agenttesla | 90708abbcad8c3e95f37fb29927781a1ec885a9c3799b50f7dcc01e1b4065baa

Resubmissions

14-09-2024 04:07

240914-epr6vswcnq 10

14-09-2024 04:03

240914-emf1tawfnc 10

14-09-2024 04:02

240914-elt62swbnj 3

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asd.txt
Size

93B
MD5

7213463c27611670218de026f379a4a7
SHA1

90750ced837038b11524c1dba538785414bba6e3
SHA256

90708abbcad8c3e95f37fb29927781a1ec885a9c3799b50f7dcc01e1b4065baa
SHA512

734dfaf55bbba3e05c6bb8a2582aae5defc7336133d96714ca93123843cf476e1e4fdf905a18598e7c9e0ad19cbc98e9affe0e4df296ab4c5d30012f12093f4a

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 1 IoCs

resource	yara_rule
behavioral2/memory/4996-237-0x00000000050E0000-0x00000000052F6000-memory.dmp	family_agenttesla

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HwidSpoofer.com.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	HwidSpoofer.com.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	HwidSpoofer.com.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	HwidSpoofer.com.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133707602192332895"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2004	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1180	chrome.exe
1180	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe
Token: SeShutdownPrivilege	1180	chrome.exe
Token: SeCreatePagefilePrivilege	1180	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe
1180	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3204	1180	chrome.exe	98
PID 1180 wrote to memory of 3204	1180	chrome.exe	98
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 4808	1180	chrome.exe	99
PID 1180 wrote to memory of 2940	1180	chrome.exe	100
PID 1180 wrote to memory of 2940	1180	chrome.exe	100
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101
PID 1180 wrote to memory of 4896	1180	chrome.exe	101

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\asd.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff2e2dcc40,0x7fff2e2dcc4c,0x7fff2e2dcc58
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1828 /prefetch:2
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2212,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:544
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff731f24698,0x7ff731f246a4,0x7ff731f246b0
    3⤵
    - Drops file in Program Files directory
    PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3892,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4656,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3456,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,9144916220033631478,8572351853561862362,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:3664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:960

C:\Users\Admin\Desktop\asd\HwidSpoofer.com.exe
"C:\Users\Admin\Desktop\asd\HwidSpoofer.com.exe"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d7bc87098fb7ef2db3283af58f967c2c

SHA1
eaf4c4fbae60104171837614286cafa4173fac0f

SHA256
7299f528c6b95042948be337240a9aaef079508ed5d6cb15e35a65aab447933d

SHA512
eeebf6be24778420d956077395025095a23698ccc2942d7a0afed78c419fe82a7739bcbb1458b7fb9ca224340811f2dbf07758fe3fa100aecdcdcd4a5138f69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
2536117b1410bfffa35fe2d161f2b7b5

SHA1
6d1096da9b6060138b393ed85229cf2cb58d4aa6

SHA256
ee4fcf8daeeee6af0bc75a916be3d8e84ba21c3d4505da33e36b3331e4187867

SHA512
6089aa9aa02c80a5e494837a322259df368a69444c527fd3a208ef36eb22f43cc297473f5572fa168ad62ade3ee194859a22fe21ba1c16e015e489e9a3105a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5794a37d-7bdb-484c-8af9-1e61e291ac8f.tmp

Filesize
690B

MD5
8b63d2c5780de112c6c3fcf02b6b4bb6

SHA1
8af3586597cfd0f805a0642ab55089b301ee0dbe

SHA256
143b70bee8760c8cdbdf8be4086272ba8f6a054c71a11021486d3347a4899f31

SHA512
a2590b998c7ef63f2dcdeab81ad577d5d556c7f09ff3fd336f13a2ad6372de01859065f7599d7bad9941f7eb51f8a8a53552829ff31e72798421bd34276f996f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8b18ed42-a4a3-4827-a665-edea356056bf.tmp

Filesize
2KB

MD5
45cce4832e6b78a4ad2e753e5eab4ec4

SHA1
706ed81e5bd964f8053b65b65aa823bf7b44cde8

SHA256
7ba543e64542f6ef65b071a912a6befd264c36c750a37c5d7d51eb725325bc86

SHA512
ead302a3b697880c50706061495c9058744bc4fe048ae7993493d88f5f9473c870e64abf6bcd097c4d593402f69305ceeec80ae778b283327b7b300a31356de0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f470f9594581d1276023b63f9160cfd3

SHA1
903fd28059f1a7ed59e838cd9df853c48170c18a

SHA256
123ac6ff4e754b4b1dd88084a070fdb5e288a10c8060fa90acee6df3fc6e8da5

SHA512
696ff7069805684ca02c001ffafa803ef667809e75ebff5744c7fad8a030e450f03b6f8108dc5fd0ede97626f0e6393734f515293bc649478d0b046fd4168017

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c042f6dff93d2c8df8c1e5e06dbfe926

SHA1
1f0c14c96be0e7fd0af47a3f078a83d97786b746

SHA256
4c106aa6f94d926de7ee9acb6374645aef4303ea1e67c00a60383f520583fc78

SHA512
17a1723f40875f6178cd9c244de2e3e8e5736c0f462d7d787b241d65252d7c7a0ff67555146b5199b375e89bcb212d9734b195a60224f2f5b91f94ef8e339140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fe181eb148748555d57a0e7de06f2958

SHA1
d652b232b25867a868a168f88f39c72b4864a6e3

SHA256
451c4efd4d297e6ad6604ab7cdb6ef26f6f39b3ea36c66be2c5823bfda2987f7

SHA512
5ff69dc45f16777a5b9de80aff2e554d28ab935f1d295179b01ccc33fd8c096a935fa9e4c884e0a8d95154b52c5fb3bfaf60b22d25a3a5a726fb6e97e9a33306

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54fe9d22fb0631258c7b47abf5633639

SHA1
0d722f7e5fa9e4ec295dfed3ed0e03387ba82011

SHA256
96460dc6658b7a6ccd56d398a6ec6df8391c1df409c917b8b605fc8c87e5eb10

SHA512
341e865f1f5c97233d879ffd7e90262e37acc7e9a37246a2a0e2feb1eff2d3aa7e7b7971200a3c1dace42d17af439d94f933d6508ad8735441dd3978a50922cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
92c3039ed4f5fcc3dfee4b8da81bdc83

SHA1
c900b754448116407b0e96dcae8fe3a453a3fdce

SHA256
60d2f4aed8dda066f21779a144d0c6aacdb9ec5667cbe058d1e4ecc6ccb0d973

SHA512
4ccd6912fefff0d33c658ed0c92fdbd3b005b6e580711bf8cd6a3efb4c2b82720f33e077b41d62344174ddbb4f2a92698ab2e264cec733482b1d21052bbe1774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
a184da0a383410b8dbe86b8ad45920ba

SHA1
218582f9682f2a97d91a31ee8088491b971557e0

SHA256
2ed33c112c246fef60461a0f14a813fe113489476f078a4b562a8d33c641c006

SHA512
97940ca2d83c1b394bc4e8a3eb920daba13b3eb6ff4ce59e815fc081afd5221826ddefcbe8c31e1021a11ebbc66b8fef603352b0cf9c44c9f81d3973062a9b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
208KB

MD5
2f26dda340997a7218a4290e6f893c38

SHA1
8329bfae480faa36ea01b3d010a5d3ba8b5284a0

SHA256
a58d4e16071b77961a0c3fbd430d417f0eb44c7d88dba02087f3319824f77d1e

SHA512
c4e9cffa51ea6963268ceac29fb9ef10b28a52f0dd802f12f8bfef9a6d069f0e429c674c9abf3f24cf9ac55c5abe5ae93dc2d901ec467839c0a23bc9478e8bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
4cd033cc5ca85dd497d212dba78bf6ed

SHA1
86427e970c7a130a0193dd2ed80cc4829468f489

SHA256
42b8dbe4d6b6081c5496845cdba30779360d272f05087207370093205abe1608

SHA512
0cb0289ca51261a53a1ffc0ce3c3f57dede96224f5c66d4c1b7f3baf53382911c2295611f1cee7ea6870b102563a1bf65ebed257452569de21dc0d81b90602d3

Download Submit
memory/4996-234-0x0000000000180000-0x00000000004B4000-memory.dmp

Filesize
3.2MB

Download
memory/4996-235-0x00000000054F0000-0x0000000005A94000-memory.dmp

Filesize
5.6MB

Download
memory/4996-236-0x0000000004F40000-0x0000000004FD2000-memory.dmp

Filesize
584KB

Download
memory/4996-237-0x00000000050E0000-0x00000000052F6000-memory.dmp

Filesize
2.1MB

Download
memory/4996-238-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download