocalizedData.xml

Filesize
79KB

MD5
a258bd1060df46dcefe6257d4af638dc

SHA1
9e989db32e94499a717c93e889ebf47787509a42

SHA256
83120845e156ecbd401a9047365647cf8e9b2ec75d9295237da33c53eda365e4

SHA512
6f69aa98e264e3de3669f52e34140bf3a1bc333e3e3c4e06228eb1a78aabde380c8a444d9086a1f1188c49ead7ca73962db488dfb8e4e13c09ebf539ae53d011

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1038\LocalizedData.xml

Filesize
88KB

MD5
1b59e64e51b3f9b96e8897d5b9b17c37

SHA1
1fdd8951133add26ae062da306133980e31809b0

SHA256
5dfa759937eb0ee393d94485e0ac74546d344f342fc3d42ad33847ebbd5163e4

SHA512
f1cb4670805ccd1327a7ea31b98caccc7c5bc7cb7ea7817a5749b0e176f4bdae36339d25d1037f9cdb19a47bcaac4e53fc49656c365ee7981473264b55f2a996

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1040\LocalizedData.xml

Filesize
87KB

MD5
3192c0f7f30df881ec199d77b095b93e

SHA1
dca1cfe248a9de56f2d207d5f1979c92e006831c

SHA256
5dceb300d25c68003d61437e3802f97e1d5503e27032989338f7d260c7b0904e

SHA512
42a5f98103e23d7e8d7a34f8ba08d027ac4317d92109565b5f3fa4fd7057104d3a12b88846bee1914451cff59ed1b46e9146592784c09cd724bf004eb65864c3

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1041\LocalizedData.xml

Filesize
76KB

MD5
4cfdb16e84869a51119e17a545ace7a2

SHA1
5eb358e13291d65ff8805513254b02ff3b83d7c6

SHA256
1c2587f7c0d7e57494061d24638a83c8f9d33a4eb192cfe6bd65c172fb6a76a4

SHA512
381878c16a98aae9ef688bf4735b13d2d42b2c115d76c1677f5c275db3745b35fac35468f11d80284307a6f5ed93265fa2c378a5199284d848fdf984f2a88daf

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1042\LocalizedData.xml

Filesize
74KB

MD5
401f386416c7c37f92da9ec1688d750b

SHA1
c6565b80ba557827e3e6b96901f27fdcd1b525c6

SHA256
721cf8956fb2fb01df302713351eb9721cfccff096dc429d02b0f2b150855919

SHA512
f4ac60826287262b87bd407c85091d583ac504645faabd6fe8e116ac50e35908341d85850e8888e5928cb8235101e6b7a1074597946d584550e8aea6a7fba591

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1043\LocalizedData.xml

Filesize
86KB

MD5
18efd16361a280efe263f261a4faa21e

SHA1
6e5bbbc46b2decdb00cd957d02e27bbbf2a4d880

SHA256
88de82f8c0934f23e0eb16224def959ff55da396610bd34149e4fb9aab24fb03

SHA512
b4bdaf600c5a855c040db974744b780c4860474c38ec453c4bfdc5a11c8beff65437d17c5ab0c3c78b5b861d93b0d41f1c3f4d5d435d233ba3719f78c9058446

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1044\LocalizedData.xml

Filesize
85KB

MD5
a9998c1f395c44bcd41faa0ae60439e4

SHA1
4a267707c7dd8a24eed4c433b3c41b7e1a6a936b

SHA256
8165d0b468d73347a495f525dc81d847bb84b3391c8af1abc95e2b8f4a51d620

SHA512
9f0fb00c34ee788f9e8058915794b822fcb31f1c35a1d47ce5da2b15bae904cab513d55111ae4cccbf4da2587a4c3e045f0cc2e95654c9b5631a3a4a86632bd3

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1045\LocalizedData.xml

Filesize
88KB

MD5
5eadf11a5b9af3f40b21328474ba3b7e

SHA1
af456b6123f9adf4ea0b926124b926ea3056248e

SHA256
4362c962c7611190999b36e139370245104b66398ebddd56b210810440c43e88

SHA512
e0f0c32c736d23d40508daaa2fb7b7033034154869a4f411aa4ff96c7ff197d97b1d89eb4a6da1dbfeacdd3373c45f22bdda70554521bbce409c051ae4573e42

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1046\LocalizedData.xml

Filesize
85KB

MD5
361a4c229849b55e4540943b5c04403c

SHA1
46a0751432df223c936393f21a7543a3b314157e

SHA256
c2afb880f0986ca807b1dacbd5a9f2a5b9be4930c29379cdd88a6ebf9b0618c1

SHA512
40ba8c19286f992e5742f342532161062c36504aa3a364cdaee15e2e3ab750012d6502278d064f45b3df13b3063c66a361d688adbcaa6eb7a657c9a50e0e9380

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1049\LocalizedData.xml

Filesize
87KB

MD5
f65088c4998e6ca3a872fc66bdd2a192

SHA1
c697a3a043a6104befd6f8e1b85e746c3d84e390

SHA256
3b2c633bb0a7342418aef0ce29331643a4cd48a572ddbb90c3d3433d135fd952

SHA512
a5938da7cab6e963c553de1c135ee9c7ec565fc97ed4d433dfff9debb5d31ba3bbf3d1b8a12e814462fd92f4c39680ae71dbd2e3df846f23a1a98921f3981992

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1053\LocalizedData.xml

Filesize
84KB

MD5
a6f6198758552f453df96c4a8fb84134

SHA1
c40dd5faafe457c6c814695b4885f065f9d2f4bd

SHA256
b28bd460c2df31315297083c5507c233a569e1e89547127191468598b35eb36e

SHA512
9b958a0556d5989f71d1e38848c8b6b54ff6bfe292ad599b81e808f4c193cd41a23885d806539a0c246b811519a73d5fe7b0ce679c53119cfa97f999784fb66b

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\1055\LocalizedData.xml

Filesize
84KB

MD5
c515bca575c7e7e7dba8c1ac2a3031d7

SHA1
3aa307513e55a2ada4866ff8fcb2de4e5184a1ad

SHA256
98b5b75b8a89606dfcb54c622884671211199dffced96c29269010b81b06231a

SHA512
5a8c51f55aa6ae44f0a6932a30f0054e8c012080696d5fc784a3ec89aa63275978440364e6b9663eab5466af459594fd1c5d517c629f312bc9b4943e9e040a29

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\2052\LocalizedData.xml

Filesize
70KB

MD5
83242627ea9f4ea7c346a8830026eeb5

SHA1
75a8f52fa3e03b2f04b168d517117f80212b5672

SHA256
4577902142bb96b849f6b78866a5e81c761109a454470948902a40c73f7b9b7f

SHA512
cd27e3ad4168b7bb61b2336f73cd9f61516b953271aeecafbe22cbcffe18ef45d4a4e2c7513c3986939ffd635f2e7d1868798182ffcb4ae0e7aa207c5bc67bc2

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\2070\LocalizedData.xml

Filesize
87KB

MD5
50b9f5f566fd83ceeb0fd0992739388b

SHA1
c040e31d59580541bbcbd662598e8d3fbf52b51e

SHA256
4aa6b559e8993de92797e0d1c595cec0bf305403dd275a231f8417ba4c09c1a1

SHA512
87736f5db8bbcbe4924667e8f5820dc5329e902632d22480ac4768023215fd0db399f442eb1ba76ab2c5c008e58611f006cae4307605a5340380127fd83f70a4

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\3082\LocalizedData.xml

Filesize
86KB

MD5
14005b857dd90ec8bde8e80c3cb0faea

SHA1
7aa4e6f4c9feb808b2dc95f7541bd10aee02874b

SHA256
9d3fd31e3826b91d68ea34a6961cf288e23251cdf8faf0aad02653a55c53f2e0

SHA512
5ad424144a47fcc47ce5a33225a7cb1017b4278b5e3241da48213e132c4cef549ea3c107e7789f42886bdc0a343f50fcd0fc0b287efaff010bc1186251c5c0ec

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\ParameterInfo.xml

Filesize
1.0MB

MD5
4a0c5e0d81034c74bedc85b7f4759888

SHA1
d2c13fca6d918c7b4d25c8b9290bac053c551694

SHA256
5b872fc7d87f00634137d4051ee6f4cf481f9f7e0163ae7589a6c40a7c828569

SHA512
913425ea56c02ec136ee6eab4ab6a44e6a61f428ee431df241e2c745377d33835a6ecac69a8d02596f2adbbbf602a8afe578a05a1e3d253aa6e60e5666e1214c

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\Setup.exe

Filesize
118KB

MD5
f7a63e2d4217b71d39e4b18b3dadf632

SHA1
c3446cd1a50f6374c3ad3446607864bee97426d9

SHA256
43290269962f9edb13d042d54973a76570f6e4b6a4af33e7362f8284b9083720

SHA512
1703b6c1b1f96febdee8663fa9e8e11939715781810f5feccc6f11b0298fed4f83f6decd975ed1c05dd0e976a12b0738040d0c09db46389a2720462a6624c942

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\SetupEngine.dll

Filesize
899KB

MD5
9964ce1f4874a686910dbc1aeec1a326

SHA1
0b434c566f6722c765245a1228b7600fd10ba1c9

SHA256
3a45fbe9c5e03f67b49808c068eb2ce831e4eebdd1b38e520e4be5a5537a72e4

SHA512
8d123ab8e6b767a80d122b021a77460373e2b0841c92375ba1f56830529a2610bbf3749ce95aa64b67f45591378246409f035518feced582c7ebe1b6609dba99

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\SetupUi.dll

Filesize
341KB

MD5
b90a60068318cefa24e3344c4ef71649

SHA1
e61893f999442bbf6c0b1fa4c154fddb3be721f1

SHA256
1f757ea33835920a08fd9558f973761f70bc63a8c01fda4db1170e19ebf0c73d

SHA512
372d17ddc5ecc1190a81be67d1e9a256e9d52d1225a0de064dcebc3b7da983412a3ec1c5cb4f3f1abfe5a1fb3cc69157abbdf05e1c6bbea368d0a357afbd611b

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\SetupUi.xsd

Filesize
31KB

MD5
a9f6a028e93f3f6822eb900ec3fda7ad

SHA1
8ff2e8f36d690a687233dbd2e72d98e16e7ef249

SHA256
aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848

SHA512
1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\SplashScreen.bmp

Filesize
117KB

MD5
bc32088bfaa1c76ba4b56639a2dec592

SHA1
84b47aa37bda0f4cd196bd5f4bd6926a594c5f82

SHA256
b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7

SHA512
4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\Strings.xml

Filesize
13KB

MD5
8a28b474f4849bee7354ba4c74087cea

SHA1
c17514dfc33dd14f57ff8660eb7b75af9b2b37b0

SHA256
2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b

SHA512
a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\UiInfo.xml

Filesize
63KB

MD5
c99059acb88a8b651d7ab25e4047a52d

SHA1
45114125699fa472d54bc4c45c881667c117e5d4

SHA256
b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d

SHA512
b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\graphics\print.ico

Filesize
123KB

MD5
d39bad9dda7b91613cb29b6bd55f0901

SHA1
6d079df41e31fbc836922c19c5be1a7fc38ac54e

SHA256
d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6

SHA512
fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\graphics\save.ico

Filesize
123KB

MD5
c66bbe8f84496ef85f7af6bed5212cec

SHA1
1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1

SHA256
1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd

SHA512
5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\graphics\setup.ico

Filesize
123KB

MD5
6125f32aa97772afdff2649bd403419b

SHA1
d84da82373b599aed496e0d18901e3affb6cfaca

SHA256
a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5

SHA512
c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\graphics\stop.ico

Filesize
185KB

MD5
7d1bccce4f2ee7c824c6304c4a2f9736

SHA1
2c21bf8281ac211759b1d48c6b1217dd6ddfb870

SHA256
bfb0332df9fa20dea30f0db53ceaa389df2722fd1acf37f40af954237717532d

SHA512
16f9bf72b2ddc2178a6f1b439dedabe36a82c9293e0e64cfaccbf5297786d33025a5e15aa3c4dc00b878b53fe032f0b7ed3dee476d288195fb3f929037bdcdbe

Download Submit
C:\87e9fdf066cdc6bfc244cf54949b08cd\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
d5cf86f7fd8a0bc4a2ab55af4af7e9f9

SHA1
3eded078bfe5d8a95b13f19d9a2f3f92bfd4f2fd

SHA256
44abc7b3f8dcf4cf87e7803217a46bd404d5f7e70db505af8cc5e0af322d4a0c

SHA512
1650cda0abafe06ada89b2e1f2dd52e736d0ccf9edc6d25163c8362a01ba8d3a17d72a1db097f57889a79916c66ddc4200909d102d77d861d74780dd9a85540e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
c8597e21c9b00a20b4a2d818d97e1dfe

SHA1
5d4838f9433943201f87d29db950920272900d54

SHA256
271cf8cd560f63b90628313ec803437c96d1f6caa10b45a62a6b1615a580a1bd

SHA512
a0c6552a5ac51b52b41a653b5682de83fbc5994b637e9531a32ffacbd97fa50837223cf959d36549d0a850a09a9b317724125fa662ae084f43f712bdba8689d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab3458ea2c41c6fb1d7a6ce1d4828550

SHA1
1f46a83105d722d96d2c6e7f31633ab5e7bac037

SHA256
26592ca1993d8fe4fbd968e904588b98b566f60664919c50ddece2e055c53839

SHA512
50401a9036f3dcdedd084b712060b26203fa48e911e0daa9137e0494aac82a10c233e224d0a223d59a9fdd0b0f513053d15aef238b95879e372db5e8a8033776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3f4042c8c39c16001832242efdf6ce20

SHA1
2c8f5ca9babcfac01f9d5f4a8fc9d1814631605e

SHA256
ac09f82fc4f2a613c1802b90aed1c8d0277ba98e6dcb830040c6daed949d22f6

SHA512
4d376a0844aa412f697b446046c5526bd3e02d74bc056d3eb631b853e4a6b7cc0030c6dae83134d178f3aee84e2ec4d47d538ea76ce40b25a1c27a6a4bd1c2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
275cefa519e7933897d86c98b1a82777

SHA1
ce6c1ca1b9862336455eadf61b5d3019d435fd1d

SHA256
a7114e5a51d078249e51a8aa984d87d30676f0abb366ffddee61df11a4f5d2f1

SHA512
c8d1a940b5352b00dc699082a4d8033177129252199df09c2d86cee547f0fff78e80b3f5b4a45288f8c19b09bfc53faa075d3922d11064dff8521d9f192efda5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d395dad72c93afaffb215a0acfd01343

SHA1
1cce80b10fb86bba542d7fef3560a9149d9eba57

SHA256
2f50892ff8b3627acbb966494fba8348f518d1f78acafea94e30d2f5e8edfc56

SHA512
cd844394b2e21b657534f44e76eb3495a46048f6d9ebac7783c57141a257f21fe79af51abc2e3515cc1681b8aeef35b83257c5f4910f65db5706c13ce0d3e86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b59e5b0a47a98b0013c0bb7430e66de

SHA1
b21eda6e67a7f7583343e4dafe8e1d0a088b7077

SHA256
331b433ab06a8f981e06b683efd3e80f73fed3509f6984ad627a8de61111a79c

SHA512
643685e3a63b6cda79a0239eaebf51baeba1045010045070454dfd45de9499efb89502576e022139617049e998c8f19db92ab5389e432b435ab805ad35445297

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2x50gl3k.320.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ErisimEngeli.zip

Filesize
2.4MB

MD5
9941b21868922cc214ae69b1dbc7452c

SHA1
9a4e7d8d0ced13948423aca12e9cd772d2c62bd4

SHA256
79adb6b9405c73db160ea4be1b036c32197b1890bdcf0b32b082a703efeabf18

SHA512
9e3c74a4a6a293bb7cb9066ebbcdb2b9bc9862b8928b9e73c29109db56e0d8d62b60589089f0b037b3e0744995c5f71c01c9583b078e517c24138f4ff973f665

Download Submit
C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\BTKInternetAgi.exe

Filesize
797KB

MD5
5299a07f38ca573f1d4bfb998229f0d6

SHA1
7b37be31b784e41a98c9f84755f3b9bda37a11cc

SHA256
899cdce451f9793046356eaeff97468d477b7ca141ba7d67649e60dbd17550d6

SHA512
2a4617566e164d2d3dec5240114f744ce138786830d8f72de63a112192a7a4cc1598f1051c8fae1b8b433b8b69fd5937b5ca2083316b4e99dd5aa016873b6870

Download Submit
C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\BTKInternetAgi.exe.config

Filesize
187B

MD5
15c8c4ba1aa574c0c00fd45bb9cce1ab

SHA1
0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

SHA256
f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

SHA512
52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

Download Submit
C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\Downloads\ErisimEngeli\ErisimEngeli\NDP481-Web.exe

Filesize
1.4MB

MD5
39304ce18d93eeeb6efa488387adaed8

SHA1
22c974f3865cce3f0ec385dd9c0b291ca045bc2c

SHA256
05e9ada305fd0013a6844e7657f06ed330887093e3df59c11cb528b86efa3fbf

SHA512
4cf7f831fc1316dd36ed562a9bd1fda8cca223d64d662f3da0ade5fddc04be48c2d40333ba3320ee2d6c900e54c4f7e4f503897793e86666eac7e242d8194f5b

Download Submit
memory/5176-484-0x00000000057B0000-0x00000000057BA000-memory.dmp

Filesize
40KB

Download
memory/5176-481-0x0000000000CF0000-0x0000000000DBE000-memory.dmp

Filesize
824KB

Download
memory/5176-486-0x0000000006330000-0x0000000006542000-memory.dmp

Filesize
2.1MB

Download
memory/5176-488-0x000000000ADC0000-0x000000000AE36000-memory.dmp

Filesize
472KB

Download
memory/5176-498-0x000000000AEE0000-0x000000000AEFE000-memory.dmp

Filesize
120KB

Download
memory/5176-482-0x0000000005D80000-0x0000000006324000-memory.dmp

Filesize
5.6MB

Download
memory/5176-483-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/5612-541-0x0000000005E80000-0x0000000005E9E000-memory.dmp

Filesize
120KB

Download
memory/5612-555-0x00000000070A0000-0x0000000007143000-memory.dmp

Filesize
652KB

Download
memory/5612-535-0x0000000005890000-0x00000000058F6000-memory.dmp

Filesize
408KB

Download
memory/5612-527-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/5612-529-0x00000000057B0000-0x0000000005816000-memory.dmp

Filesize
408KB

Download
memory/5612-540-0x0000000005A00000-0x0000000005D54000-memory.dmp

Filesize
3.3MB

Download
memory/5612-526-0x0000000004B00000-0x0000000004B36000-memory.dmp

Filesize
216KB

Download
memory/5612-542-0x0000000005EC0000-0x0000000005F0C000-memory.dmp

Filesize
304KB

Download
memory/5612-543-0x0000000007060000-0x0000000007092000-memory.dmp

Filesize
200KB

Download
memory/5612-554-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/5612-544-0x000000006ECA0000-0x000000006ECEC000-memory.dmp

Filesize
304KB

Download
memory/5612-528-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/5612-556-0x00000000077E0000-0x0000000007E5A000-memory.dmp

Filesize
6.5MB

Download
memory/5612-557-0x00000000071A0000-0x00000000071BA000-memory.dmp

Filesize
104KB

Download
memory/5612-558-0x0000000007210000-0x000000000721A000-memory.dmp

Filesize
40KB

Download
memory/5612-559-0x0000000007420000-0x00000000074B6000-memory.dmp

Filesize
600KB

Download
memory/5612-560-0x00000000073A0000-0x00000000073B1000-memory.dmp

Filesize
68KB

Download
memory/5612-561-0x00000000073D0000-0x00000000073DE000-memory.dmp

Filesize
56KB

Download
memory/5612-562-0x00000000073E0000-0x00000000073F4000-memory.dmp

Filesize
80KB

Download
memory/5612-563-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/5612-564-0x00000000074C0000-0x00000000074C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads