agenttesla | hxxps://cdn[.]discordapp[.]com/attachments/1168956975988613260/1183159671813578863/xd[.]rar?ex=6587524f&is=6574dd4f&hm=d27e4f8d56f9e2a168defbaca8cf715f2a87ccf7a556bd9579e5cc2e7d8851da&

Analysis

max time kernel
1725s
max time network
1154s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2023 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1168956975988613260/1183159671813578863/xd.rar?ex=6587524f&is=6574dd4f&hm=d27e4f8d56f9e2a168defbaca8cf715f2a87ccf7a556bd9579e5cc2e7d8851da&

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Guna.UI2.dll	family_agenttesla
C:\Users\Admin\Desktop\Guna.UI2.dll	family_agenttesla
C:\Users\Admin\Desktop\Guna.UI2.dll	family_agenttesla
behavioral1/memory/2612-212-0x0000000005BE0000-0x0000000005DF4000-memory.dmp	family_agenttesla

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SubZero.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation	SubZero.exe

Executes dropped EXE 2 IoCs

Processes:

SubZero.exemapper.exe

pid process

2612 SubZero.exe
1704 mapper.exe
Loads dropped DLL 2 IoCs

Processes:

SubZero.exe

pid process

2612 SubZero.exe
2612 SubZero.exe
Drops file in Windows directory 2 IoCs

Processes:

SubZero.exe

description ioc process

File created C:\Windows\driver.sys SubZero.exe
File created C:\Windows\mapper.exe SubZero.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2612	SubZero.exe
1704	mapper.exe

pid	process
2612	SubZero.exe
2612	SubZero.exe

description	ioc	process
File created	C:\Windows\driver.sys	SubZero.exe
File created	C:\Windows\mapper.exe	SubZero.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeSubZero.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SubZero.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SubZero.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SubZero.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1404	msedge.exe
1404	msedge.exe
3624	msedge.exe
3624	msedge.exe
4896	identity_helper.exe
4896	identity_helper.exe
1352	msedge.exe
1352	msedge.exe
1488	msedge.exe
1488	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2184 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe
3624 msedge.exe

pid	process
2184	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zFM.exeSubZero.exe

description	pid	process
Token: SeRestorePrivilege	2184	7zFM.exe
Token: 35	2184	7zFM.exe
Token: SeSecurityPrivilege	2184	7zFM.exe
Token: SeDebugPrivilege	2612	SubZero.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
2184	7zFM.exe
2184	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe
3624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3624 wrote to memory of 2316	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2316	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 2360	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1404	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1404	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe
PID 3624 wrote to memory of 1920	3624	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1168956975988613260/1183159671813578863/xd.rar?ex=6587524f&is=6574dd4f&hm=d27e4f8d56f9e2a168defbaca8cf715f2a87ccf7a556bd9579e5cc2e7d8851da&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb9a2946f8,0x7ffb9a294708,0x7ffb9a294718
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
2⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
2⤵
PID:3792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
2⤵
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
2⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:8
2⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
2⤵
PID:448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,3298984865764153504,5441526172341598620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:3684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3556

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4888

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\xd (1).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184

C:\Users\Admin\Desktop\SubZero.exe
"C:\Users\Admin\Desktop\SubZero.exe" C:\Users\Admin\Desktop\Guna.UI2.dll
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Windows\mapper.exe
"C:\Windows\mapper.exe" C:\Windows\driver2.sys
2⤵
- Executes dropped EXE
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef2ab50a3d368243b8203ac219278a5d

SHA1
2d154d63c4371354ff607656a4d94bc3734658a9

SHA256
2e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf

SHA512
4533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ebc2010f99c41b61aa6e5abbb44f56ad

SHA1
14024fda561d8053577becd31df39ed89f1fca7e

SHA256
e35cc3fa1126982f0b57f2d6182982d925c70fbbf6a9a491aabf74b6e5342dd8

SHA512
cdfc313066919809c0bcd843247d0819fe615393cd4bb864f7c9c24284b6cab99b328221c9710d5fde6664fd5003325b8c246cf45e7a5a91e22ffa0b3a297f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6e876e3f930817c1b52bf6925b18fd4

SHA1
5594c021f37ede2f42e02de35cd8e25f816ada1f

SHA256
fa662ef69db2246772048474f6e2ac4c1458c7478fe952aa1a16bd7a284c1e3c

SHA512
5e4d2fb9967887bf76f6adc622166d1b567cb306f188341e0f7b294873b46b03eeb379304b0e2b88b6ef399c8c81e1b1a430b5d1eaea83ed8e2f067ec36fad1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe74dddee22f73ec38fb77705621cc27

SHA1
a6f2d6fb2d088066509a1f2cb09ea97eacdfc6c3

SHA256
13171f3213b5f43a029a76c38dc38724414e4986ddf80cbf53a4a742df214861

SHA512
3863902d230000c04bc8f2bbe6368019c109e9ff82e4b375abe30a871a1ca6eb752950b1e4326b97060fb6a2338f08189606ecde77110cc7af9bb603dfc1ead7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bf38e67347aea6d520cda5fde321a1e5

SHA1
0e7a8def4c923201d76b41dfa9918bb1052827ea

SHA256
0f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025

SHA512
f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2412b9d0d81011528865ac098cd198d5

SHA1
3119f3772080e67f5e8419cca63fe97ac3870cd7

SHA256
97dd10eaf647aa2ef9a67a573dd20a067d990e143136f43cfd9cce5ed2037349

SHA512
1179d3412ab6560fca378fea846e41b08d2ec48fc915edf55f889587a6817d8ad03e6c342b514d925a41cc5191a875eb8c894c27e50f27ddacfc90a088771a86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a48b179db374c4e6c467b366cb8b0709

SHA1
fce6e3cf57e0acdd0530f9b1c890de23fdcbaebd

SHA256
93cda08602cf495bc46a984c27be34dc5545ac87443279b15ceac8d5fcfb341f

SHA512
f0e7694192e63736a455e138a8fdc484a1bd2271e345a702af8a18e5a4461bfb15fec886905b2023aaaa5380092ccfec30a9c658ff6cea3ebe3a4951edf3e9fd

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
2.1MB

MD5
c19e9e6a4bc1b668d19505a0437e7f7e

SHA1
73be712aef4baa6e9dabfc237b5c039f62a847fa

SHA256
9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

SHA512
b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

Download Submit
C:\Users\Admin\Desktop\SubZero.exe

Filesize
319KB

MD5
5a61563e97a4e56c6870a00db97988eb

SHA1
57232a44231784491c5c5b275d0b6107cd831f98

SHA256
ff96a31b316b7ace965bc78842f2bf1f7dd7c91edc19533c5d259814cb75ca40

SHA512
a88fd3b775ffded2730aac41b92e2a1d2a23c2fb9c2ccaf004cc6d82ede98bc96191ecefed5f055c30746c66af367559a3ed2544d31e5d61fd55f7ab8c0bd33f

Download Submit
C:\Users\Admin\Desktop\SubZero.exe

Filesize
319KB

MD5
5a61563e97a4e56c6870a00db97988eb

SHA1
57232a44231784491c5c5b275d0b6107cd831f98

SHA256
ff96a31b316b7ace965bc78842f2bf1f7dd7c91edc19533c5d259814cb75ca40

SHA512
a88fd3b775ffded2730aac41b92e2a1d2a23c2fb9c2ccaf004cc6d82ede98bc96191ecefed5f055c30746c66af367559a3ed2544d31e5d61fd55f7ab8c0bd33f

Download Submit
C:\Users\Admin\Downloads\xd (1).rar

Filesize
835KB

MD5
5b8f2248152e36e0c0866459716d7a0e

SHA1
6658fceac9f047e15a156d7590a3846f19aa4621

SHA256
e3b0e6c91a76819316f4f7b4b9ce4fee1a16dee415c299f266f54598046fff8a

SHA512
033570605dce7d3ca7b117287fcaf04f0bc149e76722a625940bdf922032fcdbc918582bddab65147eedc685ba428f8ec03f75dd3f9cfc84350b9fcdbfadea5b

Download Submit
C:\Users\Admin\Downloads\xd.rar

Filesize
835KB

MD5
5b8f2248152e36e0c0866459716d7a0e

SHA1
6658fceac9f047e15a156d7590a3846f19aa4621

SHA256
e3b0e6c91a76819316f4f7b4b9ce4fee1a16dee415c299f266f54598046fff8a

SHA512
033570605dce7d3ca7b117287fcaf04f0bc149e76722a625940bdf922032fcdbc918582bddab65147eedc685ba428f8ec03f75dd3f9cfc84350b9fcdbfadea5b

Download Submit
C:\Windows\mapper.exe

Filesize
140KB

MD5
04263de7ee19c3b84c3c144e98672bc2

SHA1
1aa0f179e18958de411952b620ad5ddf168c2bf4

SHA256
8aefceadb8116935252bcc2875a61a728a3f6068da5a0c12bf50ed309316d2dd

SHA512
fd2b70ca7f5ede587140e1be6df785fe271c26b7beeff5da0096dc529fde4dfaf6835fef93a6e252898b60af94ef07a08fa7fdeb3530d95222e44cbc96bac6c7

Download Submit
C:\Windows\mapper.exe

Filesize
140KB

MD5
04263de7ee19c3b84c3c144e98672bc2

SHA1
1aa0f179e18958de411952b620ad5ddf168c2bf4

SHA256
8aefceadb8116935252bcc2875a61a728a3f6068da5a0c12bf50ed309316d2dd

SHA512
fd2b70ca7f5ede587140e1be6df785fe271c26b7beeff5da0096dc529fde4dfaf6835fef93a6e252898b60af94ef07a08fa7fdeb3530d95222e44cbc96bac6c7

Download Submit
C:\Windows\mapper.exe

Filesize
140KB

MD5
04263de7ee19c3b84c3c144e98672bc2

SHA1
1aa0f179e18958de411952b620ad5ddf168c2bf4

SHA256
8aefceadb8116935252bcc2875a61a728a3f6068da5a0c12bf50ed309316d2dd

SHA512
fd2b70ca7f5ede587140e1be6df785fe271c26b7beeff5da0096dc529fde4dfaf6835fef93a6e252898b60af94ef07a08fa7fdeb3530d95222e44cbc96bac6c7

Download Submit
\??\pipe\LOCAL\crashpad_3624_XFAHPHGWTXXKDAEH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2612-203-0x0000000000490000-0x00000000004E6000-memory.dmp

Filesize
344KB

Download
memory/2612-208-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/2612-207-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2612-212-0x0000000005BE0000-0x0000000005DF4000-memory.dmp

Filesize
2.1MB

Download
memory/2612-213-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2612-206-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/2612-205-0x0000000005410000-0x00000000059B4000-memory.dmp

Filesize
5.6MB

Download
memory/2612-204-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2612-223-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download
memory/2612-224-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2612-225-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2612-227-0x0000000075310000-0x0000000075AC0000-memory.dmp

Filesize
7.7MB

Download