agenttesla | 328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
Size

1.1MB
MD5

63d74b4d5b18373ba3230ed473922c70
SHA1

96dd293df1e4d4f7972d3c2d647195b81a1699d8
SHA256

328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa
SHA512

c43d222acef5f5581ad1923431aa66a39161da2e69a02afc64aeb901e3c7465c392d11bad5d14662b66f79e90adc3ef843e78887591a4794486350aa0ba6f512
SSDEEP

24576:0qDEvCTbMWu7rQYlBQcBiT6rprG8amzNiCDJjKJ7ypNh1:0TvC/MTQYxsWR7amgUJI2

Score

10^/10

agenttesla zgrat keylogger persistence rat spyware stealer trojan

Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect packed .NET executables. Mostly AgentTeslaV4. 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 34 IoCs

resource	yara_rule
behavioral2/memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
behavioral2/memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skyT = "C:\\Users\\Admin\\AppData\\Roaming\\skyT\\skyT.exe"	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 2756	5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2756	RegSvcs.exe
2756	RegSvcs.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	RegSvcs.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2756	RegSvcs.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4168	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	91
PID 1072 wrote to memory of 4168	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	91
PID 1072 wrote to memory of 4168	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	91
PID 1072 wrote to memory of 1348	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	92
PID 1072 wrote to memory of 1348	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	92
PID 1072 wrote to memory of 1348	1072	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	92
PID 1348 wrote to memory of 4492	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	93
PID 1348 wrote to memory of 4492	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	93
PID 1348 wrote to memory of 4492	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	93
PID 1348 wrote to memory of 5088	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	94
PID 1348 wrote to memory of 5088	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	94
PID 1348 wrote to memory of 5088	1348	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	94
PID 5088 wrote to memory of 228	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	95
PID 5088 wrote to memory of 228	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	95
PID 5088 wrote to memory of 228	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	95
PID 5088 wrote to memory of 5052	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	96
PID 5088 wrote to memory of 5052	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	96
PID 5088 wrote to memory of 5052	5088	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	96
PID 5052 wrote to memory of 2756	5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	97
PID 5052 wrote to memory of 2756	5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	97
PID 5052 wrote to memory of 2756	5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	97
PID 5052 wrote to memory of 2756	5052	328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe	97

C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
"C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
  2⤵
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
  "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
  2⤵
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
    3⤵
    PID:4492
- - C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
    "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
      4⤵
      PID:228
  - - C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe
      "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: MapViewOfSection
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:5052
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\328e70cca6f607ee5e124be316cbd024fa84f61b874c0568366516a8222675aa.exe"
        5⤵
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Esher

Filesize
262KB

MD5
18ed30c344f8d682fab7d478762b1cf2

SHA1
98a5297149ae03a5f3c1bf29dc6ace3afb2fb0ed

SHA256
66e8574b0659e2e43cf6c1958db0abc5c9650b9999d6c287d31dbf00a2042751

SHA512
57090c253807e22ba130f37a0b69ce6950cd72a37477040a645669d66f669e27263b452af7fd6fb85decbbd7e5d6fe9d9e3ab98796ef8b351ca595564b9f778b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6D9A.tmp

Filesize
257KB

MD5
b4518906b831aa6ae5072d7702fadbcf

SHA1
53f276bb0725903e159a677e2100908df128138f

SHA256
a8d534f7fb880dcba3a56c9384237c5b286df56dc0a0a8da0b3fb8bc2696321b

SHA512
a9ad64eff4bd622ceebebfc8ce886a19597b3d17518bc705113bdeb4fd7d1442696e75558aebe994eb29621b1715bbcb73332bd92e07dbb071707d43af34343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut6DBA.tmp

Filesize
9KB

MD5
9af133b9b553010c1b0b19f98de14813

SHA1
3644139a3c6d3429f1f2d662461c4b4f4d0e8245

SHA256
484827a635f7959666ab32f84f086867584f24b88b820406b247088de45cf88a

SHA512
debd4b9c4b06c1b2a1b03ec5fe986020a2d48d28087409ff13b3b1a8853fd6b879ba8ebca5f396c6dd0872d01a96ee03c9ca5eb725a64f2e06e088f1010dab5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nonhazardousness

Filesize
28KB

MD5
eafe8751898e0b3c1ea7f59f88dbb724

SHA1
3e94472d4b13544dccf63cae2b695b486458f40c

SHA256
f6efb701356255d6b13eb6a66d405337a30d1d1b2d1263c382fab079ccc34df9

SHA512
575e8c115202394c75910021ffbd7d7c0519f9ffb3777bcf5107179267c02ba3b3aa59a0116d839a3a5aea73e152bd053fccd5b83a421f2a3dc0332c39a1bd28

Download Submit
memory/1072-10-0x0000000000A80000-0x0000000000A84000-memory.dmp

Filesize
16KB

Download
memory/2756-95-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-85-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-49-0x00000000031C0000-0x0000000003214000-memory.dmp

Filesize
336KB

Download
memory/2756-50-0x0000000005D90000-0x0000000006334000-memory.dmp

Filesize
5.6MB

Download
memory/2756-51-0x0000000005820000-0x0000000005872000-memory.dmp

Filesize
328KB

Download
memory/2756-53-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-52-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-59-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-113-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-111-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-109-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-108-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-105-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-103-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-101-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-97-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-47-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2756-93-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-91-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-89-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-87-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-48-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2756-81-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-79-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-77-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-75-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-73-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-71-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-69-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-67-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-65-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-57-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-55-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-99-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-83-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-63-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-61-0x0000000005820000-0x000000000586D000-memory.dmp

Filesize
308KB

Download
memory/2756-1084-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/2756-1086-0x0000000006810000-0x0000000006860000-memory.dmp

Filesize
320KB

Download
memory/2756-1087-0x0000000006900000-0x0000000006992000-memory.dmp

Filesize
584KB

Download
memory/2756-1088-0x00000000068D0000-0x00000000068DA000-memory.dmp

Filesize
40KB

Download