agenttesla | 46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

Analysis

max time kernel
25s
max time network
143s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f377de371a8e95acec9956303d6f032.exe
Size

835KB
MD5

5f377de371a8e95acec9956303d6f032
SHA1

4d36d918df8ff90c0327ef713cfa262591d93636
SHA256

46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09
SHA512

f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
mailjege@yandex.com
Password:
recovery111

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4480-169-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4480-172-0x000000000043770E-mapping.dmp	family_agenttesla
behavioral2/memory/4932-1038-0x000000000043770E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe7ADA33B7.exe

pid process

4856 AdvancedRun.exe
4908 AdvancedRun.exe
3564 7ADA33B7.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5f377de371a8e95acec9956303d6f032.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5f377de371a8e95acec9956303d6f032.exe

Drops startup file 2 IoCs

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	5f377de371a8e95acec9956303d6f032.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	5f377de371a8e95acec9956303d6f032.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	5f377de371a8e95acec9956303d6f032.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe = "0"	5f377de371a8e95acec9956303d6f032.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	5f377de371a8e95acec9956303d6f032.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe = "0"	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	5f377de371a8e95acec9956303d6f032.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\E59A6148\svchost.exe = "0"	5f377de371a8e95acec9956303d6f032.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5f377de371a8e95acec9956303d6f032.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f377de371a8e95acec9956303d6f032.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	5f377de371a8e95acec9956303d6f032.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	5f377de371a8e95acec9956303d6f032.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5f377de371a8e95acec9956303d6f032.exe

description pid process target process

PID 4720 set thread context of 4480 4720 5f377de371a8e95acec9956303d6f032.exe 5f377de371a8e95acec9956303d6f032.exe
Drops file in Program Files directory 1 IoCs

Processes:

5f377de371a8e95acec9956303d6f032.exe

description ioc process

File created C:\Program Files\Common Files\System\E59A6148\svchost.exe 5f377de371a8e95acec9956303d6f032.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4040 4720 WerFault.exe 5f377de371a8e95acec9956303d6f032.exe
4868 3564 WerFault.exe 7ADA33B7.exe

description	pid	process	target process
PID 4720 set thread context of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\E59A6148\svchost.exe	5f377de371a8e95acec9956303d6f032.exe

pid	pid_target	process	target process
4040	4720	WerFault.exe	5f377de371a8e95acec9956303d6f032.exe
4868	3564	WerFault.exe	7ADA33B7.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4856	AdvancedRun.exe
4856	AdvancedRun.exe
4856	AdvancedRun.exe
4856	AdvancedRun.exe
4908	AdvancedRun.exe
4908	AdvancedRun.exe
4908	AdvancedRun.exe
4908	AdvancedRun.exe
4984	powershell.exe
5020	powershell.exe
5056	powershell.exe
4128	powershell.exe
1548	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exe5f377de371a8e95acec9956303d6f032.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4856	AdvancedRun.exe
Token: SeImpersonatePrivilege	4856	AdvancedRun.exe
Token: SeDebugPrivilege	4908	AdvancedRun.exe
Token: SeImpersonatePrivilege	4908	AdvancedRun.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	4720	5f377de371a8e95acec9956303d6f032.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

5f377de371a8e95acec9956303d6f032.exeAdvancedRun.exe

description	pid	process	target process
PID 4720 wrote to memory of 4856	4720	5f377de371a8e95acec9956303d6f032.exe	AdvancedRun.exe
PID 4720 wrote to memory of 4856	4720	5f377de371a8e95acec9956303d6f032.exe	AdvancedRun.exe
PID 4720 wrote to memory of 4856	4720	5f377de371a8e95acec9956303d6f032.exe	AdvancedRun.exe
PID 4856 wrote to memory of 4908	4856	AdvancedRun.exe	AdvancedRun.exe
PID 4856 wrote to memory of 4908	4856	AdvancedRun.exe	AdvancedRun.exe
PID 4856 wrote to memory of 4908	4856	AdvancedRun.exe	AdvancedRun.exe
PID 4720 wrote to memory of 4984	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4984	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4984	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5020	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5020	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5020	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5056	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5056	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 5056	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4128	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4128	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4128	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 1548	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 1548	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 1548	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3564	4720	5f377de371a8e95acec9956303d6f032.exe	7ADA33B7.exe
PID 4720 wrote to memory of 3564	4720	5f377de371a8e95acec9956303d6f032.exe	7ADA33B7.exe
PID 4720 wrote to memory of 3564	4720	5f377de371a8e95acec9956303d6f032.exe	7ADA33B7.exe
PID 4720 wrote to memory of 3660	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3660	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3660	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 736	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 736	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 736	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3428	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3428	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 3428	4720	5f377de371a8e95acec9956303d6f032.exe	powershell.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe
PID 4720 wrote to memory of 4480	4720	5f377de371a8e95acec9956303d6f032.exe	5f377de371a8e95acec9956303d6f032.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

5f377de371a8e95acec9956303d6f032.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5f377de371a8e95acec9956303d6f032.exe

C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe
"C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4720

C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe" /SpecialRun 4101d8 4856
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
2⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe" /SpecialRun 4101d8 4180
4⤵
PID:4852

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:4292

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:4392

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
3⤵
PID:4272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:4684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
3⤵
PID:4796

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
3⤵
PID:1752

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
3⤵
PID:2060

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
3⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 1944
3⤵
- Program crash
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
2⤵
PID:3660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe" -Force
2⤵
PID:736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
2⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe
"C:\Users\Admin\AppData\Local\Temp\5f377de371a8e95acec9956303d6f032.exe"
2⤵
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 1680
2⤵
- Program crash
PID:4040

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a22d97329a8e47b9b1524248e1db6100

SHA1
9095045df77790d3824366bc09776f1829b1c7f9

SHA256
bed4cd9183a4306e6f7fde5ec8c310431aa41c0b40da62e71b47caab0b9e83df

SHA512
696afdef2cdfaeedcd24ae25d0d4cfa40e1d60c48056e6137b7d0814d4a89db1cab5bdbcf3e3b5f634f5f02692608c3471ab656dc00d4d823b7f4b8273218bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
ce49e61a7b0ffd0c234e1c3b953aaffa

SHA1
b784d86fbe88ee3b157a7c279304ccfc294c0a66

SHA256
8078c4efe7c9438b47df0d2c97771ff3d3e8e74d35b78f782dd0a3db116d7be7

SHA512
da83703f5a08348a23949f9b75c56b1081db704e5d56903a335add35c3a62c4684ca0e67a76d884ccea0885eff308aa9c548af867b29a11f8a76c818105add76

Download Submit
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\60437537-5b7d-4034-bfce-2e6522368f5b\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d4cb421-c647-4f9d-a7d8-d5598f5e494e\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
5f377de371a8e95acec9956303d6f032

SHA1
4d36d918df8ff90c0327ef713cfa262591d93636

SHA256
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

SHA512
f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
5f377de371a8e95acec9956303d6f032

SHA1
4d36d918df8ff90c0327ef713cfa262591d93636

SHA256
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

SHA512
f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
5f377de371a8e95acec9956303d6f032

SHA1
4d36d918df8ff90c0327ef713cfa262591d93636

SHA256
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

SHA512
f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
5f377de371a8e95acec9956303d6f032

SHA1
4d36d918df8ff90c0327ef713cfa262591d93636

SHA256
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

SHA512
f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
5f377de371a8e95acec9956303d6f032

SHA1
4d36d918df8ff90c0327ef713cfa262591d93636

SHA256
46eeda891d1ab66cb14c007a901cf167b9e80ed78d9af21889eea4be3eb55e09

SHA512
f7766dbb768cd671ac7a2e99b78625352b2ba53504ce9baaf6545afb0d33d769218b117400bb1658a48b1b6a108f56cf29b2287c761c9c98f7d6f714d6c4b506

Download Submit
memory/736-505-0x0000000007063000-0x0000000007064000-memory.dmp

Filesize
4KB

Download
memory/736-194-0x0000000007062000-0x0000000007063000-memory.dmp

Filesize
4KB

Download
memory/736-188-0x0000000007060000-0x0000000007061000-memory.dmp

Filesize
4KB

Download
memory/736-395-0x000000007F240000-0x000000007F241000-memory.dmp

Filesize
4KB

Download
memory/736-147-0x0000000000000000-mapping.dmp

Download
memory/1548-205-0x00000000047B0000-0x00000000047B1000-memory.dmp

Filesize
4KB

Download
memory/1548-167-0x00000000047B2000-0x00000000047B3000-memory.dmp

Filesize
4KB

Download
memory/1548-433-0x00000000047B3000-0x00000000047B4000-memory.dmp

Filesize
4KB

Download
memory/1548-133-0x0000000000000000-mapping.dmp

Download
memory/1548-340-0x000000007E6A0000-0x000000007E6A1000-memory.dmp

Filesize
4KB

Download
memory/3428-199-0x0000000007082000-0x0000000007083000-memory.dmp

Filesize
4KB

Download
memory/3428-489-0x0000000007083000-0x0000000007084000-memory.dmp

Filesize
4KB

Download
memory/3428-399-0x000000007EE80000-0x000000007EE81000-memory.dmp

Filesize
4KB

Download
memory/3428-153-0x0000000000000000-mapping.dmp

Download
memory/3428-192-0x0000000007080000-0x0000000007081000-memory.dmp

Filesize
4KB

Download
memory/3564-137-0x0000000000000000-mapping.dmp

Download
memory/3564-159-0x0000000005350000-0x000000000584E000-memory.dmp

Filesize
5.0MB

Download
memory/3660-142-0x0000000000000000-mapping.dmp

Download
memory/3660-174-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/3660-390-0x000000007F060000-0x000000007F061000-memory.dmp

Filesize
4KB

Download
memory/3660-184-0x0000000007002000-0x0000000007003000-memory.dmp

Filesize
4KB

Download
memory/3660-498-0x0000000007003000-0x0000000007004000-memory.dmp

Filesize
4KB

Download
memory/4128-202-0x0000000004E50000-0x0000000004E51000-memory.dmp

Filesize
4KB

Download
memory/4128-131-0x0000000000000000-mapping.dmp

Download
memory/4128-162-0x0000000004E52000-0x0000000004E53000-memory.dmp

Filesize
4KB

Download
memory/4128-434-0x0000000004E53000-0x0000000004E54000-memory.dmp

Filesize
4KB

Download
memory/4128-348-0x000000007EFF0000-0x000000007EFF1000-memory.dmp

Filesize
4KB

Download
memory/4180-815-0x0000000000000000-mapping.dmp

Download
memory/4272-1018-0x0000000000000000-mapping.dmp

Download
memory/4272-1112-0x0000000004DA2000-0x0000000004DA3000-memory.dmp

Filesize
4KB

Download
memory/4272-1094-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/4272-2150-0x000000007ECC0000-0x000000007ECC1000-memory.dmp

Filesize
4KB

Download
memory/4292-2121-0x000000007EF10000-0x000000007EF11000-memory.dmp

Filesize
4KB

Download
memory/4292-1049-0x00000000072C0000-0x00000000072C1000-memory.dmp

Filesize
4KB

Download
memory/4292-1061-0x00000000072C2000-0x00000000072C3000-memory.dmp

Filesize
4KB

Download
memory/4292-1016-0x0000000000000000-mapping.dmp

Download
memory/4392-2132-0x000000007EC50000-0x000000007EC51000-memory.dmp

Filesize
4KB

Download
memory/4392-1085-0x00000000049F2000-0x00000000049F3000-memory.dmp

Filesize
4KB

Download
memory/4392-1017-0x0000000000000000-mapping.dmp

Download
memory/4392-1075-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/4480-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4480-172-0x000000000043770E-mapping.dmp

Download
memory/4480-181-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/4480-197-0x0000000005750000-0x0000000005C4E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-1103-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/4684-2141-0x000000007F170000-0x000000007F171000-memory.dmp

Filesize
4KB

Download
memory/4684-1123-0x00000000041D2000-0x00000000041D3000-memory.dmp

Filesize
4KB

Download
memory/4684-1019-0x0000000000000000-mapping.dmp

Download
memory/4720-120-0x00000000050A0000-0x0000000005108000-memory.dmp

Filesize
416KB

Download
memory/4720-121-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4720-118-0x0000000005120000-0x000000000561E000-memory.dmp

Filesize
5.0MB

Download
memory/4720-175-0x00000000065F0000-0x00000000065F3000-memory.dmp

Filesize
12KB

Download
memory/4720-117-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4720-164-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/4720-116-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4720-115-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4720-119-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4796-1133-0x0000000006DD0000-0x0000000006DD1000-memory.dmp

Filesize
4KB

Download
memory/4796-1055-0x0000000006DD2000-0x0000000006DD3000-memory.dmp

Filesize
4KB

Download
memory/4796-1020-0x0000000000000000-mapping.dmp

Download
memory/4796-2217-0x000000007F100000-0x000000007F101000-memory.dmp

Filesize
4KB

Download
memory/4852-910-0x0000000000000000-mapping.dmp

Download
memory/4856-122-0x0000000000000000-mapping.dmp

Download
memory/4908-125-0x0000000000000000-mapping.dmp

Download
memory/4932-1038-0x000000000043770E-mapping.dmp

Download
memory/4932-1067-0x00000000054A0000-0x000000000599E000-memory.dmp

Filesize
5.0MB

Download
memory/4984-163-0x0000000006722000-0x0000000006723000-memory.dmp

Filesize
4KB

Download
memory/4984-435-0x0000000006723000-0x0000000006724000-memory.dmp

Filesize
4KB

Download
memory/4984-318-0x000000007EFB0000-0x000000007EFB1000-memory.dmp

Filesize
4KB

Download
memory/4984-187-0x0000000006D30000-0x0000000006D31000-memory.dmp

Filesize
4KB

Download
memory/4984-157-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/4984-134-0x00000000065F0000-0x00000000065F1000-memory.dmp

Filesize
4KB

Download
memory/4984-135-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/4984-127-0x0000000000000000-mapping.dmp

Download
memory/4984-198-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/4984-204-0x00000000076C0000-0x00000000076C1000-memory.dmp

Filesize
4KB

Download
memory/5020-326-0x000000007F970000-0x000000007F971000-memory.dmp

Filesize
4KB

Download
memory/5020-128-0x0000000000000000-mapping.dmp

Download
memory/5020-165-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/5020-171-0x00000000070A2000-0x00000000070A3000-memory.dmp

Filesize
4KB

Download
memory/5020-439-0x00000000070A3000-0x00000000070A4000-memory.dmp

Filesize
4KB

Download
memory/5056-129-0x0000000000000000-mapping.dmp

Download
memory/5056-180-0x0000000004912000-0x0000000004913000-memory.dmp

Filesize
4KB

Download
memory/5056-177-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/5056-333-0x000000007ED50000-0x000000007ED51000-memory.dmp

Filesize
4KB

Download
memory/5056-442-0x0000000004913000-0x0000000004914000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads