79c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487

Analysis

max time kernel
133s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
Size

240KB
MD5

fdd55ad9190ca9a56c0d400d65b7504f
SHA1

cd2e1d9636fa035ec3c739a478b9f92bf3b52727
SHA256

79c986fd9c87542256a607eff10f5a2f84165b08bd9dd161e2d33e213607b487
SHA512

bea47ea7099e6922ffa60442e3f7010fdffa86e37a020e2fc30502b42a76ad5fbfd9780af988742b398fb9487744d4095912183157aa89ae40f31492b76e95cb
SSDEEP

3072:s0JdEu+qhhl0lPWxkWOCVY/OvMEcMA0bgzdiDp2uU7ef9aoACaNRCHeP3KqX+n:EutRjxk0dcMlIkN2uff3ACGCot+

Score

8^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file 3 IoCs

flow	pid	Process
104	3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
230	3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
230	3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe

Uses browser remote debugging 2 TTPs 10 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
4244	chrome.exe
1620	chrome.exe
2604	msedge.exe
4860	chrome.exe
2200	chrome.exe
3872	chrome.exe
4632	msedge.exe
4400	msedge.exe
2240	msedge.exe
2120	msedge.exe

Loads dropped DLL 2 IoCs

pid	Process
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133877488828061195"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-83325578-304917428-1200496059-1000\{C16F8B2D-424C-4D1E-99DE-6DE82D5BAE1B}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
4244	chrome.exe
4244	chrome.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe
Token: SeShutdownPrivilege	4244	chrome.exe
Token: SeCreatePagefilePrivilege	4244	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4244	chrome.exe
4632	msedge.exe
4632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 4244	3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe	89
PID 3652 wrote to memory of 4244	3652	2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe	89
PID 4244 wrote to memory of 3896	4244	chrome.exe	90
PID 4244 wrote to memory of 3896	4244	chrome.exe	90
PID 4244 wrote to memory of 3732	4244	chrome.exe	127
PID 4244 wrote to memory of 3732	4244	chrome.exe	127
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 3112	4244	chrome.exe	94
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96
PID 4244 wrote to memory of 4860	4244	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_fdd55ad9190ca9a56c0d400d65b7504f_amadey_smoke-loader.exe"
1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9e31edcf8,0x7ff9e31edd04,0x7ff9e31edd10
    3⤵
    PID:3896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2152,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2148 /prefetch:2
    3⤵
    PID:3112
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2380,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2536 /prefetch:8
    3⤵
    PID:732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2976,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2984 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4860
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2992,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3008 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2200
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3992,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3996 /prefetch:2
    3⤵
    - Uses browser remote debugging
    PID:3872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4588,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:1620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5328,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5284 /prefetch:8
    3⤵
    PID:1092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5432 /prefetch:8
    3⤵
    PID:3320
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5620,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5332 /prefetch:8
    3⤵
    PID:3472
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5764,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5760 /prefetch:8
    3⤵
    PID:4092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5348,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:2900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,4698290072280537905,12055465936381892939,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5528 /prefetch:8
    3⤵
    PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
  2⤵
  - Uses browser remote debugging
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7ff9d405f208,0x7ff9d405f214,0x7ff9d405f220
    3⤵
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    PID:4392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2168,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:3328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2524,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:2836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3536,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=3612 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3508,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=3568 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4180,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=4352 /prefetch:1
    3⤵
    - Uses browser remote debugging
    PID:2604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --remote-debugging-port=9229 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4196,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:2
    3⤵
    - Uses browser remote debugging
    PID:2240
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3788,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5256,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
    3⤵
    PID:2020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4200,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:8
    3⤵
    PID:4132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4868,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
    3⤵
    PID:3732
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6164,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:8
    3⤵
    PID:1332
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6164,i,12290069057468259630,13383332346352896827,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:8
    3⤵
    PID:2776

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2153bca58b42ffaf481317f7b9d8195f

SHA1
7b555f2fd61d6ec52babb00cfc1a64592e166e94

SHA256
b4131a82279fc9a423e927b0977472ff7287b8d0dae068e79a7fe6b2c551d09b

SHA512
f4b9c05036060417ca21d580690a73c6c2ad66f5c198cefae7ac88957a7d8d089e27dac4e250b397d00f2f1b39dcd72f9a9ba8f52c3fa2785a8752a287e9d29c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
2b96f564b3d365a41896fdca8e451c6e

SHA1
3e237982e0ac776d18b0b003200a34ab36654cb6

SHA256
f3a41eac3dc1dfcaf4c77a2c20210311f0a2abfdbd374d8a82543c7209e1ba33

SHA512
06799593552547736a87382352f2315088c5b7c8e84a88a87d1d36f7ab24b4b1e410de4f6cac3075ed79eba591bcf1c5bcc621140f0300bf3bedafb3ac05ae05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b78ad87fe89d6bd4088039ca68491e51

SHA1
02d62ba0abcccfa5a84c43aa35a137ba7d939271

SHA256
33e43b06053ba6f30c8a6938337e93f83aaf7c55596de773a182a798f4b79862

SHA512
d2380a919255235770792baf00c95ac499dd4b7df32d7d6c486105723f22fea90310e06c48e64f146f0333c656f08cace5be136ddd5edb25a8d0d50a35e67712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
eec55fe349980566b1dbf1d409d28c3e

SHA1
654ce4b550defea0851f12e8ff81ae9298bb3f60

SHA256
2e81ea3d7ddfc0274f3955d5131143c481e63f2529514c5295873b393d508efe

SHA512
58e02658d08732b5f36e868331a483b5fde15475a6c5f704a19c97d920399c3f7d41a8fa163c66683bf403598f8f48f0cf9fa468f9783fcabd9136a55cec0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
5a7e1750438748bd333b79a94ca69b2a

SHA1
94fd1be56969e269ce195ba29c3d464d356d6556

SHA256
6d7a64a318c25c643323d5cf1c0c80ccf2f2433e7d74b722fca90468f8f9b914

SHA512
842509c0f495ee24d152ab3f7867183d7cd64b01b5a9305405682abbbff3aa18a8ad7d97ee039393fdd1766fc17ad2df1caf711dc4db8dc7b9df608ffc0fdc7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2f9c3550-1ca3-4a43-94f5-81d4e22504b2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index

Filesize
1KB

MD5
c11be72b66431f13195b876b22b765fd

SHA1
a8f1c469a28956bd6a2ca3777f156c7eee498137

SHA256
1f2540856a64fd4296570050ba3ae2e401e24ac8775d08c33216b12ee7eb6300

SHA512
f64dc3cf50498130a12b24e7b8622c3e34027a82951748d40ee09e49f692e8853b2b687543d10b403bb24d5406205444db669aa74ae63cc040242dc19f9597dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\b6a380d4-5862-40a9-a645-ceea7f421bc5\index-dir\the-real-index~RFe57c8ce.TMP

Filesize
1KB

MD5
e66bb51adc896238daa3daa30492dd1d

SHA1
ff06a013f7017602189c354e1ec4ac8ca923cfb8

SHA256
43a82b5bf85eadbf1a8cc5b789de188fde398d206597c3b2f22c255a3e503d6d

SHA512
d4ff4c44838affe1d40e5cf2db4a7d1e2e56349571cd9710df1cc358a6dc46c20ae49dc6ac73d076ed9999bf164dcf89c36cb7e755d887e7a4fbda6e8961012b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
801ca0fb1c7e7cb93f9dff518b63ba1b

SHA1
0becc384641cc7ea56b40bb2d11f16da862743fe

SHA256
6f4bd0eba1f1c1aa041ac2c0b76d314653160a64865d2cfd5e19f0367836902c

SHA512
6a7f6665da5270f3796447f2e9b38f7552b43c6d7718ba6542250390c4b1d6d7aee3cf92f1d818fec0d1df94a814c1b0bf882767e52cb52ef189c3d66b80932b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
228KB

MD5
34f12bff350f07d3d77d25ae9739708c

SHA1
b965dbf8d309c8451b02cc9e33ab878a6d632449

SHA256
14e71a737b871ad2f49dd96d3abb698f993114a7b249a2bbea92451fded26b4b

SHA512
a114f50deae7a0740e95bfe3d2c43e9d1966f25bdc83d7845e0324807584121c6e1747446a5c6c9fa140654bacbc4a544be71ed388157f64ec047953bac7c15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
41faf989ba8a7edd06db16eb381c4068

SHA1
65f3f72b05035306a8a55cdc25c087d77b7c129c

SHA256
3d48ba4e9dc3bfaa40161bc5c9dfebb680063be4ef35bd937f88ba7bd6d0f33e

SHA512
9fdf05693c3e9e8adfb0f08e92fbfe73c04b3d9db097b72717661b8ca16a00e9ef904877d0dda086b961b9ed68629ea441916adf9b2da64ae27ab039ecc19346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
9a173ac09a7d278ab06722dd371be61e

SHA1
1b813cc38d59d5ee72a838530d2fcdca41089f3f

SHA256
627a928ade73674fe9086f1590e200cb888edd02c687b7afcfb21f4dcc1e61c4

SHA512
0aa4505efe064fdaef961d2a3d4e2bfd371a56a7b83549413ddae6ce060e84afdd3b723a515b0d21cf5a5ae8e6206bb6cc4ec683c23827993900c039cb4155c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
cd0004b0b9662b88154bb9f376982bf6

SHA1
3182035f060c0450d4d47cfcbe85b801cb3f6c9e

SHA256
38e54b58261593d63580a22400ebc50f0e77912d4cd887ed342a6275c9466030

SHA512
c0694c91b86086778b473d05969bb9257948c9d19f684c3198eb1187a55117c376860754462a413627e195619b126032d1bb01a5a6ada30b89b4dbdd48c21189

Download Submit
C:\Users\Admin\AppData\Local\Temp\e60c929b-21e7-4bc3-8e28-c7120b1fc343.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/3652-0-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download