agenttesla | 7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

Analysis

max time kernel
22s
max time network
119s
platform
windows10_x64
resource
win10v20210408
submitted
15-09-2021 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

13deb1f9e3779ecdc3025f0252e22176.exe
Size

742KB
MD5

13deb1f9e3779ecdc3025f0252e22176
SHA1

fd7d53357ad66545b97a9333ad48186fb8ab41c8
SHA256

7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8
SHA512

c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Score

10^/10

agenttesla evasion keylogger spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
e.werner@eccovacs-europe.com
Password:
alibaba.com

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2848-171-0x0000000000400000-0x000000000043C000-memory.dmp	family_agenttesla
behavioral2/memory/2848-176-0x0000000000436E0E-mapping.dmp	family_agenttesla
behavioral2/memory/4192-310-0x0000000000436E0E-mapping.dmp	family_agenttesla

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Nirsoft 6 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe	Nirsoft

Executes dropped EXE 3 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe7B71FC14.exe

pid process

1796 AdvancedRun.exe
2060 AdvancedRun.exe
3184 7B71FC14.exe
Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe7B71FC14.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7B71FC14.exe

Drops startup file 2 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	13deb1f9e3779ecdc3025f0252e22176.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe	13deb1f9e3779ecdc3025f0252e22176.exe

Windows security modification 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Common Files\System\7957F23F\svchost.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	13deb1f9e3779ecdc3025f0252e22176.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe = "0"	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	13deb1f9e3779ecdc3025f0252e22176.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	13deb1f9e3779ecdc3025f0252e22176.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13deb1f9e3779ecdc3025f0252e22176.exe

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe7B71FC14.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	13deb1f9e3779ecdc3025f0252e22176.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	13deb1f9e3779ecdc3025f0252e22176.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	7B71FC14.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0	7B71FC14.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description pid process target process

PID 912 set thread context of 2848 912 13deb1f9e3779ecdc3025f0252e22176.exe 13deb1f9e3779ecdc3025f0252e22176.exe
Drops file in Program Files directory 1 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description ioc process

File created C:\Program Files\Common Files\System\7957F23F\svchost.exe 13deb1f9e3779ecdc3025f0252e22176.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 912 set thread context of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
File created	C:\Program Files\Common Files\System\7957F23F\svchost.exe	13deb1f9e3779ecdc3025f0252e22176.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exepowershell.exepowershell.exe13deb1f9e3779ecdc3025f0252e22176.exepowershell.exe

pid	process
1796	AdvancedRun.exe
1796	AdvancedRun.exe
1796	AdvancedRun.exe
1796	AdvancedRun.exe
2060	AdvancedRun.exe
2060	AdvancedRun.exe
2060	AdvancedRun.exe
2060	AdvancedRun.exe
2872	powershell.exe
2588	powershell.exe
2848	13deb1f9e3779ecdc3025f0252e22176.exe
2848	13deb1f9e3779ecdc3025f0252e22176.exe
3824	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AdvancedRun.exeAdvancedRun.exe13deb1f9e3779ecdc3025f0252e22176.exepowershell.exepowershell.exe13deb1f9e3779ecdc3025f0252e22176.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1796	AdvancedRun.exe
Token: SeImpersonatePrivilege	1796	AdvancedRun.exe
Token: SeDebugPrivilege	2060	AdvancedRun.exe
Token: SeImpersonatePrivilege	2060	AdvancedRun.exe
Token: SeDebugPrivilege	912	13deb1f9e3779ecdc3025f0252e22176.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2848	13deb1f9e3779ecdc3025f0252e22176.exe
Token: SeDebugPrivilege	3824	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

13deb1f9e3779ecdc3025f0252e22176.exeAdvancedRun.exe

description	pid	process	target process
PID 912 wrote to memory of 1796	912	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 912 wrote to memory of 1796	912	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 912 wrote to memory of 1796	912	13deb1f9e3779ecdc3025f0252e22176.exe	AdvancedRun.exe
PID 1796 wrote to memory of 2060	1796	AdvancedRun.exe	AdvancedRun.exe
PID 1796 wrote to memory of 2060	1796	AdvancedRun.exe	AdvancedRun.exe
PID 1796 wrote to memory of 2060	1796	AdvancedRun.exe	AdvancedRun.exe
PID 912 wrote to memory of 2588	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2588	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2588	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2872	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2872	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2872	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3824	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3824	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3824	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 4020	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 4020	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 4020	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3956	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3956	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3956	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3184	912	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 912 wrote to memory of 3184	912	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 912 wrote to memory of 3184	912	13deb1f9e3779ecdc3025f0252e22176.exe	7B71FC14.exe
PID 912 wrote to memory of 4080	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 4080	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 4080	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3116	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3116	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 3116	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 808	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 808	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 808	912	13deb1f9e3779ecdc3025f0252e22176.exe	powershell.exe
PID 912 wrote to memory of 2232	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2232	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2232	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe
PID 912 wrote to memory of 2848	912	13deb1f9e3779ecdc3025f0252e22176.exe	13deb1f9e3779ecdc3025f0252e22176.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

13deb1f9e3779ecdc3025f0252e22176.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	13deb1f9e3779ecdc3025f0252e22176.exe

C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe
"C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe"
1⤵
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:912

C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796

C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe" /SpecialRun 4101d8 1796
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
2⤵
PID:4020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
PID:3956

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Maps connected drives based on registry
PID:3184

C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
3⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe
"C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe" /SpecialRun 4101d8 4392
4⤵
PID:4500

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
3⤵
PID:4728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
3⤵
PID:4808

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
3⤵
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe" -Force
3⤵
PID:4924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
3⤵
PID:4992

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe"
3⤵
PID:4192

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
2⤵
PID:4080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe" -Force
2⤵
PID:3116

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files\Common Files\System\7957F23F\svchost.exe" -Force
2⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe
"C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe"
2⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe
"C:\Users\Admin\AppData\Local\Temp\13deb1f9e3779ecdc3025f0252e22176.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Bypass User Account Control

T1088

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
6767548c2ecf21edfc122bcc5c64ee96

SHA1
27ce985ec02bdee3fdb5e23478b1a6abd4e5ff37

SHA256
3a3266fc763b9d50ee22adb19e9532259fcb892dd930518eff1d6bd5eb61fb6b

SHA512
0e488d5c2a22a750927c621374d982810963e8df82271bbf474eb70a483f1e7baeecb10457d4c9cd6971bacb4707210fc5fb786e28753b83563571cfdcb8e4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5d7251aeca419e0fb9c4e02e5767e1cf

SHA1
3b9f15eb137416ba582d22d6b051b5c0710b053a

SHA256
7f8693903c1b5be23b65da1a5a0153b62d8bf3c7334a8c1dad7be876778be1e7

SHA512
6cb62b842b311e16a73c1e906958dd8392d89ab3e46364620dd686464f10fc51f43675f2a260247e29b0668e6b72e0446c6dabc60f28dd1ea4b668e5b7377edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5d7251aeca419e0fb9c4e02e5767e1cf

SHA1
3b9f15eb137416ba582d22d6b051b5c0710b053a

SHA256
7f8693903c1b5be23b65da1a5a0153b62d8bf3c7334a8c1dad7be876778be1e7

SHA512
6cb62b842b311e16a73c1e906958dd8392d89ab3e46364620dd686464f10fc51f43675f2a260247e29b0668e6b72e0446c6dabc60f28dd1ea4b668e5b7377edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5d7251aeca419e0fb9c4e02e5767e1cf

SHA1
3b9f15eb137416ba582d22d6b051b5c0710b053a

SHA256
7f8693903c1b5be23b65da1a5a0153b62d8bf3c7334a8c1dad7be876778be1e7

SHA512
6cb62b842b311e16a73c1e906958dd8392d89ab3e46364620dd686464f10fc51f43675f2a260247e29b0668e6b72e0446c6dabc60f28dd1ea4b668e5b7377edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
5d7251aeca419e0fb9c4e02e5767e1cf

SHA1
3b9f15eb137416ba582d22d6b051b5c0710b053a

SHA256
7f8693903c1b5be23b65da1a5a0153b62d8bf3c7334a8c1dad7be876778be1e7

SHA512
6cb62b842b311e16a73c1e906958dd8392d89ab3e46364620dd686464f10fc51f43675f2a260247e29b0668e6b72e0446c6dabc60f28dd1ea4b668e5b7377edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
71f1cd7681a0b887f835e3aadeea7767

SHA1
f784f0ff4b999ddfa59633e592aba8736763bf50

SHA256
f01aec7092ba6bdab328a091b414002487ae38c51df0917ffe57bc1254d11a42

SHA512
450d9ac3236ce36625d0a6585f9ee0bf430c2899f77211ba79d1dd23c070d9323d3a2c91673d44988f896e1b549d839f147148ac474cad9111714cf98cd56064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bdc4005337e397047bd01ad1d4b30baa

SHA1
a9affae10fb30c82250e3c6411f532130eb9bac8

SHA256
4edc2e9a65167a7b626ffcd6e5878e3a7e3f4c9d9fda80250b45c4afa2efa4b8

SHA512
08c4aeb37d5149cc98da9c571f8b56bd4e772bf1015c72343004917023b3049f8c9076c66efec7abdc7010639a4731fb49e92d81d8846c95fa5c2ca3419aab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bdc4005337e397047bd01ad1d4b30baa

SHA1
a9affae10fb30c82250e3c6411f532130eb9bac8

SHA256
4edc2e9a65167a7b626ffcd6e5878e3a7e3f4c9d9fda80250b45c4afa2efa4b8

SHA512
08c4aeb37d5149cc98da9c571f8b56bd4e772bf1015c72343004917023b3049f8c9076c66efec7abdc7010639a4731fb49e92d81d8846c95fa5c2ca3419aab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bdc4005337e397047bd01ad1d4b30baa

SHA1
a9affae10fb30c82250e3c6411f532130eb9bac8

SHA256
4edc2e9a65167a7b626ffcd6e5878e3a7e3f4c9d9fda80250b45c4afa2efa4b8

SHA512
08c4aeb37d5149cc98da9c571f8b56bd4e772bf1015c72343004917023b3049f8c9076c66efec7abdc7010639a4731fb49e92d81d8846c95fa5c2ca3419aab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
6faff0ebd7c3554b8b1b66bdc7a8ed7f

SHA1
cc38cfcd0b4265eb2200f105c9ae46b3809beb72

SHA256
b5cf2e1865f49c705491963f07bbf48cd3a863e42e73c7f84b99e3edca282c3a

SHA512
ab424cc9603699a5285b75527892cd20ca3209cc01c4191171e7463d149434bd877c5b2a34443bc44e7502b58e35e2ecafd56bfef8f5d496e2aea2037f7b439d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bdc4005337e397047bd01ad1d4b30baa

SHA1
a9affae10fb30c82250e3c6411f532130eb9bac8

SHA256
4edc2e9a65167a7b626ffcd6e5878e3a7e3f4c9d9fda80250b45c4afa2efa4b8

SHA512
08c4aeb37d5149cc98da9c571f8b56bd4e772bf1015c72343004917023b3049f8c9076c66efec7abdc7010639a4731fb49e92d81d8846c95fa5c2ca3419aab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
bdc4005337e397047bd01ad1d4b30baa

SHA1
a9affae10fb30c82250e3c6411f532130eb9bac8

SHA256
4edc2e9a65167a7b626ffcd6e5878e3a7e3f4c9d9fda80250b45c4afa2efa4b8

SHA512
08c4aeb37d5149cc98da9c571f8b56bd4e772bf1015c72343004917023b3049f8c9076c66efec7abdc7010639a4731fb49e92d81d8846c95fa5c2ca3419aab3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1db6a04bdc33b584b4f9a519a6773036

SHA1
38f070086274d9b77b9ec71251d4eaac3fd3382c

SHA256
29c2f2a9557a4ff36d0112b93420ab4c6fb4f0d83d4713bbc73d4571deee3700

SHA512
4d741e9c4c3b8af0f1f9234bddf72c88a5b222eeba076b2e1b7d5f01b9516d8526595cac97768c3d133b2c1ba04fe22019d362c30175b79b72fcfd0b9778537d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
1db6a04bdc33b584b4f9a519a6773036

SHA1
38f070086274d9b77b9ec71251d4eaac3fd3382c

SHA256
29c2f2a9557a4ff36d0112b93420ab4c6fb4f0d83d4713bbc73d4571deee3700

SHA512
4d741e9c4c3b8af0f1f9234bddf72c88a5b222eeba076b2e1b7d5f01b9516d8526595cac97768c3d133b2c1ba04fe22019d362c30175b79b72fcfd0b9778537d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
101343244d619fd29dc007b34351865b

SHA1
a721bf0ee99f24b3e6c263033cfa02a63d4175cc

SHA256
286038573287d04ce980461054d2377b71ab4eb8a37e466b38d120ad7f93a043

SHA512
1a40055b9e2186d142059ab12afc82a21767f9fbfe98345be40f67619d128fb261f6afef74b25ba52b8f80480bb86e06006047de1b9505d5a65f7d7ee3ce0209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f925a999b2f70c7768088cdafbae437f

SHA1
d36f615dce80abaf585da8d20e2a1c030717dc77

SHA256
defeddf0c5322ac82e9256b602752d38f13bda5db701791730e34941b2199c51

SHA512
374d80c298ad498c37abfd8891fd46a77f5986f6a8a74368dbb3eb03a0ddf20a8f5955fac38316ba9dc9fc33a98474a3f4c5ef4de5c9fa407d2ef7f92e4a5f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
f925a999b2f70c7768088cdafbae437f

SHA1
d36f615dce80abaf585da8d20e2a1c030717dc77

SHA256
defeddf0c5322ac82e9256b602752d38f13bda5db701791730e34941b2199c51

SHA512
374d80c298ad498c37abfd8891fd46a77f5986f6a8a74368dbb3eb03a0ddf20a8f5955fac38316ba9dc9fc33a98474a3f4c5ef4de5c9fa407d2ef7f92e4a5f1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d0b8f9a1b25be1d20ed86831da6649c3

SHA1
16247b19fd1f79d3057143ae5eb873047b5489d4

SHA256
de2c23f0aa454d89ed9df9a4e8eb5baedb1bc7e88ece3cc625dd08a2c4ffb87b

SHA512
c37fbcbeab831e8817db1cc48d3d228a507dcb124c3a076d6d59369aa77b0805672569c139ac73b30289720b8851c9577c1999ee62ec2bac196ed91f38e0a6a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
d8fef5959ed94536f54659f8190c4298

SHA1
014ae423ec804ef180fc4ab1d16cea12d0613a6c

SHA256
fb651f75d373c49d110193fa115b14607a7f61956ff2dd73082f513fe9e336ad

SHA512
b08d4e1caf97a7c2581c92fb311040bb7492cdef40a7bf15194011237d9de64600f2cde1840ab4ac61fc6e4449cbc3c7b0b6064e0ea56cda62422a229812739d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a7ee1c2-ff3c-4c8c-afbf-5b25284a3f32\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe778a2c-c1b6-4df5-b28a-63f9639cd2fe\AdvancedRun.exe
MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7B71FC14.exe
MD5
13deb1f9e3779ecdc3025f0252e22176

SHA1
fd7d53357ad66545b97a9333ad48186fb8ab41c8

SHA256
7a9a395febca4d19f4aae40a2ea18dc819bf7475175cdc2b15e68cb2b5beaff8

SHA512
c08652216e3e7734caebe23c6835f000044df5616ce1abed2ac4b13ccf303c5626ae74e45e17b3c2537f7026e1702ebd8447b504acd97688d28809afb9be81db

Download Submit
memory/808-153-0x0000000000000000-mapping.dmp

Download
memory/808-185-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/808-191-0x0000000007182000-0x0000000007183000-memory.dmp

Filesize
4KB

Download
memory/808-500-0x0000000007183000-0x0000000007184000-memory.dmp

Filesize
4KB

Download
memory/808-420-0x000000007F6B0000-0x000000007F6B1000-memory.dmp

Filesize
4KB

Download
memory/912-120-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/912-180-0x00000000064C0000-0x00000000064C3000-memory.dmp

Filesize
12KB

Download
memory/912-121-0x00000000050E0000-0x0000000005148000-memory.dmp

Filesize
416KB

Download
memory/912-119-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/912-118-0x0000000004D50000-0x000000000524E000-memory.dmp

Filesize
5.0MB

Download
memory/912-117-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/912-116-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/912-115-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

Filesize
4KB

Download
memory/912-122-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/912-114-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1796-123-0x0000000000000000-mapping.dmp

Download
memory/2060-126-0x0000000000000000-mapping.dmp

Download
memory/2588-512-0x0000000004233000-0x0000000004234000-memory.dmp

Filesize
4KB

Download
memory/2588-169-0x0000000004232000-0x0000000004233000-memory.dmp

Filesize
4KB

Download
memory/2588-144-0x0000000006C60000-0x0000000006C61000-memory.dmp

Filesize
4KB

Download
memory/2588-165-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/2588-138-0x00000000041A0000-0x00000000041A1000-memory.dmp

Filesize
4KB

Download
memory/2588-128-0x0000000000000000-mapping.dmp

Download
memory/2588-479-0x000000007FCC0000-0x000000007FCC1000-memory.dmp

Filesize
4KB

Download
memory/2848-176-0x0000000000436E0E-mapping.dmp

Download
memory/2848-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2848-187-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2848-198-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/2872-168-0x0000000007050000-0x0000000007051000-memory.dmp

Filesize
4KB

Download
memory/2872-129-0x0000000000000000-mapping.dmp

Download
memory/2872-181-0x0000000007052000-0x0000000007053000-memory.dmp

Filesize
4KB

Download
memory/2872-464-0x000000007F260000-0x000000007F261000-memory.dmp

Filesize
4KB

Download
memory/2872-196-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/2872-502-0x0000000007053000-0x0000000007054000-memory.dmp

Filesize
4KB

Download
memory/2872-206-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/2872-210-0x0000000008070000-0x0000000008071000-memory.dmp

Filesize
4KB

Download
memory/3116-149-0x0000000000000000-mapping.dmp

Download
memory/3116-509-0x0000000006553000-0x0000000006554000-memory.dmp

Filesize
4KB

Download
memory/3116-184-0x0000000006550000-0x0000000006551000-memory.dmp

Filesize
4KB

Download
memory/3116-189-0x0000000006552000-0x0000000006553000-memory.dmp

Filesize
4KB

Download
memory/3116-446-0x000000007EF70000-0x000000007EF71000-memory.dmp

Filesize
4KB

Download
memory/3184-136-0x0000000000000000-mapping.dmp

Download
memory/3184-203-0x0000000004A40000-0x0000000004F3E000-memory.dmp

Filesize
5.0MB

Download
memory/3824-130-0x0000000000000000-mapping.dmp

Download
memory/3824-194-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/3824-496-0x00000000041C3000-0x00000000041C4000-memory.dmp

Filesize
4KB

Download
memory/3824-195-0x00000000041C2000-0x00000000041C3000-memory.dmp

Filesize
4KB

Download
memory/3824-477-0x000000007EE20000-0x000000007EE21000-memory.dmp

Filesize
4KB

Download
memory/3956-505-0x0000000004503000-0x0000000004504000-memory.dmp

Filesize
4KB

Download
memory/3956-200-0x0000000004500000-0x0000000004501000-memory.dmp

Filesize
4KB

Download
memory/3956-133-0x0000000000000000-mapping.dmp

Download
memory/3956-455-0x000000007F880000-0x000000007F881000-memory.dmp

Filesize
4KB

Download
memory/3956-202-0x0000000004502000-0x0000000004503000-memory.dmp

Filesize
4KB

Download
memory/4020-201-0x0000000006FE0000-0x0000000006FE1000-memory.dmp

Filesize
4KB

Download
memory/4020-131-0x0000000000000000-mapping.dmp

Download
memory/4020-498-0x0000000006FE3000-0x0000000006FE4000-memory.dmp

Filesize
4KB

Download
memory/4020-204-0x0000000006FE2000-0x0000000006FE3000-memory.dmp

Filesize
4KB

Download
memory/4020-475-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/4080-173-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/4080-178-0x0000000004E32000-0x0000000004E33000-memory.dmp

Filesize
4KB

Download
memory/4080-143-0x0000000000000000-mapping.dmp

Download
memory/4080-515-0x0000000004E33000-0x0000000004E34000-memory.dmp

Filesize
4KB

Download
memory/4080-468-0x000000007F7F0000-0x000000007F7F1000-memory.dmp

Filesize
4KB

Download
memory/4192-310-0x0000000000436E0E-mapping.dmp

Download
memory/4192-360-0x0000000004D00000-0x00000000051FE000-memory.dmp

Filesize
5.0MB

Download
memory/4392-252-0x0000000000000000-mapping.dmp

Download
memory/4500-263-0x0000000000000000-mapping.dmp

Download
memory/4728-370-0x00000000068D2000-0x00000000068D3000-memory.dmp

Filesize
4KB

Download
memory/4728-1213-0x00000000068D3000-0x00000000068D4000-memory.dmp

Filesize
4KB

Download
memory/4728-992-0x000000007EC00000-0x000000007EC01000-memory.dmp

Filesize
4KB

Download
memory/4728-350-0x00000000068D0000-0x00000000068D1000-memory.dmp

Filesize
4KB

Download
memory/4728-282-0x0000000000000000-mapping.dmp

Download
memory/4808-1478-0x0000000004224000-0x0000000004226000-memory.dmp

Filesize
8KB

Download
memory/4808-1476-0x0000000004223000-0x0000000004224000-memory.dmp

Filesize
4KB

Download
memory/4808-1217-0x000000007F4B0000-0x000000007F4B1000-memory.dmp

Filesize
4KB

Download
memory/4808-387-0x0000000004222000-0x0000000004223000-memory.dmp

Filesize
4KB

Download
memory/4808-378-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/4808-284-0x0000000000000000-mapping.dmp

Download
memory/4868-438-0x0000000004B42000-0x0000000004B43000-memory.dmp

Filesize
4KB

Download
memory/4868-1313-0x000000007E6A0000-0x000000007E6A1000-memory.dmp

Filesize
4KB

Download
memory/4868-1489-0x0000000004B43000-0x0000000004B44000-memory.dmp

Filesize
4KB

Download
memory/4868-285-0x0000000000000000-mapping.dmp

Download
memory/4868-412-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4868-1490-0x0000000004B44000-0x0000000004B46000-memory.dmp

Filesize
8KB

Download
memory/4924-1482-0x0000000006EC4000-0x0000000006EC6000-memory.dmp

Filesize
8KB

Download
memory/4924-1481-0x0000000006EC3000-0x0000000006EC4000-memory.dmp

Filesize
4KB

Download
memory/4924-1267-0x000000007F2D0000-0x000000007F2D1000-memory.dmp

Filesize
4KB

Download
memory/4924-481-0x0000000006EC2000-0x0000000006EC3000-memory.dmp

Filesize
4KB

Download
memory/4924-429-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/4924-286-0x0000000000000000-mapping.dmp

Download
memory/4992-1264-0x000000007E980000-0x000000007E981000-memory.dmp

Filesize
4KB

Download
memory/4992-397-0x0000000006D20000-0x0000000006D21000-memory.dmp

Filesize
4KB

Download
memory/4992-1484-0x0000000006D23000-0x0000000006D24000-memory.dmp

Filesize
4KB

Download
memory/4992-405-0x0000000006D22000-0x0000000006D23000-memory.dmp

Filesize
4KB

Download
memory/4992-287-0x0000000000000000-mapping.dmp

Download
memory/4992-1487-0x0000000006D24000-0x0000000006D26000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads