agenttesla | e2c3d4137136fe107e4b38629a0323ee423de66368ebcf3a2c4b4b4eb3e61818

Analysis

max time kernel
34s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/03/2024, 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

p.exe
Size

1.0MB
MD5

5245bda7f8a56fd15c2974d4c35262a4
SHA1

32b0dd0d781643925b19dc57e06f6169ba6b67be
SHA256

e2c3d4137136fe107e4b38629a0323ee423de66368ebcf3a2c4b4b4eb3e61818
SHA512

b984602e8db49c9ff0eca737d04e0e9d87ab956f7d58c30d268d3d1a202bac14bccec165bca35a362a0cb6e63dd31ee06a1577cdb1652bb28bed9b9a8bdb62d7
SSDEEP

24576:dqRaPITMvRFhRRbNWoCfkYSEH3OqtwIuXoU:MAPITYbNbNWo4kSH3OqtwIU

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/memory/2940-3-0x000000001C3B0000-0x000000001C5C4000-memory.dmp	family_agenttesla
behavioral1/memory/2940-174-0x000000001B9F0000-0x000000001BA70000-memory.dmp	family_agenttesla

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	p.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	p.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	p.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	p.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	p.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	p.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
2940	p.exe
896	chrome.exe
896	chrome.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	p.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe
Token: SeShutdownPrivilege	896	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe
896	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 896 wrote to memory of 2644	896	chrome.exe	29
PID 896 wrote to memory of 2644	896	chrome.exe	29
PID 896 wrote to memory of 2644	896	chrome.exe	29
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2744	896	chrome.exe	31
PID 896 wrote to memory of 2584	896	chrome.exe	32
PID 896 wrote to memory of 2584	896	chrome.exe	32
PID 896 wrote to memory of 2584	896	chrome.exe	32
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33
PID 896 wrote to memory of 1328	896	chrome.exe	33

C:\Users\Admin\AppData\Local\Temp\p.exe
"C:\Users\Admin\AppData\Local\Temp\p.exe"
1⤵
- Enumerates system info in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefd19758,0x7feefd19768,0x7feefd19778
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:2
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1444 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2312 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1564 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:2
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1372 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3748 --field-trial-handle=1168,i,1009376747274435975,14824351096214380639,131072 /prefetch:1
  2⤵
  PID:1816

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2092

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31892b1de4f18bf52ecda5acba8c51c0

SHA1
87bd86849eb59d5033c511fe94647a90e9648391

SHA256
71701fac90baa98e917d6243943a76cbf5c5eaa1b25377c62b5c90d49fbe3a81

SHA512
3bae884b9850ba524fe44721b6bec0bca68c5d37040b7ad69a54433eae8717aa8e7b517db2834f5da09df826700c604872baa8c3f0bc65c0b761985ea9755580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1578309c-b691-42c8-ba48-eb1421bf89bb.tmp

Filesize
258KB

MD5
d5fcbd089d49d2401a5b439f001dbf67

SHA1
e8412ef543ea6e7f1bedffed4bc3f9f3d67c66e4

SHA256
e32551c839f4d9a4ddce01e7f14d560d7ac5cc8b4cb8b8f75c163a1026b0d881

SHA512
da8f01d3734961ea4c1d90416145c4e6f240974ea686e9d00f59399129f9df91e5c3ca2416db7a6a96c2e43e432c5fc3fd18bedab2693d00b6f75a01a173440a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
195KB

MD5
89d79dbf26a3c2e22ddd95766fe3173d

SHA1
f38fd066eef4cf4e72a934548eafb5f6abb00b53

SHA256
367ef9ec8dc07f84fed51cac5c75dc1ac87688bbf8f5da8e17655e7917bd7b69

SHA512
ab7ce168e6f59e2250b82ec62857c2f2b08e5a548de85ac82177ac550729287ead40382a7c8a92fbce7f53b106d199b1c8adbb770e47287fc70ea0ea858faba6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
fe403204951ad25c51b236d76ddcb2fc

SHA1
ba11d5d7707d16d5571fa077fa2f48eb28c9a6f4

SHA256
cf2366a4971369cbbd2bedadd05c17d940e23ae2004662381d82c56eb6737954

SHA512
903a855ba2b1543cf1b70f0969e09b669969692a7389443300388c3eed3960e6dd55b430226375b7731f9e07113954740f7afaefa4c2bdb8895d288b842028b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2d9da660cdb45a537010d14556781964

SHA1
86e3e9e2c298fcc9b47d3bd484dbcfbfb6171285

SHA256
6ae0e6ca1d0a34b3bc5b0f6a2a7f109d6d78ef322112dbcac1963ca97263a97f

SHA512
390d6efa5196a2f1a22ce35543a29f3658b4158a950439cfc2a6d46aae36dbcf3002fcfcb8a9cc94f6a292586d10e8068d1c4084b87ef87c83efffdcc3f3925e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
2858d3205da245d59e3c4f721b52b8d3

SHA1
6c9544d26a1a7e69c18a78935e1473a11188304b

SHA256
b22414d9a4d120c08545d7aa4866432bcf9abdaf579a85bb3d4bc02f34282f47

SHA512
657ff5d67d2c6888de3d8508ca7973de9d78aae09609c4824e7361389426b088a276d718e44ee7a48a61620e4dc0d8df01bd436f5f7a5764700dcc036bd49222

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
17a24f9ead48f4075d587b6355a51959

SHA1
e6fbe68ec6012b585b8d942fba54fa769f920f48

SHA256
6938e8542b166d792d802ad4104f380b9220edf127cd6b08d90f9aeecb658628

SHA512
92086ed3bda13c151c8b0c99f07248bcbd4d481c1f964017705be8229df47d777bc7ffa47808f6745bd0b3b96e56a944670ae65d6f53910fe81740e043021134

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
c9aba61fc4a18ca4d97c68fd0370d74a

SHA1
23cfff55a05f08e03b2a8e604510e574db17344f

SHA256
c173a3be07ec8401b67fe302579c3461b4e376dfb443cc26683578e4f7b69846

SHA512
4c8d5142ffcaabbcf24437a07f33f186776bbc133589df0e2a940ef350bc89e721f8a6a8a706a9004004efbf0c16250c5f0f8a3a381033714cbce7be300c6a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab64AE.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar66C8.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
memory/2940-155-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download
memory/2940-159-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2940-174-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2940-0-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/2940-4-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2940-3-0x000000001C3B0000-0x000000001C5C4000-memory.dmp

Filesize
2.1MB

Download
memory/2940-2-0x000000001B9F0000-0x000000001BA70000-memory.dmp

Filesize
512KB

Download
memory/2940-1-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp

Filesize
9.9MB

Download