agenttesla | hxxps://github[.]com/MiRw3b/ScriptWare-Released

Analysis

max time kernel
523s
max time network
529s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/MiRw3b/ScriptWare-Released

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4756-332-0x0000000006930000-0x0000000006B26000-memory.dmp	family_agenttesla

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

33 raw.githubusercontent.com
34 raw.githubusercontent.com
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2364 4712 WerFault.exe ScriptWare.exe

flow	ioc
33	raw.githubusercontent.com
34	raw.githubusercontent.com

pid	pid_target	process	target process
2364	4712	WerFault.exe	ScriptWare.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

ScriptWare.exeScriptWare.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	ScriptWare.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	ScriptWare.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133587998807803973"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2340 chrome.exe
2340 chrome.exe
2412 chrome.exe
2412 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2340 chrome.exe
2340 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe
Token: SeShutdownPrivilege	2340	chrome.exe
Token: SeCreatePagefilePrivilege	2340	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe
2340	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2340 wrote to memory of 316	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 316	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4396	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 864	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 864	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe
PID 2340 wrote to memory of 4984	2340	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/MiRw3b/ScriptWare-Released
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff90a849758,0x7ff90a849768,0x7ff90a849778
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:2
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1808 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2084 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4644 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1848,i,1885754966693996024,10596474856379030392,131072 /prefetch:8
  2⤵
  PID:452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:224

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1312

C:\Users\Admin\Downloads\Script-ware\Script-ware\ScriptWare.exe
"C:\Users\Admin\Downloads\Script-ware\Script-ware\ScriptWare.exe"
1⤵
- Enumerates system info in registry
PID:4756

C:\Users\Admin\Downloads\Script-ware\Script-ware\ScriptWare.exe
"C:\Users\Admin\Downloads\Script-ware\Script-ware\ScriptWare.exe"
1⤵
- Enumerates system info in registry
PID:4712
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4712 -s 2936
  2⤵
  - Program crash
  PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
719B

MD5
28bc19a7cc607d718102b84fc9f09871

SHA1
39d1445b8267f6c64398dbdc3b36cb8bf61779ee

SHA256
2182af4e3be8732f98cb14244373d1eb042f40b516f2a4fae039b0c4f536159d

SHA512
dcc21b668fdb55133ca0fe88530be15a312f59b968842a2f9ab1a5530cdf0a74e5c01efdd5ba5832452a4b0e24a0b4088521b2bf8ccd33efdfbeec60c9eede50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E

Filesize
1KB

MD5
866fa294e6d002d6a472fcfef8d9ac1d

SHA1
0d45da17dfb1e47b5c0b79db6fd69f6c3951e2b9

SHA256
1af9d2284e17bc162096e207f51eb970e9e7cbb2c7c8b8d1591a2925e3c8baea

SHA512
f6000b24b0a9298f1fd329e6588793592010061e9408d244bdbc4ae96b937b2fa2bea0ad6d02e612b18311dba93872aec30e947b309a7e0eba7e7b83f9f34f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D682FDDA10064185EC8111DC39DBA8EC

Filesize
64KB

MD5
3b3ebc2f17615c4d5e0f1c74849b5f2c

SHA1
0c5262e4ea3d3ce7e66edfe32ae655cc1935e832

SHA256
9968dbc58d3b4376c6f09202dd22d600a96e44447cac7b27805bdcb7db4b5f39

SHA512
fcf18c776a4676edc5ff8c320390e697fb1dbe43a93108ad89e26edd78126f7b1fede4711927201fba7f6cdc5687481c7f9f828bd4edbefee5b73d16510b31c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\54C62B182F5BF07FA8427C07B0A3AAF8_4DBBCB40FA282C06F1543D887F4F4DCC

Filesize
446B

MD5
14b5d7db7d7e1f2599a3e43eb10b7412

SHA1
cb5b4483cbbe015a37c67a010bcfded7490ec46a

SHA256
9df88ead4b3a83ccd8ffd6754a3d0023aafe13a16dd4da050a248bc598d28c30

SHA512
fc593ffc032bc88698824decc541ef0c3bf0c0ab3cdbbfa70d3769db16ab487ffe0bebebfa9d742ad7ce97ee884cca60becf13cc877f9fc0e5933aebbfccba33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94D451DDCFFF94F1A6B8406468FA3558_E4A7C6A10F816F002B00DE3B58B7E44E

Filesize
406B

MD5
da07f7011b63bdee2cf64b597fc7501c

SHA1
7b518b950178eafad726f5f20a6ebf8ec3af6d30

SHA256
55cb7d3c91b8e38a5bd9220a19f860c084f0596f7e1e2c64b12b8a586939904b

SHA512
46dad6563e3a4a0369839adf3249437f69e9504c49c98d33d86cf341796a0c0613f7755638f1ee5d948d8131298ad5a73af4c553d7165250e169a671e8e321d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D682FDDA10064185EC8111DC39DBA8EC

Filesize
308B

MD5
d16f864d23d46417fa5062706c2197c8

SHA1
9b9dee9b99dc0c2926c894bbdff8178e32664d54

SHA256
f51c10959d26ea7de698b7abf750bb8b93826939c563fb8e9b9eeef042e92825

SHA512
7cacd7fb37e16bbec3a8ed87e76c88471a7346e1f8d6c471a6fa03a4955fed70e9bd24c511d57ab63cf72e8181130079269b0126e816eac388d93f71915b9b5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
28be59acb19fb44e3524e0b87b2662f6

SHA1
782370b231e9709501c21a217697f9d7f45c7b0f

SHA256
7dcc12f3995feaeb3ee8bf2d51a74382e211206c2eb2431094b9ba1087813170

SHA512
c2524317f5310977c9e1ce13e3d31b9ec32eeab6667f390d08cd42f51ee2170dcff27b4b5996161b9ad17fd5577751dae70907e92530add2a351c44e51f6c4d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
24ae48b7c4feb712d644b7e46a48ccda

SHA1
be198999c2608de3d74d3c28e5827c55caafdc10

SHA256
722c882ea365c954bffbfe0392f35ef6dec8cb00a0bc211bc1bbc789a64a933c

SHA512
5064cdf44bee2774bae52fd96f814767aa1ad5a14afc4a1a485939339fa13b557b6d01682e4b9820becc2a3a3b9f4717c750b5a228dd1d61828ce0157f8189af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
f3a335e931701bc82ac860cb69a7abef

SHA1
3478b8982ca7cbd14569382706394668644f2a94

SHA256
52874ec13d2cf16a1bb7ffbe3606bca3555c0a881756fd637e8033f71f0c83fe

SHA512
9eb9d73d7acceb867cffddf400c038dda718ee7173979f7b8f9b7b439f8ba572a51bc2abb95cb5953743f2836dad9c5c229a0b6a6b3bc593b66249c0025f6f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
3ed7ddd0940883e3b2f9779d625f11f4

SHA1
b805c357f277ffe641662cd6a908852491cd0026

SHA256
1495aac24883ed9ebf4d13f4d77599b452e4696ed131e2cd7cd554bdf76de0e8

SHA512
fd4b622fa0a5f769b757e4ca33f40791537e09276f2d3a6cb3c03ea36a5992b5757851d29034526835e5a9faa5de76cc4ce04db186a0e146cef80283419325fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b60918f9a9c46b531cff0d1aeb5fe688

SHA1
1c53e8ad21f6b77d99054190848f66b868159caf

SHA256
2f7a8f3e524a25f05206dc71377b0794f8a521bb7d3e63d592a58a87c13fd6ab

SHA512
f8e9739b816de241c2a0a2058b248c6a4c545279b94e3f90c5b1d1578180a404f2906be8230540ed32b649ccffe0bc41c12eee8b3a8c6180b79ad59dee36ac14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d92fed0d4b84f0dd5ff1ba5aa07dd28d

SHA1
da373a4eda5d31c389407d1d74a3d4875fe601c6

SHA256
9e96213bfbbe6f9d4f59faf03d16ce878855a65a1b67854759d09cad28648a3e

SHA512
335b61d899e07f61193da9050d6dc3031ade063494f62f5a584a0f039982d12402be678211c3dd7fd09f1760f00c0d2c99f1b3183b4336c8dc9c53b348620885

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9beb6f4574a9738011f62a7dca12a2cb

SHA1
84e65d3a4719bdda1d7ea51e0397cacb423d82cb

SHA256
75b4042054f7cc04711b39ce75873bf3d842dfd542ef2d1bfb235d55d37d2876

SHA512
b8495ca0bdf01346b02228005873c3c8842bd7e74db6e907310afcfa4629528a0ad31c07e44c340246c36073f0bbe7e4ef9048662530c7aac1eb3a1a9a277235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e9947017-c2c2-4f73-b464-08635784468c.tmp

Filesize
987B

MD5
353f03516ddd12b9d026a78454bc9647

SHA1
266e61f759995a48a682e74790e1b2847e53eb70

SHA256
c320bb5e4dd36bfc1b69c2a5912ebeb074c5dcf3e8892098c80a9e6b45bf2729

SHA512
6a7a6088cb3bb73f8f595ad0ce39a130b3ef4c20c7b84ffe7c54c2f2a4f9c90f0fd556963a363c4fcefb683e1bb688650067e20cbee90043e230e8969bf709bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
349a6c5b99156821674e2980c7fb871b

SHA1
c245feca1328e474c41cba211a9ab5404f98af37

SHA256
646149d07083c55a3dbbc999ccbb68342f6c23e382f4c877f598dbe7aba59111

SHA512
414bb7635d44b9f851c9fb30bb432bfb188d5c1acbd66fe9d9343f23f53ce9325ed7488b5f2f30082b99e38b592cd5d5b43667e818562e44cb88b9844252cb85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
567a27fa658e92c4ecaef15c13149699

SHA1
24e40d7c0b3a68feb4ac3f1e0f5d1c7f77893e85

SHA256
0c3b1a8e389854d0af84c05c137e85ba37247bdbd88ef7db378f2c355839fe09

SHA512
9f810b6b0ef7dd3e0f5731958dfc0bce04154a32a7c33ff052192346c5fd31f76bb66fa6904ab9e7e2e24866211c60f4c70e7857674209db0e9459eadf2eebbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5825b4aaa2855ec7860f065ac87d46d4

SHA1
e7bf60b180784aa1e2da9746ed5206df735b1c94

SHA256
a96f6983926c74a9f80d3a408538cc9adc6e86eeeba172a769f38dc316bc1a91

SHA512
d6bd3ca2aeb4b320d5f4bb0579f72cdd13280c93105340b2164886f455cb7e772dd4a14089d769beb338040d22c19736169472a353a6173fdaa58ecc3394a979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c0b5bb8b7e45fb7d91fdc34c97b9811c

SHA1
f2fa80eb9c69c57b1d16fdbbd9558ec897d8f296

SHA256
df544cd0470ceb685d12c928385ad96cbfec37ca46aeb24046d9c646e9330350

SHA512
bde720f86f6bf45db351c6221596d122ca862db6bead9125533602ec45089d0d6da7398598126c3b7486fee3a8b3b274768a27eb3e8b839ec9c87dfd41e36618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a461666557895dc794d8ed1549061e07

SHA1
c9fc197767fdd7a54cca6e7892a979760c400b0b

SHA256
ddd7fc6f9f2ca4eb71aa1d9980f2230f63b1e8092a8260dd76cd2d4585783197

SHA512
a6ed9cacaa7c4f1f09553ddcb55d67e7f010076947244f89da0a4b0d92937da5e498f901e7e9565e974bc3732bfa94e5a97991cdcd47b103c5163c327db10ec3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
84fcf137350d5c2a307921d8e1c588e7

SHA1
b70567458c1be7a17802035955ee3c2bc20e9e20

SHA256
032d152cdb1031c17dd73e72ca3681bb7ccc103007796263ff5491ca599c64e0

SHA512
737ca1dbf6e186213c31e6305dfbe7872f65ab8bc7e63945e99766cc318f9dfa7fdac9ffdc6451d6165308278e01ad83fca7689163a5228df7f4b5cbff6fc941

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
83ae8ba98f9155c9e1394ce230fd1276

SHA1
b19adb78c8a8e8c5bac87eb4aa2d9ee33a2b4090

SHA256
629e2394ad717b56489e0f6cfe117759c427d201617f3f9389403aafdabde2af

SHA512
4c18642363bec1089196b9c65589cc9b56a27f3c7ec887c5ead44e750cf9268176cc7bd2ac128e342ae21e5c28a1895ed78386227417993ef3e7a043cefed4b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
67bb37d2f1b337e6f4541a9638369aec

SHA1
672da9fa74bfe0d00ca9e397108f0d7e9e66e8d5

SHA256
0b245dd21a0df8326ce5f7c9af1ec127e94ab1e7749d1a92c5d60c9dd7ea7671

SHA512
b36d878d23028c27f15e3168de3b9f94be0557d62a55a65e70b4d29e3defe9bb23a22b0dc527df71b76dbf9d1b81082430ca5d3fdb08cd4972888795d2c64b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58d4fe.TMP

Filesize
98KB

MD5
cdca8321ea768ee0f2a2119c76c0a184

SHA1
7fdfc03ce7f0a5f326237dc37bfa1abf47f9f125

SHA256
6713279cbc8ff0ae763ee93f24b08c547bc55fe6d5637fd5609ddfdda9a8293d

SHA512
7666cd4e444f892d8fe0ab90bbc3945ecb91702c30bacb713f1df4b1b47bbfaa54b24e639ca2899f0bb9ef0e512d9cfd9389bd5d0e1e356f159d4e8e09fe1e6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ScriptWare.exe.log

Filesize
1KB

MD5
e29e16723a0e8a2d19a201bd60f9502d

SHA1
735038d7b8bdac6ed56b24b552a78a61ff6d54a6

SHA256
dcb3154cd8e67a9ff3c85da08265208384d3207a394f44bd5f9cece60b8a47a7

SHA512
fdc092d40ba143df0804f3b5b64cfddecdeeabac10084bb5c9b0ece4fcfc59ae5d6ff857f04ed0afb52867713f2b1cc768a5272aeb08ff5e649f6d0c0705c98e

Download Submit
\??\pipe\crashpad_2340_BNOZEMYRPNUXPXBA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4756-345-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-343-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-329-0x0000000005D10000-0x0000000005DA2000-memory.dmp

Filesize
584KB

Download
memory/4756-342-0x000000000A720000-0x000000000A7D2000-memory.dmp

Filesize
712KB

Download
memory/4756-328-0x0000000006130000-0x000000000662E000-memory.dmp

Filesize
5.0MB

Download
memory/4756-327-0x0000000000540000-0x0000000001360000-memory.dmp

Filesize
14.1MB

Download
memory/4756-326-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/4756-332-0x0000000006930000-0x0000000006B26000-memory.dmp

Filesize
2.0MB

Download
memory/4756-331-0x0000000006740000-0x000000000674A000-memory.dmp

Filesize
40KB

Download
memory/4756-330-0x0000000005C20000-0x0000000005C30000-memory.dmp

Filesize
64KB

Download