agenttesla | a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

Analysis

max time kernel
41s
max time network
116s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cecfa83ee6ea6dd1de38462bbedf15c.exe
Size

761KB
MD5

0cecfa83ee6ea6dd1de38462bbedf15c
SHA1

de4dde34707658d98f50de8cf2a182bf7ded2a45
SHA256

a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2
SHA512

cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
princeprice@voodome.com
Password:
princeprice@11

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2796-174-0x000000000043764E-mapping.dmp	family_agenttesla
behavioral2/memory/2796-169-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/4180-1140-0x000000000043764E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe481F404B.exe

pid process

4084 AdvancedRun.exe
1072 AdvancedRun.exe
1540 481F404B.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Drops startup file 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	0cecfa83ee6ea6dd1de38462bbedf15c.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description pid process target process

PID 652 set thread context of 2796 652 0cecfa83ee6ea6dd1de38462bbedf15c.exe aspnet_compiler.exe

description	pid	process	target process
PID 652 set thread context of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe

Drops file in Windows directory 2 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeWerFault.exe

description	ioc	process
File created	C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2536 652 WerFault.exe 0cecfa83ee6ea6dd1de38462bbedf15c.exe
2236 1540 WerFault.exe 481F404B.exe

pid	pid_target	process	target process
2536	652	WerFault.exe	0cecfa83ee6ea6dd1de38462bbedf15c.exe
2236	1540	WerFault.exe	481F404B.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

pid	process
4084	AdvancedRun.exe
4084	AdvancedRun.exe
4084	AdvancedRun.exe
4084	AdvancedRun.exe
1072	AdvancedRun.exe
1072	AdvancedRun.exe
1072	AdvancedRun.exe
1072	AdvancedRun.exe
2796	aspnet_compiler.exe
2796	aspnet_compiler.exe
1584	powershell.exe
3120	powershell.exe
788	powershell.exe
2928	powershell.exe
4048	powershell.exe
2884	powershell.exe
2504	powershell.exe
3004	powershell.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
3120	powershell.exe
2884	powershell.exe
3004	powershell.exe
1584	powershell.exe
788	powershell.exe
4048	powershell.exe
2928	powershell.exe
2504	powershell.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe0cecfa83ee6ea6dd1de38462bbedf15c.exeaspnet_compiler.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	4084	AdvancedRun.exe
Token: SeImpersonatePrivilege	4084	AdvancedRun.exe
Token: SeDebugPrivilege	1072	AdvancedRun.exe
Token: SeImpersonatePrivilege	1072	AdvancedRun.exe
Token: SeDebugPrivilege	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe
Token: SeDebugPrivilege	2796	aspnet_compiler.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeRestorePrivilege	2536	WerFault.exe
Token: SeBackupPrivilege	2536	WerFault.exe
Token: SeBackupPrivilege	2536	WerFault.exe
Token: SeDebugPrivilege	2536	WerFault.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exeAdvancedRun.exe

description	pid	process	target process
PID 652 wrote to memory of 4084	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 652 wrote to memory of 4084	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 652 wrote to memory of 4084	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	AdvancedRun.exe
PID 4084 wrote to memory of 1072	4084	AdvancedRun.exe	AdvancedRun.exe
PID 4084 wrote to memory of 1072	4084	AdvancedRun.exe	AdvancedRun.exe
PID 4084 wrote to memory of 1072	4084	AdvancedRun.exe	AdvancedRun.exe
PID 652 wrote to memory of 3004	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 3004	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 3004	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2928	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2928	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2928	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 788	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 788	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 788	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 4048	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 4048	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 4048	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 1584	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 1584	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 1584	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 1540	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 652 wrote to memory of 1540	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 652 wrote to memory of 1540	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	481F404B.exe
PID 652 wrote to memory of 2504	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2504	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2504	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2884	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2884	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2884	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 3120	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 3120	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 3120	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	powershell.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe
PID 652 wrote to memory of 2796	652	0cecfa83ee6ea6dd1de38462bbedf15c.exe	aspnet_compiler.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

0cecfa83ee6ea6dd1de38462bbedf15c.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0cecfa83ee6ea6dd1de38462bbedf15c.exe

C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe
"C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:652

C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe" /SpecialRun 4101d8 4084
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe"
2⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe" /SpecialRun 4101d8 5008
4⤵
PID:4264

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe" -Force
3⤵
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
3⤵
PID:4720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 2100
3⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0cecfa83ee6ea6dd1de38462bbedf15c.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Resources\Themes\aero\Shell\4B6A7152\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 652 -s 2052
2⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1492eba5c9b9182ba43ef10c69eb397f

SHA1
ea5bbf96f2abd01d69fd6417043ca8a71a27c88a

SHA256
e07bef7b3d99b2bf5e5de8718dadfa19f1951cf5606964e304a9ca7f16f857fd

SHA512
14f6fdd869029d14637d20f0ef787dfc6555df835bff09d2f4540b67bc7f86b781a3ec1e64bd614521929987d5f074f90c6836ee3e3b5f2a32c96d5c132b0a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
deea6eda5ba6dccfadc32922cfbaa16e

SHA1
949742cf59445f35500645c730785bab8cac586f

SHA256
921b5749a93d6175a71f429c0d4d3220175032f0a6d08f82a6eebc66c58c88a0

SHA512
4240bd40d4b0a9e4d9357dad0941c92ac85c1dff2189179f7f3f8daa9a4bd2aae42757ea907b098c487566d0f808816753f9325dd1ae17883c3868774fb31e45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c01a712158450b424b847535e29cf660

SHA1
0b2d43a00669ec0bef2421a87ed66f27dbd37d0f

SHA256
d9181349aca3a761edcf28afe1f469c31d2df56702f510406b468a3d407e80d5

SHA512
67acbe81b5e28dcb670954d8b043fd756a99071a6ff8a214501ad01ff19576d89b18cea629a44058f200d312cee396c41d99c05f5f11968f72c333c996f04acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
8ed25f53a449c0b9ece3c9e2bed07f9f

SHA1
8e7efc637f959f9c456a8db0c8a191dbb35ca617

SHA256
4ead38f3686bd90f67a6e90b1253e4b9ac123b1cb5220aacbb6588cd5c2e404f

SHA512
637c3b340ca95c0cfa2806c23402f940dadfb4baa8492bf72000e1c4b7a679df7d2ff590fa3a9a48e215e6394705bb54a68e15ebeefd4c149efa93a0c658c4c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
2472b74e4f2a781778d6a51aca7d1825

SHA1
1e6a5664ba5aec45a4e3ea18956749be6040297a

SHA256
4efcf3c46e73081e4ee78496ffdce624752e8890d1a6decb99b4845d319a3dd3

SHA512
2ecbcadbcee36ffd8d336f4c1c11942d54b5c6614b76a19cbd5c78bb44bf43b3217ad13bc4f0df14faeef93ee0775c7ea458ce0a0742cd1989ae2f7a92920b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1740db18ff8e4c72a3389286495a39d8

SHA1
e8867c73a5d9a6e0b9dfcbd7b3649bd7196f1d62

SHA256
95054102820fbcff96f766b2bc82e91acf2217aa38357f3e197b57a9ef458ee4

SHA512
162565248cafe1a8f994b4785fe7119981f5ff1fee1837a447db63cdbda567f2150cc7cbefd02e4a8091a27bfd810f1cae4032205184acfea52db2a8febc029f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
1740db18ff8e4c72a3389286495a39d8

SHA1
e8867c73a5d9a6e0b9dfcbd7b3649bd7196f1d62

SHA256
95054102820fbcff96f766b2bc82e91acf2217aa38357f3e197b57a9ef458ee4

SHA512
162565248cafe1a8f994b4785fe7119981f5ff1fee1837a447db63cdbda567f2150cc7cbefd02e4a8091a27bfd810f1cae4032205184acfea52db2a8febc029f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0318533d-fc0d-49e3-98e5-08db48ad32de\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\72aa7295-ff99-4f8b-963e-34fd017463dc\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\481F404B.exe
MD5
0cecfa83ee6ea6dd1de38462bbedf15c

SHA1
de4dde34707658d98f50de8cf2a182bf7ded2a45

SHA256
a6bdce859b5373990681d6ed6c6133a80330fa2744ea9c1e88018d03ab77feb2

SHA512
cedfcb1fbbcfc9c0592d346295c1225b926d4c7246a81f98cb4e50007629c4f60deb9c1f8a539c353835d1213f2c291d81996b6f327a27dad38e4b1e4bcedd86

Download Submit
memory/652-114-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/652-117-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/652-115-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/652-179-0x00000000071B0000-0x00000000071B3000-memory.dmp

Filesize
12KB

Download
memory/652-123-0x0000000007F40000-0x0000000007F41000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x0000000007D50000-0x0000000007DB8000-memory.dmp

Filesize
416KB

Download
memory/652-118-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/652-121-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/652-120-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/788-436-0x0000000007433000-0x0000000007434000-memory.dmp

Filesize
4KB

Download
memory/788-131-0x0000000000000000-mapping.dmp

Download
memory/788-176-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/788-198-0x0000000007432000-0x0000000007433000-memory.dmp

Filesize
4KB

Download
memory/788-342-0x000000007F400000-0x000000007F401000-memory.dmp

Filesize
4KB

Download
memory/1072-127-0x0000000000000000-mapping.dmp

Download
memory/1540-134-0x0000000000000000-mapping.dmp

Download
memory/1540-186-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/1540-201-0x00000000057B0000-0x0000000005CAE000-memory.dmp

Filesize
5.0MB

Download
memory/1584-200-0x00000000076A0000-0x00000000076A1000-memory.dmp

Filesize
4KB

Download
memory/1584-133-0x0000000000000000-mapping.dmp

Download
memory/1584-316-0x000000007F440000-0x000000007F441000-memory.dmp

Filesize
4KB

Download
memory/1584-202-0x00000000076A2000-0x00000000076A3000-memory.dmp

Filesize
4KB

Download
memory/1584-446-0x00000000076A3000-0x00000000076A4000-memory.dmp

Filesize
4KB

Download
memory/2504-173-0x0000000007460000-0x0000000007461000-memory.dmp

Filesize
4KB

Download
memory/2504-450-0x0000000007463000-0x0000000007464000-memory.dmp

Filesize
4KB

Download
memory/2504-181-0x0000000007462000-0x0000000007463000-memory.dmp

Filesize
4KB

Download
memory/2504-143-0x0000000000000000-mapping.dmp

Download
memory/2504-327-0x000000007ECC0000-0x000000007ECC1000-memory.dmp

Filesize
4KB

Download
memory/2796-192-0x0000000004840000-0x0000000004D3E000-memory.dmp

Filesize
5.0MB

Download
memory/2796-169-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-174-0x000000000043764E-mapping.dmp

Download
memory/2884-203-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/2884-191-0x00000000072B0000-0x00000000072B1000-memory.dmp

Filesize
4KB

Download
memory/2884-431-0x00000000072B3000-0x00000000072B4000-memory.dmp

Filesize
4KB

Download
memory/2884-355-0x000000007EBD0000-0x000000007EBD1000-memory.dmp

Filesize
4KB

Download
memory/2884-144-0x0000000000000000-mapping.dmp

Download
memory/2928-440-0x0000000004C93000-0x0000000004C94000-memory.dmp

Filesize
4KB

Download
memory/2928-204-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/2928-349-0x000000007F090000-0x000000007F091000-memory.dmp

Filesize
4KB

Download
memory/2928-130-0x0000000000000000-mapping.dmp

Download
memory/2928-212-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2928-196-0x0000000004C92000-0x0000000004C93000-memory.dmp

Filesize
4KB

Download
memory/2928-194-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3004-168-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/3004-195-0x0000000000F72000-0x0000000000F73000-memory.dmp

Filesize
4KB

Download
memory/3004-148-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3004-432-0x0000000000F73000-0x0000000000F74000-memory.dmp

Filesize
4KB

Download
memory/3004-156-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3004-334-0x000000007DF60000-0x000000007DF61000-memory.dmp

Filesize
4KB

Download
memory/3004-129-0x0000000000000000-mapping.dmp

Download
memory/3028-1223-0x0000000004E62000-0x0000000004E63000-memory.dmp

Filesize
4KB

Download
memory/3028-1063-0x0000000000000000-mapping.dmp

Download
memory/3028-1176-0x0000000004E60000-0x0000000004E61000-memory.dmp

Filesize
4KB

Download
memory/3028-2313-0x000000007F140000-0x000000007F141000-memory.dmp

Filesize
4KB

Download
memory/3120-454-0x00000000049D3000-0x00000000049D4000-memory.dmp

Filesize
4KB

Download
memory/3120-321-0x000000007E6B0000-0x000000007E6B1000-memory.dmp

Filesize
4KB

Download
memory/3120-189-0x00000000049D2000-0x00000000049D3000-memory.dmp

Filesize
4KB

Download
memory/3120-183-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/3120-149-0x0000000000000000-mapping.dmp

Download
memory/4048-360-0x000000007F2C0000-0x000000007F2C1000-memory.dmp

Filesize
4KB

Download
memory/4048-197-0x0000000006E10000-0x0000000006E11000-memory.dmp

Filesize
4KB

Download
memory/4048-199-0x0000000006E12000-0x0000000006E13000-memory.dmp

Filesize
4KB

Download
memory/4048-132-0x0000000000000000-mapping.dmp

Download
memory/4048-228-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/4048-443-0x0000000006E13000-0x0000000006E14000-memory.dmp

Filesize
4KB

Download
memory/4084-124-0x0000000000000000-mapping.dmp

Download
memory/4180-1253-0x0000000004DC0000-0x00000000052BE000-memory.dmp

Filesize
5.0MB

Download
memory/4180-1140-0x000000000043764E-mapping.dmp

Download
memory/4264-1003-0x0000000000000000-mapping.dmp

Download
memory/4488-2185-0x000000007F210000-0x000000007F211000-memory.dmp

Filesize
4KB

Download
memory/4488-1058-0x0000000000000000-mapping.dmp

Download
memory/4488-1141-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/4488-1164-0x0000000004F12000-0x0000000004F13000-memory.dmp

Filesize
4KB

Download
memory/4500-2323-0x000000007ED70000-0x000000007ED71000-memory.dmp

Filesize
4KB

Download
memory/4500-1239-0x0000000007392000-0x0000000007393000-memory.dmp

Filesize
4KB

Download
memory/4500-1072-0x0000000000000000-mapping.dmp

Download
memory/4500-1231-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/4664-1154-0x0000000006D82000-0x0000000006D83000-memory.dmp

Filesize
4KB

Download
memory/4664-1132-0x0000000006D80000-0x0000000006D81000-memory.dmp

Filesize
4KB

Download
memory/4664-2306-0x000000007F7A0000-0x000000007F7A1000-memory.dmp

Filesize
4KB

Download
memory/4664-1052-0x0000000000000000-mapping.dmp

Download
memory/4720-2369-0x000000007E970000-0x000000007E971000-memory.dmp

Filesize
4KB

Download
memory/4720-1086-0x0000000000000000-mapping.dmp

Download
memory/4720-1262-0x0000000006D72000-0x0000000006D73000-memory.dmp

Filesize
4KB

Download
memory/4720-1246-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/5008-816-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads