agenttesla | 01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712

Analysis

max time kernel
87s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LUNA RAIDER.exe
Size

8.2MB
MD5

0437fa16eec1dedfd1ddf69afcccbf0f
SHA1

1649d8123ebbbc26857b0383efbbc8c329f23161
SHA256

01b82e741a88ef644df41689744f4a883d25f4ea3ad172b0a7c61b9d7eddd712
SHA512

5e995a9b3ec1cee80700f4c7f264b09f826a67bdfc65c67bb848815f5289656580e3f62853e0397da0a425ba28fabe385674320d53c36363abab2b2497de5eb2
SSDEEP

196608:b2qInJf+oTjOGNW+8u8tMmo/UIaIZQHFUQsGZgqBPtgsV:b2qIn4GN8osIVZQu6gAFgk

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
AgentTesla payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/744-7-0x0000000006140000-0x0000000006336000-memory.dmp family_agenttesla
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

LUNA RAIDER.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation LUNA RAIDER.exe
Obfuscated with Agile.Net obfuscator 2 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
agilenet

Processes:

resource yara_rule

behavioral2/memory/744-10-0x0000000006C50000-0x0000000006DDE000-memory.dmp agile_net
behavioral2/memory/744-11-0x0000000007FB0000-0x00000000080FE000-memory.dmp agile_net
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral2/memory/744-7-0x0000000006140000-0x0000000006336000-memory.dmp	family_agenttesla

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	LUNA RAIDER.exe

resource	yara_rule
behavioral2/memory/744-10-0x0000000006C50000-0x0000000006DDE000-memory.dmp	agile_net
behavioral2/memory/744-11-0x0000000007FB0000-0x00000000080FE000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

LUNA RAIDER.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	LUNA RAIDER.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	LUNA RAIDER.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	LUNA RAIDER.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = adc91b446da1da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 22 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{38AC43CD-21E0-4C98-A200-EBAB6784E104}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4A11CB27-35C2-11EF-A084-6E6D447F5FDC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003c000000900300001c020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe

Modifies registry class 4 IoCs

Processes:

LUNA RAIDER.exeOpenWith.exeiexplore.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	LUNA RAIDER.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{33E67225-FCC6-46CD-AB25-F7C187699A5A}	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1248 msedge.exe
1248 msedge.exe
3796 msedge.exe
3796 msedge.exe
4776 identity_helper.exe
4776 identity_helper.exe
1604 msedge.exe
1604 msedge.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

2372 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid process

3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
3796 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

LUNA RAIDER.exe

description pid process

Token: SeDebugPrivilege 744 LUNA RAIDER.exe

pid	process
1248	msedge.exe
1248	msedge.exe
3796	msedge.exe
3796	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
1604	msedge.exe
1604	msedge.exe

description	pid	process
Token: SeDebugPrivilege	744	LUNA RAIDER.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

iexplore.exemsedge.exe

pid	process
1532	iexplore.exe
1532	iexplore.exe
1532	iexplore.exe
1532	iexplore.exe
1532	iexplore.exe
1532	iexplore.exe
1532	iexplore.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exe

pid	process
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe
2372	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

LUNA RAIDER.execmd.exeOpenWith.exeiexplore.exemsedge.exe

description	pid	process	target process
PID 744 wrote to memory of 3980	744	LUNA RAIDER.exe	cmd.exe
PID 744 wrote to memory of 3980	744	LUNA RAIDER.exe	cmd.exe
PID 744 wrote to memory of 3980	744	LUNA RAIDER.exe	cmd.exe
PID 3980 wrote to memory of 2796	3980	cmd.exe	choice.exe
PID 3980 wrote to memory of 2796	3980	cmd.exe	choice.exe
PID 3980 wrote to memory of 2796	3980	cmd.exe	choice.exe
PID 2372 wrote to memory of 1532	2372	OpenWith.exe	iexplore.exe
PID 2372 wrote to memory of 1532	2372	OpenWith.exe	iexplore.exe
PID 1532 wrote to memory of 3664	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 3664	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 3664	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 3908	1532	iexplore.exe	iexplore.exe
PID 1532 wrote to memory of 3908	1532	iexplore.exe	iexplore.exe
PID 1532 wrote to memory of 3816	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 3816	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 3816	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 2932	1532	iexplore.exe	iexplore.exe
PID 1532 wrote to memory of 2932	1532	iexplore.exe	iexplore.exe
PID 1532 wrote to memory of 2500	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 2500	1532	iexplore.exe	IEXPLORE.EXE
PID 1532 wrote to memory of 2500	1532	iexplore.exe	IEXPLORE.EXE
PID 3796 wrote to memory of 3952	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3952	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 3340	3796	msedge.exe	msedge.exe
PID 3796 wrote to memory of 1248	3796	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe
"C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
1⤵
- Checks computer location settings
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
2⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:3664

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
3⤵
- Modifies Internet Explorer settings
PID:3908

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:82948 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:3816

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LUNA RAIDER-OOMNP.rar
3⤵
- Modifies Internet Explorer settings
PID:2932

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1532 CREDAT:17422 /prefetch:2
3⤵
- Modifies Internet Explorer settings
PID:2500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa181446f8,0x7ffa18144708,0x7ffa18144718
2⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
2⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
2⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
2⤵
PID:1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
2⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
2⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
2⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:1744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
2⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7755974064558407610,15783441058595236261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:3956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1422b5fe2951d57a33bec22548d9f237

SHA1
4f5b74a1acc5e836c8e226de0664e9114e922b57

SHA256
bcdc809346d68cbfef6d17375b5218eceefb701198352a16785e1009df1506f9

SHA512
e39bb17726b51e71fa617f9a947b48b4a53c8a0ff6ba05a86629f7d91d79d390f306b72d44ae762df98b2e78badbb7e230d3bdafd0db1262359cb1515bc5948c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
cfe9dd31f1a804ae3591405743f9f6f2

SHA1
32129e29bbab096f22446eb185cb4d7dd468f823

SHA256
60229bddae2244693c1122d24d34b64c76a029678bfeae28b0802f2c7885ce59

SHA512
4c6629c53888a0707eaee1d594ad43dfb0402e40f63b0aad289af5dc051bd0e34d87ca4aa2a72815c1160221aa89b29733610ba65e299610d4aaadc5a182d9ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
20d531ef75687ba268d96b30a79e4736

SHA1
e063ab7c46e2fa76d163ae574e2162ad9a7b47c6

SHA256
5bf9d187995b4e80f0b0a83fa9d2e64cb1c3eca49e8d4a055cb05f72fe2a01a4

SHA512
4ff06cee296658ca649eaa232b91425e79cf7716928c1f8c29335b6a8da7a899a497b0d4da55961eb1bb93470c40834e4f39a614e7f59864c7853e2f48f9e779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
8268717e7ace63f8cdb1ff98b2a51320

SHA1
eca37399451c340c7ea50887dfaaeae43abba1b8

SHA256
4a83088b8b9fceb855cb1cc51f6c015e3f1a57710b6052578be72015a362a132

SHA512
9cca339847c217a82e15877386ffde17d094e96e3cb20c33d165dddd050dd511f8ce5c63c2fc0b7d107abf2a41e973469e9cb8d9426a3cbf5c4aafa38dad86f8

Download Submit
\??\pipe\LOCAL\crashpad_3796_NQSJXBQRRNVRCEPW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/744-6-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/744-16-0x000000000AB00000-0x000000000AB1A000-memory.dmp

Filesize
104KB

Download
memory/744-9-0x0000000006090000-0x00000000060A4000-memory.dmp

Filesize
80KB

Download
memory/744-10-0x0000000006C50000-0x0000000006DDE000-memory.dmp

Filesize
1.6MB

Download
memory/744-11-0x0000000007FB0000-0x00000000080FE000-memory.dmp

Filesize
1.3MB

Download
memory/744-12-0x0000000008130000-0x0000000008160000-memory.dmp

Filesize
192KB

Download
memory/744-13-0x0000000008180000-0x0000000008296000-memory.dmp

Filesize
1.1MB

Download
memory/744-14-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/744-15-0x000000000AAC0000-0x000000000AAFC000-memory.dmp

Filesize
240KB

Download
memory/744-8-0x0000000006B00000-0x0000000006C4E000-memory.dmp

Filesize
1.3MB

Download
memory/744-20-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/744-7-0x0000000006140000-0x0000000006336000-memory.dmp

Filesize
2.0MB

Download
memory/744-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

Filesize
4KB

Download
memory/744-5-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

Filesize
40KB

Download
memory/744-4-0x0000000005E00000-0x0000000005E12000-memory.dmp

Filesize
72KB

Download
memory/744-3-0x0000000005ED0000-0x0000000005F62000-memory.dmp

Filesize
584KB

Download
memory/744-2-0x0000000006550000-0x0000000006AF4000-memory.dmp

Filesize
5.6MB

Download
memory/744-1-0x0000000000C20000-0x0000000001466000-memory.dmp

Filesize
8.3MB

Download