bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8

General

Target

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
Size

1.0MB
MD5

b94449517e6e249068ed414e93fd1124
SHA1

f09f2517a4c1930bd6d1c12ebd0e75864bc4a7ac
SHA256

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8
SHA512

5769d014364e054fc75fcb221136699504dd736544deae38b52b4ff304c51950404f37d553c834921ab7a1154244d9e5b69941b7c1ec984a5724b077e3364b82
SSDEEP

24576:pYAxsZn4U7D3hIC96owoKYAB+Aq/gX57L4BmAvXpDqedXUEQ1LCINN5:pY0sCU7D3mCsogYUNplINvtq6X9Un5

Score

9^/10

Malware Config

Signatures

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/4448-141-0x0000000000000000-mapping.dmp	WebBrowserPassView
behavioral2/memory/4448-143-0x0000000000400000-0x0000000000459000-memory.dmp	WebBrowserPassView

Nirsoft 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4448-141-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/4448-143-0x0000000000400000-0x0000000000459000-memory.dmp	Nirsoft
behavioral2/memory/2900-170-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/2900-173-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral2/memory/1332-221-0x0000000000000000-mapping.dmp	Nirsoft
behavioral2/memory/1332-223-0x0000000000400000-0x000000000044F000-memory.dmp	Nirsoft

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 whatismyipaddress.com
99 whatismyipaddress.com

flow	ioc
97	whatismyipaddress.com
99	whatismyipaddress.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exebc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

description	pid	process	target process
PID 4776 set thread context of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 980 set thread context of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 set thread context of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

pid	process
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exebc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

description	pid	process
Token: SeDebugPrivilege	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
Token: SeDebugPrivilege	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

pid process

980 bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exebc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe

description	pid	process	target process
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 4776 wrote to memory of 980	4776	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 4448	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe
PID 980 wrote to memory of 2312	980	bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
"C:\Users\Admin\AppData\Local\Temp\bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe
"C:\Users\Admin\AppData\Local\Temp\bc559e34221021bd9447ec44a01514d60e3a0947ed67f6ea7b6da4537431c6b8.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
3⤵
PID:4448

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
3⤵
PID:2312

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt" /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:2900

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderprodkey.txt"
3⤵
PID:2140

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderskypeview.txt"
3⤵
PID:1332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/980-139-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/980-140-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/980-136-0x0000000000000000-mapping.dmp

Download
memory/1332-223-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1332-221-0x0000000000000000-mapping.dmp

Download
memory/2312-142-0x0000000000000000-mapping.dmp

Download
memory/2900-170-0x0000000000000000-mapping.dmp

Download
memory/2900-173-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4448-141-0x0000000000000000-mapping.dmp

Download
memory/4448-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4776-138-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4776-135-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4776-132-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4776-134-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download
memory/4776-133-0x0000000074EC0000-0x0000000075471000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads