agenttesla | d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e

Analysis

max time kernel
24s
max time network
139s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f51a31a3b9ed0a4087aca907befdeb.exe
Size

835KB
MD5

83f51a31a3b9ed0a4087aca907befdeb
SHA1

f3805488954d7bdb7b1d83ef77968ae59170a1e9
SHA256

d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e
SHA512

3e5212b2de5b2fe9ca162625410559acacb11e7d04d431ff5af72662489efa20131f3648390edcf6bb97771683c26d4c47951ded7ebce072b03a67e25b1bc3b3

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
mailjege@yandex.com
Password:
recovery111

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3992-173-0x000000000043770E-mapping.dmp	family_agenttesla
behavioral2/memory/3992-170-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4520-1189-0x000000000043770E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe7ADA33B7.exe

pid process

2892 AdvancedRun.exe
652 AdvancedRun.exe
1288 7ADA33B7.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	83f51a31a3b9ed0a4087aca907befdeb.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	83f51a31a3b9ed0a4087aca907befdeb.exe

Drops startup file 2 IoCs

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe	83f51a31a3b9ed0a4087aca907befdeb.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\E59A6148\svchost.exe = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	83f51a31a3b9ed0a4087aca907befdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	83f51a31a3b9ed0a4087aca907befdeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	83f51a31a3b9ed0a4087aca907befdeb.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	83f51a31a3b9ed0a4087aca907befdeb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	83f51a31a3b9ed0a4087aca907befdeb.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	83f51a31a3b9ed0a4087aca907befdeb.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description pid process target process

PID 3176 set thread context of 3992 3176 83f51a31a3b9ed0a4087aca907befdeb.exe 83f51a31a3b9ed0a4087aca907befdeb.exe
Drops file in Program Files directory 1 IoCs

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description ioc process

File created C:\Program Files\Common Files\System\E59A6148\svchost.exe 83f51a31a3b9ed0a4087aca907befdeb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3172 1288 WerFault.exe 7ADA33B7.exe

description	pid	process	target process
PID 3176 set thread context of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\E59A6148\svchost.exe	83f51a31a3b9ed0a4087aca907befdeb.exe

pid	pid_target	process	target process
3172	1288	WerFault.exe	7ADA33B7.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2892	AdvancedRun.exe
2892	AdvancedRun.exe
2892	AdvancedRun.exe
2892	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
3848	powershell.exe
3872	powershell.exe
3868	powershell.exe
884	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exe83f51a31a3b9ed0a4087aca907befdeb.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2892	AdvancedRun.exe
Token: SeImpersonatePrivilege	2892	AdvancedRun.exe
Token: SeDebugPrivilege	652	AdvancedRun.exe
Token: SeImpersonatePrivilege	652	AdvancedRun.exe
Token: SeDebugPrivilege	3848	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	3176	83f51a31a3b9ed0a4087aca907befdeb.exe
Token: SeDebugPrivilege	3868	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exeAdvancedRun.exe

description	pid	process	target process
PID 3176 wrote to memory of 2892	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	AdvancedRun.exe
PID 3176 wrote to memory of 2892	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	AdvancedRun.exe
PID 3176 wrote to memory of 2892	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	AdvancedRun.exe
PID 2892 wrote to memory of 652	2892	AdvancedRun.exe	AdvancedRun.exe
PID 2892 wrote to memory of 652	2892	AdvancedRun.exe	AdvancedRun.exe
PID 2892 wrote to memory of 652	2892	AdvancedRun.exe	AdvancedRun.exe
PID 3176 wrote to memory of 3848	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3848	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3848	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3872	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3872	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3872	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3868	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3868	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3868	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 884	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 884	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 884	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 444	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 444	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 444	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1288	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	7ADA33B7.exe
PID 3176 wrote to memory of 1288	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	7ADA33B7.exe
PID 3176 wrote to memory of 1288	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	7ADA33B7.exe
PID 3176 wrote to memory of 1608	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1608	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1608	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1936	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1936	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 1936	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 2392	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 2392	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 2392	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	powershell.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe
PID 3176 wrote to memory of 3992	3176	83f51a31a3b9ed0a4087aca907befdeb.exe	83f51a31a3b9ed0a4087aca907befdeb.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

83f51a31a3b9ed0a4087aca907befdeb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	83f51a31a3b9ed0a4087aca907befdeb.exe

C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe
"C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3176

C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe" /SpecialRun 4101d8 2892
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe" -Force
2⤵
PID:444

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
2⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe" /SpecialRun 4101d8 4808
4⤵
PID:4956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:4568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:4696

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
3⤵
PID:4740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe" -Force
3⤵
PID:5040

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
3⤵
PID:4788

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe"
3⤵
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1308
3⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
2⤵
PID:1608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe" -Force
2⤵
PID:1936

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\E59A6148\svchost.exe" -Force
2⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe
"C:\Users\Admin\AppData\Local\Temp\83f51a31a3b9ed0a4087aca907befdeb.exe"
2⤵
PID:3992

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
04dcf48e42aabd6059a0c987d6a30064

SHA1
c0cdfc104291938dd603a2ba2c4d06f9d8989a44

SHA256
d1587f4ec158b1f60054693360bb7fcf9f22075b29388c8d7c8c65a7309b02b6

SHA512
d34808b704cf0bc93ee212fafe40e6ee0aa59567f508835c9d06c970ae389d53249878e73572c889ceeb5c0c8cc217ca75efa47ca34ba1fcad443761c91d6401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
04dcf48e42aabd6059a0c987d6a30064

SHA1
c0cdfc104291938dd603a2ba2c4d06f9d8989a44

SHA256
d1587f4ec158b1f60054693360bb7fcf9f22075b29388c8d7c8c65a7309b02b6

SHA512
d34808b704cf0bc93ee212fafe40e6ee0aa59567f508835c9d06c970ae389d53249878e73572c889ceeb5c0c8cc217ca75efa47ca34ba1fcad443761c91d6401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
04dcf48e42aabd6059a0c987d6a30064

SHA1
c0cdfc104291938dd603a2ba2c4d06f9d8989a44

SHA256
d1587f4ec158b1f60054693360bb7fcf9f22075b29388c8d7c8c65a7309b02b6

SHA512
d34808b704cf0bc93ee212fafe40e6ee0aa59567f508835c9d06c970ae389d53249878e73572c889ceeb5c0c8cc217ca75efa47ca34ba1fcad443761c91d6401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0734dec688e13304cdaf6a08d2065d87

SHA1
8024fc0ad8d0576827d9e041cab49a309aceba5a

SHA256
29970034ddd3b6a6cebfe65ab07cfd17cff61a179e0eafc3c9dbe6a899195227

SHA512
1ab702478458afdb63163a953dd6522c6c3f29dc482261dd976808a44a835e8aea6c08aa80be900e0649f9cd277b8c3e8963096cd135baa5dba5d67e8cc0c30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
0734dec688e13304cdaf6a08d2065d87

SHA1
8024fc0ad8d0576827d9e041cab49a309aceba5a

SHA256
29970034ddd3b6a6cebfe65ab07cfd17cff61a179e0eafc3c9dbe6a899195227

SHA512
1ab702478458afdb63163a953dd6522c6c3f29dc482261dd976808a44a835e8aea6c08aa80be900e0649f9cd277b8c3e8963096cd135baa5dba5d67e8cc0c30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
070c3e5b5cff6b4443a920ed826e3b3c

SHA1
4bf236dab22b03378c498fde350bc9cef545053c

SHA256
ed9761f10d41a4499a1b8b44d3d3e09694f069ec12c9a638c273ecd02eff495a

SHA512
de9352f6b2696f3f7152fc579c6132064ccc6813f3fb9596f7be2bd130cde43a3cd4f9b33441040b3a2ec7c4c08ff2f5084967a6605c0a4c561fcff14a19284c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
070c3e5b5cff6b4443a920ed826e3b3c

SHA1
4bf236dab22b03378c498fde350bc9cef545053c

SHA256
ed9761f10d41a4499a1b8b44d3d3e09694f069ec12c9a638c273ecd02eff495a

SHA512
de9352f6b2696f3f7152fc579c6132064ccc6813f3fb9596f7be2bd130cde43a3cd4f9b33441040b3a2ec7c4c08ff2f5084967a6605c0a4c561fcff14a19284c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a417b7b5-c22a-4683-8f15-e90e644f7010\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae7dcbd0-4d45-4aef-9e0a-d035561239af\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
83f51a31a3b9ed0a4087aca907befdeb

SHA1
f3805488954d7bdb7b1d83ef77968ae59170a1e9

SHA256
d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e

SHA512
3e5212b2de5b2fe9ca162625410559acacb11e7d04d431ff5af72662489efa20131f3648390edcf6bb97771683c26d4c47951ded7ebce072b03a67e25b1bc3b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
83f51a31a3b9ed0a4087aca907befdeb

SHA1
f3805488954d7bdb7b1d83ef77968ae59170a1e9

SHA256
d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e

SHA512
3e5212b2de5b2fe9ca162625410559acacb11e7d04d431ff5af72662489efa20131f3648390edcf6bb97771683c26d4c47951ded7ebce072b03a67e25b1bc3b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7ADA33B7.exe
MD5
83f51a31a3b9ed0a4087aca907befdeb

SHA1
f3805488954d7bdb7b1d83ef77968ae59170a1e9

SHA256
d15ba749c366334fd969a221a70a8f567efb1ae5db0bdbceddb166301585806e

SHA512
3e5212b2de5b2fe9ca162625410559acacb11e7d04d431ff5af72662489efa20131f3648390edcf6bb97771683c26d4c47951ded7ebce072b03a67e25b1bc3b3

Download Submit
memory/444-176-0x00000000070A2000-0x00000000070A3000-memory.dmp

Filesize
4KB

Download
memory/444-168-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/444-132-0x0000000000000000-mapping.dmp

Download
memory/444-371-0x000000007E260000-0x000000007E261000-memory.dmp

Filesize
4KB

Download
memory/444-454-0x00000000070A3000-0x00000000070A4000-memory.dmp

Filesize
4KB

Download
memory/652-125-0x0000000000000000-mapping.dmp

Download
memory/884-130-0x0000000000000000-mapping.dmp

Download
memory/884-312-0x000000007F280000-0x000000007F281000-memory.dmp

Filesize
4KB

Download
memory/884-438-0x0000000007303000-0x0000000007304000-memory.dmp

Filesize
4KB

Download
memory/884-166-0x0000000007302000-0x0000000007303000-memory.dmp

Filesize
4KB

Download
memory/884-163-0x0000000007300000-0x0000000007301000-memory.dmp

Filesize
4KB

Download
memory/1288-136-0x0000000000000000-mapping.dmp

Download
memory/1288-157-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/1608-449-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/1608-140-0x0000000000000000-mapping.dmp

Download
memory/1608-206-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/1608-207-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/1608-401-0x000000007F410000-0x000000007F411000-memory.dmp

Filesize
4KB

Download
memory/1936-387-0x000000007F760000-0x000000007F761000-memory.dmp

Filesize
4KB

Download
memory/1936-211-0x0000000004602000-0x0000000004603000-memory.dmp

Filesize
4KB

Download
memory/1936-204-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/1936-470-0x0000000004603000-0x0000000004604000-memory.dmp

Filesize
4KB

Download
memory/1936-144-0x0000000000000000-mapping.dmp

Download
memory/2392-379-0x000000007F6A0000-0x000000007F6A1000-memory.dmp

Filesize
4KB

Download
memory/2392-215-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/2392-150-0x0000000000000000-mapping.dmp

Download
memory/2392-220-0x0000000007142000-0x0000000007143000-memory.dmp

Filesize
4KB

Download
memory/2392-464-0x0000000007143000-0x0000000007144000-memory.dmp

Filesize
4KB

Download
memory/2892-122-0x0000000000000000-mapping.dmp

Download
memory/3176-177-0x0000000006450000-0x0000000006453000-memory.dmp

Filesize
12KB

Download
memory/3176-121-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/3176-117-0x0000000004E90000-0x0000000004E91000-memory.dmp

Filesize
4KB

Download
memory/3176-118-0x0000000004E90000-0x000000000538E000-memory.dmp

Filesize
5.0MB

Download
memory/3176-119-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/3176-120-0x0000000004E10000-0x0000000004E78000-memory.dmp

Filesize
416KB

Download
memory/3176-159-0x0000000006410000-0x0000000006411000-memory.dmp

Filesize
4KB

Download
memory/3176-115-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/3848-200-0x0000000007CF0000-0x0000000007CF1000-memory.dmp

Filesize
4KB

Download
memory/3848-137-0x00000000049F0000-0x00000000049F1000-memory.dmp

Filesize
4KB

Download
memory/3848-127-0x0000000000000000-mapping.dmp

Download
memory/3848-394-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/3848-305-0x000000007E3A0000-0x000000007E3A1000-memory.dmp

Filesize
4KB

Download
memory/3848-149-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3848-171-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/3848-141-0x00000000075E0000-0x00000000075E1000-memory.dmp

Filesize
4KB

Download
memory/3848-195-0x0000000007C80000-0x0000000007C81000-memory.dmp

Filesize
4KB

Download
memory/3848-186-0x0000000007470000-0x0000000007471000-memory.dmp

Filesize
4KB

Download
memory/3868-447-0x00000000069E3000-0x00000000069E4000-memory.dmp

Filesize
4KB

Download
memory/3868-155-0x00000000069E0000-0x00000000069E1000-memory.dmp

Filesize
4KB

Download
memory/3868-319-0x000000007F800000-0x000000007F801000-memory.dmp

Filesize
4KB

Download
memory/3868-129-0x0000000000000000-mapping.dmp

Download
memory/3868-161-0x00000000069E2000-0x00000000069E3000-memory.dmp

Filesize
4KB

Download
memory/3872-151-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/3872-445-0x00000000070F3000-0x00000000070F4000-memory.dmp

Filesize
4KB

Download
memory/3872-179-0x00000000070F2000-0x00000000070F3000-memory.dmp

Filesize
4KB

Download
memory/3872-128-0x0000000000000000-mapping.dmp

Download
memory/3872-325-0x000000007F5C0000-0x000000007F5C1000-memory.dmp

Filesize
4KB

Download
memory/3992-173-0x000000000043770E-mapping.dmp

Download
memory/3992-181-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3992-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3992-218-0x0000000005000000-0x00000000054FE000-memory.dmp

Filesize
5.0MB

Download
memory/4520-1270-0x0000000004F10000-0x000000000540E000-memory.dmp

Filesize
5.0MB

Download
memory/4520-1189-0x000000000043770E-mapping.dmp

Download
memory/4568-1250-0x0000000004620000-0x0000000004621000-memory.dmp

Filesize
4KB

Download
memory/4568-1075-0x0000000000000000-mapping.dmp

Download
memory/4568-3000-0x0000000004623000-0x0000000004624000-memory.dmp

Filesize
4KB

Download
memory/4568-1305-0x0000000004622000-0x0000000004623000-memory.dmp

Filesize
4KB

Download
memory/4568-2272-0x000000007FC80000-0x000000007FC81000-memory.dmp

Filesize
4KB

Download
memory/4696-1090-0x0000000000000000-mapping.dmp

Download
memory/4696-1313-0x0000000007252000-0x0000000007253000-memory.dmp

Filesize
4KB

Download
memory/4696-2455-0x000000007E8D0000-0x000000007E8D1000-memory.dmp

Filesize
4KB

Download
memory/4696-1288-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/4740-1339-0x0000000006F62000-0x0000000006F63000-memory.dmp

Filesize
4KB

Download
memory/4740-1105-0x0000000000000000-mapping.dmp

Download
memory/4740-2282-0x000000007F380000-0x000000007F381000-memory.dmp

Filesize
4KB

Download
memory/4740-1322-0x0000000006F60000-0x0000000006F61000-memory.dmp

Filesize
4KB

Download
memory/4788-1138-0x0000000000000000-mapping.dmp

Download
memory/4788-1296-0x0000000004CF2000-0x0000000004CF3000-memory.dmp

Filesize
4KB

Download
memory/4788-1281-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/4788-2448-0x000000007EC70000-0x000000007EC71000-memory.dmp

Filesize
4KB

Download
memory/4808-961-0x0000000000000000-mapping.dmp

Download
memory/4956-996-0x0000000000000000-mapping.dmp

Download
memory/5040-1122-0x0000000000000000-mapping.dmp

Download
memory/5040-1330-0x0000000006FF2000-0x0000000006FF3000-memory.dmp

Filesize
4KB

Download
memory/5040-1261-0x0000000006FF0000-0x0000000006FF1000-memory.dmp

Filesize
4KB

Download
memory/5040-2442-0x000000007E7C0000-0x000000007E7C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads