Analysis
  max time kernel:  131s
  max time network: 134s
  platform:         windows7_x64
  resource:         win7-20220718-en
  resource tags:    arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
  submitted:        24-07-2022 06:34

Behavioral task: behavioral1
  Sample:   58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  Resource: win7-20220718-en
General
  Target: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  Size:   5.6MB
  MD5:    80a0a3da2f9717c0532cc760b1e7f746
  SHA1:   999e1bd2c3947f898d21572c2c360de72232ef09
  SHA256: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
  SHA512: 4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
Malware Config
  Extracted
    Protocol: smtp
    Host:     smtp.vivaldi.net
    Port:     587
    Username: [email protected]   (address redacted in the source page)
    Password: nAMkXP8FUGvSc3wjPCKF

  This is the SMTP account hard-coded in the sample. With NirSoft password-recovery tools running in its child processes (see Signatures), this mailbox is the likely destination for the harvested credentials. Port 587 is the mail submission port and is normally protected with STARTTLS, so the exfiltrated content is not expected to be readable from a plain packet capture; the credentials above are what an analyst would use to confirm or block the channel.
Signatures

NirSoft MailPassView  5 IoCs
  Password recovery tool for various email clients
  yara_rule: MailPassView
    behavioral1/memory/960-75-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-76-0x0000000000411654-mapping.dmp
    behavioral1/memory/960-79-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-81-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-82-0x0000000000400000-0x000000000041B000-memory.dmp

NirSoft WebBrowserPassView  4 IoCs
  Password recovery tool for various web browsers
  yara_rule: WebBrowserPassView
    behavioral1/memory/1344-84-0x0000000000442628-mapping.dmp
    behavioral1/memory/1344-83-0x0000000000400000-0x0000000000458000-memory.dmp
    behavioral1/memory/1344-87-0x0000000000400000-0x0000000000458000-memory.dmp
    behavioral1/memory/1344-89-0x0000000000400000-0x0000000000458000-memory.dmp

Nirsoft  9 IoCs
  yara_rule: Nirsoft  (generic rule; matches the same five PID 960 dumps and four PID 1344 dumps listed above)
    behavioral1/memory/960-75-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-76-0x0000000000411654-mapping.dmp
    behavioral1/memory/960-79-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-81-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/960-82-0x0000000000400000-0x000000000041B000-memory.dmp
    behavioral1/memory/1344-84-0x0000000000442628-mapping.dmp
    behavioral1/memory/1344-83-0x0000000000400000-0x0000000000458000-memory.dmp
    behavioral1/memory/1344-87-0x0000000000400000-0x0000000000458000-memory.dmp
    behavioral1/memory/1344-89-0x0000000000400000-0x0000000000458000-memory.dmp

Executes dropped EXE  1 IoCs
  pid 2008  Windows Update.exe

vmprotect  8 IoCs
  yara_rule: vmprotect  (matches both the running sample, PID 1524, the dropped copy, PID 2008, and the three dropped files)
    behavioral1/memory/1524-54-0x0000000000400000-0x0000000000D6C000-memory.dmp
    behavioral1/memory/1524-57-0x0000000000400000-0x0000000000D6C000-memory.dmp
    behavioral1/files/0x0009000000012334-61.dat
    behavioral1/files/0x0009000000012334-63.dat
    behavioral1/memory/1524-64-0x0000000000400000-0x0000000000D6C000-memory.dmp
    behavioral1/files/0x0009000000012334-65.dat
    behavioral1/memory/2008-67-0x0000000000400000-0x0000000000D6C000-memory.dmp
    behavioral1/memory/2008-72-0x0000000000400000-0x0000000000D6C000-memory.dmp

Deletes itself  1 IoCs
  pid 2008  Windows Update.exe

Loads dropped DLL  1 IoCs
  pid 1524  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
Uses the Visual Basic compiler (vbc.exe) for execution  1 TTPs
  The sandbox labels this "VBS compiler"; the binary in the process tree is C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, the VB.NET command-line compiler, not a script interpreter. Here it is launched only to serve as a signed Microsoft host for injected code (see SetThreadContext below and the NirSoft YARA matches in its memory).
Accesses Microsoft Outlook accounts  1 TTPs  1 IoCs
  description  ioc                                                                                                                          Process
  Key opened   \REGISTRY\USER\S-1-5-21-3762437355-3468409815-1164039494-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts   vbc.exe
  (OMI Account Manager\Accounts is where Outlook Express / Windows Mail style Internet mail accounts are stored; reading it from vbc.exe is MailPassView at work in PID 960.)
Looks up external IP address via web service  3 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     whatismyipaddress.com
  6     whatismyipaddress.com
  7     whatismyipaddress.com
Suspicious use of NtSetInformationThreadHideFromDebugger  2 IoCs
  pid 1524  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  pid 2008  Windows Update.exe
  (ThreadHideFromDebugger detaches the calling thread from any attached debugger; together with the vmprotect matches this is anti-analysis, not a stealer capability.)

Suspicious use of SetThreadContext  2 IoCs
  description                          pid   Process             procid_target
  PID 2008 set thread context of 960   2008  Windows Update.exe  30
  PID 2008 set thread context of 1344  2008  Windows Update.exe  31
  (procid_target is the sandbox's internal index for the target process; 30 and 31 are PIDs 960 and 1344, the two vbc.exe children. Resetting a child's thread context right after writing its memory (see WriteProcessMemory below) is the hollowing step that places the NirSoft tools inside vbc.exe.)
Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this behaviour reads "Likely ransomware behaviour"; nothing else in this report supports that (no file encryption, no ransom note, and the payloads found in memory are credential-recovery tools), so treat the ransomware label as a low-confidence heuristic here.
Modifies system certificate store  (heading taken from the process tree entry for Windows Update.exe)
  description       ioc                                                                                                                      Process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13          Windows Update.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided in source]   Windows Update.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510   Windows Update.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data elided in source]   Windows Update.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8              Windows Update.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data elided in source]   Windows Update.exe

  Both thumbprints identify public CA roots rather than attacker material: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 (the friendly name "DST Root CA X3" and the issuer "Digital Signature Trust Co." are readable in the UTF-16 and DER portions of the blob above, and the serial 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b matches that root), and CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1, the Let's Encrypt root. On Windows 7, entries under AuthRoot\Certificates are what the automatic root certificate update writes the first time a TLS chain reaches a root not yet cached on the machine, so this signature is most plausibly a side effect of the sample's own network activity (the IP-lookup flows above) rather than deliberate trust-store tampering. To confirm from a registry dump, decode the Blob and check that the SHA-1 of the embedded certificate equals the key name.
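The check just described can be done offline from the registry value alone. The following Python is an added example and not part of the sandbox report: it walks the serialized property list that Windows stores in a `...\Certificates\<thumbprint>\Blob` value (DWORD property id, DWORD reserved = 1, DWORD length, data, repeated), pulls out the friendly name, key identifier and DER certificate, and cross-checks the stored SHA-1 property, the SHA-1 it recomputes over the certificate, and the registry key name. The property-id names are the ones that appear in the blob above (0x19, 0x03, 0x1d, 0x14, 0x09, 0x0b, 0x0f, 0x20). The blob it runs on is constructed in the block (a placeholder byte string stands in for a real DER certificate); to use it on the report's data, pass `bytes.fromhex(...)` of the Blob hex and the key name to `summarize()`.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

Added example (not part of the sandbox report). The blob is a flat list of
CryptoAPI certificate properties: DWORD propid, DWORD reserved (always 1),
DWORD length, then `length` data bytes, repeated until the value ends.
"""
import hashlib
import struct

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",             # 20-byte thumbprint; must equal the key name
    9: "CERT_ENHKEY_USAGE_PROP_ID",          # DER-encoded EKU OID sequence
    11: "CERT_FRIENDLY_NAME_PROP_ID",        # UTF-16LE, NUL-terminated
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",       # subject key identifier
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",                 # the DER certificate itself
}

# The two thumbprints from the report; both are public CA roots (published
# fingerprints, stated from knowledge of those roots, not derived from the report).
KNOWN_PUBLIC_ROOTS = {
    "dac9024f54d8f6df94935fb1732638ca6ad77c13": "DST Root CA X3",
    "cabd2a79a1076a31f21d253635cb039d4329a5e8": "ISRG Root X1",
}


def parse_cert_blob(blob):
    """Return {propid: raw bytes}; raise ValueError on any structural problem."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"reserved field is {reserved}, expected 1 (offset {off - 12})")
        if len(blob) - off < length:
            raise ValueError(f"property {propid} claims {length} bytes, {len(blob) - off} remain")
        props[propid] = blob[off:off + length]
        off += length
    return props


def summarize(blob, key_name=None):
    """Decode the useful properties and cross-check the thumbprint: stored
    property 3, SHA-1 recomputed over the embedded cert, and (if given) the
    registry key name. A legitimate store entry agrees on all three."""
    props = parse_cert_blob(blob)
    cert = props.get(32, b"")
    stored = props.get(3, b"").hex()
    computed = hashlib.sha1(cert).hexdigest() if cert else ""
    consistent = bool(cert) and stored == computed
    if key_name is not None:
        consistent = consistent and key_name.lower() == computed
    return {
        "friendly_name": props.get(11, b"").decode("utf-16-le").rstrip("\x00"),
        "stored_thumbprint": stored,
        "computed_thumbprint": computed,
        "thumbprint_consistent": consistent,
        "key_identifier": props.get(20, b"").hex(),
        "known_root": KNOWN_PUBLIC_ROOTS.get(computed),
        "property_ids": sorted(props),
        "property_names": [PROP_NAMES.get(p, f"prop_{p}") for p in sorted(props)],
    }


def build_cert_blob(cert_der, friendly_name, extra=None):
    """Serialize a minimal blob in the same layout (constructed test data only)."""
    props = {3: hashlib.sha1(cert_der).digest(),
             11: (friendly_name + "\x00").encode("utf-16-le"),
             32: cert_der}
    props.update(extra or {})
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in sorted(props.items()))


# Constructed placeholder standing in for a DER certificate (not a real X.509 object).
DEMO_CERT = b"\x30\x82\x00\x10constructed-placeholder-certificate"
DEMO_BLOB = build_cert_blob(DEMO_CERT, "Example Root", {20: bytes(range(20))})

if __name__ == "__main__":
    for k, v in summarize(DEMO_BLOB).items():
        print(f"{k:<22} {v}")
```

`summarize()` flags a blob whose embedded certificate no longer hashes to the stored thumbprint or to the key name it sits under, which is the tell for a hand-crafted store entry; on the report's blob the three values coincide and `known_root` resolves to DST Root CA X3.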
Suspicious behavior: EnumeratesProcesses  5 IoCs
  pid 1524  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe  (2 hits)
  pid 2008  Windows Update.exe  (3 hits)

Suspicious use of AdjustPrivilegeToken  2 IoCs
  description             pid   Process
  Token: SeDebugPrivilege 1524  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe
  Token: SeDebugPrivilege 2008  Windows Update.exe

Suspicious use of WriteProcessMemory  27 IoCs  (repeated rows collapsed; count gives the number of identical entries)
  description                       pid   Process                                                                  procid_target  count
  PID 1524 wrote to memory of 2008  1524  58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe  28             7
  PID 2008 wrote to memory of 960   2008  Windows Update.exe                                                       30             10
  PID 2008 wrote to memory of 1344  2008  Windows Update.exe                                                       31             10
Processes
  C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe  (PID 1524)
    command line: "C:\Users\Admin\AppData\Local\Temp\58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe"
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Windows Update.exe  (PID 2008, child of 1524)
      command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      - Executes dropped EXE
      - Deletes itself
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 960, child of 2008)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - Accesses Microsoft Outlook accounts
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 1344, child of 2008)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

  Reading the tree: the sample drops a copy of itself to %APPDATA% under the name "Windows Update.exe" (the dropped file carries the same hashes as the submitted sample, see Downloads) and runs it. That copy spawns two instances of the VB.NET compiler, which never compile anything: PID 2008 writes into both children and resets their thread context (WriteProcessMemory and SetThreadContext signatures above), and the YARA matches place NirSoft MailPassView in PID 960 and WebBrowserPassView in PID 1344. /stext is the NirSoft switch that writes the recovered passwords to a plain-text file, so holdermail.txt and holderwb.txt in %TEMP% hold the harvested mail and browser credentials respectively, staged for the SMTP account in the extracted configuration.
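The chain above (sample, dropped "Windows Update.exe", two hollowed vbc.exe instances dumping with /stext) is what a detection engineer would key on. The following Python is an added example, not part of the sandbox report or of the sample: it replays a constructed event stream built from the report's PIDs, image paths, command lines and API calls (plus one invented benign vbc.exe compile job, to show the rules stay quiet on legitimate compiler use) through three rules: a NirSoft save-to-file switch in a .NET framework host, a parent that both wrote a child's memory and reset its thread context, and a "Windows Update.exe" running out of a user profile. The event field names and the parent PIDs 1100 and 2900 are this example's own assumptions, not a real log format or values from the report.

```python
"""Replay the report's process chain through three detection rules.

Added example (not part of the sandbox report). Event dicts below are
constructed from the PIDs, image paths, command lines and API calls listed in
the report; field names and the parent PIDs 1100/2900 are this example's own.
"""
import re
from collections import defaultdict

SAMPLE = "58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp"
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update.exe"
VBC = "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\vbc.exe"

EVENTS = [
    {"type": "process_create", "pid": 1524, "ppid": 1100,   # ppid 1100: assumed launcher
     "image": TEMP + "\\" + SAMPLE, "cmdline": '"' + TEMP + "\\" + SAMPLE + '"'},
    {"type": "process_create", "pid": 2008, "ppid": 1524,
     "image": DROPPED, "cmdline": '"' + DROPPED + '"'},
    {"type": "api", "name": "WriteProcessMemory", "pid": 1524, "target": 2008},
    {"type": "process_create", "pid": 960, "ppid": 2008, "image": VBC,
     "cmdline": VBC + ' /stext "' + TEMP + '\\holdermail.txt"'},
    {"type": "api", "name": "WriteProcessMemory", "pid": 2008, "target": 960},
    {"type": "api", "name": "SetThreadContext", "pid": 2008, "target": 960},
    {"type": "process_create", "pid": 1344, "ppid": 2008, "image": VBC,
     "cmdline": VBC + ' /stext "' + TEMP + '\\holderwb.txt"'},
    {"type": "api", "name": "WriteProcessMemory", "pid": 2008, "target": 1344},
    {"type": "api", "name": "SetThreadContext", "pid": 2008, "target": 1344},
    # Invented benign event: a real compile job, so rule 1 is seen to need the NirSoft switch.
    {"type": "process_create", "pid": 3000, "ppid": 2900, "image": VBC,
     "cmdline": VBC + " /target:library /out:Report.dll Report.vb"},
]

# NirSoft command-line "save report" switches, shared across its password tools.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/stab", "/scomma", "/stabular", "/shtml", "/sverhtml", "/sxml"}
# Signed .NET framework binaries commonly hollowed to host stealer payloads.
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "cvtres.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
HOLLOWING_CALLS = {"WriteProcessMemory", "SetThreadContext"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of alert dicts, one per (rule, pid) that matched."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    calls = defaultdict(set)            # (caller pid, target pid) -> API names seen
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target"])].add(e["name"])

    alerts = []
    for pid, p in procs.items():
        name = basename(p["image"])
        tokens = set(p["cmdline"].lower().split())

        # Rule 1: a .NET framework host given a NirSoft save-to-file switch.
        if name in DOTNET_HOSTS and NIRSOFT_SAVE_SWITCHES & tokens:
            alerts.append({"rule": "nirsoft_dump_in_dotnet_host", "pid": pid, "detail": p["cmdline"]})

        # Rule 2: the parent both wrote this child's memory and rewrote a thread
        # context. Either call alone is common; the pair on a fresh child is hollowing.
        if HOLLOWING_CALLS <= calls.get((p["ppid"], pid), set()):
            alerts.append({"rule": "process_hollowing", "pid": pid,
                           "detail": f"parent {p['ppid']} -> child {pid}"})

        # Rule 3: an executable named like Windows Update living under a user profile.
        if re.fullmatch(r"windows\s*update\.exe", name) and "\\appdata\\" in p["image"].lower():
            alerts.append({"rule": "windows_update_impersonation", "pid": pid, "detail": p["image"]})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['rule']:<32} pid={a['pid']:<5} {a['detail']}")
```

On this stream the rules fire five times: impersonation on PID 2008, and both the NirSoft and hollowing rules on PIDs 960 and 1344. PID 1524's writes into 2008 do not trigger rule 2 because the report shows no SetThreadContext from 1524, which matches the tree: 2008 is a dropped copy that was started normally, while the vbc.exe children were hollowed.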
Network
MITRE ATT&CK Enterprise v6
Downloads
  Filesize: 102B
    MD5:    d158de25d5b1a2d6699f1b6f572b7561
    SHA1:   f88bb5ae47e97c1a475831b368a93787241e362c
    SHA256: 19af143d58d5d194461e8fe97ac35779917cb4b4389aa609f98ba3f86619d32e
    SHA512: 3d2ba0546123957ec515b8ab95b13c7dbb6944d376515e1f8e476b64e65e2d3b5c4a6fc4f926a87683d4d17c53dbfdc4b8533f4908145a4f42ec44ad17500640

  Filesize: 2B
    MD5:    f3b25701fe362ec84616a93a45ce9998
    SHA1:   d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
    (these are the hashes of a bare CRLF, i.e. an effectively empty text file; consistent with a NirSoft /stext run that found nothing to report in the sandbox's clean profile)

  Filesize: 5.6MB  (listed three times on the page with identical hashes; consistent with the three dropped files 0x0009000000012334-61/-63/-65 in the vmprotect matches)
    MD5:    80a0a3da2f9717c0532cc760b1e7f746
    SHA1:   999e1bd2c3947f898d21572c2c360de72232ef09
    SHA256: 58c69a35991347e174f2ddcb5c25d74c288dbd98212478c4983c0dbc1cce0f52
    SHA512: 4edcea03f46ae0ef3b196f69d3ce7ad6a9a6c7d73a21c833cc60c6293ac943c070cda5ad8d7b613a8100e8b1aebbdc7326cce8790db83e40a3f2a3d7013387b5
    (identical to the submitted sample: the dropped "Windows Update.exe" is a straight self-copy, so one set of file hashes covers both the initial file and the persistence copy)