agenttesla | cc726e4c6bf344979a92dcbea4aa7c35df7462c6bee507cb901db50bfb798061

Analysis

max time kernel
299s
max time network
295s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
08-06-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWorm V5.3 @BlackHatArchive/XWorm V5.3 @BlackHatArchive/XWorm V5.3.exe
Size

13.8MB
MD5

897201dc6254281404ab74aa27790a71
SHA1

9409ddf7e72b7869f4d689c88f9bbc1bc241a56e
SHA256

f41828bd13a3a85fdf7a1d688b21ce33d2015c3c5f46b4d92ab6ea8ea019e03a
SHA512

2673cd7b927ffc22f3a4b4fbfcb1b4f576c416d67168e486e6d79fdd132129c9e244e36d7b7883a4a1ed51e993cc4384bf24f2fa3129584f2bd43fd16042de20
SSDEEP

98304:rtktdI2TeowYNva0P6olJ93ipte/Giw56/gpeejzhAAsnQqHKrzzIRwG4saY6c2n:rGt3JwVFcV/Gp7jiwzYwENy3W

Score

10^/10

agenttesla agilenet keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1144-10-0x000002C764100000-0x000002C7642F4000-memory.dmp	family_agenttesla

Loads dropped DLL 1 IoCs

Processes:

XWorm V5.3.exe

pid process

1144 XWorm V5.3.exe

pid	process
1144	XWorm V5.3.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/1144-1-0x000002C747060000-0x000002C747E3E000-memory.dmp	agile_net

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

XWorm V5.3.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	XWorm V5.3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	XWorm V5.3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133623642342026771"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2608 chrome.exe
2608 chrome.exe
5040 chrome.exe
5040 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2608 chrome.exe
2608 chrome.exe
2608 chrome.exe
2608 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

XWorm V5.3.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1144	XWorm V5.3.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe
Token: SeCreatePagefilePrivilege	2608	chrome.exe
Token: SeShutdownPrivilege	2608	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe

pid	process
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe

Suspicious use of SendNotifyMessage 22 IoCs

Processes:

chrome.exe

pid	process
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2608 wrote to memory of 3580	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3580	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3432	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3484	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3484	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe
PID 2608 wrote to memory of 3628	2608	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\XWorm V5.3 @BlackHatArchive\XWorm V5.3 @BlackHatArchive\XWorm V5.3.exe
"C:\Users\Admin\AppData\Local\Temp\XWorm V5.3 @BlackHatArchive\XWorm V5.3 @BlackHatArchive\XWorm V5.3.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ac44ab58,0x7ff9ac44ab68,0x7ff9ac44ab78
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1560 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:2
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:3484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2136 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:3628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:1
2⤵
PID:680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3128 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:1
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3504 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:1
2⤵
PID:2808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4540 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4540 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:4736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4380 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:4968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4792 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:4064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3228 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 --field-trial-handle=1776,i,6286320860405625731,8178583134018907339,131072 /prefetch:8
2⤵
PID:3784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
2f0ed32d782a3d144f92213b38b95dcf

SHA1
eca4941642923311d87a1ced34683fc4090a7cd2

SHA256
c03cc8ce5015434ffd44046247ed9939fec6fa01a4b9327c443f7a8fcb3dc159

SHA512
58e3cdd56ac64e17a4ac0cf97db7e11be14ef0028f9fa6b9f9c5a80af50cdc8dd2787d3c99b5a7f63484a40817affd7d160e5b63e830239bdfa04e559e29dd5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
71a65a3553dd0133745fe55ef466b4a6

SHA1
dc9e29e5dccde1a719407a371548737b7b90c2f7

SHA256
2a04f58448ad8380ddab47238ed06ddd179fea40955ed288365b6519aa5783d9

SHA512
e72142329bd194db572758d2fa4de15dcea72648d69171e5e4e2fa62ad878f1ee24785402ebd7f0780d56ca41b6458983d28e06ac58e050a4b927c20530f0e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
766da647978e0600b2ec89619f2d80a1

SHA1
2e43287bcb49d617341c1272e0e1e5f503ebc926

SHA256
c1c169721785f6a7d006a6e8125db2aec9cd0e20dfd71171741d3e9028d2d00b

SHA512
76f09222f328e12638ed8b9cd14225c08e94254eafe8d5ff6338f175dc7aac93a41f3eb457875c3e44e2844b5d1b50bac431889b2656633cf3dc36fe50468537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
524B

MD5
8f51aa1aa4ad849027a395b207951a0b

SHA1
1cdeb13ac34b61f3505979cf7a29ef1a35507d36

SHA256
c696100a1fcf31c4ae4e113103f0a6d404e6ec3be2f2cfc6ab04fbab909424bc

SHA512
a7f2500ac339e53e196c4bfea2094c02ae84ca8472b8981f4635fed84887b5954db50fc835e08acfa9c947d2d76f8a5a89e2690f20a6cd591d3dc9be789a2138

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
cc4f60220e53f3aa857a2886da05ea62

SHA1
8ad8720262c29f54877e9b586f1f46d7de0d31d2

SHA256
67ed1dab9855d747d7d11df02a861a0fb02a7d6de2cb1d40b1139b086f07be11

SHA512
0a2ac594a662fb3a7ae54dc691820f1e9d348f12460acde2f1ff448e9a6ba36c36b70377730bd73192253bdce4e25909ba3c0f0d01eecf330d7992f003c27220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
01783aee1b91601009ceb650964c2ae5

SHA1
ca11f8e28aa4f89c6df3e32e269d8077e861f6a3

SHA256
4442488b9dfa98399b235ab9a65acddf7ec5020056f81d99bc46ed09c72a0938

SHA512
11340db749118c0da89d3a0416e3b7b3877710bd81e87857f87253c0ccc3a1051a7be9b4a2880466a4fa9d0729f98c1f6439556df9ff11ca9f8cd076010549a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
41cd1f053e10f29fc4b456d07a31a351

SHA1
63c6c5964308e24fb1fb6189c0496b5060859991

SHA256
2d6448620c20fe5a23207bec718124cd41e8e73f7be7ada6a7c96b34634d3da6

SHA512
72c4eb211265e110521eeebf4dd5cb2fdbacb83016394e2ef118cbba4083208f9f17a33b19dcb8ad3d5cee42ec48e20e684f27cb490b5ea358c4facfb8fd993d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
279fcfd851b28ad8b79009236adb3f4e

SHA1
97574006e7e0ea3e4e6f0703c2263dd588224c0d

SHA256
400a4e961d185ba76756ea982c03f1f9a91f35fd6ff2699752e7d3c7f2f885cb

SHA512
fa81e8efca7a6fb7e670c8c4d75e79b9f2d566ae04bc412857539ec64ba3c208da5b0d4778a4e8f97ef947a9d7aeb5e9d0fe0ca1f29e84a36ee47434870c51d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
09b69652483b5dcc996ebdf638ae9df0

SHA1
d43e83079c0dd8ca78c0cfed72b082ae4acc2add

SHA256
df9a59db8c31e83dea37d48f9f987a0adff7cdb32b0b528b49c7c9a7b8346571

SHA512
ae7e3077f9b6d7440bdaccc4c1b14cb20e685673baf12692be56e37f44e144893a9396c0e517d68657dda7ee121c6e0f5b7f4175f29b97745b483b77ef51d596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
8975eebb2ae691a7ec872066c0c102e6

SHA1
c1e5b5368b0f135ea6c0353f0d90c7f548575e5b

SHA256
c36589691575b098be8a4e3073b96dde8c63f4a83a34bae09ae4423632695e27

SHA512
8147a381880dd611099721c1a510a28311c6504736824350ef6d016d6efa467cf38c78b1f24e4160fe9a1850b7d9694e519fe1202d701ca7f65fcd88ac88e10d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
82ae803bd8878caa75dcbb0f2d3d780d

SHA1
c996df0a0e92ec5cc48b003c7997d83fbab98866

SHA256
a8db4938c0253b831f8fff1dbfbb02fef0b7d54d12c3bfd23a808a45be722036

SHA512
beb5d9fc710b08d0e7e44f96d3d96415f99cf7ae7d78da9e478a88bfdeac96b6b6af0524224e87aafa130dcd4905aa8a5d4c128e404b70f21ce2b56e9875b852

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f050b2bd1676e672560661d8c240412c

SHA1
ee0324952666d3c1a5c719b141445efcdc62137d

SHA256
d1e52c8ca5cc35893c563b849385df141926149a97d23d0ed99a5b733c07b1c9

SHA512
d9a2858d2c2816154571a23b550c353140459778caca2c6f34d03aa4a56c9590f1a4e0bdd24b7cb0f3a5953d9e9685db9e6c687a2974ea10253326e3f1fb758d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
a07ef95cb68da3a64bdd450db08206eb

SHA1
414fbe95c550b4164e559c1d1d4c4a42465e0ef2

SHA256
aa1b85a0c32dcfef4746dba642decba05b7d94effe4d973c1765507648441da1

SHA512
df1872f672aea6f0b0b9d9a9e018e4fbd88a56e8420cd8544ae0813f31aad2ecbf096a6e699f6519c981c5a3ac34b2264f1a577fb8c6299f36343588aa9df6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
263KB

MD5
e9c2aa97651c67a99633a24e0e27bb1e

SHA1
7080f3b0ce504eae6772edcffdd9b325db7b08c0

SHA256
f5a3910c447dc66eb4db9612fc9b0a1f410814b30e488b5174ffb3bd5c797675

SHA512
c33b086da082fd6c0e56ce779549b35afe71ec6dc2b4281224cd5b6dcdbc8148a4cf4b27ee2b0ef0bcc25911e7c3280de5e5359928d9afdbfc240456a472af2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
84KB

MD5
3782f8fb9b11957506e41e399f8bd6af

SHA1
01308593b3e80ff79049cd5719321f1f0f875add

SHA256
3581deabca458b671725f0e3fb092072d0743a7072cc8ae58cc56af215837ec1

SHA512
460b33b5d99e923bf4f3c288decc2c45aff24205481b9d2ca0d99c8da35d9035a27dffb793bab036c79945ceb8e7c4339fd2db8014aa6c10a29b17572db69401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
86KB

MD5
702357b152cf206134118b45f0954819

SHA1
f603f34b130b8b368ce2b03f54f8a6e1ca7c6faa

SHA256
5227611c15431b342aa542e7064aa7d400574731a61406c285ca954ef036e00a

SHA512
45f2df20f57c900cba17ba64491655b293ab3b6bb9cde4f43821831fb596391a9efd12aee4bcf26861841e55deed7ba424e8bcdd276a871703df1532a0ef12b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a3663.TMP
Filesize
83KB

MD5
5d8e10a7c5210efae982a1442ecf870b

SHA1
f796d437b8e315b9747dbe34adfd3fa8fe658ae5

SHA256
42414d6a535799a25de99c60ac4ce9b9cc27a06384ad7202e396c43d2e4a7719

SHA512
da86ae025d472f341a63b3541fe3e376634d89fce4b55f966a4c4bc3d8bcdc0511013ad193b7cf817504dcdf4a2d00497e73ea8303931be897275e4ef7d3850d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFZzY\RFZzY.dll
Filesize
112KB

MD5
2f1a50031dcf5c87d92e8b2491fdcea6

SHA1
71e2aaa2d1bb7dbe32a00e1d01d744830ecce08f

SHA256
47578a37901c82f66e4dba47acd5c3cab6d09c9911d16f5ad0413275342147ed

SHA512
1c66dbe1320c1a84023bdf77686a2a7ab79a3e86ba5a4ea2cda9a37f8a916137d5cfec30b28ceae181355f6f279270465ef63ae90b7e8dcd4c1a8198a7fd36a8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\crashpad_2608_WKTMLXXJIYBZKSFA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1144-13-0x00007FF9B0D93000-0x00007FF9B0D95000-memory.dmp

Filesize
8KB

Download
memory/1144-97-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-78-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-14-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-0-0x00007FF9B0D93000-0x00007FF9B0D95000-memory.dmp

Filesize
8KB

Download
memory/1144-12-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-11-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-10-0x000002C764100000-0x000002C7642F4000-memory.dmp

Filesize
2.0MB

Download
memory/1144-9-0x000002C7631D0000-0x000002C763DBC000-memory.dmp

Filesize
11.9MB

Download
memory/1144-8-0x00007FF9B0D90000-0x00007FF9B1852000-memory.dmp

Filesize
10.8MB

Download
memory/1144-1-0x000002C747060000-0x000002C747E3E000-memory.dmp

Filesize
13.9MB

Download