agenttesla | a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

Analysis

max time kernel
29s
max time network
141s
platform
windows10_x64
resource
win10-en
submitted
15-09-2021 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecfa83ee6ea6dd1de38462bbedf15c.exe
Size

761KB
MD5

0cecfa83ee6ea6dd1de38462bbedf15c
SHA1

de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256

a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
SHA512

cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
princeprice@voodome.com
Password:
princeprice@11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3892-172-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/3892-177-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral2/memory/4368-1168-0x000000000043764E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe481F404B.exe

pid process

2684 AdvancedRun.exe
652 AdvancedRun.exe
1624 481F404B.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Drops startup file 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description pid process target process

PID 4008 set thread context of 3892 4008 0cecfa83ee6ea6dd1de38462bbedf15c.exe aspnet_compiler.exe
Drops file in Windows directory 1 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description ioc process

File created C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe 0cecfa83ee6ea6dd1de38462bbedf15c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1180 4008 WerFault.exe 0cecfa83ee6ea6dd1de38462bbedf15c.exe
5064 1624 WerFault.exe 481F404B.exe

description	pid	process	target process
PID 4008 set thread context of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

pid	pid_target	process	target process
1180	4008	WerFault.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
5064	1624	WerFault.exe	481F404B.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exepowershell.exe

pid	process
2684	AdvancedRun.exe
2684	AdvancedRun.exe
2684	AdvancedRun.exe
2684	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
652	AdvancedRun.exe
3940	powershell.exe
3096	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe0cecfa83ee6ea6dd1de38462bbedf15c.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2684	AdvancedRun.exe
Token: SeImpersonatePrivilege	2684	AdvancedRun.exe
Token: SeDebugPrivilege	652	AdvancedRun.exe
Token: SeImpersonatePrivilege	652	AdvancedRun.exe
Token: SeDebugPrivilege	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Token: SeDebugPrivilege	3940	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe

description	pid	process	target process
PID 4008 wrote to memory of 2684	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 4008 wrote to memory of 2684	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 4008 wrote to memory of 2684	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 2684 wrote to memory of 652	2684	AdvancedRun.exe	AdvancedRun.exe
PID 2684 wrote to memory of 652	2684	AdvancedRun.exe	AdvancedRun.exe
PID 2684 wrote to memory of 652	2684	AdvancedRun.exe	AdvancedRun.exe
PID 4008 wrote to memory of 3940	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3940	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3940	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3096	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3096	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3096	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1192	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1192	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1192	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1420	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1420	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1420	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 4008 wrote to memory of 1624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 4008 wrote to memory of 1624	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 4008 wrote to memory of 1980	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1980	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 1980	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2376	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2376	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2376	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2792	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2792	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 2792	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 4008 wrote to memory of 3176	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3176	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3176	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 4008 wrote to memory of 3892	4008	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe

C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe
"C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4008

C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe" /SpecialRun 4101d8 2684
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
PID:624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
PID:1420

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe"
2⤵
- Executes dropped EXE
PID:1624

C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe" /SpecialRun 4101d8 4908
4⤵
PID:4468

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4496

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
PID:4676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:3204

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 2052
3⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
PID:1980

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
PID:2376

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
PID:2792

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3176

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:3892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 2116
2⤵
- Program crash
PID:1180

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
f00ab92ea3a0f7b9289ccd99267d1b95

SHA1
68fc3bd2556df08bfcdc1d55c36946ed19a67104

SHA256
f1749cafb63b24dff555f0df02143ad37f4779764df7f523c4e94e225eed9bff

SHA512
e5e916901723eab4315045752934e1e5252143b18ccca0b42f8ee018d832625d69d80baa42c98d00c25ce9bfd96b1551d376d6a04b6723f2ab1ddfecbf5d8257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
189eea870f644f4ddb4ead8877050543

SHA1
b2b04580a2bcef59ab4d1e7c4764443e63b4403d

SHA256
1ed971d5bd6499803cc03e756cab1b8073234de531640907204e5befea30f586

SHA512
c7ccf1b441688d151dd01e486ce0bb90bd3f2543b35c9cdcd23ac81691e31fafda9f31dc74727a02764b45b9e9c7f81b997a7d459ae3d63ebdbf40aefa931089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a91205cda5ac1b88793f332c4f1422d6

SHA1
f37692dfa1c6976fea4995a99dd762a3ac3f67b1

SHA256
890e04eab4430894aba0e7dd6a571fa34cd00442a9437229edffb872e46e8fe0

SHA512
87fe73a0abbe96dceb5ad9872b632663b14a53d3fdde4ce93f23be5d613bf8c24f5a7ddbae1818e4356b3bc256dc7c138daca115e929fa247f7dc31468079c37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
a43b4ca441861397b6a12b0000fea183

SHA1
6e81557011427a48fb958de1875bc157c18c0227

SHA256
6fa5ddf2541700e039a2822479c635036cdc36103b422ce7434d77e0e6e6fb7d

SHA512
6c9d3651e16dca64d75be9225ac3fe0a69f869d918841d4def2fd4292da878e04fb9810417095aa3e42771b0cb7220429778fbbde0a2a7458eec80c479fe3dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
461ae0e612f54d2548394d99e6d65a4d

SHA1
8b436dbe701a91c7b0e3584396a3e0a994e30d02

SHA256
3afc25792ff859549cc0a4c87dd2f349304bff36bfeb625351f7fb6a37d4f308

SHA512
3634e5791d5971e780b2a11aecdb72208c751608e87e0e6ea395f44d46619b9f92f5903ca68579ebb97af1d13c796416ea4aa451cb82955b9a64d82357ef1d67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6a891f4765115ff3b8b73c9550141e38

SHA1
5658dcbd4d4c72054159d44c670dd0ec25d295bf

SHA256
61a3cc108c67d5b60772080dc6892e87993dc3b42f1921d24362ab6cfaf0befb

SHA512
0afe663ec72d41efda3c9ecf285bcf232f9defcacffa6060efa9a82e494a626736d018f46f30f9b24b499c51b7f7ff21331f00ec47a21d5b0b4665b177bcd109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f7eec2e95f6a287eefa2addd9e63aab7

SHA1
9e31ed77fec6b5fd69e32fb1616222a6f976ad36

SHA256
fb4e897ac99f72828322a5e0bcdc3bf48a429a21e8244a7bffc60785b3082a8c

SHA512
d8f55541b623e9888ce4f3f355e0c4624d94109f32ad468215a7985b0be55e725da39a7090fa3401c531565bd254f5e377ebceaab8c0240f7c320691d11f4f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\28f02f1d-337b-461a-a48a-5540e9dac6b9\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4db88baa-8d19-407b-ad63-26167c2dd081\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
memory/624-132-0x0000000000000000-mapping.dmp

Download
memory/624-163-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/624-203-0x00000000045A2000-0x00000000045A3000-memory.dmp

Filesize
4KB

Download
memory/624-521-0x00000000045A3000-0x00000000045A4000-memory.dmp

Filesize
4KB

Download
memory/624-419-0x000000007F340000-0x000000007F341000-memory.dmp

Filesize
4KB

Download
memory/652-128-0x0000000000000000-mapping.dmp

Download
memory/1192-338-0x000000007EAA0000-0x000000007EAA1000-memory.dmp

Filesize
4KB

Download
memory/1192-206-0x0000000004252000-0x0000000004253000-memory.dmp

Filesize
4KB

Download
memory/1192-216-0x0000000007680000-0x0000000007681000-memory.dmp

Filesize
4KB

Download
memory/1192-167-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1192-405-0x0000000004253000-0x0000000004254000-memory.dmp

Filesize
4KB

Download
memory/1192-133-0x0000000000000000-mapping.dmp

Download
memory/1192-209-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/1420-178-0x0000000002BD2000-0x0000000002BD3000-memory.dmp

Filesize
4KB

Download
memory/1420-343-0x0000000002BD3000-0x0000000002BD4000-memory.dmp

Filesize
4KB

Download
memory/1420-285-0x000000007F7D0000-0x000000007F7D1000-memory.dmp

Filesize
4KB

Download
memory/1420-171-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1420-134-0x0000000000000000-mapping.dmp

Download
memory/1624-137-0x0000000000000000-mapping.dmp

Download
memory/1624-159-0x0000000004D20000-0x000000000521E000-memory.dmp

Filesize
5.0MB

Download
memory/1624-201-0x0000000004D20000-0x000000000521E000-memory.dmp

Filesize
5.0MB

Download
memory/1980-399-0x000000007EB40000-0x000000007EB41000-memory.dmp

Filesize
4KB

Download
memory/1980-481-0x0000000004863000-0x0000000004864000-memory.dmp

Filesize
4KB

Download
memory/1980-140-0x0000000000000000-mapping.dmp

Download
memory/1980-184-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1980-192-0x0000000004862000-0x0000000004863000-memory.dmp

Filesize
4KB

Download
memory/2376-146-0x0000000000000000-mapping.dmp

Download
memory/2376-195-0x0000000004872000-0x0000000004873000-memory.dmp

Filesize
4KB

Download
memory/2376-412-0x000000007F7A0000-0x000000007F7A1000-memory.dmp

Filesize
4KB

Download
memory/2376-188-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/2376-527-0x0000000004873000-0x0000000004874000-memory.dmp

Filesize
4KB

Download
memory/2684-125-0x0000000000000000-mapping.dmp

Download
memory/2792-536-0x0000000004963000-0x0000000004964000-memory.dmp

Filesize
4KB

Download
memory/2792-197-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/2792-434-0x000000007F3A0000-0x000000007F3A1000-memory.dmp

Filesize
4KB

Download
memory/2792-200-0x0000000004962000-0x0000000004963000-memory.dmp

Filesize
4KB

Download
memory/2792-153-0x0000000000000000-mapping.dmp

Download
memory/3096-427-0x0000000006663000-0x0000000006664000-memory.dmp

Filesize
4KB

Download
memory/3096-131-0x0000000000000000-mapping.dmp

Download
memory/3096-351-0x000000007EAD0000-0x000000007EAD1000-memory.dmp

Filesize
4KB

Download
memory/3096-204-0x0000000006C30000-0x0000000006C31000-memory.dmp

Filesize
4KB

Download
memory/3096-181-0x0000000006660000-0x0000000006661000-memory.dmp

Filesize
4KB

Download
memory/3096-174-0x0000000006662000-0x0000000006663000-memory.dmp

Filesize
4KB

Download
memory/3892-202-0x00000000054B0000-0x00000000059AE000-memory.dmp

Filesize
5.0MB

Download
memory/3892-177-0x000000000043764E-mapping.dmp

Download
memory/3892-185-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/3892-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3940-288-0x000000007E460000-0x000000007E461000-memory.dmp

Filesize
4KB

Download
memory/3940-142-0x0000000006860000-0x0000000006861000-memory.dmp

Filesize
4KB

Download
memory/3940-152-0x00000000069C0000-0x00000000069C1000-memory.dmp

Filesize
4KB

Download
memory/3940-130-0x0000000000000000-mapping.dmp

Download
memory/3940-347-0x00000000069C3000-0x00000000069C4000-memory.dmp

Filesize
4KB

Download
memory/3940-145-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/3940-156-0x00000000069C2000-0x00000000069C3000-memory.dmp

Filesize
4KB

Download
memory/4008-122-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/4008-124-0x00000000073D0000-0x00000000073D1000-memory.dmp

Filesize
4KB

Download
memory/4008-121-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4008-119-0x0000000004CD0000-0x00000000051CE000-memory.dmp

Filesize
5.0MB

Download
memory/4008-116-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4008-123-0x00000000071E0000-0x0000000007248000-memory.dmp

Filesize
416KB

Download
memory/4008-118-0x0000000004C10000-0x0000000004C11000-memory.dmp

Filesize
4KB

Download
memory/4008-180-0x00000000066D0000-0x00000000066D3000-memory.dmp

Filesize
12KB

Download
memory/4008-115-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/4008-117-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/4008-120-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4368-1168-0x000000000043764E-mapping.dmp

Download
memory/4368-1233-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/4468-1001-0x0000000000000000-mapping.dmp

Download
memory/4496-1102-0x0000000000000000-mapping.dmp

Download
memory/4496-1246-0x0000000006FD2000-0x0000000006FD3000-memory.dmp

Filesize
4KB

Download
memory/4496-2104-0x000000007E180000-0x000000007E181000-memory.dmp

Filesize
4KB

Download
memory/4496-1188-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/4676-1119-0x0000000000000000-mapping.dmp

Download
memory/4676-1258-0x0000000004B12000-0x0000000004B13000-memory.dmp

Filesize
4KB

Download
memory/4676-1197-0x0000000004B10000-0x0000000004B11000-memory.dmp

Filesize
4KB

Download
memory/4676-2414-0x000000007F040000-0x000000007F041000-memory.dmp

Filesize
4KB

Download
memory/4772-2347-0x000000007E3A0000-0x000000007E3A1000-memory.dmp

Filesize
4KB

Download
memory/4772-1252-0x0000000007382000-0x0000000007383000-memory.dmp

Filesize
4KB

Download
memory/4772-1110-0x0000000000000000-mapping.dmp

Download
memory/4772-1212-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/4816-1206-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/4816-1219-0x0000000004142000-0x0000000004143000-memory.dmp

Filesize
4KB

Download
memory/4816-2357-0x000000007F520000-0x000000007F521000-memory.dmp

Filesize
4KB

Download
memory/4816-1128-0x0000000000000000-mapping.dmp

Download
memory/4908-974-0x0000000000000000-mapping.dmp

Download
memory/4992-1137-0x0000000000000000-mapping.dmp

Download
memory/4992-1227-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/4992-1240-0x0000000007152000-0x0000000007153000-memory.dmp

Filesize
4KB

Download
memory/4992-2423-0x000000007FA20000-0x000000007FA21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads