agenttesla | a87292de990133b944754dcf27f76de727ec4a52033ea408d942b0ba16e968f9

Analysis

max time kernel
73s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 18:30

Sharing

Reason

Machine shutdown: "{\"level\":\"info\",\"time\":\"2024-04-19T18:34:02Z\",\"message\":\"Dirty snapshot: /var/lib/sandbox/hatchvm/win10v2004-20240412-en/instance_14-dirty.qcow2\"}"

Report Analysis Logs

General

Target

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Size

12KB
MD5

55dba6e7aa4e8cc73415f4e3f9f6bdae
SHA1

87c9f29d58f57a5e025061d389be2655ee879d5d
SHA256

3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a
SHA512

f2eb91e812b2ba58c4309fd44edadc8977367c7d9d6214d7e70a0392ae8427d570746ae57cca68dc260901f664f2e8c6c5387118ff01d243abeb5680abe2a352
SSDEEP

192:vnpYaU28zxHdo4ZMgQl9q+4ua7HhdSbwxz1ULU87glpK/b26J4Uf1XXr5:vWZdoWMR96uaLhM6ULU870gJR

Score

10^/10

agenttesla phorphiex discovery evasion keylogger loader persistence spyware stealer trojan worm

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
gator3220.hostgator.com
Port:
587
Username:
[email protected]
Password:
28#75@ts76#V1F8h
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	http185.215.113.66newtpp.exe.exe

Phorphiex
Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	http185.215.113.66newtpp.exe.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe

Executes dropped EXE 11 IoCs

pid	Process
924	http94.156.65.175responsibilityleadpro.exe.exe
3916	http185.215.113.66pei.exe.exe
3156	responsibilitylead.exe
4792	http185.215.113.66newtpp.exe.exe
4736	httppower.crazyfigs.topstyle070.exe.exe
2884	is-EVENO.tmp
4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe
2788	freewaveeditor.exe
4340	freewaveeditor.exe
4296	84918347.exe
3084	19084358.exe

Loads dropped DLL 3 IoCs

pid	Process
2884	is-EVENO.tmp
2884	is-EVENO.tmp
2884	is-EVENO.tmp

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	http185.215.113.66newtpp.exe.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	http185.215.113.66newtpp.exe.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysvpplvcr.exe"	http185.215.113.66newtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Users\\Admin\\sysvpplvcr.exe"	http185.215.113.66newtpp.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	http94.156.65.175responsibilityleadpro.exe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
112	raw.githubusercontent.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
137	api.ipify.org
139	api.ipify.org
141	ip-api.com
163	api.myip.com
166	api.myip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4948 set thread context of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysvpplvcr.exe	http185.215.113.66newtpp.exe.exe
File created	C:\Windows\sysvpplvcr.exe	http185.215.113.66newtpp.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3224	Powershell.exe
3224	Powershell.exe
3224	Powershell.exe
2488	RegAsm.exe
2488	RegAsm.exe
2488	RegAsm.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
2488	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
Token: SeDebugPrivilege	3156	responsibilitylead.exe
Token: SeDebugPrivilege	3224	Powershell.exe
Token: SeDebugPrivilege	2488	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2488	RegAsm.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 924	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	101
PID 216 wrote to memory of 924	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	101
PID 216 wrote to memory of 3916	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	102
PID 216 wrote to memory of 3916	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	102
PID 216 wrote to memory of 3916	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	102
PID 924 wrote to memory of 3156	924	http94.156.65.175responsibilityleadpro.exe.exe	103
PID 924 wrote to memory of 3156	924	http94.156.65.175responsibilityleadpro.exe.exe	103
PID 216 wrote to memory of 4792	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	104
PID 216 wrote to memory of 4792	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	104
PID 216 wrote to memory of 4792	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	104
PID 216 wrote to memory of 4736	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	105
PID 216 wrote to memory of 4736	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	105
PID 216 wrote to memory of 4736	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	105
PID 4736 wrote to memory of 2884	4736	httppower.crazyfigs.topstyle070.exe.exe	106
PID 4736 wrote to memory of 2884	4736	httppower.crazyfigs.topstyle070.exe.exe	106
PID 4736 wrote to memory of 2884	4736	httppower.crazyfigs.topstyle070.exe.exe	106
PID 216 wrote to memory of 4948	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	107
PID 216 wrote to memory of 4948	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	107
PID 216 wrote to memory of 4948	216	3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe	107
PID 2884 wrote to memory of 2788	2884	is-EVENO.tmp	108
PID 2884 wrote to memory of 2788	2884	is-EVENO.tmp	108
PID 2884 wrote to memory of 2788	2884	is-EVENO.tmp	108
PID 2884 wrote to memory of 4340	2884	is-EVENO.tmp	109
PID 2884 wrote to memory of 4340	2884	is-EVENO.tmp	109
PID 2884 wrote to memory of 4340	2884	is-EVENO.tmp	109
PID 4948 wrote to memory of 3224	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	110
PID 4948 wrote to memory of 3224	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	110
PID 4948 wrote to memory of 3224	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	110
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 4948 wrote to memory of 2488	4948	httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe	112
PID 3916 wrote to memory of 4296	3916	http185.215.113.66pei.exe.exe	113
PID 3916 wrote to memory of 4296	3916	http185.215.113.66pei.exe.exe	113
PID 3916 wrote to memory of 4296	3916	http185.215.113.66pei.exe.exe	113
PID 4792 wrote to memory of 3084	4792	http185.215.113.66newtpp.exe.exe	114
PID 4792 wrote to memory of 3084	4792	http185.215.113.66newtpp.exe.exe	114
PID 4792 wrote to memory of 3084	4792	http185.215.113.66newtpp.exe.exe	114

C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe
"C:\Users\Admin\AppData\Local\Temp\3cea805f1396df15bdbcd4317388a046a41a6079dba04576a58ba7b2c812338a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\http94.156.65.175responsibilityleadpro.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http94.156.65.175responsibilityleadpro.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Users\Admin\AppData\Local\Temp\84918347.exe
    C:\Users\Admin\AppData\Local\Temp\84918347.exe
    3⤵
    - Executes dropped EXE
    PID:4296
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe"
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Users\Admin\AppData\Local\Temp\19084358.exe
    C:\Users\Admin\AppData\Local\Temp\19084358.exe
    3⤵
    - Executes dropped EXE
    PID:3084
- - C:\Users\Admin\AppData\Local\Temp\2274032419.exe
    C:\Users\Admin\AppData\Local\Temp\2274032419.exe
    3⤵
    PID:4384
- C:\Users\Admin\AppData\Local\Temp\httppower.crazyfigs.topstyle070.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httppower.crazyfigs.topstyle070.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Admin\AppData\Local\Temp\is-OOPN7.tmp\is-EVENO.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-OOPN7.tmp\is-EVENO.tmp" /SL4 $B014E "C:\Users\Admin\AppData\Local\Temp\httppower.crazyfigs.topstyle070.exe.exe" 3637775 52224
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Free Wave Editor\freewaveeditor.exe
      "C:\Users\Admin\AppData\Local\Free Wave Editor\freewaveeditor.exe" -i
      4⤵
      Executes dropped EXE
      PID:2788
  - - C:\Users\Admin\AppData\Local\Free Wave Editor\freewaveeditor.exe
      "C:\Users\Admin\AppData\Local\Free Wave Editor\freewaveeditor.exe" -s
      4⤵
      Executes dropped EXE
      PID:4340
- C:\Users\Admin\AppData\Local\Temp\httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    "Powershell.exe" 東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽E東б屁एचтぎ儿ト丽x東б屁एचтぎ儿ト丽e東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽u東б屁एचтぎ儿ト丽t東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽P東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽l東б屁एचтぎ儿ト丽i東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽B東б屁एचтぎ儿ト丽y東б屁एचтぎ儿ト丽p東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽s東б屁एचтぎ儿ト丽東б屁एचтぎ儿ト丽-東б屁एचтぎ儿ト丽c東б屁एचтぎ儿ト丽o東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽m東б屁एचтぎ儿ト丽a東б屁एचтぎ儿ト丽n東б屁एचтぎ儿ト丽d 東б屁एचтぎ儿トC東б屁एचтぎ儿トo東б屁एचтぎ儿トp東б屁एचтぎ儿トy東б屁एचтぎ儿ト-東б屁एचтぎ儿トI東б屁एचтぎ儿トt東б屁एचтぎ儿トe東б屁एचтぎ儿トm 'C:\Users\Admin\AppData\Local\Temp\httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: SetClipboardViewer
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2488
- C:\Users\Admin\AppData\Local\Temp\http77.221.151.32serverww12AppGate2103v01.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http77.221.151.32serverww12AppGate2103v01.exe.exe"
  2⤵
  PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Free Wave Editor\freewaveeditor.exe

Filesize
3.8MB

MD5
c6338a9712978ae00826cf4b648cdc02

SHA1
c59333cc5950c3bbbbc072ba240ecd6a448f7ce5

SHA256
65fbb8376180f17ece9138c78e0472007b14e67dd78ccf24486594d153859f85

SHA512
d628d6b572722f3a27472f12ad94dc67edb149446fc3d8935e91fddd223bf8a9929ae72a79c801bd1ca4e3c26400b14898e3568f5f494689db050a6531e9da03

Download Submit
C:\Users\Admin\AppData\Local\Temp\2274032419.exe

Filesize
14KB

MD5
2f4ab1a4a57649200550c0906d57bc28

SHA1
94bc52ed3921791630b2a001d9565b8f1bd3bd17

SHA256
baa6149b5b917ea3af1f7c77a65e26a34a191a31a9c79726bd60baf4656701fa

SHA512
ab1a59aa4c48f6c7fcf7950f4a68c3b89a56f266681a5aabd0df947af8340676e209d82ddd1997bfebd972b35ca235233b61231335aec4567f7b031e786ea7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\responsibilitylead.exe

Filesize
6KB

MD5
f7930c4859ccd34bd2b80a9995f49926

SHA1
8b5b95fb51619e20246f90d60f2137da7654fc5e

SHA256
163969ebee8180e125eb00c02307adda1eb31174ba6f7e011b7b4b3441d8950a

SHA512
8f5a440541b227083f3d2a3a251758bf699a290db3c066ae3209d4c2df5e1e933b9c24cd4c0da0a7f3cb6ca0ce025acf22f65cc06ee1e306ecb9b1318a223a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_no3a4g4y.vnj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66newtpp.exe.exe

Filesize
81KB

MD5
f4713c8ac5fc1e4919156157e7bece19

SHA1
7bd9e35b1d1210183bbb4fe1995895cbc1692c62

SHA256
2be2206e079516c8cfa50bbc86f8a431898aa90dd73f7cfc6af1d21573247c4b

SHA512
ecff8f3af212f444b5f44fd3bfd922556a49b9156fd7a20e13ebc60b4abe08b9d193a49556d4a8e776ef8083db77ab9667ec537dd44f863719e83cb3899cb46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
9KB

MD5
62b97cf4c0abafeda36e3fc101a5a022

SHA1
328fae9acff3f17df6e9dc8d6ef1cec679d4eb2b

SHA256
e172537adcee1fcdc8f16c23e43a5ac82c56a0347fa0197c08be979438a534ab

SHA512
32bd7062aabd25205471cec8d292b820fc2fd2479da6fb723332887fc47036570bb2d25829acb7c883ccaaab272828c8effbc78f02a3deeabb47656f4b64eb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\http77.221.151.32serverww12AppGate2103v01.exe.exe

Filesize
2.5MB

MD5
749cb9cb3ce89a03fdd97a9aaf96e895

SHA1
73ecd478ace66e1dfb7aeed8ed061af48214a46f

SHA256
85aeb0eca144912f0713ac4e8392e2645a91bb4ba8e2ffa55e5bf834665170af

SHA512
ac0afac898ab53a3277b4d1aef90af246ca8596872a6a61bbf47817c1ea038fc4394094a4d14d2cc0aa94aeaf1435f9ccc7cf7143010ff581fd4256dc653bd31

Download Submit
C:\Users\Admin\AppData\Local\Temp\http94.156.65.175responsibilityleadpro.exe.exe

Filesize
157KB

MD5
5790d1417f8f00bd7ec6fb7011c79d9c

SHA1
36076ed9457c45d94e664ea291eb01e5c70d084b

SHA256
ad07503bc046f5b3d65eb61646fa826bc39560916c6e1ef2c3437b6465b30a82

SHA512
b19195510624ad16a4730282c97b68d05e4890a33d91f86f24eaf921e23e7786649e4e31aaaec2d9d6c7bb3695c615851d7aed3e53b13083e03acbc8d0543ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\httppower.crazyfigs.topstyle070.exe.exe

Filesize
3.8MB

MD5
ad4d59f67896456294dbc19e6aa0f92a

SHA1
5a4138250cd2463325384145e15da5ea2751af55

SHA256
e8cc79043b2b8995bd5206513306ca8c3c3061e64fe4bab987a3f4c29beeff20

SHA512
fed5bf6ed053c978665d4f72c3e90a0a96cce260d948d9093f82409e3584fab91872473b57160c0127cfea9a99a4ad2e75e8b764839b7635a599f94afb869d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsuniversalmovies.topTransactionSummary_910020049836765_110424045239.xlsx.exe.exe

Filesize
542KB

MD5
055e5476942818329e232d273578a1c3

SHA1
dd1b9aa4a8b359f8e88b0562e642f76294b579d1

SHA256
99677c9af723d0773f67fe035205dbbd9d857022b1619fc33fd83808072d2caa

SHA512
6c877468562c7527a67433f0b9a41cfd343c6ab0727a17ad238af512b867dca486b46c8ebb7b8cd6367bfbb5f1997d30e4ea99492686691778f9792d66cc4734

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I6IDK.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I6IDK.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OOPN7.tmp\is-EVENO.tmp

Filesize
648KB

MD5
ba27acf39f1bc1f782b5ff3ffad2f527

SHA1
58da67551e533e5b22f8acc4178ebbeedc22b304

SHA256
c2a86a5d853d1e437993bbaf2243620265a840ce0d36e5bddecb801805911a7e

SHA512
c9fb586001f34059a10caf6c2d100c5b387c18482ac59400ec405c4849b041cdf6ae5fd9242e07ef7561f1d27f3b5709520cc0895303621625cbeac76ce77667

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/216-2-0x0000016046CF0000-0x0000016046D00000-memory.dmp

Filesize
64KB

Download
memory/216-1-0x00007FFE2D560000-0x00007FFE2E021000-memory.dmp

Filesize
10.8MB

Download
memory/216-3-0x00007FFE2D560000-0x00007FFE2E021000-memory.dmp

Filesize
10.8MB

Download
memory/216-0-0x000001602C6B0000-0x000001602C6BA000-memory.dmp

Filesize
40KB

Download
memory/216-4-0x0000016046CF0000-0x0000016046D00000-memory.dmp

Filesize
64KB

Download
memory/2488-154-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-186-0x0000000006DF0000-0x0000000006E40000-memory.dmp

Filesize
320KB

Download
memory/2488-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-202-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/2488-212-0x0000000003280000-0x0000000003290000-memory.dmp

Filesize
64KB

Download
memory/2788-115-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-119-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2788-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2884-192-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2884-173-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2884-59-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/3132-224-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-220-0x00007FFE4B7D0000-0x00007FFE4B9C5000-memory.dmp

Filesize
2.0MB

Download
memory/3132-219-0x00007FFE00000000-0x00007FFE00002000-memory.dmp

Filesize
8KB

Download
memory/3132-213-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-221-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-211-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-222-0x00007FFE00030000-0x00007FFE00031000-memory.dmp

Filesize
4KB

Download
memory/3132-218-0x00007FFE4A1E0000-0x00007FFE4A29E000-memory.dmp

Filesize
760KB

Download
memory/3132-223-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-234-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3132-225-0x0000000140000000-0x00000001408B7000-memory.dmp

Filesize
8.7MB

Download
memory/3156-147-0x00007FFE2D560000-0x00007FFE2E021000-memory.dmp

Filesize
10.8MB

Download
memory/3156-32-0x00000136D1050000-0x00000136D1060000-memory.dmp

Filesize
64KB

Download
memory/3156-155-0x00000136D1050000-0x00000136D1060000-memory.dmp

Filesize
64KB

Download
memory/3156-31-0x00007FFE2D560000-0x00007FFE2E021000-memory.dmp

Filesize
10.8MB

Download
memory/3156-30-0x00000136CF290000-0x00000136CF296000-memory.dmp

Filesize
24KB

Download
memory/3224-182-0x00000000071E0000-0x00000000071E8000-memory.dmp

Filesize
32KB

Download
memory/3224-185-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3224-126-0x0000000002290000-0x00000000022C6000-memory.dmp

Filesize
216KB

Download
memory/3224-145-0x0000000005BD0000-0x0000000005C1C000-memory.dmp

Filesize
304KB

Download
memory/3224-127-0x0000000004DD0000-0x00000000053F8000-memory.dmp

Filesize
6.2MB

Download
memory/3224-160-0x0000000006B50000-0x0000000006B82000-memory.dmp

Filesize
200KB

Download
memory/3224-161-0x000000006F940000-0x000000006F98C000-memory.dmp

Filesize
304KB

Download
memory/3224-172-0x0000000006D90000-0x0000000006E33000-memory.dmp

Filesize
652KB

Download
memory/3224-171-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/3224-159-0x000000007F400000-0x000000007F410000-memory.dmp

Filesize
64KB

Download
memory/3224-129-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/3224-146-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/3224-174-0x0000000007510000-0x0000000007B8A000-memory.dmp

Filesize
6.5MB

Download
memory/3224-175-0x0000000006EC0000-0x0000000006EDA000-memory.dmp

Filesize
104KB

Download
memory/3224-176-0x0000000006F30000-0x0000000006F3A000-memory.dmp

Filesize
40KB

Download
memory/3224-177-0x0000000007140000-0x00000000071D6000-memory.dmp

Filesize
600KB

Download
memory/3224-178-0x00000000070C0000-0x00000000070D1000-memory.dmp

Filesize
68KB

Download
memory/3224-179-0x00000000070F0000-0x00000000070FE000-memory.dmp

Filesize
56KB

Download
memory/3224-180-0x0000000007100000-0x0000000007114000-memory.dmp

Filesize
80KB

Download
memory/3224-181-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/3224-144-0x0000000005B90000-0x0000000005BAE000-memory.dmp

Filesize
120KB

Download
memory/3224-130-0x0000000004BB0000-0x0000000004BD2000-memory.dmp

Filesize
136KB

Download
memory/3224-143-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/3224-138-0x00000000023B0000-0x00000000023C0000-memory.dmp

Filesize
64KB

Download
memory/3224-131-0x0000000004C50000-0x0000000004CB6000-memory.dmp

Filesize
408KB

Download
memory/3224-132-0x0000000004D30000-0x0000000004D96000-memory.dmp

Filesize
408KB

Download
memory/4340-194-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4340-193-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4340-128-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4736-52-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4736-158-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4736-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4948-124-0x0000000005060000-0x00000000050B6000-memory.dmp

Filesize
344KB

Download
memory/4948-125-0x0000000005160000-0x00000000051FC000-memory.dmp

Filesize
624KB

Download
memory/4948-149-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4948-123-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/4948-114-0x0000000005310000-0x00000000058B4000-memory.dmp

Filesize
5.6MB

Download
memory/4948-118-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/4948-110-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-96-0x0000000000350000-0x00000000003DE000-memory.dmp

Filesize
568KB

Download
memory/4948-157-0x0000000073320000-0x0000000073AD0000-memory.dmp

Filesize
7.7MB

Download
memory/4948-148-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads