agenttesla | 24b755b6d9e30fbb8edeececa05a0b01df452af64befa48b25c3f6555408ce10

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2025 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ING0988700F09089.html
Size

17KB
MD5

8bf3ddfc517dd706161a51c52e1ec5ab
SHA1

4dffeca66920a5d7c3233c30bb89737806b1cc41
SHA256

24b755b6d9e30fbb8edeececa05a0b01df452af64befa48b25c3f6555408ce10
SHA512

549f746b46b78854b32cf56c259d515ea5c1198a63746995fa48324ff2667d99dd44c1b986212b74ea62b925b6dd6a553d8b097b47ca7944898713543ce25a75
SSDEEP

384:m0D+I/3qThPsnNVbG2y+rkSVdSgLhb1i/mBQ:RD+XThP+0Kkca/me

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
162.254.34.31
Port:
587
Username:
[email protected]
Password:
M992uew1mw6Z
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Agenttesla family
agenttesla

Blocklisted process makes network request 2 IoCs

flow	pid	Process
46	3652	WScript.exe
61	1564	WScript.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	api.ipify.org
69	api.ipify.org

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4488 set thread context of 2092	4488	powershell.exe	141

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	mspaint.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	46	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	61	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4320	msedge.exe
4320	msedge.exe
2272	msedge.exe
2272	msedge.exe
4800	msedge.exe
4800	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe
4488	powershell.exe
4488	powershell.exe
4488	powershell.exe
3716	mspaint.exe
3716	mspaint.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
3236	powershell.exe
3236	powershell.exe
3236	powershell.exe
4488	powershell.exe
2092	MSBuild.exe
2092	MSBuild.exe
2092	MSBuild.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	4856	7zG.exe
Token: 35	4856	7zG.exe
Token: SeSecurityPrivilege	4856	7zG.exe
Token: SeSecurityPrivilege	4856	7zG.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	3320	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2092	MSBuild.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
4856	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe
2272	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3716	mspaint.exe
4060	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 716	2272	msedge.exe	83
PID 2272 wrote to memory of 716	2272	msedge.exe	83
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 1108	2272	msedge.exe	84
PID 2272 wrote to memory of 4320	2272	msedge.exe	85
PID 2272 wrote to memory of 4320	2272	msedge.exe	85
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86
PID 2272 wrote to memory of 4160	2272	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\ING0988700F09089.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff267146f8,0x7fff26714708,0x7fff26714718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5076547678227358177,17426817741172706924,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2760 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1196

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap27217:94:7zEvent8592
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ING0988700F09089.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
PID:5036
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\out.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:3652

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\xRDgFdPbCUZXODi.vbs"
1⤵
- Checks computer location settings
PID:3804
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2092
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4488" "2800" "2748" "2804" "0" "0" "2808" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4032
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3320" "2676" "2616" "2680" "0" "0" "2684" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2276
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3236" "2712" "2652" "2716" "0" "0" "2720" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ING0988700F09089.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
PID:1864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\ProgramData\out.vbe"
  2⤵
  - Blocklisted process makes network request
  PID:1564

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\StopComplete.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\out.vbe

Filesize
8KB

MD5
7b2e7b3b31b3e60521b04efd848622da

SHA1
d231fa2de5ac438a754281655cf3a9c19168c32d

SHA256
2e7a0777210fc1bb325391b8eb1f7e32c2be7fd0d4b0f3ace33ba9560c4622c2

SHA512
e7dfbbe1e782d30dc39db41555c21e765f6b3407005da45c9b4d58cb68251a432e701cfc92490b270eafe87aac4d0c6f7c29193a991cebc52ed2f2e6b931d312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
583B

MD5
2b8e4878a589c18f15582b4f0a5ecc88

SHA1
66c3073638aab3462f4c21934cbbb1ea3a5dce24

SHA256
5daa08c2fd5429eb5a1ec46554889af70c2744aefec2b94ebef8e45738432654

SHA512
6d97058855fe5ed972d696b0261e81be608c62359afd90b48c089e04a9baec69c2169c6b2d8c96469a8aeabc8fa18c2189160eb46d5707fc6135051e822345d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba699ca367e892be5212f4a99ed4bcbc

SHA1
f381620c9c67969b5eb27e44546afc61a2f3ffe5

SHA256
f689ebcd26b98f3aab8cbb73aa373f5f4515a2686c0e68cb833d5746052d2302

SHA512
f4b028c2b53d570c8c2bb434e99b157aefccdc77da90cccd4a57bfec14df8c75737403d41aff810c94a6da917a7b648b49606de00f597f17088e490b71178364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28c6c95a6961087b54adf5b8d8366516

SHA1
e5365e7647eeb8b9ca30bb2be85f3d641a9eada0

SHA256
cbef73677f1a8da3d67127e275914c1423df42ad88d6f719c416f76a8a15b65d

SHA512
a144763842db7e7c5127b6cbbaec2bafd84625640907e8970c2aa5ff1a8d501cf6df4248074f21f9b38d9429b4d624f377beb913f9a33975cb89c0cc01673129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
85e44c9b92084a8d158659ec68002fc7

SHA1
64ddb848e0deda6691ebe467569e7b5a1012d355

SHA256
ad131928b53ccee181b1946711bddee0eeb33277454de52920f6db9dacb02eaf

SHA512
183fd965154cf1251a5b54012268d2bcf551e5313ca1581e0b3739f12ee8c83a315c4d7f48b47b0ac985206eb1c2054cab409dd5890d1490e9f5af17031c612f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00c64319bd4ca27086a33a35ed0d1872

SHA1
8e8b996f0632d1029a895b9716ed14f8fa49101a

SHA256
62b3c47603d05b3e928ed8dafcc02d944673ffed9d01d5a2adbbc6b21e6505e7

SHA512
88235f36efce168466e244b08089a3e71d5b58df8e69db5bc59681ab97559521fb5ec86f5481e7a9bfcbab31ff6997d58f62d7d8d76c882117340257a53fd709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
df5bda8e493853535e27ab2df18f4751

SHA1
6046e080599665adb66d866ca8f502155cc54314

SHA256
806e32b4667a2808b5ad24335ba5860bf9f4ab91940bd4938d9061f5489d2bd4

SHA512
e3cd4370c93461e06d63410cc382022f71467ea1b85c9912e7cd0dd6077d9b44bf5b767d053b49deb206c833aa15310eceea89a623683b631c56412e1dbcbea9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc6f17b164696d7253a4baaa79f6d44a

SHA1
65f0226f30e446b2b561c763d2642adf1ef57c59

SHA256
c07815da20e7481fd59fefad3d1a62aa87bd71c57fe81e849154356181b0d4ba

SHA512
d96793eb582f71ff79bd2c00bc1f57d262886edad384e5262257e4b3b4213b2e92ec30ac6000c7eb2c054835886e618389e9f7733af201f8569e4455c003da85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
2b30242fe3de4d9edb43c28f08031166

SHA1
3dec76d6059bc908c3c1afe3c6512bb9b2884466

SHA256
176626b849aae53dfff8e6577e14ce326ef446cb4ef95fc7aade9b6e2444345a

SHA512
9891c05741744099c40dd66f951e963fe762e3d241a43f338bc805df81727fc0728c0f257a229f7c5a79d713832cd933488eb6740cb17e29630a53b4753b4240

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2w0zs3s.dgs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
440f18c12360b9407560df4ee64612b7

SHA1
18b6a7334bac76a94950c6ce3a63e79c0fe58674

SHA256
d5ef0dbddb2cd987502efca21fd5e45c198b74d3cd1ab0a67708b4f9d0b4e3e4

SHA512
a635a8c4a1f1c4971e551d4b3e3d67d034f9043fe086a60c5596c87cd0048503657132a67f371023afaa4b74958ea6419d2623745b6acc725199301c2579ebf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b8896a3c9c142c2d6938f894bf0d972f

SHA1
0353a38c8ac2f248db449d3e3a84a2c6b0709b1f

SHA256
6d38a521d42582052ea54a591d942fe7c840ffc39b24b58ee558530d046d3b31

SHA512
2e893f270533322c6e80a2e5ac716dc33899003ef72f2c7f84756adf32d8a26dde0223b8f1fabd3ae36e9666907a961281c4606d8644b782ff20315da40be4b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a3f3d303547ef975fa7aa72b6128b0d0

SHA1
09afc8c4a82440cc23f0dc83c67aeca9005d4599

SHA256
1e5143917fd1eeb3b62d5307b20d0299a0a85e978e35a8d397a064734fd28e4b

SHA512
7c97abe77d14314a7d5ff045b696db7f0da2154d0342db1b623f13a8c979f9660ca85be06fc720201d168de8c381a34ae5f445d0218236185e5a9a89c4eb68d0

Download Submit
C:\Users\Admin\AppData\Roaming\xRDgFdPbCUZXODi.vbs

Filesize
2KB

MD5
aa3252045aea552e9a9933f92372075e

SHA1
a5f197cfd8df3ea769cce9a3e03a53c9d8195e80

SHA256
e94a6dd48c7fa8a74c46497625e2fd33c122ab68d1efa29623153d69410cf70e

SHA512
ccd1dada025a89c09e69f1b5e5b12b2f871dc6f665bad015bd27d63a32935ce08c44239f3e8103bd42334f02461389b982c039549cfd353a9753c1f29cbb5279

Download Submit
C:\Users\Admin\Downloads\ING0988700F09089.vbs

Filesize
17KB

MD5
a12eacb8924e53f9ea7baee0ee67c87d

SHA1
dd30212fdbf97f53caad3baccb20f4b2a34d77f3

SHA256
9102e5545429c6e58a10cf1038270d80be18246289817490365dac2845daa07b

SHA512
bba524ce9581c98c33e2cdfd3b30edd0bc6747db8f9080e536933efa8419ac8c7e10830197558a7dc40a9ef63fafbcb1e06689ece4a271f7f7cd04dc9fe93380

Download Submit
C:\Users\Admin\Downloads\ING0988700F09089.zip

Filesize
4KB

MD5
e20121b41dfc09733c3bccc0aa1ffe05

SHA1
b6384dae2e05f7c01420a2a5c853e47e06839104

SHA256
5e4a5777685226367add66799d77ad4caac76a45940dd41fc686a34d5f4a51e2

SHA512
c6bb69dd7cad5f14e3809f2fde8d25f70fbc91014cdc80fdee507ecd2ef16c03195188eb4b0242d8cc13080bb6820050598e5b4ec1d3d7042350ea88cfbce11e

Download Submit
memory/2092-255-0x0000000006BB0000-0x0000000006C00000-memory.dmp

Filesize
320KB

Download
memory/2092-228-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/2092-229-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2092-256-0x0000000006CA0000-0x0000000006D32000-memory.dmp

Filesize
584KB

Download
memory/2092-257-0x0000000006C20000-0x0000000006C2A000-memory.dmp

Filesize
40KB

Download
memory/2092-213-0x0000000001000000-0x0000000001040000-memory.dmp

Filesize
256KB

Download
memory/3236-254-0x0000026B448E0000-0x0000026B453A1000-memory.dmp

Filesize
10.8MB

Download
memory/3320-221-0x000001C2A87C0000-0x000001C2A9281000-memory.dmp

Filesize
10.8MB

Download
memory/3320-253-0x000001C2A87C0000-0x000001C2A9281000-memory.dmp

Filesize
10.8MB

Download
memory/3320-189-0x000001C2A87C0000-0x000001C2A9281000-memory.dmp

Filesize
10.8MB

Download
memory/3732-140-0x00000217881A0000-0x00000217881A1000-memory.dmp

Filesize
4KB

Download
memory/3732-136-0x0000021788100000-0x0000021788101000-memory.dmp

Filesize
4KB

Download
memory/3732-125-0x00000217FFDA0000-0x00000217FFDB0000-memory.dmp

Filesize
64KB

Download
memory/3732-121-0x00000217FFD60000-0x00000217FFD70000-memory.dmp

Filesize
64KB

Download
memory/3732-132-0x0000021788080000-0x0000021788081000-memory.dmp

Filesize
4KB

Download
memory/3732-139-0x00000217881A0000-0x00000217881A1000-memory.dmp

Filesize
4KB

Download
memory/3732-138-0x0000021788190000-0x0000021788191000-memory.dmp

Filesize
4KB

Download
memory/3732-137-0x0000021788190000-0x0000021788191000-memory.dmp

Filesize
4KB

Download
memory/3732-134-0x0000021788100000-0x0000021788101000-memory.dmp

Filesize
4KB

Download
memory/4488-211-0x00000271E1050000-0x00000271E1058000-memory.dmp

Filesize
32KB

Download
memory/4488-243-0x00000271C83A0000-0x00000271C8E61000-memory.dmp

Filesize
10.8MB

Download
memory/4488-147-0x00000271C83A0000-0x00000271C8E61000-memory.dmp

Filesize
10.8MB

Download
memory/4488-188-0x00000271C83A0000-0x00000271C8E61000-memory.dmp

Filesize
10.8MB

Download
memory/4488-212-0x00000271E1060000-0x00000271E106A000-memory.dmp

Filesize
40KB

Download
memory/4488-117-0x00000271E15A0000-0x00000271E1616000-memory.dmp

Filesize
472KB

Download
memory/4488-116-0x00000271E14D0000-0x00000271E1514000-memory.dmp

Filesize
272KB

Download
memory/4488-106-0x00000271E0FE0000-0x00000271E1002000-memory.dmp

Filesize
136KB

Download