agenttesla | 7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

Analysis

max time kernel
136s
max time network
138s
platform
windows7_x64
resource
win7-en
submitted
15-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13deb1f9e3779ecdc3025f0252e22176.exe
Size

742KB
MD5

13deb1f9e3779ecdc3025f0252e22176
SHA1

fd7d53357ad66545b97a9333ad48186fb8ab41c8
SHA256

7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8
SHA512

c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
e.werner@eccovacs-europe.com
Password:
alibaba.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1332-91-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/1332-92-0x0000000000436E0E-mapping.dmp	family_agenttesla
behavioral1/memory/1332-94-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral1/memory/548-107-0x00000000023B0000-0x0000000002FFA000-memory.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 14 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe7B71FC14.exeAdvancedRun.exeAdvancedRun.exe

pid process

812 AdvancedRun.exe
1516 AdvancedRun.exe
1652 7B71FC14.exe
2508 AdvancedRun.exe
2560 AdvancedRun.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe7B71FC14.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7B71FC14.exe

Drops startup file 2 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	13deb1f9e3779ecdc3025f0252e22176.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	13deb1f9e3779ecdc3025f0252e22176.exe

Loads dropped DLL 10 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exeAdvancedRun.exe7B71FC14.exeAdvancedRun.exe

pid	process
820	13deb1f9e3779ecdc3025f0252e22176.exe
820	13deb1f9e3779ecdc3025f0252e22176.exe
812	AdvancedRun.exe
812	AdvancedRun.exe
820	13deb1f9e3779ecdc3025f0252e22176.exe
820	13deb1f9e3779ecdc3025f0252e22176.exe
1652	7B71FC14.exe
1652	7B71FC14.exe
2508	AdvancedRun.exe
2508	AdvancedRun.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\7957F23F\svchost.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\7B71FC14 = "C:\\Program Files\\Common Files\\System\\7957F23F\\svchost.exe"	13deb1f9e3779ecdc3025f0252e22176.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13deb1f9e3779ecdc3025f0252e22176.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe7B71FC14.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	13deb1f9e3779ecdc3025f0252e22176.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	7B71FC14.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description pid process target process

PID 820 set thread context of 1332 820 13deb1f9e3779ecdc3025f0252e22176.exe 13deb1f9e3779ecdc3025f0252e22176.exe
Drops file in Program Files directory 1 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description ioc process

File created C:\Program Files\Common Files\System\7957F23F\svchost.exe 13deb1f9e3779ecdc3025f0252e22176.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2268 820 WerFault.exe 13deb1f9e3779ecdc3025f0252e22176.exe

description	pid	process	target process
PID 820 set thread context of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\7957F23F\svchost.exe	13deb1f9e3779ecdc3025f0252e22176.exe

pid	pid_target	process	target process
2268	820	WerFault.exe	13deb1f9e3779ecdc3025f0252e22176.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe13deb1f9e3779ecdc3025f0252e22176.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe

pid	process
812	AdvancedRun.exe
812	AdvancedRun.exe
1516	AdvancedRun.exe
1516	AdvancedRun.exe
1332	13deb1f9e3779ecdc3025f0252e22176.exe
1332	13deb1f9e3779ecdc3025f0252e22176.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
2268	WerFault.exe
1328	powershell.exe
1504	powershell.exe
1488	powershell.exe
824	powershell.exe
548	powershell.exe
1064	powershell.exe
1492	powershell.exe
1684	powershell.exe
2508	AdvancedRun.exe
2508	AdvancedRun.exe
2560	AdvancedRun.exe
2560	AdvancedRun.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

2268 WerFault.exe

pid	process
2268	WerFault.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe13deb1f9e3779ecdc3025f0252e22176.exe13deb1f9e3779ecdc3025f0252e22176.exeWerFault.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeAdvancedRun.exeAdvancedRun.exe

description	pid	process
Token: SeDebugPrivilege	812	AdvancedRun.exe
Token: SeImpersonatePrivilege	812	AdvancedRun.exe
Token: SeDebugPrivilege	1516	AdvancedRun.exe
Token: SeImpersonatePrivilege	1516	AdvancedRun.exe
Token: SeDebugPrivilege	820	13deb1f9e3779ecdc3025f0252e22176.exe
Token: SeDebugPrivilege	1332	13deb1f9e3779ecdc3025f0252e22176.exe
Token: SeDebugPrivilege	2268	WerFault.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2508	AdvancedRun.exe
Token: SeImpersonatePrivilege	2508	AdvancedRun.exe
Token: SeDebugPrivilege	2560	AdvancedRun.exe
Token: SeImpersonatePrivilege	2560	AdvancedRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exeAdvancedRun.exe7B71FC14.exeAdvancedRun.exe

description	pid	process	target process
PID 820 wrote to memory of 812	820	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 820 wrote to memory of 812	820	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 820 wrote to memory of 812	820	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 820 wrote to memory of 812	820	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 812 wrote to memory of 1516	812	AdvancedRun.exe	AdvancedRun.exe
PID 812 wrote to memory of 1516	812	AdvancedRun.exe	AdvancedRun.exe
PID 812 wrote to memory of 1516	812	AdvancedRun.exe	AdvancedRun.exe
PID 812 wrote to memory of 1516	812	AdvancedRun.exe	AdvancedRun.exe
PID 820 wrote to memory of 548	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 548	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 548	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 548	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1488	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1488	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1488	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1488	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1328	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1328	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1328	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1328	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 824	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 824	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 824	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 824	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1684	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1684	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1684	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1684	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1652	820	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 820 wrote to memory of 1652	820	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 820 wrote to memory of 1652	820	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 820 wrote to memory of 1652	820	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 820 wrote to memory of 1492	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1492	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1492	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1492	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1064	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1064	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1064	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1064	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1504	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1504	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1504	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1504	820	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 1332	820	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 820 wrote to memory of 2268	820	13deb1f9e3779ecdc3025f0252e22176.exe	WerFault.exe
PID 820 wrote to memory of 2268	820	13deb1f9e3779ecdc3025f0252e22176.exe	WerFault.exe
PID 820 wrote to memory of 2268	820	13deb1f9e3779ecdc3025f0252e22176.exe	WerFault.exe
PID 820 wrote to memory of 2268	820	13deb1f9e3779ecdc3025f0252e22176.exe	WerFault.exe
PID 1652 wrote to memory of 2508	1652	7B71FC14.exe	AdvancedRun.exe
PID 1652 wrote to memory of 2508	1652	7B71FC14.exe	AdvancedRun.exe
PID 1652 wrote to memory of 2508	1652	7B71FC14.exe	AdvancedRun.exe
PID 1652 wrote to memory of 2508	1652	7B71FC14.exe	AdvancedRun.exe
PID 2508 wrote to memory of 2560	2508	AdvancedRun.exe	AdvancedRun.exe
PID 2508 wrote to memory of 2560	2508	AdvancedRun.exe	AdvancedRun.exe
PID 2508 wrote to memory of 2560	2508	AdvancedRun.exe	AdvancedRun.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13deb1f9e3779ecdc3025f0252e22176.exe

C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe
"C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:820

C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe" /SpecialRun 4101d8 812
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe" /SpecialRun 4101d8 2508
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
3⤵
PID:2624

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe
"C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 1352
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2268

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
6e8cf0d512e7f8cf1785113a9207af27

SHA1
26d12f4a9297846cd9e7174ac1eefd95996cc528

SHA256
7635e771abe15d7172505e50514aca4adceb30335c1bcab0a7c2d49d2f713fef

SHA512
e26fd49ab5e7741a2d7cb2e70f716e0f7c25ebfd501c4a5676a525f056f17a1a11fff46d6236536d0a5376e7d728e9ccecf4945f3ca3914346968040abf5d74e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\6b50770e-4f90-43be-9732-ca2d96f342bb\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Local\Temp\f888e42e-ac1d-418e-aab5-7c9066040603\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
memory/548-67-0x0000000000000000-mapping.dmp

Download
memory/548-118-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/548-107-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/812-58-0x0000000000000000-mapping.dmp

Download
memory/812-60-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/820-53-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/820-95-0x00000000006E0000-0x00000000006E3000-memory.dmp

Filesize
12KB

Download
memory/820-55-0x0000000000D80000-0x0000000000DE8000-memory.dmp

Filesize
416KB

Download
memory/820-54-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/824-70-0x0000000000000000-mapping.dmp

Download
memory/824-110-0x0000000002270000-0x0000000002EBA000-memory.dmp

Filesize
12.3MB

Download
memory/824-119-0x0000000002270000-0x0000000002EBA000-memory.dmp

Filesize
12.3MB

Download
memory/1064-115-0x0000000002340000-0x0000000002F8A000-memory.dmp

Filesize
12.3MB

Download
memory/1064-82-0x0000000000000000-mapping.dmp

Download
memory/1064-111-0x0000000002340000-0x0000000002F8A000-memory.dmp

Filesize
12.3MB

Download
memory/1328-69-0x0000000000000000-mapping.dmp

Download
memory/1328-108-0x0000000002300000-0x0000000002F4A000-memory.dmp

Filesize
12.3MB

Download
memory/1328-117-0x0000000002300000-0x0000000002F4A000-memory.dmp

Filesize
12.3MB

Download
memory/1332-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-113-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1332-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1332-92-0x0000000000436E0E-mapping.dmp

Download
memory/1488-68-0x0000000000000000-mapping.dmp

Download
memory/1488-106-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1492-109-0x00000000023F0000-0x000000000303A000-memory.dmp

Filesize
12.3MB

Download
memory/1492-79-0x0000000000000000-mapping.dmp

Download
memory/1504-114-0x0000000001E21000-0x0000000001E22000-memory.dmp

Filesize
4KB

Download
memory/1504-104-0x0000000001E20000-0x0000000001E21000-memory.dmp

Filesize
4KB

Download
memory/1504-85-0x0000000000000000-mapping.dmp

Download
memory/1504-116-0x0000000001E22000-0x0000000001E24000-memory.dmp

Filesize
8KB

Download
memory/1516-64-0x0000000000000000-mapping.dmp

Download
memory/1652-90-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/1652-80-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/1652-76-0x0000000000000000-mapping.dmp

Download
memory/1684-72-0x0000000000000000-mapping.dmp

Download
memory/1684-112-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/1684-105-0x00000000023B0000-0x0000000002FFA000-memory.dmp

Filesize
12.3MB

Download
memory/2268-120-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/2268-103-0x0000000000000000-mapping.dmp

Download
memory/2508-123-0x0000000000000000-mapping.dmp

Download
memory/2560-129-0x0000000000000000-mapping.dmp

Download
memory/2624-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads