agenttesla | f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe
Size

1.6MB
MD5

e90237d59aa816120d3a2fe9ddb1536b
SHA1

a6876e3fdbeffbdc55db62327cd2dc328915dcfb
SHA256

f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b
SHA512

9a426e35bd853796cf8105c5f40bd5590eb42e0fbd662527ff39315bb965067984710c01f0c61e562cf2e7cbcd2f9be392d2e151c96c3b3a43151376c0274994
SSDEEP

49152:OAodtaG9kS2U84B+FLan9k5TRM9zlIVj6:y/B1X

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.visiontrade.ae
Port:
587
Username:
[email protected]
Password:
,,.Ishaq2021 ,,
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs regedit.exe 1 IoCs

pid	Process
1884	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
2488	msedge.exe
2488	msedge.exe
2996	identity_helper.exe
2996	identity_helper.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe
3588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe
2488	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 4856	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	83
PID 2728 wrote to memory of 2992	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	84
PID 2728 wrote to memory of 2992	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	84
PID 2728 wrote to memory of 2992	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	84
PID 2728 wrote to memory of 2992	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	84
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3628	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	85
PID 2728 wrote to memory of 3648	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	86
PID 2728 wrote to memory of 3648	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	86
PID 2728 wrote to memory of 3648	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	86
PID 2728 wrote to memory of 3648	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	86
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 1884	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	87
PID 2728 wrote to memory of 4936	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	88
PID 2728 wrote to memory of 4936	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	88
PID 2728 wrote to memory of 4936	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	88
PID 2728 wrote to memory of 4936	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	88
PID 2728 wrote to memory of 1216	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	89
PID 2728 wrote to memory of 1216	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	89
PID 2728 wrote to memory of 1216	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	89
PID 2728 wrote to memory of 1216	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	89
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2728 wrote to memory of 2388	2728	f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe	90
PID 2388 wrote to memory of 2488	2388	aspnet_wp.exe	95
PID 2388 wrote to memory of 2488	2388	aspnet_wp.exe	95
PID 2488 wrote to memory of 2060	2488	msedge.exe	96
PID 2488 wrote to memory of 2060	2488	msedge.exe	96
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97
PID 2488 wrote to memory of 3984	2488	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe
"C:\Users\Admin\AppData\Local\Temp\f53ac19e1eaa2c09cd5d01fdf87d548fa6f93e02fe8562971a3b836675c0187b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2992
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3628
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3648
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:1884
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:4936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffe5c1b46f8,0x7ffe5c1b4708,0x7ffe5c1b4718
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      4⤵
      PID:3984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
      4⤵
      PID:2420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:1636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
      4⤵
      PID:368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
      4⤵
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
      4⤵
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
      4⤵
      PID:680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15967357232937300841,11760540999167954530,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=aspnet_wp.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:2852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5c1b46f8,0x7ffe5c1b4708,0x7ffe5c1b4718
      4⤵
      PID:3204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
e9cfa0bf7493aeb826696af67096076d

SHA1
b809b4aedc1adc500d10a6fd217fc714bfb9384e

SHA256
879ab7635778e1aaa6b739d8f6098d2a74ebba769377e5715e3d0afcd9fee87e

SHA512
115ba346c6a0a9d19e453e02731b7c212dfb4cbf676611b6da4cbee29d556bfc09d094cfe2cf441ad7f8b730c480f275d6360d79923528f7b04628f578fee200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1c88d201ba20e60f364893d7ff2967be

SHA1
afff1df08b7f27f4ed0ed99b53cb6aca78682f87

SHA256
d9db424e4a54ed840c353a7092bbd6d08ab48c6213c3f87f480251cb279a3be7

SHA512
7643aa3d7bc9a7573cd1fb13479c379a3b3b2f676f6b66c796822b5b8cf391dadcc9091b81b992d8dfc481f04cb4519e82baed0edd67d7dd07398bc54ef550dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
634e6c11fb9ecd38554c4d76c08ec033

SHA1
75d0885450bf73d35a0c325881db36ebed0b6737

SHA256
492603b843ef13a2b3078e5fdfdd92c5f0c50b9db04b93653bc4b662ab567fa0

SHA512
50aff99835cd26189eba4ed7e235607e1765b5db0a95e7c1d4a1bc2a8dda2bf39511bf7fdbc1763cb8219bc4fd7092306f18da148ecb16d9686ec6f8ebce11fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d251f898300baceb0f12c65b9fe2438c

SHA1
c50f979ff9bd6c2df56999ceade3748cdcb0a8c8

SHA256
5a53869cf2118f01e08c48268e06f3499150b1074c3c678ebac8c87a5beb3f1a

SHA512
b9e867971b8aef500e8e43cb487ef1d3ddd0067190ec54b154a686f4bcb1a86df66ebf973c790ac8ecb5fe03c3a0743e5ded65476acf812c8f5cd8a97c19d683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c9cc552a2ec4baf12c56a405950fabab

SHA1
165ae8de4598765da19d4989076269f551a0f437

SHA256
dd906b58864ead41180ecd80f1de897832dde038102ef30458a96764ce3abb9e

SHA512
e691e8365c6b591b3d302e6b0cb1dc65368612da8c7b49c8532cb6e81fd1d15a1e8098dca17c6617b7fc18c7d6563aa480cad127cb56b9ff70fb741c5ec0e288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ea12.TMP

Filesize
371B

MD5
ab5c52604da948c0310add49c2a3c07f

SHA1
7eda95db5a59f74e1189aa5443e4519e37b0b756

SHA256
2e72c5bc5668911316604889921c636dbf92dda224b82aecf472ea6d77ccc33e

SHA512
70ab28eba5f4ecc935a7a5a2129b7609a0d139ff7ec9a280bbdcf04b322b29ef0fcfd5b7eb4a66e5842538b7b31af5954efd9b27f9b8d97613da4fdd93f53f4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4b39e4496ba63d2ac7076327a2e93f9

SHA1
ab6b7eab1f9a9b2c5e37c6641724e3da58facf02

SHA256
af966790198ccefa70126fcd39cfb6e6f73c550ca44e859e7a7bd8b267a8e062

SHA512
111ab61c9383ddd13442862826f68550c2613682fcdb8c939173009021c11c563b72b9e46a95a47404a33500b343aed74b7de30c9f3e149b2f3f8ec78f9227e6

Download Submit
memory/2388-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download