agenttesla | 1dac9bf886bee2e9d288c39d1cd1e3d8507a923c63786a31342ea95f94808dc3

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
23-05-2024 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.html
Size

176KB
MD5

6bc5d3a03c1743a427da3619a602b852
SHA1

f5c61c9b60b9009b015c89e4f1d8ae8f7bb545ab
SHA256

1dac9bf886bee2e9d288c39d1cd1e3d8507a923c63786a31342ea95f94808dc3
SHA512

060093bde4373d6b114ee196418878dd08da2de3d0a345d57ad9ab0b8fae4a8a855fe59bc7c597b2792c6498b9e3dede699b401ded222101d60d799a8aeefdf9
SSDEEP

1536:titCl50ZoTgAJuHnjde83Ml83Mn1CyKBKyf6C9XS6zmFMtMd5/an/xl3217Tzkeq:tiKgAkHnjPIQ6KSEX/5Hm/4Kz4

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1520-121-0x000001D6C16F0000-0x000001D6C1904000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Cloud Engine v10.2.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions Cloud Engine v10.2.exe
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

Cloud Engine v10.2.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools Cloud Engine v10.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	Cloud Engine v10.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	Cloud Engine v10.2.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cloud Engine v10.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Cloud Engine v10.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Cloud Engine v10.2.exe

Executes dropped EXE 1 IoCs

Processes:

Cloud Engine v10.2.exe

pid process

1520 Cloud Engine v10.2.exe
Loads dropped DLL 1 IoCs

Processes:

Cloud Engine v10.2.exe

pid process

1520 Cloud Engine v10.2.exe

pid	process
1520	Cloud Engine v10.2.exe

pid	process
1520	Cloud Engine v10.2.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Cloud Engine v10.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	Cloud Engine v10.2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	Cloud Engine v10.2.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3188 timeout.exe

pid	process
3188	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeCloud Engine v10.2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Cloud Engine v10.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Cloud Engine v10.2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Cloud Engine v10.2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608966821924715"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Cloud Engine v10.2 rar pass 1.rar:Zone.Identifier chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

232 chrome.exe
232 chrome.exe
232 chrome.exe
232 chrome.exe
2316 chrome.exe
2316 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

232 chrome.exe
232 chrome.exe
232 chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Cloud Engine v10.2 rar pass 1.rar:Zone.Identifier	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe7zG.exe

pid	process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
3052	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exe

pid process

4380 OpenWith.exe
4380 OpenWith.exe
4380 OpenWith.exe

pid	process
4380	OpenWith.exe
4380	OpenWith.exe
4380	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 232 wrote to memory of 3032	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 3032	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1900	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1652	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1652	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe
PID 232 wrote to memory of 1600	232	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\file.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7fff3311ab58,0x7fff3311ab68,0x7fff3311ab78
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:2
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2164 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:1
2⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:1
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4148 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
- NTFS ADS
PID:1244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:4704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4792 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:8
2⤵
PID:1580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1452 --field-trial-handle=1792,i,16462713488160608622,1782396525129786072,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2316

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29797:120:7zEvent10945
1⤵
- Suspicious use of FindShellTrayWindow
PID:3052

C:\Users\Admin\Downloads\Cloud Engine v10.2.exe
"C:\Users\Admin\Downloads\Cloud Engine v10.2.exe"
1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Maps connected drives based on registry
- Enumerates system info in registry
PID:1520

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c start cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
2⤵
PID:3320

C:\Windows\system32\cmd.exe
cmd /C "color b && title Error && echo Please initialize first. Add KeyAuthApp.init(); on load. && timeout /t 5"
3⤵
PID:1308

C:\Windows\system32\timeout.exe
timeout /t 5
4⤵
- Delays execution with timeout.exe
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9e2ab405-1b25-4d96-975f-85173f567a83.tmp

Filesize
131KB

MD5
92b38a012c5851eb9d85b508aefac562

SHA1
8a89d3f0bdeacfaac118b84c3a8077cfae0717a0

SHA256
7c3e209bae508428872ed8d820818a60e8fec315633bebed2f1533d0d38a8b64

SHA512
86eaa1e86bd763068657142a9bcc1d360393c455ca7e0da12a153638161d3c6d5e666d512481dd171b171db2b911eb326191c6e2bc0322ff71ac8a35abc8cfdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\3f74ffb4-8289-4cae-aebb-33dac9c34be7.tmp

Filesize
858B

MD5
90ea5a93acf87ad8f613010e4103f9bf

SHA1
68a044c81fa78b75ef346fc630588118665e1e19

SHA256
e3f5d2de36227b59e1a8d61e7ea341d7d31f2b9515d6a2804ddb900324e2adf5

SHA512
525400c468e644ad3b450f85b877249bb164cb89f4bd7f4e52c39b4f82fc18904fc6b8b526f03afa8370ff944d88b5621428267519d941d8a80c95e74cf4391f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
83a42514ae03c51fe35104b4d7511d2a

SHA1
3f47f7e7f362f2a1eb8eb9983c05033057e38f7d

SHA256
33ce3e3f2c6b8f42649bd39b10ad214e372276fff4e5c8a4f3f0228ca90e2955

SHA512
b322bff15eaa176f8df91dee7191b26836444eef8d46ecef8c574604016e5e6f2dc1ea5a1d1b37935b94955b486b2433f9e72d3d81f6c1fdc39efa1542efaad2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f3a03cccfbebb5e4e7dd5a9f674196ac

SHA1
b6a32228f07ee62178b198e54a3adafa70c12a95

SHA256
ad019db4f05adbdcb60e0f8f0bd0895c378191e50667f18585aa718aabffc328

SHA512
b453e0b6ea7e3a8cbeaee80e6ba7a9a09d9397b5dd33c524040bcd300e7175a00460db3b3f72aefc2eb4eeb43ac7d45dfce1c1aed2c41247335e80344a7c8d33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d89ac8a8571f1f84893543befbdf90c9

SHA1
8992968c5f2450c61aee21fbee9652843b776b29

SHA256
f7b2c75274e2445744c9ef652cfeb65695e177f2f6b2809425ed807b465f6414

SHA512
f4e7e91b47bd5b76352331c25e7f881b75867cb07776d74065e299c6c7c554f37f6aa2bef393b30669a2280879b2e1075a5a2a4f37d0a5d36fa6ef4c00243f73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
68bfc2e7be69bd2444896465f9f48dbd

SHA1
2c81cf5afc80739ed10a018bd2b2094446283070

SHA256
be2550ed4ec78aff641191b26f8d1defcac1653616b68a39c4c1c6b97f2cc83a

SHA512
2bc0fcd1a82947e873ee556534c0204bd308d178d6261bdc5dd73babe1c15e2aade38564bae593d1dbbefa160bf009272a0d9786b4805f1fa85741c5afa85671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
131KB

MD5
009ed3c398c452717eb6758796e6e01d

SHA1
3af51fa2abf171b10b46e659a7d11db883e9a0e4

SHA256
8b0053af6e12327fd9edad9d05ebafd61750219e39208281a812c1761d59ef30

SHA512
15c4d87116fafa1dd9d566758b8d996f7b632c28368a4d650a03c24df3aafe46982732bc6a09edd12b9ed0872cb0417c7aa698a359251c37ec849904863525f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Runtime.MSIL.1.0.0.0\sByte.dll

Filesize
39KB

MD5
d80d1b6d9a6d5986fa47f6f8487030e1

SHA1
8f5773bf9eca43b079c1766b2e9f44cc90bd9215

SHA256
446128f1712da8064d0197376184315cb529ed26ed9122f7b171bb208e22c0c3

SHA512
9fcf0105c2c9ee81c526d41633d93579bb8e2837989d77fb4a6523440415ec2d7fa46ac9ae4e55ecebd99126837817ac308cc079475de02667b21727a43d74cc

Download Submit
C:\Users\Admin\Downloads\Cloud Engine v10.2 rar pass 1.rar

Filesize
5.9MB

MD5
9785775097412ffe28111920011b7418

SHA1
1ffdd9c9f26e343ba6afb9a106738a2bfd02fafd

SHA256
b946754fd23bf3037106cd3f06f6c4c23051dd8b1a57cf897f2b4b8f034d02bc

SHA512
ca052adfb4cf1af26691625801a8524ddc3906b760f45d195552967ad55f4595f45a1f4727d4e0b93a89cf3db1f6564459f7381e32ee3d1a47e1cf9140cb31ba

Download Submit
C:\Users\Admin\Downloads\Cloud Engine v10.2 rar pass 1.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Cloud Engine v10.2.exe

Filesize
6.1MB

MD5
8889774faa2e900b476f7e2079a2b01a

SHA1
c4f1f8d9be4af6c2410e586cafd550a421d48cee

SHA256
cbead680ac7c4e0b97119890e8b0ce2d407e335daa9a6ba68770d79b702de40d

SHA512
2595f13201875dd28f4d57c4b486d9e58428ade26be6256690b165a4ce68f45023832e8941f3d070e00c824a04c4d9e75f71e03fecff5c9cfbe4abeef387b600

Download Submit
\??\pipe\crashpad_232_QZFONSWLSREVWKKY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1520-112-0x000001D6A61D0000-0x000001D6A67EE000-memory.dmp

Filesize
6.1MB

Download
memory/1520-119-0x000001D6A6D40000-0x000001D6A6D4A000-memory.dmp

Filesize
40KB

Download
memory/1520-120-0x000001D6C0D50000-0x000001D6C0D62000-memory.dmp

Filesize
72KB

Download
memory/1520-121-0x000001D6C16F0000-0x000001D6C1904000-memory.dmp

Filesize
2.1MB

Download
memory/1520-122-0x000001D6C2590000-0x000001D6C25CC000-memory.dmp

Filesize
240KB

Download
memory/1520-118-0x000001D6C0EF0000-0x000001D6C12FA000-memory.dmp

Filesize
4.0MB

Download
memory/1520-113-0x000001D6A6D20000-0x000001D6A6D2C000-memory.dmp

Filesize
48KB

Download