agenttesla | hxxps://www[.]mediafire[.]com/file/x3uymk8l2du8tyl/Payment+Confirmation[.]tgz/file

Analysis

max time kernel
155s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-09-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/x3uymk8l2du8tyl/Payment+Confirmation.tgz/file

Score

10^/10

agenttesla credential_access discovery execution keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3868	powershell.exe
3028	powershell.exe
960	powershell.exe
3096	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
4484	Payment Confirmation.exe
2768	Payment Confirmation.exe
816	Payment Confirmation.exe
2072	Payment Confirmation.exe
4400	Payment Confirmation.exe
4924	Payment Confirmation.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 2768	4484	Payment Confirmation.exe	114
PID 816 set thread context of 4924	816	Payment Confirmation.exe	124

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Confirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Confirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Confirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Confirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payment Confirmation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133709300529453360"	chrome.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c003100000000000259ed7c110050524f4752417e310000740009000400efbec55259613059c6192e0000003f0000000000010000000000000000004a00000000007d990901500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0 = 50003100000000000259b67a1000372d5a6970003c0009000400efbe0259b67a0259b67a2e000000559f0200000004000000000000000000000000000000ae78850037002d005a0069007000000014000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications\7z.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Payment Confirmation.tgz:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4784	schtasks.exe
468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3540	chrome.exe
3868	powershell.exe
3868	powershell.exe
3028	powershell.exe
3028	powershell.exe
3028	powershell.exe
2768	Payment Confirmation.exe
2768	Payment Confirmation.exe
3096	powershell.exe
3096	powershell.exe
960	powershell.exe
960	powershell.exe
816	Payment Confirmation.exe
816	Payment Confirmation.exe
4924	Payment Confirmation.exe
4924	Payment Confirmation.exe
3096	powershell.exe
960	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe
Token: SeShutdownPrivilege	5112	chrome.exe
Token: SeCreatePagefilePrivilege	5112	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
2352	7zG.exe
2356	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe
5112	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
1052	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
5056	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe
2716	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 3588	5112	chrome.exe	79
PID 5112 wrote to memory of 3588	5112	chrome.exe	79
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1752	5112	chrome.exe	80
PID 5112 wrote to memory of 1552	5112	chrome.exe	81
PID 5112 wrote to memory of 1552	5112	chrome.exe	81
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82
PID 5112 wrote to memory of 2336	5112	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/x3uymk8l2du8tyl/Payment+Confirmation.tgz/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb4d1acc40,0x7ffb4d1acc4c,0x7ffb4d1acc58
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1936 /prefetch:3
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4620,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3792,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4236 /prefetch:8
  2⤵
  - NTFS ADS
  PID:3388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4848,i,11938197385495628123,8079233989266496487,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2304 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3200

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1052
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Payment Confirmation.tgz"
  2⤵
  PID:4692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5056
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Payment Confirmation.tgz"
  2⤵
  PID:5036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2716
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Payment Confirmation.tgz"
  2⤵
  PID:2824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19593:102:7zEvent15444
1⤵
- Suspicious use of FindShellTrayWindow
PID:2352

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12890:102:7zEvent32622
1⤵
- Suspicious use of FindShellTrayWindow
PID:2356

C:\Users\Admin\Downloads\Payment Confirmation.exe
"C:\Users\Admin\Downloads\Payment Confirmation.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4484
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Payment Confirmation.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hdusbcAb.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3028
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hdusbcAb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp92D0.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4784
- C:\Users\Admin\Downloads\Payment Confirmation.exe
  "C:\Users\Admin\Downloads\Payment Confirmation.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2768

C:\Users\Admin\Downloads\Payment Confirmation.exe
"C:\Users\Admin\Downloads\Payment Confirmation.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:816
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads\Payment Confirmation.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hdusbcAb.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:960
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hdusbcAb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA78.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:468
- C:\Users\Admin\Downloads\Payment Confirmation.exe
  "C:\Users\Admin\Downloads\Payment Confirmation.exe"
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\Downloads\Payment Confirmation.exe
  "C:\Users\Admin\Downloads\Payment Confirmation.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4924

C:\Users\Admin\Downloads\Payment Confirmation.exe
"C:\Users\Admin\Downloads\Payment Confirmation.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9047d382a719566414e51edd82d1b1f0

SHA1
d8cbc2fdeaa47ecf71ebbba6b08eacf2028c0021

SHA256
db11ec813c430f02a84589d3a0f2e95005895169cebde23e9cd98a0e8eadec0b

SHA512
44d80235d33225d45da62e0d8f0488a9b2cb1b504eff9494f48a9e756eec38a9ca6b31c49ea75e6996e3c41300fe433ac0ec3dbd823bf4cd045ce48e6ab59964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3a04eb6bfc98ad808a43c6ce8e8ff546

SHA1
aee07419642c84dc7ee3671ef4b0ad495652e55c

SHA256
142f4349a8ee5fab6af2195e4a222fe8d790f4b9f9a382d4194b83a06977efad

SHA512
97f46ac66477d63f6aa290ceda89427d24851f66455d58615c8e32138466ad4d2145e653ed5ef8f881b4d373fe1ef11fd3b764be820a5c4e636e8828d132001b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
d29a1c6d559b9545ad2b4eb774047477

SHA1
2d8c8d58f78e054f2c8123a19e55d197ff4a0ab0

SHA256
01787f97f3a8c7acbf091662c0382a9dc0ac90aacf6f23f234a152be660ba57b

SHA512
3372ceb299d37825c541ac71f0acc53da207f6721f1ec49289f7540d7934e6d04fd5854d096fd114105a0f4361cf913a50e5db722f5e133869ff1b85218574de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fccc32a543b55e1895ccfcc3585028a

SHA1
d1ba0c18f8e1bef3f80f96b2996c34cfe9d9f6cd

SHA256
954dcf3577cf287ba5eb1f5e8acc10e13d4747e057bc36b0a2c6ba5209454ecb

SHA512
9ff19fc27f52be81ac0437b2106cb368b4fe481713b9c4016e04888d8146d4b634f113b491c4c430b6776d2961ecac353ed91fb72733119dc7b99e84ad38a710

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
222ab02b664604cefd4db1333c5ff426

SHA1
271626d8b0b847e256e44f22489b997134492a25

SHA256
674ab7b5a40746d5769004077570651b96c19fb4c4688410235661d402860207

SHA512
2fa4e440df5dc3ba36860ff4dc3c667e873e5097680b3a75174ca4805b8c52493ba6a2d808fc43c1b3d2d74303f9a3c5fdc8803ad99994a3f1cfe3230f23f4dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95ff2e8b9c599cee9e219b5fc62a3432

SHA1
7d08c4c8ca725eefca2e0d850493cfdf0271d287

SHA256
6d0c5c40f4c2d96639f7f17654b5d06b31eba40069dde7e1dfea67837b423bee

SHA512
22dfb9fa9aa27f354950f4f5ef20fe30c58b2d691b2e656c569dfd49e7dbbafd41569a5e6bf7b49d53e576867c9bcdb1ce48e6d4fd7851577dab00af321363bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2ac9e97d2daf626f2ca1b331e594c74

SHA1
68bb360fa00dd47b89a7c3c905f562db3a8c960d

SHA256
f59525c1293641ac646479923fb3b2bd50de823ed21c6a0fdeaaa5e59a4ad251

SHA512
2ee2821f2cbe61b63009f20d76df346fac4986b06d3785fd6057731499eeaacd7a7ce61a7eb265bc490f069760104c65fb2397db6b926e018f795b36855f9494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
407b57bc3ad3cd78d8e5d48c74cfa045

SHA1
2f5d16503406d40a1f3d38bb005be111782111c9

SHA256
408afda7cd7c027bc1f9386e1555696bc5a3aedc548798ddf9d742d091553b84

SHA512
f5ed67257cad498772bb62c67d7156ef05db7e478e44f39fd779b09166e621bf8156d22b7dd3880288d33dbe02214e5bde0791bb55b35687d70e280040014980

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b7ba4d6bfc76f64b6de703ceda380c86

SHA1
3646ed8674e6928431d6caae5c1354e4cbefa9c4

SHA256
2e45b23ed0a0d8575d787e887dee561594bf8620990ec1c95b352291573e14fd

SHA512
039caae56dbae19c209b1057b94ab6f390b612f25a44a8bdf46a8dc79c98fc2c212a13925a99dbecbdcbdc6c919aaa5150a3533b23bf1e5917607ceb7fc5b8c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7547a53a41dd41596371943c0c283c6e

SHA1
efeaf1b5c4343661a061f5c9aad758c952b00925

SHA256
45b2f73963118b97efe66fe6133b0b0693ccb27a7f287b648ca73c78efb7d389

SHA512
5b7bb182278b98d0d2ab64dc1a8457c4cc078a016761115edfa5f89826969d41f5d0b0e8401a00c57080e44f98beec97f9089c96f1a35bd4970f3ea62eeae0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95ecd4381b10ff76037a1c055301ee33

SHA1
0c3e086294b3eafa4075e182b8907b69c4a7806c

SHA256
35ed819e9c3681201056a8698296c902ba3784f59097c193a9c557fb9e8e93e4

SHA512
5049816000d30680c122a283ea20e6d7b6ce2aebdf3e3c328612aa506edfb03b9c4c73a1ad3367c5052fc77fb9d444d1008e5ceeada7a185618c19ebf44653b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
68808417e32f0b159cad1ed3587adfe4

SHA1
b5049f30a9721eca8bf8503b5a2abe2efc2084a9

SHA256
867a5aea00d8765673bb6d2e89ba68429fa105519efa459a11024d3a02d2b172

SHA512
551c46b8dff44311322b53f2ca5c7c777f8e0d09a5e1862acce842d59421696657ad4fe8acd26cce607afb04b20b42f63a0e294c6da32807b3a2f9c42dfa586d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb99cd38d5902507bf6a026466020940

SHA1
7bdacb3ba04f8d28d0f46a2d00e8337ac9cf9f67

SHA256
e4909326c3e52b14e89a23f66d2ba228329bec84949ac26a58135c3391e1d9c6

SHA512
c3daec6496c3ad3076fbe1429c62dd9ae90c06325ab4572445ffc83f8da84fe98d950b6dbbb8a7512844b743f653dc1dd83fd045bd15a39c675e48fdb08ec993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
e1c3451e3cffac142f6b25f914eddad6

SHA1
2a2e4bc6136a61d5bbea6c42d06b1c0f1ed7d524

SHA256
60f76f955604b6b8be0acee99c45272ee364e08d2980269a1f0a927645269623

SHA512
2510b575dadff0797822e511383952110a1e4ca9c86ae208bd240310b7a0bd09628dfc6c37239b6e6471dc84c0c08ec5b6a774054b029ca9bc64aea207626fc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
3c9057cdc72c71b1881393ac04c6646e

SHA1
ea551b2f1105a5edd40630ffc50e3f0b96e6e990

SHA256
f01dce6c5de751d436dc8b5a3d5df4bb95114800b69555e7ee88e256e929f75c

SHA512
a9ee8c6438dc9fb1d8ff4c708e2742648cf9c01a5cb81f829e306819af5f3eb0dc362aa17a10517d578697eaeaf6a2dc2c8655e3925d2aeeb48e69508e90033a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payment Confirmation.exe.log

Filesize
1KB

MD5
7e1ed0055c3eaa0bbc4a29ec1ef15a6a

SHA1
765b954c1adbb6a6ecc4fe912fdaa6d0fba0ae7d

SHA256
4c17576f64dea465c45a50573ee41771f7be9962ab2d07f961af4df5589bdcce

SHA512
de7c784c37d18c43820908add88f08ab4864c0ef3f9d158cc2c9d1bab120613cb093dd4bfc5d7ed0c289414956cfe0b213c386f8e6b5753847dec915566297c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
adc2dde2e923cafc192f4bdd741c111b

SHA1
029a647dc530c2f96c01fcf4676ff0b2facdf8a2

SHA256
0a3a0962f18aac32576ab0274e61f7a359d889d1edf365bdc5c78be5a72e492f

SHA512
8e7ba8a251450d66c13ad0523706eb7c0897190190485015ce8f8715eaed57f7ab6df1f59213ee115a5b23eca4824f96c21134df29fbcdf02673e3b976c4c48f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
542d9a1e9e14f285e84bb1acd428db72

SHA1
b08beee1ae6bb9ba580bf75fb2084a7e963974e7

SHA256
912ca8da5b997db478ca54a1b741a8981e11a7ae85648d253b251f4e45e572ea

SHA512
30b0797f6cbb9b23d4c570909351b24eca6601ea65d5216c6f444f93903f95b6c7b12dd642227dbd100ee1e0d48e93086e9f1c6b87b3b97b37e353778dea7d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zsvydb4d.mxm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92D0.tmp

Filesize
1KB

MD5
2df178c64716d767824fa7f0b089f1a4

SHA1
2d31e13f24842e1ce7c46ccca06887a3a3564122

SHA256
e4534dc298ae1916de863babcbf89a01b61b5eec8abca7170c521042299d619c

SHA512
146d2ca08c93b8e1d4d2b1b99306f4accf26e37ac672748e4f58958337c7761a5c14e30735e5fcb17f141ad4af3f8d7064053f3f65f01e511400ab54b005a838

Download Submit
C:\Users\Admin\Downloads\Payment Confirmation.tgz

Filesize
1.4MB

MD5
37ac065d89791fe2b3d51bbb598e0a56

SHA1
21f568d02460b532a731f710285adc65be65f7c3

SHA256
3b430a2da7beb1840ba7af7621a2d8a9c5a585aa47cdd0fd836e896c13daf04a

SHA512
9b11ca4284d181fb9c33f56e71a20929cb45d871b3c6d1586a2b887bc43e125d03edb0ec92e40826c67b4993fc0e74ed162fda79ad0c155c2ed7718a3796dd0b

Download Submit
C:\Users\Admin\Downloads\Payment Confirmation.tgz:Zone.Identifier

Filesize
283B

MD5
43eced94885b76d0040fbd017ac5c277

SHA1
a943146b3a451d182f3d12064e5d1344f0b2c9bc

SHA256
9686045d98e70ca55bc3d708e496492d541076b8f8f769de27fdacb98e2f3324

SHA512
3a733c870a164225666a04eacddbeea20a581a17f2b1bd2c22c27568afb1458990bbfbb75caebeb238123f822df8ce97775e5799c2a16169e25e7dd3ca65fb3a

Download Submit
memory/960-288-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

Filesize
304KB

Download
memory/2768-231-0x00000000067E0000-0x0000000006830000-memory.dmp

Filesize
320KB

Download
memory/2768-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3028-209-0x000000006F430000-0x000000006F47C000-memory.dmp

Filesize
304KB

Download
memory/3028-224-0x00000000072B0000-0x00000000072B8000-memory.dmp

Filesize
32KB

Download
memory/3028-223-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3028-222-0x00000000071C0000-0x00000000071D5000-memory.dmp

Filesize
84KB

Download
memory/3028-221-0x00000000071B0000-0x00000000071BE000-memory.dmp

Filesize
56KB

Download
memory/3096-246-0x0000000005A10000-0x0000000005D67000-memory.dmp

Filesize
3.3MB

Download
memory/3096-268-0x0000000006000000-0x000000000604C000-memory.dmp

Filesize
304KB

Download
memory/3096-278-0x0000000070AD0000-0x0000000070B1C000-memory.dmp

Filesize
304KB

Download
memory/3096-287-0x0000000007140000-0x00000000071E4000-memory.dmp

Filesize
656KB

Download
memory/3096-297-0x00000000074B0000-0x00000000074C1000-memory.dmp

Filesize
68KB

Download
memory/3868-219-0x0000000007B20000-0x0000000007BB6000-memory.dmp

Filesize
600KB

Download
memory/3868-206-0x00000000077A0000-0x0000000007844000-memory.dmp

Filesize
656KB

Download
memory/3868-207-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/3868-208-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/3868-205-0x0000000006AD0000-0x0000000006AEE000-memory.dmp

Filesize
120KB

Download
memory/3868-218-0x0000000007910000-0x000000000791A000-memory.dmp

Filesize
40KB

Download
memory/3868-195-0x0000000007760000-0x0000000007794000-memory.dmp

Filesize
208KB

Download
memory/3868-220-0x0000000007AA0000-0x0000000007AB1000-memory.dmp

Filesize
68KB

Download
memory/3868-196-0x000000006F430000-0x000000006F47C000-memory.dmp

Filesize
304KB

Download
memory/3868-178-0x0000000006B00000-0x0000000006B4C000-memory.dmp

Filesize
304KB

Download
memory/3868-177-0x0000000006530000-0x000000000654E000-memory.dmp

Filesize
120KB

Download
memory/3868-176-0x0000000006060000-0x00000000063B7000-memory.dmp

Filesize
3.3MB

Download
memory/3868-165-0x0000000005E60000-0x0000000005E82000-memory.dmp

Filesize
136KB

Download
memory/3868-166-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/3868-167-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3868-164-0x0000000005780000-0x0000000005DAA000-memory.dmp

Filesize
6.2MB

Download
memory/3868-163-0x0000000005090000-0x00000000050C6000-memory.dmp

Filesize
216KB

Download
memory/4484-162-0x000000000AB70000-0x000000000AC0C000-memory.dmp

Filesize
624KB

Download
memory/4484-161-0x00000000084C0000-0x0000000008544000-memory.dmp

Filesize
528KB

Download
memory/4484-135-0x00000000060D0000-0x00000000060DE000-memory.dmp

Filesize
56KB

Download
memory/4484-134-0x0000000008420000-0x00000000084BA000-memory.dmp

Filesize
616KB

Download
memory/4484-133-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/4484-132-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/4484-131-0x00000000060F0000-0x0000000006696000-memory.dmp

Filesize
5.6MB

Download
memory/4484-130-0x0000000000FC0000-0x0000000001062000-memory.dmp

Filesize
648KB

Download