agenttesla | hxxps://gofile[.]io/d/lIBbma

Resubmissions

08-09-2024 10:50

240908-mxngmsvakh 10

08-09-2024 10:48

240908-mv5m5ssakq 3

Analysis

max time kernel
175s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/lIBbma

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral1/memory/4944-257-0x0000000005E00000-0x0000000006014000-memory.dmp	family_agenttesla

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
4060	bypassed.exe
4944	Morphine.exe
4804	Morphine.exe
2700	bypassed.exe
4472	Morphine.exe
4072	Morphine.exe
216	bypassed.exe
2412	Morphine.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 5 IoCs

pid	pid_target	Process	procid_target
776	4944	WerFault.exe	126
4976	4804	WerFault.exe	136
1616	4472	WerFault.exe	150
4324	4072	WerFault.exe	158
3436	2412	WerFault.exe	171

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Morphine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bypassed.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Delays execution with timeout.exe 5 IoCs

evasion

pid	Process
4716	timeout.exe
992	timeout.exe
4896	timeout.exe
2776	timeout.exe
2844	timeout.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Morphine.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Morphine.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702662710329269"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2824	OpenWith.exe
2152	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeRestorePrivilege	2152	7zFM.exe
Token: 35	2152	7zFM.exe
Token: SeSecurityPrivilege	2152	7zFM.exe
Token: SeDebugPrivilege	4944	Morphine.exe
Token: SeDebugPrivilege	4804	Morphine.exe
Token: SeDebugPrivilege	4472	Morphine.exe
Token: SeDebugPrivilege	4072	Morphine.exe
Token: SeDebugPrivilege	2412	Morphine.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
2152	7zFM.exe
2152	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2824	OpenWith.exe
2068	AcroRd32.exe
2068	AcroRd32.exe
2068	AcroRd32.exe
2068	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 2968	3120	chrome.exe	83
PID 3120 wrote to memory of 2968	3120	chrome.exe	83
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 1076	3120	chrome.exe	84
PID 3120 wrote to memory of 4072	3120	chrome.exe	85
PID 3120 wrote to memory of 4072	3120	chrome.exe	85
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86
PID 3120 wrote to memory of 3348	3120	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/lIBbma
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd09e5cc40,0x7ffd09e5cc4c,0x7ffd09e5cc58
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2424,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1896,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2508 /prefetch:3
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2104,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4604,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4856,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5224,i,15540075688256988435,10125840900073212706,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2232

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2824
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\MorphineCracked.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2068
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BA928AA983F885062465504DFA00EA3 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4388
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DF229BECD883AD1CA4B24C2090F9F03E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DF229BECD883AD1CA4B24C2090F9F03E --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3032
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CC73FFEDCC6844D84D7BE367301FC85C --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F281CA90A3A7DDDA4288DDE2753BAF42 --mojo-platform-channel-handle=1868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1A5BA4CC39C97B3EAC8AD8FD0FD2EB3C --mojo-platform-channel-handle=1968 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4648

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MorphineCracked.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2152

C:\Users\Admin\Desktop\bypassed.exe
"C:\Users\Admin\Desktop\bypassed.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4060
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\71A1.tmp\71A2.tmp\71A3.bat C:\Users\Admin\Desktop\bypassed.exe"
  2⤵
  - Drops file in Drivers directory
  PID:3932
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:2780
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Desktop\certificate.crt"
    3⤵
    PID:4928
- - C:\Users\Admin\Desktop\Morphine.exe
    "C:\Users\Admin\Desktop\Morphine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4944
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      PID:116
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2532
      4⤵
      Program crash
      PID:776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4944 -ip 4944
1⤵
PID:1608

C:\Users\Admin\Desktop\Morphine.exe
"C:\Users\Admin\Desktop\Morphine.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2568
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 1004
  2⤵
  - Program crash
  PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4804 -ip 4804
1⤵
PID:3372

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER C:\Users\Admin\Desktop\certificate.crt
1⤵
PID:3656

C:\Users\Admin\Desktop\bypassed.exe
"C:\Users\Admin\Desktop\bypassed.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3FDE.tmp\3FDF.tmp\3FE0.bat C:\Users\Admin\Desktop\bypassed.exe"
  2⤵
  - Drops file in Drivers directory
  PID:1880
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:4904
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Desktop\certificate.crt"
    3⤵
    PID:2704
- - C:\Users\Admin\Desktop\Morphine.exe
    "C:\Users\Admin\Desktop\Morphine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 976
      4⤵
      Program crash
      PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4472 -ip 4472
1⤵
PID:4524

C:\Users\Admin\Desktop\Morphine.exe
"C:\Users\Admin\Desktop\Morphine.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:704
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2776
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2268
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4072 -ip 4072
1⤵
PID:4212

C:\Users\Admin\Desktop\bypassed.exe
"C:\Users\Admin\Desktop\bypassed.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:216
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FFF.tmp\1000.tmp\1001.bat C:\Users\Admin\Desktop\bypassed.exe"
  2⤵
  - Drops file in Drivers directory
  PID:2232
- - C:\Windows\system32\openfiles.exe
    openfiles
    3⤵
    PID:3932
- - C:\Windows\system32\certutil.exe
    certutil -addstore "Root" "C:\Users\Admin\Desktop\certificate.crt"
    3⤵
    PID:936
- - C:\Users\Admin\Desktop\Morphine.exe
    "C:\Users\Admin\Desktop\Morphine.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success": false, "message": "delete hosts file!"} && timeout /t 5"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 5
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 980
      4⤵
      Program crash
      PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2412 -ip 2412
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9acabdcddcf56766c2eba59f4f5136dc

SHA1
33dffc932f4b797621893f1a2ca9f2c3137ba718

SHA256
8598549939fc048404d0008ca33e99e9d562812fce55caea8285f9080c9fa1a7

SHA512
55200dff4a61cf78015b1ebb73c0a06efa3c533871ab7e5caab94e5a3ccd9ea0f07e6c00f8e6b093e909958025f0353b1494dae6530f19f5b67216f03e248a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
0628c97625f18981eac5e53732eac84f

SHA1
068d01c4b619abd099473044b34598ba398415cb

SHA256
cdd0bbdf2403d10f2b9f3b6eccdca88be37c58649fb6864b05ecd335c9068e99

SHA512
b5c6d00bd42d7d63b21bc7ec89a4ff5bbdbb6a040276add1dd2aa58dffa8b9dd0e425f5b00d426facc9fbf4caed8869549b5bd5f0bc31d8d2f82cf059b2a55b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b0be55739b0c5bc515a7021dd6489d8d

SHA1
bc2917513df570a065bb17a730346132df46f4a6

SHA256
90a1e7742e05dfa96873f4a9914bec81a2dcab45c4236c163f12e51106cb8941

SHA512
4748035fb70f53c4d79216894a2c20ca7da90cadb0468e27321d9b0a4291f3815ead08dfef6fd2091538b9d0f0dc17746184564d4906af765db534754a632696

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
7cd91dea8cd078f8c957a6cf9b176762

SHA1
7647078e0c41440bc7bc4e96a344bb367b4d13e6

SHA256
4736958bcaeac15ba63c09b3ee10628b626f672538af008f3d7fece6434aee92

SHA512
906d1985a9fe77643d6bfddd4b3080ccde82d8d5003e7b2cac1c92c21fd50f7d403ea0c2ff95ebaab244a5efef00445b06a531950bb672372f82749fa27bde28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
75624490a6e0096844184ca7b3b686c2

SHA1
d995933f08a5a80c0e20892da7ec5a007b1b2ebe

SHA256
fe65c59e7350e7acf052ab71680307b6e737aca4a590b1a8ff4b92f14dbd6b0c

SHA512
428d6b07733e14c08326a3c10524cf65d8fbd00ef3d97390bb041ee9cda7eb1de036537218784cf0a4d16c5ccf64f4db4b45439a93896f54895273c11f429d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce7564d41c846e3911ed05e3327bd11e

SHA1
f7e70576fb9f8473e4b29b2efa544565aa86472e

SHA256
72fb03a2dfff4b864d39d6c0de029d2677d87f305f29fae9e90964e2dc732f18

SHA512
3cabf48530786360a938fc98c3b3f7a24d0b5dbde9d825fb8d71b2d1e956bc30ae70d086b16d3929dcdadccfb6b8979f6efb922693df6c0b42919e7052e0248c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
00bc8a46a8ed3821d2daccdb7dedc19f

SHA1
aa1d556842dfa9dbeee14d41d5ad7ceee64757d3

SHA256
73165f983c9e6f4f9167dbad6b2b5a20c33a77bd022e8baf0453f8739ca4f7de

SHA512
6d8030cdd09405af5ef818a6c29a105932a50e46ce9d0f906f8042f6ee7a0d788bf1c2921a1f00aade1b81912792ca25bb9962523a63933c3f9627fce8581047

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
39ea9b11011944261d21d0ca0eb5a32a

SHA1
05910a5191c791f2e2570b7b5f4656608d35b7b0

SHA256
4efa3fa802c967d5511a8c6a3d0f49ff8fdbc5a72168fc1c7e8ba42b19cbc8a7

SHA512
06baa405e3f2a304ccc51bf87ce0c6e94ee48f987f4a78a91a18301e87e6a1d4d1175ddeeccd24f741c8d7af8f9a015e63c6c352fa5f7af768f0a2ff16d55310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Morphine.exe.log

Filesize
1KB

MD5
4f818cf0e8d5f04a1a1ad5c4abfc4c7f

SHA1
9048e304ee570e25dcbad76d752188dac1594f1c

SHA256
5b09309e8184cfd02165002c8f6a0b35cf8ff8184db6dfb649d47968fe72862a

SHA512
00cc0d1cf1f412768d721ba3f394ac6e2fcac8349479b7ea3eb64fb83540b67ce5131e19b65c081ba938e09f18f3d13d0d5b9cc74d275ac0cdd6e0e388d2c98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\71A1.tmp\71A2.tmp\71A3.bat

Filesize
1KB

MD5
4139d82b7887de939696e636b8c4a86e

SHA1
42ac906cc609814eb6cc27d5d0ff93c25ff842f2

SHA256
3c5bee69f5de7ccf115c18fe5d908a8a8f6232178f5af7bbb74a8efeddf85647

SHA512
8ddb01874b1c1e37780dfe4defaae393d65e8102ba9f4d0ff67c88694aea5167402b2c748e18078c15924583418bae6fa10a627868f2c94528519bd803103ceb

Download Submit
C:\Users\Admin\Desktop\Logs\ErrorLogs.txt

Filesize
368B

MD5
dd339476f397d1e0b5efc703eb944a68

SHA1
95bbc4ec3e88509c0655b29dd934e25fcf59e042

SHA256
523952c88574ac8deff20b2e9e7148613a684ddd652de7462721e6486c9fed99

SHA512
99fd7d86ca86683d4207c1a26d52be2d2706773549ed698c203f5546ea872d5a7476c00b6451d60f9a66b5531db550d3f129928a12a494b031b216178d3ce024

Download Submit
C:\Users\Admin\Desktop\Logs\ErrorLogs.txt

Filesize
552B

MD5
2178998af60431e6c8dae3837a379a87

SHA1
86e4706d18a8947dc41e7d2e376f2026dc6a5d83

SHA256
805d7a3824d1ef640485d4a09e814ef3e9eec498fbdb0f49d294d0192f17ace8

SHA512
a5356b6f5ff0c7eeaa530e8a8f9fdbf0d31c51d9122348f5e9d08ed8606703d7fa6d0c6c6410ec1422fc7e50df09c46496b512da4012891b22bd5ef10ec94bd1

Download Submit
C:\Users\Admin\Desktop\Logs\ErrorLogs.txt

Filesize
736B

MD5
5f49c58ea4c899efe9093c14c83f272f

SHA1
180375c54168b2d1b121c9c364479009dd6b10e9

SHA256
b02a991069453e98f7a0ffcdfa09ce42d8abe8ce6c1eca7a1bb176f07e6b662f

SHA512
c213fba1d0e82da73418a832e0d668e8755282fd8f956b6c3469c9500f1d93a500c609eda0e2827a2d11fdd336f321f64d92b9b1b4107033a723cace2e32e2af

Download Submit
C:\Users\Admin\Desktop\Logs\ErrorLogs.txt

Filesize
920B

MD5
aafbd05baba3f227c1911d3acb14df8a

SHA1
45921e02d52f8ac81423340a84c1cf280f3c07e7

SHA256
feb5338af6c03701840b50069e5b6ff16145043cc598011e1581cc43486b821c

SHA512
218064d2acc0c73a99db780d310610d68117dbfba0cf5d73ea91adeaa86c17c6e5445c357899838e4401cce0f08227ec69488a147ff002ca4f0d38a4530e4248

Download Submit
C:\Users\Admin\Desktop\Morphine.exe

Filesize
5.8MB

MD5
c61fbe172730e0e221f4abe4069dd8e9

SHA1
f0b7f3d5b45537c3250db2ce7f15bc74e545cab3

SHA256
b4af9f34ccb4774459d6586598e0c32e7ffcd5efb45226e2d47da7def44dcc83

SHA512
f03559718dbba771620269ac5a5c0a1aefdf74e37f3fdf84c6bab39f4cc859494fd053763642debe19c99ce3f356513c23d42eb2c8c33aa5e8447b864ba70490

Download Submit
C:\Users\Admin\Desktop\bypassed.exe

Filesize
90KB

MD5
5d046cd83e8e4bbb64ca82a250e90ea8

SHA1
231c777db2aaa5677953a275137e8959ecc447ff

SHA256
049ea73a545bf2c262f03a53e2c54020dbf3314b694d37d0d0255768c73cbcf1

SHA512
6c6f5ab99735353b65eed9efd7b3f5cd90f5879cdc67856384be9aa22022377404632bea26b7c26ae771f07515251a67c360da7d3d76e76091a729d2d4bfeb87

Download Submit
C:\Users\Admin\Desktop\certificate.crt

Filesize
1KB

MD5
e3eff8b29b2d04da7a2e09e214f0949b

SHA1
34a05a3e6a8fc1710d22b9fb891f6c7a400c5701

SHA256
dfea79c5653186395f8c5c06942471144d1528a2bb0a270321b1a53bcab32f58

SHA512
bd7207bed45d100a522228ed21d1bee079e4cbd449369f114a9feda56d0ca7df1fc05c8451454f60b77ae27a12a1467eae667c9f1a992a9dab755dcd7f3344c5

Download Submit
C:\Users\Admin\Downloads\MorphineCracked.rar

Filesize
4.4MB

MD5
81c7217f289de17945186eaaac435571

SHA1
2086719e7477be84cc6c7ccb4a07d950da71b563

SHA256
812b875a2e5e43b0cda447a19af314fcb56926b75205b036110f8500fea3d7e8

SHA512
0bcbad10ddd608ca1e00ce09df6feac6f1c7f97963714fefd0fc8031ffabcbe8ab2e1acf7de69b43c4c0a88f28c7146e76a645f520503e201fe7234b26f1be90

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
d3a34187a3ade2feeb0164910bedc348

SHA1
ef5d6a667b344b4591cd620728b0cd82a0cc7d9c

SHA256
e97e0209d668ff9dce7f03c4c9cbd40267c0bf0dbff72a0b0bf137ce55fdd543

SHA512
70a511c80096f62dca1cc8fbe3c41399c76a9edbc7cf6433a4649ec43b3db26259ac93bde95c106b73fe666806c0ae6c8df9810c55aec0c65e2de4ea7d33e2b0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
1KB

MD5
8035dc04ab74193fba9f5e6058527b30

SHA1
0cd9f05dc977026e247ee50fe22312abecc23aa7

SHA256
50f4ef19e456585f4f04eea89d04ac48ae24ef98d82acd097b45089519f66502

SHA512
64a8243aa68ce7a612381b060c4763f40407c6d7e667624bb4d787cad717577e3badc6738f81d92f99c04c8935d348f6010423b8509c39c572b7319d58acf570

Download Submit
memory/4944-255-0x0000000005D30000-0x0000000005D3A000-memory.dmp

Filesize
40KB

Download
memory/4944-256-0x0000000005D60000-0x0000000005D72000-memory.dmp

Filesize
72KB

Download
memory/4944-257-0x0000000005E00000-0x0000000006014000-memory.dmp

Filesize
2.1MB

Download
memory/4944-254-0x0000000005BA0000-0x0000000005C32000-memory.dmp

Filesize
584KB

Download
memory/4944-253-0x00000000060B0000-0x0000000006654000-memory.dmp

Filesize
5.6MB

Download
memory/4944-252-0x0000000000910000-0x0000000000EE2000-memory.dmp

Filesize
5.8MB

Download