Analysis

max time kernel: 152s
max time network: 161s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/01/2024, 16:28

Static task: static1

Behavioral task: behavioral1
  Sample: Payment Advice_ Public Bank Berhad.pdf.exe
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample: Payment Advice_ Public Bank Berhad.pdf.exe
  Resource: win10v2004-20231215-en
General

Target: Payment Advice_ Public Bank Berhad.pdf.exe
Size: 1.4MB
MD5: 89ff8e75427e825570b0b2340dd832cf
SHA1: 12903d7c478914c4c38e76b24001145048f20b8e
SHA256: 7011d414322a2e8079029fdb2646ce87bea6baaa1dccdb4cc3ac07f968189cbd
SHA512: 525e3098b2b6699113feedabe29e9636e71f30e1caef327c576df4853021a431483905bb6b17379cb587d87a79a811f856e25627f50e9ca34de7142603493c96
SSDEEP: 24576:KbGQWvRW2299XrxE7Ozo4vq60bhs+VfnO52CF:EGQWsXr+zZzhrVfni
Malware Config

Extracted: remcos

RemoteHost: 172.96.14.67:9785
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-6W5HVR
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Signatures
Detect ZGRat V1 34 IoCs
NirSoft MailPassView 5 IoCs
Password recovery tool for various email clients
NirSoft WebBrowserPassView 6 IoCs
Password recovery tool for various web browsers
Nirsoft 16 IoCs
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook accounts 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Payment Advice_ Public Bank Berhad.pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Payment Advice_ Public Bank Berhad.pdf.exe
Key opened | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | Payment Advice_ Public Bank Berhad.pdf.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ohmueaslw = "C:\\Users\\Admin\\AppData\\Roaming\\Ohmueaslw.exe" | Payment Advice_ Public Bank Berhad.pdf.exe
Suspicious use of SetThreadContext 10 IoCs
description | pid | Process | procid_target
PID 2172 set thread context of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 4280 set thread context of 4320 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 102
PID 4280 set thread context of 1236 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 104
PID 4280 set thread context of 864 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 105
PID 4280 set thread context of 1792 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 106
PID 4280 set thread context of 2340 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 107
PID 4280 set thread context of 380 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 108
PID 4280 set thread context of 3328 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 110
PID 4280 set thread context of 4880 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 111
PID 4280 set thread context of 4412 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 112
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid | Process
864 | Payment Advice_ Public Bank Berhad.pdf.exe
864 | Payment Advice_ Public Bank Berhad.pdf.exe
4320 | Payment Advice_ Public Bank Berhad.pdf.exe
4320 | Payment Advice_ Public Bank Berhad.pdf.exe
1792 | Payment Advice_ Public Bank Berhad.pdf.exe
1792 | Payment Advice_ Public Bank Berhad.pdf.exe
380 | Payment Advice_ Public Bank Berhad.pdf.exe
380 | Payment Advice_ Public Bank Berhad.pdf.exe
3328 | Payment Advice_ Public Bank Berhad.pdf.exe
3328 | Payment Advice_ Public Bank Berhad.pdf.exe
4412 | Payment Advice_ Public Bank Berhad.pdf.exe
4412 | Payment Advice_ Public Bank Berhad.pdf.exe
3328 | Payment Advice_ Public Bank Berhad.pdf.exe
4320 | Payment Advice_ Public Bank Berhad.pdf.exe
3328 | Payment Advice_ Public Bank Berhad.pdf.exe
4320 | Payment Advice_ Public Bank Berhad.pdf.exe
1792 | Payment Advice_ Public Bank Berhad.pdf.exe
1792 | Payment Advice_ Public Bank Berhad.pdf.exe
Suspicious behavior: MapViewOfSection 10 IoCs
pid | Process
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
4280 | Payment Advice_ Public Bank Berhad.pdf.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege | 864 | Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege | 380 | Payment Advice_ Public Bank Berhad.pdf.exe
Token: SeDebugPrivilege | 4412 | Payment Advice_ Public Bank Berhad.pdf.exe
Suspicious use of WriteProcessMemory 51 IoCs
description | pid | Process | procid_target
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 2172 wrote to memory of 4280 | 2172 | Payment Advice_ Public Bank Berhad.pdf.exe | 96
PID 4280 wrote to memory of 4320 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 102
PID 4280 wrote to memory of 4320 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 102
PID 4280 wrote to memory of 4320 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 102
PID 4280 wrote to memory of 4320 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 102
PID 4280 wrote to memory of 1236 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 104
PID 4280 wrote to memory of 1236 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 104
PID 4280 wrote to memory of 1236 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 104
PID 4280 wrote to memory of 1236 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 104
PID 4280 wrote to memory of 864 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 105
PID 4280 wrote to memory of 864 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 105
PID 4280 wrote to memory of 864 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 105
PID 4280 wrote to memory of 864 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 105
PID 4280 wrote to memory of 1792 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 106
PID 4280 wrote to memory of 1792 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 106
PID 4280 wrote to memory of 1792 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 106
PID 4280 wrote to memory of 1792 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 106
PID 4280 wrote to memory of 2340 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 107
PID 4280 wrote to memory of 2340 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 107
PID 4280 wrote to memory of 2340 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 107
PID 4280 wrote to memory of 2340 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 107
PID 4280 wrote to memory of 380 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 108
PID 4280 wrote to memory of 380 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 108
PID 4280 wrote to memory of 380 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 108
PID 4280 wrote to memory of 380 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 108
PID 4280 wrote to memory of 4484 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 109
PID 4280 wrote to memory of 4484 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 109
PID 4280 wrote to memory of 4484 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 109
PID 4280 wrote to memory of 3328 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 110
PID 4280 wrote to memory of 3328 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 110
PID 4280 wrote to memory of 3328 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 110
PID 4280 wrote to memory of 3328 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 110
PID 4280 wrote to memory of 4880 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 111
PID 4280 wrote to memory of 4880 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 111
PID 4280 wrote to memory of 4880 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 111
PID 4280 wrote to memory of 4880 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 111
PID 4280 wrote to memory of 4412 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 112
PID 4280 wrote to memory of 4412 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 112
PID 4280 wrote to memory of 4412 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 112
PID 4280 wrote to memory of 4412 | 4280 | Payment Advice_ Public Bank Berhad.pdf.exe | 112
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe"
  PID: 2172
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe"
    PID: 4280
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qzvdrtbmkaiiqxcn"
      PID: 4320
      - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\btankmmgyiamsdyzjsf"
      PID: 1236
      - Accesses Microsoft Outlook accounts

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\dvgglefhuqsrdjmdbcsaroz"
      PID: 864
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xkcxpdrtimw"
      PID: 1792
      - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\iehqqvcmwuoxrrf"
      PID: 2340
      - Accesses Microsoft Outlook accounts

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\szmiiomokdgcbfbruk"
      PID: 380
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqnknfstlh"
      PID: 4484

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\pqnknfstlh"
      PID: 3328
      - Suspicious behavior: EnumeratesProcesses

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zkbdgxcvhpuna"
      PID: 4880
      - Accesses Microsoft Outlook accounts

    [depth 3] C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Advice_ Public Bank Berhad.pdf.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kmgwhqnovxmscgdq"
      PID: 4412
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 4KB
MD5: 0cb17253d14f1f732dfbc3ef9b580d1e
SHA1: 85d726cf68f14dd34090de9f4d160c0387249b68
SHA256: e09a0aed9bbc43da3b7a85d30a9a10b54d11c096aa6cef81c23364bc9c4dfcc9
SHA512: f651e62d58e83f9d5e21f3ac8cc516290bfff66c1981dc14cc3a7a900db70d6e7e15c99bb717a18c036b96a6c2f794c2351df7aa39b69531f2112860a51a86ee