agenttesla | hxxps://workupload[.]com/file/eLcBvGaLd2z

Analysis

max time kernel
96s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/eLcBvGaLd2z

Score

10^/10

agenttesla discovery keylogger spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

AgentTesla payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023508-130.dat	family_agenttesla
behavioral1/memory/4240-133-0x000000000B370000-0x000000000B582000-memory.dmp	family_agenttesla

Executes dropped EXE 1 IoCs

pid	Process
4240	AtmosLoader.exe

Loads dropped DLL 2 IoCs

pid	Process
4240	AtmosLoader.exe
4240	AtmosLoader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
76	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtmosLoader.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	AtmosLoader.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	AtmosLoader.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	AtmosLoader.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5464	chrome.exe
5464	chrome.exe
5564	msedge.exe
5564	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
5464	chrome.exe
5464	chrome.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeRestorePrivilege	5100	7zFM.exe
Token: 35	5100	7zFM.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeSecurityPrivilege	5100	7zFM.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe
Token: SeCreatePagefilePrivilege	5464	chrome.exe
Token: SeShutdownPrivilege	5464	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5100	7zFM.exe
5100	7zFM.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
5464	chrome.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5464 wrote to memory of 4568	5464	chrome.exe	84
PID 5464 wrote to memory of 4568	5464	chrome.exe	84
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 2396	5464	chrome.exe	85
PID 5464 wrote to memory of 4396	5464	chrome.exe	86
PID 5464 wrote to memory of 4396	5464	chrome.exe	86
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87
PID 5464 wrote to memory of 5832	5464	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://workupload.com/file/eLcBvGaLd2z
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffaa0a9cc40,0x7ffaa0a9cc4c,0x7ffaa0a9cc58
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2128,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:5832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,784750599055838279,14355024426700017903,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3848 /prefetch:8
  2⤵
  PID:3344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2972

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Atmos-Free.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Users\Admin\Desktop\AtmosLoader\AtmosLoader.exe
"C:\Users\Admin\Desktop\AtmosLoader\AtmosLoader.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/wxbKTq8Wmy
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa8d1946f8,0x7ffa8d194708,0x7ffa8d194718
    3⤵
    PID:4952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,13886411165713842949,11376847067972937661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
    3⤵
    PID:4288
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,13886411165713842949,11376847067972937661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,13886411165713842949,11376847067972937661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:4408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13886411165713842949,11376847067972937661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,13886411165713842949,11376847067972937661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
    3⤵
    PID:2736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\AtmosLoader\instruction without (AtmosLoader) - manually.txt
1⤵
PID:6080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1b528117517a634002c02d6495008798

SHA1
afc8c78740153ed8477ea7b616ddd1897cf96b36

SHA256
f8c59465d86747a255115023ab147ef991825f2e34678c2e16d9e57ccdd7bb65

SHA512
c9584e2a3be623874709c233e4e2335c898bf48b7c11d7f0d6ee21778d9d5d4b886d9cf868cc8f4ab11b13b3dc2654664cfeb6bfb37527261c517c2e0599b137

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
962B

MD5
e0422e23c27cc7bb0239e0d1a480da29

SHA1
24eee1c09610c748825e2c358f150eba9c0fd31f

SHA256
a6d9545ebb31d2008627d3f823114a6313e085740b25e46fccfeb6faaf961793

SHA512
9092c1955fb4693bb3679d1fc8be69966e001bf75c81d632215d427193b8554a932efea9c64ce35179d432c8005b16effad434ee87116a3cb84c0e0e21cdec08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d37c65275235670182534beb9e0ccb88

SHA1
85bcbe8e4d0d13af59024c6fd9350ccea337dfd4

SHA256
4b3afc50d48ccf5870fc2fd6b65ea74d4746b4a07812f4bd7f48ad7d58d12eb0

SHA512
e82dd4e98534cb70a7e391292e42083c28172c42dacf8cf5901f8d2316eb704de6a1321a300d3f6c3de8c2fff1ce3d9ab9039c96a99b57e7a4a852c40c0b3802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6538d1a72ee11e20b07636828bb759c

SHA1
b1b713df81ff035eaf46631469dfc82e11fcf43f

SHA256
102abd10054172698a7c60fb65db57391fe7e53c8efa5cf1dc53c33326c2bbcf

SHA512
6c083be773503fe787754d6736d123e97721247f8d5b73b6f7f32ad3def9eb31e56f0c79cf52d2393a9f7336b98edf3af8d775ca827cd4929f531931c9f04f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b49c8c7401582cda21ff4bc810dc46e7

SHA1
61e6a7688903bc9f9a24b1b093e5892b8b029215

SHA256
2034c447cf1b326720fc1eb8fffd56961c959b6237623a6944c07b831bd2c2a6

SHA512
292a021482cd2cbcb864ead23adb35501c53a398d2516294152493952b92d97696ba6a24e15fd666a83cfc0ddc0972ff87b2751758b0cdfac0ea742732cef23c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0016881b91312747c5550204ed9bea40

SHA1
6d5bb6bb5df97c7d9d7a573eb086c86599bccccc

SHA256
7b3a51f279b8376ad1fcec55e611581a150b4346695a0041a9c3a821f522a96f

SHA512
48c582a122a8c95c6d97669523ea3f23eb46d69a45ac38d09a3330ae7ed9eaab91701c00523dbd17a4a5b7ff97cdd1331ef3b2d46aebfa57b666185044fcd093

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8797640145c1d28c66421cda1b5c6100

SHA1
34ffbfaf7d2427f3ff7d4ceaa75da21fa1cd3b88

SHA256
7fea6cc625d34276be27aa5e7fabe96e332f5a3797a51371fd775c88eed618f6

SHA512
66d736c5fa1de73e33b9b3b0e14025a346e6fda90042f714757e4ee099d86b215960082f75649d8a303b7bf5160e81e51a5608d2ab945a29225996a9854cc84b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d2654bd8b6fbc355306010d8c0b9ef9

SHA1
d14bd421354c6808306d3613c4cff34eeda9e6bc

SHA256
97a1b18a833f674633ee4ba0216484e7b14b4cec3f3c46704a7e6cebba26712d

SHA512
15a16c126f6637f24a3ace214806ddb4b30a55af05f6d34b75ab54e6315601a10ddbf181faedd30f99f789ec6b65c0f1ad06b88fa5dcf46aa78f2382bf6cfd39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
79fd070ddf42c78e2df3b2953ed86db3

SHA1
1b2eec53bc07a9b97150236681276370fa9f02c0

SHA256
c70fb8fa17f72b3a08cfa7c2fd252867afa7acfeb5bb2298d801aa8a1b375401

SHA512
f885a34edf061465b8c3b293106b3dc12b72e4c9556559ca05c71492fbf9f8cd5a95fac073798bb7f98dd92fd7529d0fa42c9e58b1888afffbaa9dba03cf489a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
45d1756134840c943b1e4e1b39cd48f6

SHA1
7916f5fbbc57976d40a6b8e5392137f50fa23ba5

SHA256
870139e0015408871bc1046fec391121da825ef1a7badfa8ebb25bed4665427a

SHA512
574c41208da47d23006cd766f925f5fb244e8be524e705a16618bf7b7debe18a35ee6779de1354cd300ae69af59044b5ef1afb5d042d9eb75ec9a3b1952fe48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
178B

MD5
4a93b2ef69f94924cf58b6be3a86b7b9

SHA1
0f15409e37c4626ea11109a3ad158d40cd4803a9

SHA256
00bf442051658c0721c54165303466b6330689c1087665a39c125bc24a709f8f

SHA512
76f2f349aeca499abb5d77ec068d36cc8592c8f51380946743ccf8766a96664652bc308f2d9507d1b4d8b661a0f25b04c0e84822396ca1ddf5cb02f06e212529

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1712544256d5f7c7310d0b59e8ecaec9

SHA1
13dc52d345bd3342159c7f50fcaafcb5f5152ffd

SHA256
d1c88c26b4d8e604a7c476b4c58ef743d95b76a92e2ec7d96a8472acf1722fd3

SHA512
4d100db9853779c80e4aef27e065573040cd6bb17b4300904f1fce5f9ffcf19d7551e0978776512bcff1b567459709720a6dcfccac0f367c2f3555d03415668f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2017ebc24dbbfe55621d8b9f388e2087

SHA1
60446f601ff4c2e408c4b557445e91d342dd71e1

SHA256
97259f355403affd75ec1fe81470545ae6b7d55d3f79a76b00e4428977074e5a

SHA512
56fc1959381571662efb5085a5b6579e28fe5d083de73c4a2cd05ab025cebe76f4386166da183defee37874be001a9d015f6538939f1d080d6517cd630808f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4ae00d293e96e65c17f22547b4c85aaf

SHA1
f88f172597bb7120f61315a0aa00584c214bedd6

SHA256
9c8a32f3d9c8548f65bc6b3523c524282e2ecb82fb9f24026a4979b8f35f0e23

SHA512
d59486374cb6a440bedb28cfe32acc6b161b1aa581479405a9b94dbaf5d0ed505deac950f869dcc6f5bdc1d64cb0daabc7fd720ae287af5579c39d4fba3d62da

Download Submit
C:\Users\Admin\Desktop\AtmosLoader\AtmosLoader.exe

Filesize
81KB

MD5
83f5b569447e73756c2985fc5584448e

SHA1
b51bbb7603f9cb3bf1fc0559418c3b99359e5977

SHA256
b3e8192f0788152339d7f49453d2e42f70877e59282c49b0d2301b46ed269a50

SHA512
2201142bed30b4505481c454ccf671dea949dcc684d5d0e0e2a46cff439604c8057108f156a8b4d96768f024b6cd47bdd1691b408eab9c0a7e3fcde4200fc5f9

Download Submit
C:\Users\Admin\Desktop\AtmosLoader\Guna.UI2.dll

Filesize
2.1MB

MD5
c97f23b52087cfa97985f784ea83498f

SHA1
d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

SHA256
e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

SHA512
ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

Download Submit
C:\Users\Admin\Desktop\AtmosLoader\instruction without (AtmosLoader) - manually.txt

Filesize
1KB

MD5
76eee9cf2f40df7d0cc8dd222b94fe5e

SHA1
90772304174a04974082bce96159c9c0efadf6a5

SHA256
7780789132420c74ee31df814cdd35492ba8c59e8d149e16a25b78d9cb84693e

SHA512
7ed9c7dd34b2eeca4c8e0d12f261b6c7d86904a7ca400c2c0a0e5c7c3af789033f8bb660e49945a44a5ad780086c9b86d6d20811af7fcc874cd67859f1d4e3b1

Download Submit
C:\Users\Admin\Downloads\Atmos-Free.zip.crdownload

Filesize
1.3MB

MD5
5424eb38859b09a798c8dfd90ce35e3a

SHA1
4a3a66c5272187627c804dbce3f058a10d67334a

SHA256
5f2ce4e2d0809f9d41ed393cc4069f2f94751dd22b1b3e1a9c6d361574488e49

SHA512
b25fd3db35a53533eb21d5b7b593eaa2bf39a978be4088b580e79a020d664a25b3f73f28de6ca3bdbe293e7aee2e1d3a284a73936eeb87ad19055b09d1a284c8

Download Submit
memory/4240-134-0x0000000002B70000-0x0000000002B7A000-memory.dmp

Filesize
40KB

Download
memory/4240-133-0x000000000B370000-0x000000000B582000-memory.dmp

Filesize
2.1MB

Download
memory/4240-129-0x000000000AA30000-0x000000000AAC2000-memory.dmp

Filesize
584KB

Download
memory/4240-237-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/4240-128-0x000000000ADC0000-0x000000000B364000-memory.dmp

Filesize
5.6MB

Download
memory/4240-127-0x00000000052F0000-0x00000000052F6000-memory.dmp

Filesize
24KB

Download
memory/4240-126-0x00000000008B0000-0x00000000008CE000-memory.dmp

Filesize
120KB

Download
memory/4240-125-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download