agenttesla | hxxps://www[.]mediafire[.]com/file/6ld7ux4tde3m7wd/INVOICE[.]tgz/file

Analysis

max time kernel
178s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/6ld7ux4tde3m7wd/INVOICE.tgz/file

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6828335029:AAHOq6iD_8Eg5u6FhmWF0NHPcKj1jLGtRk4/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Executes dropped EXE 4 IoCs

pid	Process
5100	INVOICE.exe
536	INVOICE.exe
512	INVOICE.exe
964	INVOICE.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 5100 set thread context of 4876	5100	INVOICE.exe	116
PID 536 set thread context of 1380	536	INVOICE.exe	119
PID 512 set thread context of 2984	512	INVOICE.exe	128
PID 964 set thread context of 920	964	INVOICE.exe	137

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caspol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INVOICE.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	msedge.exe
2900	msedge.exe
1672	msedge.exe
1672	msedge.exe
4620	identity_helper.exe
4620	identity_helper.exe
3524	msedge.exe
3524	msedge.exe
4876	Caspol.exe
4876	Caspol.exe
4876	Caspol.exe
536	INVOICE.exe
536	INVOICE.exe
1380	Caspol.exe
1380	Caspol.exe
1380	Caspol.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
2984	Caspol.exe
2984	Caspol.exe
2984	Caspol.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
3212	msedge.exe
3212	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
952	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeRestorePrivilege	952	7zFM.exe
Token: 35	952	7zFM.exe
Token: SeSecurityPrivilege	952	7zFM.exe
Token: SeSecurityPrivilege	952	7zFM.exe
Token: SeDebugPrivilege	5100	INVOICE.exe
Token: SeDebugPrivilege	4876	Caspol.exe
Token: SeDebugPrivilege	536	INVOICE.exe
Token: SeDebugPrivilege	1380	Caspol.exe
Token: SeDebugPrivilege	1160	taskmgr.exe
Token: SeSystemProfilePrivilege	1160	taskmgr.exe
Token: SeCreateGlobalPrivilege	1160	taskmgr.exe
Token: SeDebugPrivilege	512	INVOICE.exe
Token: SeDebugPrivilege	2984	Caspol.exe
Token: SeDebugPrivilege	964	INVOICE.exe
Token: SeDebugPrivilege	920	Caspol.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
952	7zFM.exe
952	7zFM.exe
952	7zFM.exe
952	7zFM.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe
1160	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1212	1672	msedge.exe	83
PID 1672 wrote to memory of 1212	1672	msedge.exe	83
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 4968	1672	msedge.exe	84
PID 1672 wrote to memory of 2900	1672	msedge.exe	85
PID 1672 wrote to memory of 2900	1672	msedge.exe	85
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86
PID 1672 wrote to memory of 4768	1672	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/6ld7ux4tde3m7wd/INVOICE.tgz/file
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f3e046f8,0x7ff8f3e04708,0x7ff8f3e04718
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3380 /prefetch:8
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2340 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,8517879899038686927,4153679917840822962,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5060

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\INVOICE.tgz"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:952

C:\Users\Admin\Downloads\INVOICE.exe
"C:\Users\Admin\Downloads\INVOICE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4876

C:\Users\Admin\Downloads\INVOICE.exe
"C:\Users\Admin\Downloads\INVOICE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1160

C:\Users\Admin\Downloads\INVOICE.exe
"C:\Users\Admin\Downloads\INVOICE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

C:\Users\Admin\Downloads\INVOICE.exe
"C:\Users\Admin\Downloads\INVOICE.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\INVOICE.exe.log

Filesize
847B

MD5
f8ec7f563d06ccddddf6c96b8957e5c8

SHA1
73bdc49dcead32f8c29168645a0f080084132252

SHA256
38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

SHA512
8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
215KB

MD5
1585c4c0ffdb55b2a4fdc0b0f5c317be

SHA1
aac0e0f12332063c75c690458b2cfe5acb800d0a

SHA256
18a1cfc3b339903a71e6a68791cde83fca626a4c1a22be5cb7755c9f2343e2a5

SHA512
7021ed87f0c97edc3a8ff838202fa444841eafcbfa4e00e722b723393a1ac679279aa744e8edde237a05be6060527a0c7e64a36148bd2d1316d5589d78d08e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
b69adcfb75f2916b35c51474352bb803

SHA1
c4646f34326f902dcdd824338e0e9d9ec98c1eca

SHA256
ba460330a066edf83b12d01733f71ee2e5a1d9ff657473ce6a02c1d55635d971

SHA512
6074e327f9c72839df92f70fc623773128abbe598a6af6ac65f57fdcc94b219a5718721676e5e7c982383861ae40b6cb8a9284f0fa2b0db1c05192ab89fbd36f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ce3bca2291bcc2579da48bd08c64e7b8

SHA1
feacc03fa457ee92c064da4145fa59948d1d01ef

SHA256
37698077c0f9ae6969e16487506b3528ae4aa08bc7d94404eab129706b633f7d

SHA512
cba2f32ebfd249306746bbb1e9d24014c731181d9cb09aabbd3b5141065a3958b42db96d587bd778f204e37e46bf269c42eaa7ab7d4c0c3a04366ea9b93d1607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db3e45bc6f6e15b0252c6d1a29980001

SHA1
ca99924f4ecfce81ca668f50023ac23689e25174

SHA256
200656566edcb109e587104a6140fb13da63aa37832e019c639616249d9aa150

SHA512
40787b1a353105a98eeda69f467b6468e935d6da7ab3a037e93f1623f268213720998da23d84793c13a3bd84f5dc9b3950c1506fb50d702c247493ab4469d06b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27f157698fa38cf486b47d7586c43614

SHA1
c62118c5beac54ae318311e538c6aceaf4afacd8

SHA256
0f3b3e44470cddccf99d4dfb457c547229a8823c7f8bf98b8451da0d9adf1293

SHA512
6ec39e7e49694c3c0601f37eca39ae4a7227a4b9640e8ce203aef269c2b8ff0cdd42d922b7d0574f44f419d684248d06100ae0c3e4cb4de1d236ac4e33a7529a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c766935d25fc7326b0f14913d2dc31e

SHA1
9e23902914c5d1f4f8bec4101fabab3a21103f64

SHA256
60906c77e4606d1f15af1ad219e77ca7dd28d08888c38cfe7759f657523fc868

SHA512
8cb4de3f7f530a6ffde7f833b37d5976fd5ac553bacf82af417fa13940879f0e183df7dc754b729e2e91905f14505d8b4201a825bb0bf7860ac985df639c9693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc64cdba54483a20fb670ba9d1ed7b15

SHA1
5a316d233febbfc970c09484b727a10cef447656

SHA256
fe50a580bffdbec6f11bb2abcc1dd63fe40bad66a9bc80036aefbf5dbba222d4

SHA512
349c2e4925cb7c14caaaf32771f9a208fc5b8da06865652cda3671ef97d39009cf35b899ab41c7ba1aa3259c5cf300343eeb774cc79e99ad3df809d7f7a42df8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fe3c.TMP

Filesize
37B

MD5
661760f65468e15dd28c1fd21fb55e6d

SHA1
207638003735c9b113b1f47bb043cdcdbf4b0b5f

SHA256
0a5f22651f8fe6179e924a10a444b7c394c56e1ed6015d3fc336198252984c0e

SHA512
6454c5f69a2d7d7f0df4f066f539561c365bb6b14c466f282a99bf1116b72d757bef0bf03a0e0c68a7538a02a993fc070c52133ca2162c8496017053194f441c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
657d8b3f184569733935bdbf50ec0ecf

SHA1
ad1726073423271b2cfe516e6016fb75e0ceff47

SHA256
0d34b0fa628520ea9d4f9aecf3daabd39286b92ae0a8037c295d0ab6e60a6b1b

SHA512
0dce670dc08d7a4d39a81201f524a2fa7a2005ba81b547cae9de990efe9108ff25d4ede8f1ecf0fa8cd2be54d0f88e0813bfdef489e50fa5c8fa09c3d39acf73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d011e27551fa24cc070867563cf8f1b

SHA1
31417849ed9d02abae494e0f1daecd56de55c5a1

SHA256
d8ea0b4c7c3138e7bd8b7d431133481ce238af4cb25029ebca29c73e516bbc7a

SHA512
c4ce71d1eb4df53282dfc57214ca233cb9d25a9c6186cb9e5dc9c7698e8d8a1cb35d97f873c4bc8c4b72302c2550e40a0cbbd6ab61b0be31f2ab1547b0d47b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
62e4d0c1eaa4508cfe9831bc212ecab4

SHA1
73c16f525f7ac371b8d59390adb08e2e46f195c2

SHA256
bfdf11df07dbd95b951b83c49cd127da83f0b6104012703b3d5d149b85d74941

SHA512
222dcf2efcead76aa2c9e447bf588a6edf324894d4d9be987f3227adfaa97acca105e37f38d0a42a08902a3f86006f44bbf180e689e0e9c1777c37eed67eddd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1515bae59207acbe7ab1e783417b3d32

SHA1
5ff217533f5bfe83b993a71999192d4cef26222b

SHA256
b41edd523f6be843fe84f5d1aea283b31ae99b55110b3362b22e88b66370104c

SHA512
d73eaf1582182a487264fdf4a4a6f15d020d42d9b62ccd30847533591bfd4bcd7003e5b8f66e57ef11b34a832d4b6b16e156385872d30e5c83541c6c27100d41

Download Submit
C:\Users\Admin\Downloads\INVOICE.tgz

Filesize
834KB

MD5
fb613d57a0a94c1eccc0061307dbc12d

SHA1
af50240cfdbbb400364141a7996521427e5b15e6

SHA256
c93484e7aa773215c5b4a8da10304b74d2622b68c842f4e4aa88a0552b903a21

SHA512
3c3a1ba33a2ec844bf19877ac4a119eefd9c7213b35dc3c8fd38185f82f2ebb5757b61171d6e860165f60d1683517bcc52739a81622a1971d97c508c7f7c5cbc

Download Submit
memory/1160-145-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-144-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-139-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-140-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-146-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-147-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-150-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-149-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-148-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/1160-138-0x000001E1B3730000-0x000001E1B3731000-memory.dmp

Filesize
4KB

Download
memory/4876-105-0x00000000063D0000-0x00000000063DA000-memory.dmp

Filesize
40KB

Download
memory/4876-104-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/4876-94-0x0000000005E80000-0x0000000005F1C000-memory.dmp

Filesize
624KB

Download
memory/4876-93-0x0000000005D90000-0x0000000005DE0000-memory.dmp

Filesize
320KB

Download
memory/4876-92-0x0000000004EC0000-0x0000000004F26000-memory.dmp

Filesize
408KB

Download
memory/4876-91-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/4876-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5100-88-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download